A Plea For Websites To Stop Blocking Password Managers
An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."
Scripts that interact with password fields: awesome (Score:2, Interesting)
Well, some sites don't want scripts interacting with the password fields. This could be a way to stop some malware from scraping user passwords from input fields.
Re: (Score:2)
Another factor - do you trust the password manager?
Re:Scripts that interact with password fields: awesome (Score:5, Interesting)
Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer - I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details into it though, because of vulnerabilities + trojans + keystroke-loggers.
Trust an online password manager - hell no.
Re:Scripts that interact with password fields: awesome (Score:5, Insightful)
Except it doesn't stop shit.
Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from the clipboard, because the fact that you can't paste it into the page does not stop you from copying it from wherever you had it in the first place.
Re: (Score:3)
Which is one of the many reasons why JavaScript clipboard functions should only be allowed for white-listed sites.
If anyone knows of an extension to fix this I'd like to know.
Re: (Score:2)
Found one, apparently no whitelist though.
Disable clipboard manipulations [mozilla.org]
Re:Scripts that interact with password fields: awesome (Score:4, Informative)
Not by default it can't.
True there are potentially bugs in implementation or bad configurations that allow scripts to read the external clipboard, but the same argument could be made against password managers. Poor security / configuration of the browser could allow scripts to read the password provided by the password manager.
Re: (Score:3)
Until you go to a random PC which you don't own and try logging in to that whatever website...
What I did (but is difficult to do in general) is learn an algorithm which allows my own brain to generate a password based on the website I'm logging into.
Give me a website name and I can create a unique password for it, all in my head. And whenever I revisit the website I can re-generate the password for reuse.
The algorithm has evolved during last few years and sometimes I have to enter 2-3 passwords if I rarel
Re: (Score:3)
Darn it!
Re:Scripts that interact with password fields: awesome (Score:4, Interesting)
Your argument has one flaw - just because someone uses a password manager doesn't mean he will pick strong passwords...
The flaw you see is not where you think it is. The OP never said a password manager requires strong passwords. That would require idiot proofing - that's a whole other subject.
Using a password manager does not necessarily enforce good passwords - or prohibit the reuse of them.
Writing passwords down means you have to read them out, and type them in to use them - a practise that also does not necessarily enforce good passwords - or prohibit the reuse of them.
Writing passwords down means you have to read them out, and type them in to use them - a practise that encourages bad passwords and the reuse of them.
Using a password manager does not encourage bad passwords and the reuse of them.
The reason for the difference is in ease of use and amount of effort involved. People cut corners because they are lazy or in a hurry.
I touch type; most people don't. I make mistakes typing in complex passwords that have been written down. The more I use those passwords, and the more passwords I need to keep, the greater the incentive to practise bad security. Given that most people can't touch type, they have an even stronger incentive than me to practise poor security. The evidence from all the password list dumps and all the security tests on password usage just proves the same thing: people use dumb passwords, people reuse passwords. When they are asked why they do so they say it's because it's too hard to remember them - or to write them all down, keep control of the pieces of paper, and to type them back in each time.
The other risk with using either method for storing passwords is loss of the passwords. Password managers have to be backed up. Paper records of passwords need to be backed up and secured. Password managers use passphrase protection so they are secured (or should be - see my previous comment about idiot proofing).
Re: (Score:2)
PasswordSafe.
Generates random passwords for you, using specifications you provide (generally that means "generate a password consistent with the site requirements") as to length and content.
You never have to even look at your passwords if you don't want to - they're not displayed by default, so someone looking over your shoulder while you use it won't see a password by accident. Right-cl
Re: (Score:2)
Doesn't make sense. If you have malware it could be keystroke logging, which would make a password manager more, not less, secure: if it auto-fills the user+password fields, the user+password might not get sniffed.
Re:Scripts that interact with password fields: awesome (Score:5, Insightful)
IMHO, this is a browser problem, not a website problem. Browsers shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
Isn't this exactly what a password manager does? I thought Lastpass (to name one) uses Javascript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.
Re:Scripts that interact with password fields: awesome (Score:5, Interesting)
LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.
I agree with the article - blocking password managers lowers security.
Re: (Score:3, Insightful)
Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)
Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you ca
Re: (Score:2)
IMHO, this is a browser problem, not a website problem. Browsers shouldn't allow scripts to interact with a password field. Period.
[Disclaimer: I'm not the GP AC.]
I'd have to disagree with that opinion. I would reconsider if someone showed me good reason. Typing passwords manually leads to password reuse and insufficiently complex passwords.
Re: (Score:2)
And why not?
Some script/program having access to a password field is totally irrelevant from a security standpoint. Heck, even browsers most of the time can't even tell that some html field is THE password field (because there's no standard... often they just guess).
That's interesting. Which browsers guess which form field takes a password, please? It'd save me some time if you could tell me the function that is used to guess it - but I can just dig through the documentation if you don't remember precisely.
I know how Iceweasel/Firefox finds a password form field - and it's not "guess" work. (It remembers the form field positions from when you hit the Submit button - if you have autologin enabled.)
The password manager I use knows nothing of form fields - it handles password r
Re: (Score:2)
Heck, even browsers most of the time can't even tell that some html field is THE password field (because there's no standard... often they just guess).
You mean the one with the attribute type=password? That is the standard, and it's been used like, forever. AC, please stop talking about silly things you know absolutely nothing about.
Never seen them blocking Ctrl-C Ctrl-V (Score:2, Interesting)
And that works fine for me. (using KeePass)
Comment removed (Score:4, Informative)
Re: (Score:2)
Blizzard's Battle.net does this. Or at least it used to; I haven't checked recently. I did contact them about it and they just scoffed it off as a "security measure."
It's a bullshit excuse on their part. See my earlier post [slashdot.org] in the thread for some JavaScript that may get around that.
OpenERP does that. (Score:2)
One work-around, which doesn't work with OpenERP, is a little JavaScript I use as a bookmarklet.
Prioritization vs Managers (Score:3)
Re: (Score:3)
Or the way I do it: Complex passwords for a few critical accounts and my password manager. Sites that don't hold my personal or financial info get to use the password manager
Re:Prioritization vs Managers (Score:5, Interesting)
Managers are like placing all of your eggs in one basket which has been specifically designed for carrying eggs, with proper separation and cushioning against nearly all common shipping contingencies.
Having a couple of really secure passwords and a couple of throwaways is like putting a couple of small eggs in your back pocket and carrying the big ones in your hands. Much more convenient, and only as secure as you are diligent.
Can I sue? (Score:2)
I mean, can I sue a site for forcing me to use an easy password, which then gets hacked?
Re: (Score:2)
I mean, can I sue a site for forcing me to use an easy password, which then gets hacked?
Can they sue you if you expose your account details? Something like 1 in 3 machines have some sort of malware on them (yet if you ask people, nearly everyone will say their machine is clean; 1 in 3 of them are wrong). I can't really blame any site for being unwilling to let any additional software apart from your browser interact with credential fields on their site if the site holds anything of value.
Why do browsers allow websites to do this? (Score:5, Insightful)
While it's true the site operators are at fault, I also blame the browser makers.
Many websites don't allow copy or paste, or even selecting/highlighting text.
While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.
Browser makers should treat these kinds of keyboard/mouse hooks the same way they treat websites asking for location data: with a message asking the user if they want to allow the behavior or not. Furthermore, they should do it in such a way that operators cannot force users to click allow.
Re: (Score:2)
There are a couple of legitimate uses for sites to interfere with select/copy in certain very restricted cases.
1. Using the no-select attribute on buttons (or text styled as buttons). Otherwise, it's very easy to accidentally select the button text when you mean to click it - and that's just a UI mistake.
2. When an image is meant not to be re-shared (e.g, a personal photo on a social or dating network), intercepting right-click with a message asking the viewer not to take a copy.
Re: (Score:2)
While not said in the best way, AC is correct.
Use case 1 sounds like a problem, but one that should be fixed somewhere else.
Use case 2 is like popups and the blink tag. The times when users actively want that feature are dwarfed by its abuse. Further, it's easy to work around. Worst case, I've used a cell phone camera because a program I had to use locked down the entire PC.
Re: (Score:2)
Browser makers should treat these kinds of keyboard/mouse hooks the same way they treat websites asking for location data: with a message asking the user if they want to allow the behavior or not. Furthermore, they should do it in such a way that operators cannot force users to click allow.
Firefox used to have a settings dialog that allowed you to choose how much control you wanted JavaScript to have, but then Mozilla in all their wisdom decided to remove those options when they removed the settings to disable JavaScript altogether. I'm not entirely sure what the rationale for that decision was, because making JavaScript and all its hooks absolutely mandatory doesn't seem to benefit the user in any way.
Re: (Score:2)
Keep in mind this often has nothing to do with any actual decision by the administrators/managers at the institution and everything to do with the financial/healthcare system provider. Healthcare in particular is plagued with lowest bidders trying to scam money out of the institutions from doctors and upper management that know nothing about technology and security.
At the end of the day, these decisions are the result of lazy programmers looking for a quick buck, not a conscious decision. The actual HIPAA
Re: (Score:2)
If you are writing software that takes in a password and you are hashing the password to compare it to a stored hash, there is no reason at all to restrict the maximum length of a password or prohibit certain characters from being used in it.
If you are writing software that takes in a password and you are NOT hashing the password (but instead storing it in the clear or otherwise doing something with it), you shouldn't be writing software involving passwords in the first place (I can't think of a single vali
Re: (Score:2)
I just had this conversation on a visit with a friend. The worst are the sites that have all the "strong password criteria" and then do something idiotic like limit you to a certain number of characters. Those are mostly going away. The best thing to do would just be to mandate a good minimum length and suggest people make up nonsense phrases; then they would be likely to remember them and they would also be likely to be useful passwords.
Gotta agree (Score:2)
I have some generic passwords that I use for non-critical accounts. For critical accounts, I have some pretty tough password-generated things. I have a list of them encrypted on my hard disk, so that I can throw some away if/when the need arises, and grab another. But - I can't copy paste them everywhere. How the hell am I supposed to EVER memorize those damned passwords? Just let me copy paste them, FFS.
A real "Password Manager" would be even better - if I find one that I trust, and I'm comfortable us
A variation on this (Score:3)
Some sites and wifi hotspots double down on this annoyance by inflicting it on their mobile pages too. So you have to enter an email twice from a handset. And just in case that wasn't enough, they fail to specify the field is for email so the phone browser's autocorrect fucks it up as you type it.
A plea for browsers to stop blocking autocomplete (Score:4, Insightful)
It's 2015, people. (Score:3)
Re: (Score:2)
So many talking about securing passwords and not a single mention of two-factor authentication...
Something you know, and something that can be stolen or lost, I think that's how the saying goes, right?
2FA is cool in principle, but I live in the sticks and don't have high-speed internet and I use a prepay plan which charges me daily because it fits my current usage patterns. It would cost me money to use 2FA.
Good password managers... (Score:2)
have a feature that "types" your password in the box instead of having to copy paste it.
Problem -> solved.
Oh you mean like gov websites? (Score:3, Interesting)
The NICS E-Check website comes to mind.
You know, the one that's used to run background checks for guns in 36 states or so?
If I recall correctly it's forbidden in the terms to use a password manager.
And you have to change the password every 90 days.
Stop Using "Passwords" (Score:2)
I stopped using traditional "passwords" years ago and switched to a derivation algorithm instead.
I never have to remember a password because I can derive each one easily. Does anyone else use this strategy?
How about a standard password manager interface? (Score:3)
The article makes a good point: preventing paste into a password field just encourages people to use crappy passwords that are easier to type. The same applies to that silly convention of asterisk masking in password fields. The inconvenience massively outweighs that one time in a hundred that masking prevents a shoulder-surf attack.
Can we develop a standard HTML interface for password managers, with built-in safeguards against malware usage? Any compliant PM would connect with any compliant login screen.
No problem with KeepassX (Score:3)
KeepassX [keepassx.org] does not use the clipboard but instead simulates actual typing, with a configurable delay.
When you select a password entry and press Ctrl-v in KeepassX, it hides itself, switches the focus to the last active window and types the password.
This also protects you from accidentally leaking a password to remote desktop sessions or virtual machines that synchronize the clipboards.
Something IS Wrong (Score:3)
Salted your passwords (Score:3)
I gave up on trying to remember increasingly complex passwords and just remembered how to make them. Computers are great at doing complex math; humans aren't. Humans can remember some things very easily (Correct Horse Battery Staple).
Then I only have to remember or write down 3 things: The 'password', the length and the mapping.
echo -n $password+$user+$website | sha256 | cut -c1-$length | [mapping]
Where mapping maps the hex codes to a-z, a-Z, a-Z0-9, a-Z0-9!-). (You can make up your own charset and just use mod(charset length)).
For example if my password was 'qwerty' I'd salt it such that my actual slashdot password would be:
echo -n qwerty+0100010001010011+slashdot.org | sha256 | cut -c1-20
050e48f9f39d4d481ec3
It's not that much harder to implement in Python for use on Windows. (I just have a simple GUI).
If you want to take it a step further just remember a pattern and then a start letter. qwerty, asdfgh and zxcvbn are the same 'password' in my brain. It's "Password 1, start q, a, or z'.
I have everything written down on how to generate the passwords in a lock box and my wife knows my 'password'. So if I die and everything is locked she could get into any website she wanted just by following the instructions.
All of our joint accounts do actually use our anniversary. Jan 1, 1980, 01Jan1980, etc. are all going to generate different end passwords. You have to know both the date and the formatting, which she does.
Stop remembering passwords and start remembering how to get to your password.
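As an added illustration (not the poster's own script), the derivation scheme described above in Python: sha256 over the '+'-joined password, user and website, cut to a length, then mapped onto a charset with mod(charset length). The charset names and the reading of "a-Z" and "!-)" are assumptions; the uniformity check is a caveat on the mod mapping, not something the post discusses.

```python
import hashlib
import string

# Charsets from the post, spelled out. "a-Z" is read as lower plus upper
# case letters and "!-)" as the ASCII run from '!' to ')' (both assumptions).
CHARSETS = {
    "hex": string.digits + "abcdef",
    "lower": string.ascii_lowercase,
    "alpha": string.ascii_letters,
    "alnum": string.ascii_letters + string.digits,
    "alnum_punct": string.ascii_letters + string.digits + "!\"#$%&'()",
}


def _material(password, user, website):
    # The post joins the three parts with '+' before hashing.
    return f"{password}+{user}+{website}".encode("utf-8")


def hex_prefix(password, user, website, length):
    """The post's pipeline: echo -n $password+$user+$website | sha256 | cut -c1-$length."""
    if not 1 <= length <= 64:
        raise ValueError("a sha256 hex digest has 64 characters")
    return hashlib.sha256(_material(password, user, website)).hexdigest()[:length]


def map_bytes(digest, charset, length):
    """The post's '[mapping]' step: each digest byte becomes charset[byte mod len(charset)]."""
    if not 1 <= length <= len(digest):
        raise ValueError("length exceeds the digest size")
    return "".join(charset[b % len(charset)] for b in digest[:length])


def derive(password, user, website, length, charset=CHARSETS["alnum"]):
    """Site password = mapping(sha256(password+user+website)) truncated to length."""
    digest = hashlib.sha256(_material(password, user, website)).digest()
    return map_bytes(digest, charset, length)


def mapping_is_uniform(charset):
    """Caveat: byte mod n is only uniform when n divides 256. For other sizes
    the first symbols of the charset come out slightly more often (modulo bias)."""
    return 256 % len(charset) == 0


if __name__ == "__main__":
    # Constructed sample input mirroring the post's example.
    pw, user, site = "qwerty", "0100010001010011", "slashdot.org"
    print("hex prefix:", hex_prefix(pw, user, site, 20))
    for name, cs in CHARSETS.items():
        print(f"{name:12} uniform={mapping_is_uniform(cs)!s:5} {derive(pw, user, site, 20, cs)}")
```

Whatever the charset, the output carries no more entropy than the secret 'password' part of the input, which is the point the reply below this post makes.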
Re: (Score:3)
Provided that we now know how your passwords are created, finding your password is essentially not harder or easier than before. From a technical point of view of course. Actually, it probably is much easier now considering that, since you probably rely on your creation algorithm to introduce enough entropy, you probably choose simpler passwords.
Re:Lazy and Stupid (Score:4, Insightful)
Anyone who uses password managers and believes them to be safe and unable to be broken should not be able to use the Internet. All passwords should be maintained separately and typed in manually.
Do you have a citation for that, Mr. Scraps of Bad Security on Paper? Or are you just varying your normal MOO trolls.
I'm sure Bruce Schneier would appreciate your insights into secure code. KeePass has so many flaws.
Re: (Score:2)
I think the concern is that if your computer gets taken over, the criminal can just automatically scan the password logs for all your browsers and you're toast.
Re: (Score:2)
I think the concern is that if your computer gets taken over, the criminal can just automatically scan the password logs for all your browsers and you're toast.
I agree - that probably is the concern. I don't believe that's a legitimate concern. It definitely is a concern that it's expressed so vehemently with no supporting reasons. It may not be a troll, but it is as ugly as one.
Re: (Score:2)
This is only if you allow passwords to be saved in your browser...
Which browsers do not allow passphrase protection of the password manager?
Re: (Score:3)
It's not a difference that I would rely on; but there likely are some differences: it's typically easiest to get some sort of cross-site-scripting malice to work,
In which case your passwords are toast no matter whether you typed them in by hand or they were injected by a password manager.
less easy but far too common to escape from the browser and poke around with the user's permissions,
Do you have a citation for this common occurrence?
I can't seem to find one - though I only did a quick google and a search through the last decade of email from the Full Disclosure mailing list.
Also, could you expand on how such an exploit would not be able to result in key logging that also results in a typed password being captured?
more difficult again to escalate privileges above the user's context; and potentially quite tricky to get a kernel driver in without either compromising some vaguely respectable OEM or mucking with the system's certificate store.
I agree with what made sense. You lost me with the "
Re: (Score:2)
"Do you have a citation for that Mr. Scraps of Bad Security on Paper?"
Every fucking government agency that uses a fucking AIR GAP like a REAL PROFESSIONAL.
That's not a citation - that's just stupid. Hint: you can't use an air gapped machine on the internet you moron.
Re:A plea to fuck off. (Score:5, Insightful)
The alternative being what? Using the same password everywhere and/or spreading your security thin across a thousand different web services you're using all incompetent at protecting your password to varying degrees?
Re: (Score:3)
SQRL does something like a secure token. It allows a manager on a smartphone or computer.
The site you are trying to access presents a clickable QR code that contains a session id and some random gibberish. The SQRL manager will sign that message with a private key that you have, and it signifies that you are who you say you are.
This allows you to sign into a public machine using your smartphone, and once the session is terminated, anything that could have been captured doesn't allow an attacker to login l
Password protection --- of what? (Score:2)
Using the same password everywhere and/or spreading your security thin across a thousand different web services
Let's face it. Those "thousands of different web services" don't amount to shit. There are probably only a handful that contain any *valuable* information about the user: such as your online banking, online tax returns, the very few sites that a person of sound mind would trust with storing their credit card details (e.g, PayPal, Amazon). But apart from that, most web sites, like forums - and even Facebook (you don't really give them actual personal information - do you? ) contain nothing of any value. So
Re: (Score:3, Insightful)
The problem AC "identified" is that a password manager can be cracked and reveal all your passwords.
A password BOOK doesn't even need to be cracked, so it's not a solution to that problem - it's got the same problems as before PLUS it's not secured at all.
Hey, I know, why don't we write all our passwords onto stickers and put them under the keyboard. Nobody ever looks under the keyboard.
Re: (Score:2, Informative)
A password BOOK doesn't even need to be cracked, so it's not a solution to that problem - it's got the same problems as before PLUS it's not secured at all.
It's locked into my house. If someone breaks into my house I worry more about my immediate safety than someone logging into my facebook account.
If they got access to my physical password book they have already gotten access to my wallet with my credit card and ID.
Oh, and they probably found my passport too.
And my passwords aren't written in a way that is legible. I don't write address, login and password together, and the password is usually a reference to a password well known to me, with a modifier.
Re: A plea to fuck off. (Score:5, Interesting)
horse battery staple
Not any more. Words are now characters. You have a 3 character password right there. Unless you're going to munge up the words with misspellings or nonalphanumerics,
Besides, having to type in your master pass[phrase] that's 30 characters long into something like LastPass from a phone keyboard with ******** as your visual feedback every time you need to re-authorize (which should be frequent if you're being diligent) is a royal pain in the ass. Do that for a couple of days and you'll be back to 12345 out of sheer frustration.
Re: (Score:2)
Have you used LastPass? LastPass has several options to not re-enter a master password if you choose:
1) If you have an iPhone you can unlock the vault with TouchID
2) Create a 4 character pin
Both of these are enabled after x minutes that you set post entering your master password. Between having a passcode/TouchID to unlock the iPhone, having to enter the LastPass master password, and then having a secure pin post master password, I feel it is secure enough for my needs.
Re: (Score:2)
horse battery staple
Not any more. Words are now characters. You have a 3 character password right there.
Phew! That came awful close to my password of Rock Paper Scissors.
Re: (Score:2)
The recent OED has 171.5k words in it. Native speakers have a vocabulary of about 20k-35k words. Finally, at least now you want to use 4 words not 3 and possibly one substitution trick.
lowest figure: 20k^3 = 8 trillion ~ 2^43 ~ 7 character random password
highest figure: 171.5k^4 = 8.65×10^20 > 2^69 ~ 11 character random password
Humans generally don't remember random passwords very well. This ain't bad.
Re: (Score:3)
horse battery staple
As a hacker this is all you know
1) You have a password that is eighteen characters long,
As a hacker you can make assumptions
1) Word length
2) Number of words
3) Spaces or Not
4) Fancy Characters or not
5) Numbers or not
OR you can target passwords that are eight characters in length.
I would suggest to you, that if you have a whole database of passwords, encrypted and salted properly, you pick low hanging fruit first.
If you're a hacker, which password is easier to brute force ? "onetwothreefourabeeceedeeexclamat
Re: (Score:2)
But instead use something which
..Is completely, totally, irrevocably air gapped from the network, and not in a format which is easily machine readable? (considering that I type substantially more than I write anymore, my handwriting format is borderline "me" readable).
I see your point. A list of passwords in a book is bad. Much better to put them into a globally accessible cloud behind a single point of protection (password). I know if I were in a basement somewhere out to ruin someone's life the nondescript notebooks all around my
Post-it's are easier (Score:3)
Better to use a single password and write it on a couple of post-its. That way you can tape one to every device you own.
Re:A plea to fuck off. (Score:4, Informative)
My server logs disagree with your assumptions. Fail2ban is running constant blocks on botnets trying to guess passwords on SSH, FTP, SASL and websites, and this goes for my day job, my personal server and my evening contracts.
Re: (Score:2)
My server logs disagree with your assumptions. Fail2ban is running constant blocks on botnets trying to guess passwords on SSH, FTP, SASL and websites, and this goes for my day job, my personal server and my evening contracts.
Why do you allow password logins for SSH? Why the hell don't you have port knocking enabled for SSH?
Re:A plea to fuck off. (Score:5, Insightful)
It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere. Password managers let you eliminate password reuse so even if your Amazon account gets hacked, the attackers won't suddenly have the keys to the castle.
It is one place to attack, true, but how likely is it that someone targets your password database? I would argue it's pretty remote, even if your machine was compromised or stolen. Assuming your master password is strong, the attacker either needs to crack it (difficult) or know you well enough to guess it. What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords. However in that scenario, you might have printed backup keys for your email account (Gmail will let you do this) and no worries.
For the truly paranoid, good old wetware suffices or a pencil and paper; again, you're weighing the risk of your house (or mind) being broken into vs some script kiddies attacking a website.
Re: (Score:2)
It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere.
I have one strongish password which I modify in a systematic and easy to remember way based on the website name. For example (and this isn't exactly what I do, obviously), say my core password is ghs78kja: on slashdot I would use as a password /DOTghs78kjaSLASH* on the New Scientist's site I would use /SCIENTISTghs78kjaNEW*. These passwords are all unique, long, very easy to remember, and use all the character classes.
Re: (Score:3)
I have one strongish password which I modify in a systematic and easy to remember way based on the website name. For example (and this isn't exactly what I do, obviously), say my core password is ghs78kja: on slashdot I would use as a password /DOTghs78kjaSLASH* on the New Scientist's site I would use /SCIENTISTghs78kjaNEW*.
While I understand the appeal of such a system (and tried it briefly years ago), it seems somewhat bizarre to me if you actually want any security. Yes, it will stop some random hacker who obtained a password list from site X from automatically logging into site Y by just applying the old list.
But if a hacker actually gives a crap about what he's doing and actually wants to get into your accounts, a system like this is well-known enough that he could guess your passwords to other sites once he knows one
Re: (Score:2)
What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords.
LastPass stores your password vault on their servers in encrypted form. So really the only issue is the strength and secrecy of your master password and the encryption used on the vault.
Having said that, I do not store passwords for banking accounts, Paypal, etc. in my password manager. Terrible shit will still happen if my vault is opened by those with malicious intent, but there is at least a minor barrier preventing them from converting my life savings into Bitcoin.
Re:A plea to fuck off. (Score:5, Insightful)
Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised.
If your hard drive is compromised then your keystrokes are being logged and your cookies are being extracted, and any website you log into will be compromised. The password manager isn't really adding that much more risk here.
Re: (Score:2)
Using a password manager sounds like a guarantee that at some time in the future access to all the passwords will be lost simultaneously. Writing them down physically, there is a better chance of recovering them, and very little chance of some random hacker finding them.
Re: (Score:2)
You could keep your passwords engraved on dog-tags and locked in various fire-proof safes in different basements, but that really ruins the convenience part of the trade-off.
Or you could just use the same password for all sites (if possible), but that really ruins the security part of the trade-off.
How about: you use a password manager to store your non-critical passwords and store your critical passwords somewhere else - especially the pas
Re: (Score:3)
Re: A plea to fuck off. (Score:2)
From a previous article, most experts agree that using a password manager is one of the best things to do. Non-experts are the only ones that give arguments against them.
I tend to trust the experts.
Re: (Score:2)
Re:Wait, you have to TYPE the password??? (Score:5, Funny)
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
* Yes, please use exactly this password; it's super safe, I promise!
Re: (Score:3)
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
Now my favorite password is in cleartext on the Interweb, and I can't use it any longer... Thanks for nothing. :(
Re:Wait, you have to TYPE the password??? (Score:4, Interesting)
If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...
Parent was modded funny, but this is what your passwords should look like -- long and random, and typing them is a PITA. Any web site that disables pasting or prevents your browser or extensions from auto-filling passwords is broken. The sad thing is that most sites that do this (other than those that do it by accident because the devs are clueless) do it because they think they're increasing the security of their users' accounts. They're not.
Solutions like LastPass et al are the best, but honestly just using your browser's password database is better than reusing passwords everywhere. And Chrome and Firefox (at least, perhaps others) offer the option of keeping your passwords synced to all of the devices you use, optionally protected with a master password. Browsers need to offer password generation as well. I think some are working on it.
Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication. Yes, this means that most users will use their Facebook or Google logins, which means that, essentially, the site has outsourced its account security to those other entities. So what? If the developers of random web sites think they can do a better job of account security than Google or Facebook -- they're wrong. I work for Google and previously spent a decade as a security consultant in the financial industry, and after seeing how they all work from the inside, I would feel much more secure about my bank account if I could use my Google account (with 2FA, plus all of the analytics and monitoring Google does) to log into it rather than trusting the bank to do a decent job with password-based security. I haven't seen Facebook's infrastructure, but I know people who work there, and they're good. Far better than you'll find at a typical bank, much less J. Random Web Developer.
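The comment above says any site that disables pasting or autofill on its password field is broken. As an added example that is not part of the thread, here is a small audit that scans login-form markup for exactly those anti-patterns (inline clipboard handlers that swallow paste, autocomplete="off", and short maxlength on a password field); it parses <input> tags with a regex so it runs in plain Node without a DOM, and the sample forms are constructed for the demonstration.

```javascript
// Added example: flag login-form markup that fights password managers.
const INPUT_TAG = /<input\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Turn the attribute string of one <input> tag into a lowercase-keyed map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Returns one finding string per anti-pattern found on a password field.
function auditLoginForm(html) {
  const findings = [];
  for (const tag of html.matchAll(INPUT_TAG)) {
    const a = parseAttrs(tag[1]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const name = a.name || a.id || '(unnamed)';
    // Inline handlers that cancel clipboard events block pasting from a manager.
    for (const ev of ['onpaste', 'ondrop', 'oncopy']) {
      if (ev in a && /return\s+false|preventDefault/i.test(a[ev])) {
        findings.push(`${name}: ${ev} handler blocks clipboard input`);
      }
    }
    // autocomplete="off" asks browsers and extensions not to fill the field.
    if ((a.autocomplete || '').toLowerCase() === 'off') {
      findings.push(`${name}: autocomplete="off" disables password autofill`);
    }
    // A short maxlength caps the length of a generated password.
    if ('maxlength' in a && Number(a.maxlength) < 64) {
      findings.push(`${name}: maxlength=${a.maxlength} limits generated password length`);
    }
  }
  return findings;
}

// Constructed samples: the first form shows the anti-patterns, the second is fixed.
const BROKEN_FORM = `<form>
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="off" maxlength="16" onpaste="return false;">
</form>`;
const FIXED_FORM = `<form>
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="current-password">
</form>`;

console.log(auditLoginForm(BROKEN_FORM)); // three findings
console.log(auditLoginForm(FIXED_FORM));  // []
```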
Re: (Score:2)
OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73
What a coincidence. That used to be my exact password until I read somewhere you aren't supposed to use your name as a password.
Re: (Score:2)
I used to have a "good" combination on my luggage... until the day I forgot it (or set it wrong, who knows). Poking this way and the other, it turned out that it takes about 10-15 seconds to pick my luggage, and about 2 seconds to pry it open with a screwdriver. :D
Since then, I just use 12345, because why bother.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
And this is why OS X is great. Keychain is available system-wide, but apps can integrate access to it. Safari does this. It will generate random passwords if you want it to, and store them in your keychain.
Re: (Score:3)
But apps have to integrate it. That's the problem - some don't.
Re: (Score:2)
Correct cow battery staple.
Re: (Score:2)
Many SaaS vendors are moving towards a new generation of logins. I see many vendors removing OpenID in general, and we're seeing an equally high number of companies embracing SSO.
Ugh, unfortunately the SaaS vendor I'm working with right now isn't one of them.
OAuth2? Nope. Another password to remember/reset/etc.
Webservices? Nope. Drop a file onto an FTP site which is polled, and poll the site yourself.
XML? Sort-of - it is their least-preferred file format which they try to avoid at all costs. Oh yeah, they have failures to parse xml files that W3 validates (for syntax, not semantics). I'm sure that there are issues with their non-xml-file parsers for the majority of the files