|
There are other aspects to it as well, e.g. your dependency on an internet connection to the keystore. You may have keys for resources that do not necessarily have the same accessibility as your keystore, or rather the other way around: Your keystore access may be more limited. Say that you are running a lot of servers within a local network, requiring login. Then an excavator rips the fiber cable connecting you to the external internet. You can no longer authenticate yourself to local services.
If all your passwords can be accessed by specifying a single password - that to the keystore - then it really doesn't make much difference that after the keystore is opened you can select any key to get in anywhere. Only one key is needed for arbitrary access: That to the keystore. You get an illusion of security much higher than reality.
The fundamental problem is that we pass keys around for login. For thirty years we have had solutions like Kerberos, where no passwords need to be sent across the network. For some reason, it never caught on, as it really could deserve.
(Every time I mention Kerberos to someone who actually recognizes the name, I get an explanation of its failure to be accepted based on some nitty-gritty little detail that keeps it from being 100% perfect. So instead of getting something that would be 99% perfect, we use something that is extremely far from any perfection, and we have to remedy the most serious problems with such tools as keystores. From a system architecture point of view, I find it disgusting.)
|
|
|
|
|
Member 7989122 wrote: You can no longer authenticate yourself to local services.
With LastPass, if you've logged in at least once with an internet connection, you'll have a cached local copy of the encrypted keystore. So long as you don't clear the local cache, that copy will be used if your internet connection is unavailable.
There's also a separate app you can install for offline access.
Other password managers will probably offer something similar.
Member 7989122 wrote: Only one key is needed for arbitrary access: That to the keystore. You get an illusion of security much higher than reality.
At the very least that's no worse than reusing the same password across multiple sites.
The big difference is that you're not sharing your master key with lots of random sites thrown together by people who don't know what they're doing. You can be reasonably confident that it's not stored in plain text behind an application full of SQLi vulnerabilities.
Password managers don't have to be perfect; they just have to be better than not using a password manager.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
In any case, I consider password managers a clumsy and ugly workaround. We have got far better solutions, e.g. in Kerberos. No matter how many times I hear "But we have a fix for that", it remains a messy way of doing it.
In my opinion, that is. Your Meanings May Vary.
|
|
|
|
|
I implement social distancing with my passwords. They used to be "password1", then "password2", then "password3". Now they are "password6", "password8", "password10"
|
|
|
|
|
You should use prime numbers, silly.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
I only use perfect numbers.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
The Inkscape project's version 1.0 of the free and open-source vector graphics editor is packed with new features. And it only took 16 years to get there!
I don't often need a vector graphics tool, but it's handier than Illustrator (cheaper as well)
|
|
|
|
|
Slower too, most notably on zooming, but a great tool.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
Alan Kay.
|
|
|
|
|
NASA is indeed working with actor Tom Cruise on a film to be shot in space — aboard the International Space Station (ISS), it turns out. Topmost Gun? Mission Astronomical?
|
|
|
|
|
The budget is going to be astronomical...
|
|
|
|
|
Cyril Diagne, a designer and programmer currently in residence at the Google Arts and Culture Lab in Paris, showed that as mundane an operation as cut-and-paste can be turbocharged in the era of augmented reality. "I reject your reality and substitute my own!"
Well, "Copy and Paste", but still kind of neat
|
|
|
|
|
Engineers at Stanford have demonstrated a new method of transmitting electricity wirelessly to multiple devices. Does it involve rubbing a lot of balloons against peoples' heads?
|
|
|
|
|
GoDaddy on Tuesday reported [PDF] an October data breach to Californian authorities, stating that an unauthorised individual was able to access SSH accounts used in its hosting environment. No, Daddy!
|
|
|
|
|
Software vulnerabilities are more likely to be discussed on social media before they're revealed on a government reporting site, a practice that could pose a national security threat, according to computer scientists at the U.S. Department of Energy's Pacific Northwest National Laboratory. Because we need another reason to thank "social" media
|
|
|
|
|
If the bounty programs were really attracting / worthy, I suppose they would be used more than they are.
But it looks like it is not enough that we (users) are the beta testers but if we at the end find something, they want you to report it for free.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
With brute-forcing on the rise, experts promote two-factor authentication. Even the hackers have to rely on remote work?
|
|
|
|
|
The controversial sale of the .org web domain - used by charities and non-profit organisations - has been set back after months of deliberation. The people of Organa will not be happy to hear this
|
|
|
|
|
During this pandemic, many organizations are offering free or drastically cheaper courses to help people skill-up for when we eventually get out of lock-down. Just think of how impressed future employers will be when they hear you studied at the JetBrains Academy!
Free, but registration required.
|
|
|
|
|
Microsoft's Windows Experience (and Surface) chief Panos Panay is providing his first general guidance about the direction Windows client will be pursuing, going forward. Why bother learning the lessons of Windows 10S and Windows for Tablets?
|
|
|
|
|
Kent Sharkey wrote: Why bother learning the lessons of Windows 10S and Windows for Tablets?
Not to forget Windows Millennium, Windows 8, Windows 8.1...
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
The Windows dream trio is actually CE,ME,NT
'nuff said
Director of Transmogrification Services
Shinobi of Query Language
Master of Yoda Conditional
|
|
|
|
|
|
Kent Sharkey wrote: Why bother learning the lessons of Windows 10S and Windows for Tablets?
Indeed, there does seem to be no reason to think this will work out any better than the previous attempts to do the very same thing.
|
|
|
|
|
Hey, you didn’t spam out this time. Did it get fixed?
TTFN - Kent
|
|
|
|
|
I am optimistic. Time will tell.
|
|
|
|