|
It's down to your threat model.
You seem to be worried about someone hacking your local PC and getting access to your password manager's database. But if that happens, you've got bigger problems to worry about. And any decent password manager will have encrypted the database using your master password, which shouldn't be stored anywhere on your computer.
Similarly with password managers which store or back-up the database to an online site: any decent tool will have encrypted the database, and the encryption key won't be stored on the server. If the server is breached, there wouldn't be any trivial way to retrieve your passwords.
Whereas if you reuse the same password across multiple sites, you're relying on the developers behind all of those sites to protect your data properly. You just need to spend five minutes in QA to see how unlikely that is! If even one site stores your password insecurely and suffers a data breach, your accounts on all of the other sites you've used the same password for are at risk.
Troy Hunt: The only secure password is the one you can’t remember[^]
Troy Hunt: Password managers don't have to be perfect, they just have to be better than not having one[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Richard Deeming wrote: You seem to be worried about someone hacking your local PC
No, LastPass for example, is online.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
And, as I said, the database will be encrypted with a key which isn't stored on their server. If their server was breached, the attacker would still be a long way from having all of your passwords.
Whereas if you're reusing a single password across multiple sites, you only need one of those sites to be written by someone who doesn't know what they're doing to have your password stolen.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Richard Deeming wrote: the database will be encrypted with a key which isn't stored on their server.
An assumption.
You seem to be assuming that something like LastPass will never be hacked but other websites could be hacked.
In your scenario you're hoping that one single point of failure never fails. Those very words should stand out. It also makes those single points of failures huge targets.
I'm not saying one way is better than the other, I just find it interesting that a bunch of developers would think trusting a single site is the only way to do it.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
ZurdoDev wrote: An assumption.
No, a statement direct from the horse's mouth:
Security | LastPass[^]
What Happens if LastPass Gets Hacked | Our Security Model[^]
Also backed up by other sources - for example:
Is LastPass secure enough? | NordVPN[^]
Back in 2017, one user discovered that the URL of the site wasn't being encrypted, whilst everything else was:
PSA: LastPass Does Not Encrypt Everything In Your Vault | Hacker Noon[^]
It's up to you to decide whether that concerns you enough to avoid the product.
ZurdoDev wrote: You seem to be assuming that something like LastPass will never be hacked but other websites could be hacked.
Read my message again. I explicitly mentioned the possibility of their site being hacked. 
The difference is that if it happened, the hackers would get a database containing encrypted data, and would have no access to the encryption key. They would not have your passwords.
Compare that to the level of code often seen in QA - passwords stored in plain text, or at best using unsalted MD5 hashes; SQL Injection vulnerabilities everywhere; I've even seen people trying to store your password in an unsecured cookie to implement a "remember me" feature!
ZurdoDev wrote: I just find it interesting that a bunch of developers would think trusting a single site is the only way to do it.
As I said, if you don't trust LastPass, use a different password manager. Use one that stores your passwords off-line if you prefer.
Unless you're in a shared workspace with people you don't trust, even a notebook with your passwords written in it would be better than remembering a single password and using it everywhere!
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Richard Deeming wrote: No, a statement direct from the horse's mouth:
Well that settles that. 
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
The very idea of "You can tell us all your secrets - we promise not to tell them to anyone!" is, to me, outright repulsive! Disgusting!
I see way too many people showing an approach of "Well, if those guys kow all the details of my private life, it is OK - they are nice guys! They would never abuse that information!" 'Those guys' may be the police, social services, in the USA it might include FBI/CIA. Even today I do not trust any of those to always set my interests before their own. A future power slide over to less symphathetic forces could change that to the worse.
There is no reason to trust commercial service providers more that the authorities. They may be under a legal pressure to reveal information to "law enforcement", and the are by definition under a commercial pressure. Sending my passwords to them is way outside my trust zone.
Similarly with encryption certificates for email: Those providing such certificates will by default provide you with a public key and a private key. So they know my private key - they provided it! I made a request, who would allow me to generate a key pair myself, revealing the public key to them but keeping the private to myself, sending me a certificate encrypted with the public key. Those who didn't accept that but insisted on generating/knowing my private key, were rejected.
Be careful with who you trust!
|
|
|
|
|
Once again for those in the back:
For LastPass, as for any decent password manager, the database is encrypted locally before being uploaded. The encryption key is never uploaded. They do not have your passwords.
Unless you believe that they have some previously unknown means to crack AES-256, they literally cannot give your passwords to "the authorities", no matter how much pressure is applied.
If you don't trust them, and think that they might be coerced into inserting a back-door into the encryption to allow them to access your passwords, then use an off-line password manager. If you're completely paranoid and think that all off-line password managers are secretly uploading your passwords to their servers, then use pen and paper.
Whatever you do, just don't resort to reusing the same password on every site.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
There are other aspects to it as well, e.g. your dependency on an internet connection to the keystore. You may have keys for resources that do not necessarily have the same acessibility as you keystore, or rather the other way around: Your keystore access may be more limited. Say that you are running a lot of servers within a local network, requiring login. Then an excavator rips the fiber cable connecting you to the external internet. You can no longer authenticate yourself to local services.
If all your passwords can be accessed by specifying a single password - that to the keystore - then it really doesn't make much difference that after the keystore is opened you can select any key to get in anywhere. Only one key is needed for arbitrary access: That to the keystore. You get an illusion of security much higher than reality.
The fundamental problem is that we pass keys around for login. For thirty years we have had solutions like Kerberos[^], where no passwors need to be sent across the network. For some reason, it never caught on, as it really could deserve.
(Every time I mention Kerberos to someone who actually recognizes the name, I get an explanation of its failure to be accepted based on some nitty-gritty little detail that keeps if from being 100% perfect. So instead of getting someting that would be 99% perfect, we use something that is extremely far from any perfection, and we have to remedy the most serious problems with such tools as keystores. From a system architeture point of view, I find it disgusting )
|
|
|
|
|
Member 7989122 wrote: You can no longer authenticate yourself to local services.
With LastPass, if you've logged in at least once with an internet connection, you'll have a cached local copy of the encrypted keystore. So long as you don't clear the local cache, that copy will be used if your internet connection is unavailable.
There's also a separate app you can install for offline access.
Other password managers will probably offer something similar.
Member 7989122 wrote: Only one key is needed for arbitrary access: That to the keystore. You get an illusion of security much higher than reality.
At the very least that's no worse that reusing the same password across multiple sites.
The big difference is that you're not sharing your master key with lots of random sites thrown together by people who don't know what they're doing. You can be reasonably confident that it's not stored in plain text behind an application full of SQLi vulnerabilities.
Password managers don't have to be perfect; they just have to be better than not using a password manager.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
In any case, I consider password managers a clumsy and ugly workaroud. We have got far better solutions, e.g. in Kerberos. No matter how many times I hear "But we have a fix for that", it remains a messy way of doing it.
In my opinion, that is. Your Meanings May Vary.
|
|
|
|
|
I implement social distancing with my passwords. They used to be "password1", then "password2", then "password3". Now they are "password6", "password8", "password10"
|
|
|
|
|
You should use prime numbers, silly.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
I only use perfect numbers.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
The Inkscape project's version 1.0 of the free and open-source vector graphics editor is packed with new features. And it only took 16 years to get there!
I don't often need a vector graphics tool, but it's handier than Illustrator (cheaper as well)
|
|
|
|
|
Slower too, most notably on zooming, but a great tool.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
Alan Kay.
|
|
|
|
|
NASA is indeed working with actor Tom Cruise on a film to be shot in space — aboard the International Space Station (ISS), it turns out. Topmost Gun? Mission Astronomical?
|
|
|
|
|
The budget is going to be astronomical...
|
|
|
|
|
Cyril Diagne, a designer and programmer currently in residence at the Google Arts and Culture Lab in Paris, showed that as mundane an operation as cut-and-paste can be turbocharged in the era of augmented reality. "I reject your reality and substitute my own!"
Well, "Copy and Paste", but still kind of neat
|
|
|
|
|
Engineers at Stanford have demonstrated a new method of transmitting electricity wirelessly to multiple devices. Does it involve rubbing a lot of balloons against peoples' heads?
|
|
|
|
|
GoDaddy on Tuesday reported [PDF] an October data breach to Californian authorities, stating that an unauthorised individual was able to access SSH accounts used in its hosting environment. No, Daddy!
|
|
|
|
|
Software vulnerabilities are more likely to be discussed on social media before they're revealed on a government reporting site, a practice that could pose a national security threat, according to computer scientists at the U.S. Department of Energy's Pacific Northwest National Laboratory. Because we need another reason to thank "social" media
|
|
|
|
|
If the bounty programms were really attracting / wrothy, I suppose they would be used more than they are.
But it looks like it is not enough that we (users) are the beta testers but if we at the end find something, they want you to report it for free.
M.D.V. 
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
With brute-forcing on the rise, experts promote two-factor authentication. Even the hackers have to rely on remote work?
|
|
|
|
|
The controversial sale of the .org web domain - used by charities and non-profit organisations - has been set back after months of deliberation. The people of Organa will not be happy to hear this
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
