I read it indeed. Before I respond, please let me say that this is just my opinion, and I'm totally happy if other people think differently. Also, the point that I wrote and I'd like to stress is that there are some passwords, the most critical ones (i.e. Google, Facebook, banks), that I never want to store and just remember. The reason is that I've found myself in situations where my devices aren't available and I have an urgent need to access these services. For all the other passwords I honestly don't care; deterministic or vault both have pros and cons, but in reality it doesn't really matter. First, I never experienced the same urgent need of access. Second, I could temp reset the password, provided that I can access my gmail.

On point 4 specifically I have two things to say.

> With a traditional encrypted password vault scheme, we need two things to obtain site-specific passwords: the ciphertext of the password vault, and the master password.

To me this is not a feature at all. I want exactly the opposite, meaning I don't want to depend on a file to retrieve my passwords, at least not the most critical ones. So, I guess this is a critical distinction. Are you ok with this dependency? Then definitely go for a vault. Are you against? Then you can't use a vault.

Second, and to your point: it's worth noting that, because you need the vault file, you probably have it replicated in multiple places or at least accessible by multiple devices. To me, this makes the probability of getting access to your vault file higher than the probability of finding out the master password. Or, said in another way, I wouldn't base the security of the system on the fact that the attacker can access the master password but not the vault file. To limit the attack surface you have to create multiple groups with different master passwords. The ones that you type more often are the ones more exposed, so you want to group sites with similar security risk and frequency of login (this is another thing that often seems amplified: I don't logout+login every day in all sites, I typically keep things logged in). I hope this replies to your question, happy to chat more.