by TheDong 2742 days ago
A good critique of these systems is here: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-passw..., discussed on HN here: https://news.ycombinator.com/item?id=13016132

The general consensus of security experts seems to be that they're a bad idea.

I think my setup using `password-store` works great, and arguably is more secure since I rotate my passwords regularly as well.

The main reason I argue my system is more secure is that it has a physical gpg yubikey token to decrypt my password database.

In the 'deterministic password managers', there's no easy way to require that you have physical access to my yubikey in order to decrypt the passwords. You could keylog the master phrase in the case of deterministic ones and have a persistent pwn... heck, just typing the master password into a public slack by accident pwns most deterministic password managers (as pointed out in the above article).

On the other hand, even if someone keylogs my yubikey's user pin, well, they still need to either have the yubikey or to trick me into unlocking the yubikey again for their malicious attacking software. If I accidentally type my user pin into slack, I really don't have to worry all that much.


Is there a technical restriction that makes yubikeys incompatible with stateless password generators or is it just that no one has implemented it yet?
My yubikey is state. A stateless password manager cannot rely on it to secure the actual passwords or else it is no longer stateless.

If the yubikey is only used to secure the master passphrase that derives the other deterministic passwords, then relatively little has been gained because the actual derivation of the passwords happens separately and the original concerns are still largely present.

Even if the master password is secured with a yubikey, many of the other flaws are still present, and if you need a yubikey to access your passwords anyway, you might as well encrypt the passwords directly rather than going through this awkward extra step that reduces security.
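A toy model of the two designs this thread contrasts, added here as an example (not code from the commenters, from password-store, or from any YubiKey/gpg API): a deterministic scheme whose only secret is the master phrase, beside a store where each random password is wrapped by a key that never leaves a constructed `Token` stand-in. It shows why wrapping the master phrase with a token changes little, since once unwrapped the phrase alone regenerates every password.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%"


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministic scheme: password = KDF(master, site, counter).
    The only secret is `master`; whoever learns it recomputes every password offline,
    and "rotation" means bumping `counter`, which is state that must be remembered."""
    key = hashlib.scrypt(master.encode(), salt=f"{site}:{counter}".encode(),
                         n=2 ** 14, r=8, p=1, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


class Token:
    """Constructed stand-in for a hardware token (not a YubiKey API): the wrapping
    key is generated inside the object and is never returned to the caller."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._key = secrets.token_bytes(32)

    def _keystream(self, n: int) -> bytes:
        # Toy HMAC-based keystream for illustration only; real tokens use proper AEAD/RSA/ECC.
        out = b""
        for i in range((n + 31) // 32):
            out += hmac.new(self._key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def wrap(self, pin: str, data: bytes) -> bytes:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data))))

    unwrap = wrap  # XOR against the same keystream is its own inverse


def deterministic_with_wrapped_master(token: Token, pin: str, wrapped_master: bytes, site: str) -> str:
    # The token is needed once, to unwrap the master phrase; from then on the plain
    # phrase is in memory and derivation runs entirely without the token.
    master = token.unwrap(pin, wrapped_master).decode()
    return derive_site_password(master, site)


def store_read(token: Token, pin: str, wrapped_password: bytes) -> str:
    # Encrypted store: each password is random and individually wrapped, so every
    # read goes through the token; a leaked PIN by itself reveals nothing.
    return token.unwrap(pin, wrapped_password).decode()
```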