[Thorrez]

If there's generic malware that's targeting your password manager, then yes this provides protection against that. But it doesn't provide protection against a targeted attack, because the malware can just keylog your horcrux.

Another weakness that doesn't require a keylogger, is the attacker might be able to find some stolen database of a website that stored passwords in plaintext, then deduce your horcrux from the difference between what was in your password manager and what was in the database. And if the site did hash passwords, the attacker can try cracking the horcrux. The 5-character example horcrux probably wouldn't be too hard. The article somewhat covers this by saying only use the horcrux on important sites. This is good, but it still has weaknesses because an important site can still get its database stolen, and some people also want to protect less important sites.

And if no password databases are available, the attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site. I've actually had an attacker contact me personally (that is, actually chatting with me live) and ask me to sign up for his forum under the hope that I would reuse my valuable account's password on the forum.

[GoblinSlayer]

>And if no password databases are available, the attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site.

Some sites email your password to you: https://plaintextoffenders.com/

[Dylan16807]

With two important notes:

1) A site that emails you your password might not be storing it in plain text. They're similar but separate problems.

2) A site that sends you a login link could be just as bad as the sites listed here, if that login link doesn't expire (and you used a unique password). It's a more subtle way of having the same problem.

[Thorrez]

For 2, if it's a password that the user chose, the site should never email it, because the user likely reused that password across many sites, and someone who snoops on the user's email (say a housemate) can get the password to a ton of sites.

If it's a password generated by the site, then it's actually fine to email it. Although you likely don't want it too early in the email that it would show up in a phone notification or in a body summary in gmail.

[GoblinSlayer]

Many sites are wrongly listed there, like https://plaintextoffenders.com/post/629608281322733568/qnx-s...

[101008]

Honest question: If you send it on the email without storing (just sending appending the $password variable to the email body), what would be the problem?

[UncleMeat]

Some email is still sent unencrypted over the web so people snooping on traffic could see it.

[GoblinSlayer]

Not hypothetical https://plaintextoffenders.com/post/628974096028434433/movis...

[thedanbob]

Any mail server the email happens to pass through is able to read/log the entire content of the message.

[boomboomsubban]

It's sad to think that the list of 5801 sites probably only accounts for a couple percent of the total amount of offenders.

[upbeat_general]

True but all of the methods you mention to determine the horcrux are also ways to get someone's typical password, so password manager + horcrux is still much stronger as you need both (besides obviously the keylogger/malware).

You could also just have a horcrux for a couple sites and make them all distinct obviously.

[Thorrez]

Well my thought is that it doesn't take much effort to get a typical password, but does to get a password manager user's password. So an attacker who gets the password from a password manager can probably easily get the horcrux as well.

[Hackbraten]

> I've actually had an attacker contact me personally (that is, actually chatting with me live) and ask me to sign up for his forum under the hope that I would reuse my valuable account's password on the forum.

How did you eventually find out their true motivation?

[Thorrez]

I had one of the most valuable accounts in a video game, so attackers of all kinds were constantly contacting me. I was immediately suspicious of anyone who contacted me. I signed up for the forum with a password from my password manager (I like toying with attackers). I told him I signed up, and a few minutes later he said there was a problem with my account and asked if I used a password manager. I said yes. He said to sign up without it because the site doesn't support it. I tried arguing with him that that makes no sense. But arguing with someone who's lying and refuses to admit it is generally not productive, and the argument got nowhere.

His idea to make me sign up without a password manager was illogical anyways. If I use a password manager on his site, it should be obvious I use a password manager for my video game account, so me halting my password manager usage for his site wouldn't help him get my video game account.

[GoblinSlayer]

All security eventually relies on obscurity, it's a bad idea to disclose your security practices. Use hunter2 as password for junk sites.

[Thorrez]

From a humor point of view that would be a good idea, something like "dontbothertryingtostealmyaccount".

I also agree somewhat about obscurity. Notice that I haven't said what password manager I use, or where I store it. The fact that I use a password manager I don't consider sensitive though.

[lstamour]

By that same logic, use disposable email addresses and the password doesn’t matter? I mean, this kind of thing only holds up while you don’t care to enter any data about yourself and re-visit the site later. Those who need to be anonymous can provide junk info to junk sites, sure, but for everything else, there’s email and 2FA TOTP codes and password managers for a reason... largely because OAuth and FIDO2 aren’t universal yet I suppose ;-)

[red0point]

Can you elaborate on why all security will eventually rely on obscurity?

[GoblinSlayer]

It's jokingly called Fleming's cryptanalysis: if there's a secret key, you just send James Bond to steal it.

[Thorrez]

The only type of obscurity that would protect me against that type of attack is if I myself am entirely obscure. By having one the most valuable accounts in a video game, I've already given up on that.

[jerezzprime]

https://xkcd.com/538/

[gbh444g]

For important logins, I don't even write the password in my password manager, as I assume it's already compromised. Instead, I write there notes about how the password should be derived, e.g. contoso.com|x4|s1. Even if someone gets to see this and even they guess the exact structure of this algorithm, they'd have to know the salt, which would take long time to bruteforce. Otherwise they'd have to wonder if x4 means "4 times hashing" or "repeated 4 times" or it's something to do with the salt.

[TwoBit]

> attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site.

I don't think that reusing the same pepper (horcrux string) for all sites would be best practice.

[toasted_flakes]

If only we had a secure place to store all of the horcrux strings that are unique per-website!

Joking aside, I don't see the point of this. It guards against exactly one attack (your password manager somehow revealing all your passwords) which is unlikely, but not against a whole lot of other (slightly more generic malware, phishing, ...) whilst making logging in harder (there's now a manual process).

If you're willing to go such lengths, enable 2FA on more accounts (which the articles mentions, points for that) or get a physical token for your password manager.

[djeiasbsbo]

That might be likely if the password manager database is stored in the cloud. iCloud hacks seem to be at least somewhat common and iOS users often hsve no other means of syncing their password manager database.

[gruez]

Isn't that a non-issue if the cloud version is encrypted?

[starfallg]

That defeats the point of using a password manager more or less. You're just remembering individial passwords but it's even more complicated now.

[ska]

That's ok - just use two different password managers and merge the parts manually on login ;)

[kurthr]

Oh, my... I can imagine quite a few obscene and anatomically impossible pass phrases that would be generated for that forum. However, I supposed you would still give up some knowledge/deniability in that case.