by mjthompson 1790 days ago
Good advice. Ever since Tavis Ormandy set his sights on password managers, I have been a very sceptical user. I still use 1Password, but without the browser extension. Putting autofill aside, there are a couple of other concerns I have.

I am hesitant about recommending a password manager to the tech illiterate simply because one piece of malware could compromise the entire vault. In that respect, a sticky note is arguably more secure than a tech illiterate person using a password manager.

Also, I have my usual criticism of client-side browser encryption. Anyone who has the technical ability to compromise a cloud-based service can likely take it a step further and modify JavaScript files enabling total vault compromise. There is no easy way for a user to mitigate this risk.

Password managers must be a stop-gap measure only until webauthn is more widely deployed. I long for the day when phone-based webauthn keys are the norm, and I can stop fielding questions about password managers from friends and family.


A piece of paper is the most secure solution, sure, but once you get to the point where you have a hundred passwords, even if you've got them all in the same place, it's too unwieldy to use.
FieldNotesBrand.com

Sticky notes suck because people leave them in plain sight. A notebook is a totally reasonable way for a non-technical person to track passwords securely.

> A notebook is a totally reasonable way for a non-technical person to track passwords securely.

I do this, even though I'm a "technical" person. I do it because I use unique passwords for almost every site I visit.

The notebook never leaves the house, but what if I have a fire? I remember a few passwords, but most of them "poof, gone".

My reckless behavior reminds me of this commercial parody on SNL, long ago:

- A Tradition of Security -

We will make a list of our clients and how much money each of them has given us to invest. We will keep this list in a safe place. If we have time we will make a copy of the list in case something happens to the first list.

http://www.faqs.org/faqs/tv/sat-night-live/commercials/

In case of fire, seems like you only need to memorize the passwords for your email accounts. Everything else can be fixed with “reset your password” links.

I’ve sometimes wondered if that would be a useful security scheme. Using email as a de facto pw manager. Memorize your email pw. Use the password reset feature on your critical sites. It would be enormously inconvenient. But it would mean your passwords are never written down and never stored in a pw manager’s database.

Seems like that would make things more secure, but I’m probably overlooking something.

It's a complicated issue.

I think some people don't make any real effort to keep track of their passwords, and so reset via email is kind of common.

But what if you're Sarah Palin, governor of some out-of-the-way state (pop. 736,000). Suddenly you're thrust into the spotlight as a VP candidate.

Sucks for her that Yahoo's password reset questions at the time were simple: the Yahoo! account's password could be reset using shared secret questions including "where did you meet your spouse?" along with the date of birth and ZIP code of the former governor, the answers to which were easily available online.

https://en.wikipedia.org/wiki/Knowledge-based_authentication

Can you trust your email provider not to let your account get "stolen" from you?

I think having a discussion like this on HN is great. It gives people an opportunity to re-evaluate their current procedures.

Do you have your password manager database and private keys backed up in a way that would survive if you have a fire? A lot of people may think they have backups of stuff like this but unless you remember to grab that thumb drive out of your desk drawer (assuming you're home) a fire might still destroy them.
No, no, I don't have my passwords anywhere but in a paper notebook. And I don't have any other copies. That's what I meant by "my reckless behavior".

What percentage of people use a password manager? I think on iOS/macOS it's pretty high because Safari offers to save them, but what about non-technical users in general?

As to why I don't use a password manager, I think that the probability of some bug or hack or whatever of the password manager, which would lead to all my passwords being compromised, is greater than the probability of my house burning down.

Do I really want to trust Firefox with all my passwords? Do I really want to trust Google with all my passwords? (Fuck no!) Do I really want to trust some random password manager with all my passwords?

The smart thing to do, which I unfortunately don't, is to memorize a handful of passwords and use a password manager for the rest. E.g. remember bank password, use a password manager for Chipotle and Five Guys.

> Do I really want to trust Firefox with all my passwords? Do I really want to trust Google with all my passwords? (Fuck no!) Do I really want to trust some random password manager with all my passwords?

There are options like KeePass or Bitwarden that allow you to store your own database file wherever you see fit or self host, respectively.

> The smart thing to do, which I unfortunately don't, is to memorize a handful of passwords and use a password manager for the rest. E.g. remember bank password, use a password manager for Chipotle and Five Guys.

This is the way that I mitigate risk as well. My email password is not present in the db, nor is my checking.

It should be reasonably safe to store database files on various cloud storages. If you are not willing to do so, it is also possible to keep them on flash drives at your relatives' homes.
Yeah but unless you have a lot of foresight they’re not going to end up in a useful order.
You can just use an address book (the paper sort with letter dividers).
> A piece of paper is the most secure solution

I beg to differ. A piece of paper can easily be found by someone. Much easier than hacking a password manager. Unless you're storing that piece of paper in a safe, it's not secure. The only advantage of paper is that it's not exploitable remotely.

> A piece of paper can easily be found by someone. Much easier than hacking a password manager.

A piece of paper in a locked drawer is potentially accessible to a person breaking into it. It is probably an unsophisticated burglar looking for money. They are probably located in the vicinity of your neighbourhood and have rocked up to your home, and will not evade capture for long. They will likely leave DNA. If they decide to swipe your notebook, it will be immediately apparent you have been compromised, as your drawer is open and your notebook open or missing. Your notebook may be looked at momentarily, perhaps passed to one or two people; more likely, it will be thrown into a gutter as soon as the burglar realises it has no money in it, or just left untouched.

A password in a locked password manager is potentially accessible to a person breaking into it. It is probably a sophisticated cyberattacker looking for credentials. They are probably located overseas and have remotely connected to your home network, and will evade capture. They will leave no trace. If they decide to compromise your vault, it may not be immediately apparent you have been compromised, as your password manager is still there. Your vault will be scrutinised intensely, and your credentials will be sold to many others on a darknet forum.

I know which I'd rather.

If someone sees a list of site/user/pass, wouldn't they take a photo of it instead of stealing the entire notebook? It just seems like the obvious thing to do.

> They are probably located in the vicinity of your neighbourhood and have rocked up to your home, and will not evade capture for long. They will likely leave DNA.

Did you get that from CSI: Miami? Nobody is gonna collect DNA samples just because some stuff went missing in your home. The cops will file a report and tell you to file an insurance claim.

Burglars are in and out in a matter of minutes. There's no way they're standing there taking photographs. Like I said, they want money (and easily hocked valuables). No street criminal is interested in your Google Account login.

Australian here. When my house was broken into Police forensics came that afternoon and fingerprint dusted all points of entry and lifted prints. Do they not do this in your jurisdiction? I have just realised DNA is probably poor shorthand for that.

Honestly the American cops are unlikely to bother with that. But still, I agree that a burglar is unlikely to bother with your password notebook.
If someone has remotely compromised my home network how do I know they haven't just installed a keylogger, and are capturing the passwords that I type in via a sticky note?

I'm just a person on the internet, so my threat model may be different to yours, but my threat model is for the most part phishing, social engineering, data breaches, and the likes. The majority of these are fixed by password autofill (for the most part)

> It is probably a sophisticated cyberattacker looking for credentials

It is probably the script of a sophisticated cyberattacker leveraging some vulnerability to look for the credentials of thousands of people at once. Yes, the burglar is a total non-threat by comparison (unless they happen to be working for your very personal enemy intelligence agency).

Good security practice would add a memorized element to the stored passwords as an informal second factor. Are there password managers that have good support for that when auto-filling and updating?

I used to work in a pretty secure environment. The way to store passwords was to write them on a piece of paper and put that paper in your personal safe. This was inside a building with armed guards.

I guess it all depends on where your risk/convenience preference lies. I would say that, just like the best camera is the one you have with you, the best way of storing passwords is the one you are willing to use. Perhaps pen and paper in a safe is the best way, but if that means insecure, easy passwords are used for many sites, I guess password managers are better.

There’s an assumption that no malicious actors exist in any physical proximity. A strange thing to say but so far probably true enough.
If you hide it in a random book, it will be unlikely found by anyone. Burglars don't steal books.
When you hide it in a random book, and need to access it frequently, you end up with the plot device where the hyperintelligent detective guy immediately realizes that there can only be one reason this particular book looks more used than all the others.

The real threat of course is that you'll definitely not remember yourself (because you only use it for that one ring master password which you never use)

Yes but there is very low correlation of risk - much less than if your password manager is online.
Time to revive the rolodex...
With a polarizing filter, oled display, vision based user recognition and a nice haptic knob, hopefully in some sort of upcycled oak, alder or white ash.
Don't forget wifi connectivity...
A web based admin interface might be handy as well...
Ohhh, with automatic firmware updates! Maybe it syncs over Bluetooth, or pretends to be a car infotainment system to keep a copy of your mobile contacts.

The complexity probably warrants some sort of embedded microservice arch, like microK8S.

That was going to be my suggestion.

I'm a fan of Zettelkasten for notetaking and knowledge management.

Filing passwords on index cards or business cards (3.5x2 in, ~9x5cm), with a sensible indexing system, scales up reasonably well. There's certainly extant physical infrastructure.

The typical person has on the order of about 100 online accounts. Managing even 1,000 accounts in an index card file is at least within reason.

Another alternative is a GPG-encrypted file, though keeping that synchronised between multiple locations might prove a challenge.

> Another alternative is a GPG-encrypted file, though keeping that synchronised between multiple locations might prove a challenge.

What's the difference between what you're suggesting here and a password manager? Encrypted local file, with an optional sync service. I know that if I was setting up my own password manager for security reasons, the sync part is likely the most vulnerable, hence why I would like to offload that to a third party that I trust.

[0] https://bitwarden.com/help/article/what-encryption-is-used/

Not being dependent on some external maintainer outside your preferred editor and encryption tools.

The ability to port to any alternative tools that provide superior capabilities, should the need arise.

Utilising the file using standard shell tools (gpg piped to grep, sed, awk, etc.).

I've been around long enough to see multiple tools come and go. Even PGP itself dates from after the beginning of my professional career with computers (though near the beginning). There are multiple applications, operating systems, and architectures I've used which have been relegated to the dustbin of history. I'm quite leery of becoming dependent on any one specific application or tool, most especially one that's not been proven across multiple decades and widely adopted.

PGP, GPG, vi/vim, or emacs would all pass my tests. They're available on any system I could conceivably use. Even iOS, though with some difficulty.

Encrypting and syncing a file is simple.

Managing syncs from multiple locations of an encrypted file is ... a bit more complicated. Git might be able to manage that with some hooks.

Your personal convention that would keep you unaffected from bulk attacks targeting the tool used by millions in the same way.
Security through obscurity, in other words (I've always been a fan, it works as an additional factor; not being sarcastic!).
So security through obscurity?
If you want a local one, Keepass will do.
A sticky note doesn't protect against phishing, though, which is a much more likely risk for most users.
A password manager only really offers marginal phishing protection, in the sense that 'automatic autofill' (as defined in the original post) is not available with an unrecognised website.

The problem is most profound with tech illiterate folk. If you have tried to teach a tech illiterate person how to use a password manager (as I have), you may have encountered the issue that 'autofill' isn't 100% accurate. You will occasionally hit a subdomain or alternative domain which uses the same credentials as the saved website (eg amazon.co.uk vs amazon.com). It will appear that no credentials are available for that site. Therefore, you usually have to teach the person how to manually search the vault and either fill manually, or copy and paste credentials. Otherwise, you can expect phone calls for support. And, of course, the original article actually suggests disabling automatic autofill. It suggests filling manually, further opening up the possibility of mistakenly filling onto a dodgy domain. As soon as you teach them a workaround to deal with this case, the phishing vector is basically no different to a post-it.

This problem might also apply to a tired, tech literate person, who mindlessly fills manually or copies credentials without checking the domain.

In either case, we fall back to Google Safe Browsing doing its job properly, and await solid anti-phishing solutions like FIDO2/webauthn.

> A password manager only really offers marginal phishing protection, in the sense that 'automatic autofill' (as defined in the original post) is not available with an unrecognised website.

I don't know if alerting the user that something is wrong could be described as "marginal" for phishing attacks.

Sure, they may still make the bad decision but it might seem odd to them that their password manager didn't offer to fill it in for the site and get them to start looking around and double checking things.

You still need 2FA and the 2FA absolutely should NOT be a part of your password manager. Use a different app at the very least.

This should help alleviate some of the worst password manager risks.

Under WebAuthn you can have 2FA despite only one authentication flowing from your authenticator to the web site. Nice smartphones (say, a modern Pixel or an iPhone) with fingerprint readers have as the two factors your fingerprint (something you are) and the phone itself (something you have). The phone signs your authentication; the private information (your fingerprint) never leaves the phone, it just warrants that it checked it (UV bitflag in the signed data).

Or say you have a FIDO 2 Security Key from Yubico. As well as the features of the cheaper FIDO 1 Security Key products, this has a PIN verifier. The PIN is something you know, while the Security Key itself is something you have, so that's two factors, once again the UV bitflag is signed.

It's simpler, it's easier, it's more secure. And yet, right now I bet an HN reader is implementing yet another shitty SMS-as-2FA hack and we're still in a thread about remote authenticating with passwords - an idea that was already terrible in the 1970s.

What if the phone is fully compromised?
What about it?

If your threat model is "People fully compromised my phone" then you should definitely not rely on the phone in the face of that.

Is there any realistic scenario that protects against a fully compromised phone/computer?
I mean yeah, if you use 2FA and both phone and computer are just one factor on their own, then a compromised phone does not matter. So my question is, how about the mentioned scenario - to me it seems that just compromising the phone would compromise the whole, but maybe I misunderstood.
> You still need 2FA and the 2FA absolutely should NOT be a part of your password manager. Use a different app at the very least.

If you store 2FA codes in a password manager, the recommendation is to use 2FA for the password manager itself that isn't stored in the password manager. Off the top of my head, that doesn't seem to really open up any additional risks over storing 2FA passwords outside of the password manager.

Personally, it's a matter of practicality - I use my phone for personal 2FA codes, but don't have a work-provided phone and am not going to use my personal phone for work purposes - and as many services now require 2FA, it's easiest to store those 2FA codes in my work-provided password manager.