by NegativeK 1094 days ago
I've been involved in switching users in a corporate environment from one password manager to another.

You want to irritate non-technical people? Tell them that they need to use a password manager.

You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.

I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.

2 comments

You want irate non-technical people? Tell them they need to come up with something better than Password123.

People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.

When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.

Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.

And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.

Companies unable or unwilling to fix their terrible password setup should invest in something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.

NIST's recommendation of passphrases that don't expire except when cracked is better, because it avoids <employer name>fall2023. But now you have to pay for the audit (whether it's internal or external) and then explain why their TV quote/book title/whatever is easy to guess.

And whether it's passphrases or passkeys, we still haven't solved the problem of the gajillion other accounts people will have to log into to do work that are nowhere near that standard.
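The screening policy referred to above (SP 800-63B section 5.1.1.2: no scheduled expiry, but reject secrets that are too short, breached, repetitive/sequential, or built from context-specific words) as an added example. This is not NIST's code and not from any product in this thread; the `screen` and `has_run` names, the 8-character minimum taken from the NIST text, and every word list are assumptions or constructed sample data.

```python
"""Password screening in the style of NIST SP 800-63B section 5.1.1.2.

Added example, not NIST's code and not from any product named in the
thread. Instead of a periodic reset, a candidate secret is rejected only
when it is too short, matches a breached/common list (including well-known
quotes), is repetitive or sequential, or is carried by a context-specific
word such as the employer name or a season+year suffix.

Every list here is constructed sample data; a real deployment screens
against a large breach corpus (for example an offline HIBP export).
"""
import re

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets

# Constructed stand-in for a breach / common-password corpus, stored with
# spaces and punctuation removed so that "May the Force be with you" and
# "maytheforcebewithyou" collapse to the same entry.
BREACHED = {
    "password123", "letmein", "qwerty123", "welcome1",
    "maytheforcebewithyou", "tobeornottobe",
}

SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)[-_ ]?(19|20)?\d{2}")

# Deliberately small substitution table: undoing digits such as 1->i or
# 3->e would also mangle the digits in "password123", so only the
# unambiguous symbol swaps are reversed.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o"})


def _canon(s: str) -> str:
    """Lowercase, undo common leet substitutions and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(_LEET))


def has_run(s: str, run: int = 4) -> bool:
    """True if s has `run` identical chars (aaaa) or chars that step by +1/-1
    in code point (abcd, 4321). Works on the raw string, not the canonical form."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        steps = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen(password: str, context: tuple = ()) -> list:
    """Return the list of reasons to reject `password`; empty means accepted.

    `context` holds words specific to this deployment (employer, product,
    username); they and their leet variants are rejected as substrings.
    """
    reasons = []
    low = password.lower()
    canon = _canon(password)

    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if canon in BREACHED:
        reasons.append("appears in breached/common-password list")
    if has_run(password):
        reasons.append("repetitive or sequential characters")
    for word in context:
        w = _canon(word)
        if len(w) >= 4 and w in canon:
            reasons.append("contains context-specific word %r" % word)
    m = SEASON_YEAR.search(low)
    # A season+year suffix is fine inside a long passphrase; it is rejected
    # only when almost nothing else is left once it is removed.
    if m and len(low) - (m.end() - m.start()) < MIN_LENGTH:
        reasons.append("season+year pattern carries the password")
    return reasons


if __name__ == "__main__":
    corp = ("ExampleCorp", "jdoe")  # constructed deployment context
    for candidate in ("correct horse battery staple", "ExampleCorpFall2023",
                      "May the Force be with you", "P@ssw0rd123", "Fall2023!!"):
        print("%-30s %s" % (candidate, screen(candidate, corp) or "accepted"))
```

Because nothing here expires on a schedule, the only trigger for a forced change is new evidence of compromise, which is the audit the comment above mentions: re-run `screen` (or a hash comparison) against each new breach dump rather than against the calendar.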

As a technical user faced with the most absurd of password complexity policies, I totally understand non-technical user frustration, given my much higher bar of ability etc., so I don't think it's entirely fair to blame them. Sure, they could do with making more of an effort, but most people just don't care or aren't aware of the ramifications...

> and _they_ have to do the export/import steps

At least for a personal account, the 1password import tool worked flawlessly (as far as I can tell after about a month switched).

Does it not work for enterprise? Or perhaps each would have to run it?

When there's segregation between passwords that the organization can see and passwords that only the employee can see, then each user has to run the import/export.