by temporallobe 703 days ago
I’ve been preaching this message for many years now. For example, since password generators basically make keys that can’t be remembered, this has led to the advent of password managers, all protected by a single password, so your single point of failure is now just ONE password, the consequences of which would be that an attacker would have access to all of your passwords.

The n-tries lockout rule is much more effective anyway, as it breaks the brute-force attack vector in most cases. I am not a cybersecurity expert, so perhaps there are cases where high-complexity, long passwords may make a difference.

Not to mention MFA makes most of this moot anyway.

4 comments

Most of us can't remember more than one password. This means that if one site is compromised, then the attacker now has access to multiple sites. A password manager mitigates this issue.
People used to memorize the phone numbers of all important family members and close friends without much trouble. Anyone without a serious disability should have no trouble memorizing multiple passwords.

Sure, I do use password managers for random sites and services but I probably have a lower double-digit amount of passwords memorized for the stuff that matters. Especially for stuff that I want to be able to access in an emergency when my phone/laptop gets stolen.

People used to memorize a few phone numbers, likely less than 10, and used notebooks made specifically for writing down phone numbers to keep track of the rest.

Phone numbers of the people you called the most (the 10 you memorized) were overwhelmingly likely to be local numbers, so you were only memorizing (3 number chunk) + (4 number chunk). Password rules are all over the place. Memorizing numbers, letters, whole words, the capitalization of those letters and words, and special characters, that are far longer than ye olde timey phone numbers, is orders of magnitude more difficult.

I have over 100 passwords in my password manager. They are all unique, so if any one is compromised, it is contained. My password manager is protected by strong 2FA, so someone would have to physically interact with my property to gain access. In the real world, there is no scenario where memorizing all your passwords is more secure.

They did not. They had papers with all those numbers written down next to landline phones. They also had little notebooks they carried everywhere with them with those numbers written down. You could buy those little notebooks in any store and they fitted into a pocket.

Moreover, those numbers did not change for years and years. Unlike passwords that change, like, every 3 months.

Vary the password per site based on your own algorithm.
AKA, put the name of the site in the password :)
"MyPasswordIsSecureDespiteNotBeingComplexBecauseItIsLong_BobsForum" is great until Bob's Forum gets hacked and it turns out that they were storing your password in plain text and your password of "MyPasswordIsSecureDespiteNotBeingComplexBecauseItIsLong_Google" becomes easily guessed.
One way to mitigate such a problem is to use the hash of this text as the password, instead of using the text directly.
Not necessarily, but just a pattern that only you would likely remember.
You need a pattern that only you recognise/understand, not just remember. It takes only one leak of your password from service FooBar that looks like "f....b" to know what to try on other sites. Patterns easy to remember are mostly easy to understand.
With LLMs, that sort of approach can be attacked at scale.
That algorithm becomes analogous to the password to your password manager.
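An added example, not part of any comment in the thread: it contrasts the "site name in the password" pattern with a keyed derivation, showing why one plaintext leak exposes the sibling passwords in the first case and why, in the second, the master secret takes on the role of a password-manager password. The function names, the fixed salt string and the iteration count are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

def pattern_password(base: str, site: str) -> str:
    """The scheme from the thread: one memorable base plus the site name."""
    return f"{base}_{site}"

def leak_exposes_sibling(leaked: str, leaked_site: str,
                         target_site: str, target_password: str) -> bool:
    """True if swapping the site name in a leaked plaintext password
    reproduces the password used on another site."""
    return (leaked_site in leaked
            and leaked.replace(leaked_site, target_site) == target_password)

def derived_password(master: str, site: str, length: int = 20) -> str:
    """Keyed alternative: stretch a master secret with PBKDF2, then HMAC the
    site name. A leaked output reveals neither the secret nor the scheme."""
    # Assumed parameters for the illustration: fixed salt label, 200k rounds.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              b"site-passwords-v1", 200_000)
    tag = hmac.new(key, site.lower().encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()[:length]

if __name__ == "__main__":
    base = "MyPasswordIsSecureDespiteNotBeingComplexBecauseItIsLong"
    forum = pattern_password(base, "BobsForum")
    google = pattern_password(base, "Google")
    print("pattern exposed by one leak:",
          leak_exposes_sibling(forum, "BobsForum", "Google", google))

    master = "constructed master secret"  # constructed sample value
    d_forum = derived_password(master, "BobsForum")
    d_google = derived_password(master, "Google")
    print("derived exposed by one leak:",
          leak_exposes_sibling(d_forum, "BobsForum", "Google", d_google))
```

The derived scheme still has a single secret to protect, and it cannot rotate one site's password without extra state such as a per-site counter.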
Most people can surely remember beyond one password.
Not to mention they're like underpants, you can use the same one forwards, backwards, inside out, and inside out backwards.
They can remember O(1) passwords, but they need O(n) passwords
Surely not more than 1 or 2
My Bitwarden plugin locks out after a few minutes of inactivity. New installations are protected by TOTP. So one has to physically be at one of my devices a few minutes after I leave even if they have a password. This reduces the attack source to a few people that I have to trust anyway. Also I can lock / logout manually if the situation suggests. Or not log in at all and instead type the password from my phone screen.

I understand the conceptual risk of storing everything behind a single “door”. That’s not ideal. But in practice, circumstances force you to create passwords, expose passwords, reset passwords, so you cannot remember them all. You either write them down (where? how secure?) or resort to having only a few “that you usually use”.

Password managers solve the “where? how secure?” part. They don’t solve security, they help you to not do stupid things under pressure.

> so your single point of failure is now just ONE password, the consequences of which would be that an attacker would have access to all of your passwords.

Most managers have 2FA, or an offline key, to prevent this issue, and encrypt your passwords at rest so that without that key (and the password) the database is useless.

> and encrypt your passwords at rest

I haven't turned off my desktop this year. How does encryption at rest help?

My password manager locks when I lock my screen. You can configure it to lock after some time.

The database is encrypted at rest.

Locking is not sufficient: it would need to overwrite the memory where passwords were decrypted to. With virtual memory, this becomes harder.
What's sufficient depends on your threat model.

Normal dude in a secure office? An auto-locking password manager would suffice.

Someone that should be concerned with passwords in-memory is someone who believes another has full physical access to their computer (and can, say, freeze RAM in nitrogen to extract passwords).

My largest concern would be an adversary snatching my phone while my password manager was actively opened.

Locking a password manager and your computer is certainly good enough in many cases. But gaining access to memory might not need the sophistication of using nitrogen (see e.g. https://en.m.wikipedia.org/wiki/DMA_attack).
> On Unix-like systems, KeePass 2.x uses ChaCha20, because Mono does not provide any effective memory protection method.

So only Windows seems to use secure memory protection.

But still not particularly hard. mmap has a MMAP_FIXED flag for this particular reason — overwrite the arena you’re decrypting to, and you should be set.
When your old hard drive turns up on ebay.
It's not safe to sell SSDs is it?

And even if it were, who would buy a used SSD with unknown durability gone?

If the data was always encrypted, then simply discarding the keys effectively means the drive is left filled with random data. Also, NVMe drives can be sent the sanitize command which can erase/overwrite the data across the entire physical drive rather than just what's mapped into the logical view. I believe there's SATA commands to perform similar actions.
> It's not safe to sell SSDs is it?

BitLocker (or anything comparable) makes it safe, or ATA Secure Erase if you can issue it (not usable for the system drive most of the time) and check it afterwards.

> And even if it were, who would buy a used SSD with unknown

It isn't worth it for a $30 drive; for the multi-TB ones it's quite common, especially for the server-grade ones (look for the PM1723/PM1733).

The one password and the app that uses it are more secure than most other applications. Lock out is just another term for DDoS if a bad actor knows usernames.

I love proton pass.
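An added example, not part of any comment in the thread: it runs the same constructed sequence of login attempts through an n-tries hard lockout and through a per-source exponential backoff, to make concrete both the claim that lockout stops guessing and the objection that it lets anyone who knows a username lock the owner out. Class names, thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict

class HardLockout:
    """n-tries rule: lock the account after max_failures, whoever caused them."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def allowed(self, user, source, now):
        return self.failures[user] < self.max_failures

    def record_failure(self, user, source, now):
        self.failures[user] += 1

class SourceBackoff:
    """Delay only the failing (user, source) pair, doubling the wait each time."""
    def __init__(self, base_delay=1.0, max_delay=900.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}  # (user, source) -> (failure count, earliest next try)

    def allowed(self, user, source, now):
        return now >= self.state.get((user, source), (0, 0.0))[1]

    def record_failure(self, user, source, now):
        count = self.state.get((user, source), (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.state[(user, source)] = (count, now + delay)

def simulate(limiter, attempts):
    """attempts: (time, user, source, password_ok) tuples, in time order."""
    outcomes = []
    for now, user, source, ok in attempts:
        if not limiter.allowed(user, source, now):
            outcomes.append("blocked")
        elif ok:
            outcomes.append("login")
        else:
            limiter.record_failure(user, source, now)
            outcomes.append("fail")
    return outcomes

# Constructed sample: six wrong guesses from one address, then the owner elsewhere.
ATTEMPTS = [(t, "alice", "203.0.113.9", False) for t in range(6)]
ATTEMPTS.append((10, "alice", "198.51.100.4", True))

if __name__ == "__main__":
    print("hard lockout  :", simulate(HardLockout(), ATTEMPTS))
    print("source backoff:", simulate(SourceBackoff(), ATTEMPTS))
```

Per-source backoff keeps the owner's login working here, but it slows guessing only from each source separately, so it is usually combined with a global per-account rate cap or MFA.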