Hacker News new | ask | show | jobs
by Someone1234 41 days ago
Right; but in the scenario of this Tweek, you've invited someone untrustworthy into the vault and are then freaking out because they can see the post-it note of passwords. It is inherently irrational.

This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure. No obfuscation will work, because the password manager itself needs to de-obfuscation it before use (and that memory too is dump-able).

All adding in-memory obfuscation does it make ignorant people feel better, while not moving the security needle even an inch.
2 comments
stouset 41 days ago
I think we’re largely in agreement. I do think there’s some benefit in reducing the amount of time that a password is in cleartext in memory. But it’s pretty far down the list.
link
ignoramous 41 days ago
> This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure

Usually the confidential bits are hardware isolated away from the supervisor (host kernel/OS) in Enclaves/TEEs, Realms, Secure Elements, Security chips, etc.

link
oasisaimlessly 40 days ago
No, that is actually very rare, not typical. Do you have any examples of password managers that do that?
link
jazzyjackson 41 days ago
One more reason to use hardware-bound passkeys and not passwords.
link
Someone1234 41 days ago
True. But then your hardware dies, and you're locked out of every account you own. It is objectively good security, but has a ton of usability headaches yet to be really solved.

I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.

link
alterom 41 days ago
>your hardware dies

Or your backpack gets stolen.

Oops.

I swear, people who idolize passkey security must never travel anywhere.

PS: "just have more devices with passkeys", they invariably say.

Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.

link
StilesCrisis 41 days ago
I've been avoiding passkeys but more and more websites are trying to push them, and one website I use now requires them. I've already got a password manager! I don't need to change everything again!
link
dboreham 40 days ago
The good thing about this is they thereby also support FIDO2 hard tokens such as Yubikey. The UI is often confusing but you can always tell it to provision the key to your Yubikey rather than the OS enclave.
link
stouset 41 days ago
Your password manager almost certainly already has baked-in passkey support.
link
Barbing 41 days ago
>"just have more devices with passkeys"

Confirms that strategy then

For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.

It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

link
alterom 40 days ago
>It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft

Literally happened to me in Poland, which is why I avoid passkeys like the plague.

(The thief got caught months later. That didn't help me.)

>Maybe no big deal if you can port your number to a new phone right away.

T-Mobile won't mail a SIM card overseas, and I doubt others will either. There is no "maybe", it's a certainty that you won't be able to.

>Or maybe the trusted friend can help

Yeah, my wife literally mailed me SIM card to Poland.

It took over week.

And a "trusted friend" would first have had to get it somehow.

>Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

At least I logged into my accounts from that city before the laptop and phone were stolen, so my logins were not "suspicious".

That's with a password.

_____

PS: screw Citibank's mandatory phone -based "2FA".

link
slau 41 days ago
I travel a lot. By train, plane, and car. I also use passkeys when possible. I have multiple Yubikeys, stored in different locations. I also have a password manager, where I typically keep track of which logins aren’t yet backed up across physical tokens.

It takes a bit of effort, but it’s not impossible.

Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.

link
alterom 40 days ago
>Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.

No need to imagine!

Remove all passkeys from your phone and laptop, then go somewhere overseas without any of those Yubikeys.

Have fun enjoy a "not truly problematic" scenario of getting your Yibikeys from "multiple locations" you don't have access to, while being cut off from your messengers, email, bank account, etc.

Bonus points for having your card locked or stolen at the same time.

Or, imagine the backpack with your passkeys devices being stolen on an overseas trip.

Again: pray tell, then what?

link
Joker_vD 40 days ago
> It takes a bit of effort

That's a wild understatement. For most users, having a password manager is already very near to the upper bound of acceptable friction.

link
jazzyjackson 41 days ago
oh lawd, yes it does come down to 'who has the power to reset your account', and very few people want to take the path of 'no one has the power' in the case of lost credentials.
link
kenniskrag 40 days ago
> But then your hardware dies

A lot of services have password reset email features. If the email account has passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know but same category of problems already known due to sim swapping attacks in mobile sector. But for sure the Mail account is a high value target.

Storing passkeys in a database may be possible but complex to do it right e.g. backup verification, avoiding to leak while backup etc.

link
kenniskrag 40 days ago
Edit:

Banking has no selfservice password reset. A lot of work for customer support due to identification. Nobody wants to do that for free and if the accounts are freenyou may get DOSed by bots which trigger passwort resets.

link
themaninthedark 40 days ago
At my work we required a complex password <15 characters lower + cap, number and symbols.

Updated to Windows Hello and passkey.

Now I can use a 4 digit pin to login.

link
mjmas 40 days ago
Yes, but the pin uses the TPM which allows other things like only ever allowing a low number of guesses before requiring a reset of the pin (using a password or other mechanism)
link
themaninthedark 33 days ago
Thanks, didn't know that!
link
Barbing 41 days ago
>It is objectively good security, but has a ton of usability headaches yet to be really solved.

Thank you, then this is still true today?

Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.

link