John OpdenakkerI’ve asked this on Twitter before but let’s also try it here in the hope to reach more people outside of the #infosec bubble.
Do you use a password manager?
Reblogs appreciated!
Yes
No
What’s a password manager?
Show results
Poll ended at .
For the people that answer no, also interested to know why. Is it because you don’t trust it, or rather because you don’t know how to use it, or…?
Minihood@j_opdenakker I don't understand how it doesn't make passwords significantly less secure?
You now have one point of weakness, the password manager, which would reveal ALL your other passwords, no?
Tom@j_opdenakker @Minihood it allows me to have passwords which are completely random and have a length of 25+ which propably no one could have ever just remembered. A alternative would be to have them written down somewhere which is fair I guess, but since I don’t use cookies that would make me type them out everytime instead of c&p. If you add 2FA to all the accounts in your password manager it is not one point of weakness.
Josh Soref@Minihood @j_opdenakker if you use your browser's password manager, then your attack surface is roughly unchanged from using your browser:
•the room where you were when your browser suggested the password the first time (video camera)
•the video path from your computer to your screen when your browser suggested the password the first time (mitm)
•your operating system
•all running software on your computer
•your browser
•any add-ons for your browser
•the room where you were when your browser suggested the password the first time (video camera)
•the video path from your computer to your screen when your browser suggested the password the first time (mitm)
•your operating system
•all running software on your computer
•your browser
•any add-ons for your browser
@Minihood @j_opdenakker
Consider a pen and paper log:
•that video camera in your room is still a risk, but now it's a risk when you aren't in the room, and it's a risk each time you log into the site going forward
These are all still risks:
•your operating system
•all running software on your computer
•your browser
•any add-ons for your browser
@Minihood @j_opdenakker browser and operating system vendors invest a lot of time and resources into finding, fixing, and delivering fixes for their bugs because their reputation is really important to them.
Browser vendors will kick out evil or suspect add-ons for the same reason. OS vendors will to some extent, although depending on the OS you might supplement with anti-malware (Malwarebytes?).
@Minihood @j_opdenakker your computer should have disk encryption (modern cell phones do as does macOS with FileVault and Windows Pro with BitLocker).
@Minihood @j_opdenakker you can set up your Mac to use 2FA in the form of a YubiKey (something you have + the pin for it=something you know): https://support.yubico.com/hc/en-us/articles/360016649059
@Minihood @j_opdenakker you can do something similar for Windows: https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide
Rupert Reynolds@Minihood @j_opdenakker A single point of failure for all of a person's passwords would make it a higher priority target, I assume.
Once upon a time, a little black book of passwords was seen as a foolish move, second only to the post-it note or bit of card stuck to the side of the monitor. Oh my, how times have changed :-)