Password managers are best practice, but they are a reaction to the failures of passwords, rather than an attempt to replace passwords with a better proposal.
pryce|7 years ago
* Password Managers are good but inadequate as a solution because, at present, only a motivated set of any given number of users are likely to make use of them.
Do we want a solution that works well for all or nearly all users? Or will we simply settle for a solution that protects only ourselves?
At present, password managers are often third-party luxuries even though they are indispensable for basically every person. In truth, they are essential enough that standardized API hooks for password managers really ought to be baked into every consumer OS, and if we are serious about protecting users in a world where 86% of passwords are terrible, users should have to explicitly opt out of whether to use a password manager or not.
The only choices most users should be making are
* whether to use a default or nominated password manager,
* what physical tokens / 2FA approaches they want to use
* and whether they want their credentials to be stored in the cloud (convenient) or only ever stored locally (more secure, credential transfer fully under control of users).
Sites / Applications / etc requesting credentials should really provoke a standardized credential request UI on the OS, not have bespoke credential dialogues in a thousand different designs and approaches bleeding all over the internet.
The choice to have a distinct credential per site should not be a choice offered to most humans, because most humans will always make the wrong choice.
saimiam|7 years ago
I do this but I'd love to have someone tell me why this is a terrible idea (apart from the obvious one of using a 3rd party SHA-256 calculator):
1. Have a very short prefix and a suffix I can expect to remember
2. Password for every website gets generated like this: <prefix> + website name + <suffix>
3. Generate SHA-256 hash of #2
4. Use #3 as password for the site.
5. Save password to password manager
Pros -
1. losing a password on one site doesn't compromise the pattern on others because cracking SHA-256 is still not possible (afaik)
2. relatively easy rules to create new password
3. If I HAVE to login on a computer without my password manager (e.g., public workstation), I can regenerate my password on the fly.
Cons -
1. I use an external SHA-256 calculator
2. Some sites enforce password length and arbitrary case/symbols rules. Have to manipulate generated password by hand
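As an added illustration (not code from anyone in the thread), the scheme above implemented as written, next to a hypothetical hardened variant: PBKDF2-HMAC-SHA256 keyed on the memorable secret and salted with the site name, with the output re-encoded so it already satisfies the length and character-class rules from Con #2. The secret, site names and the policy check are constructed for the example; the hex digest of the original scheme is lowercase letters and digits only, so it never meets a rule that asks for uppercase or a symbol.

```python
import hashlib
import string

# Letters, digits and two symbols: 64 characters, so byte % 64 picks uniformly.
SYMBOLS = "!@"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
assert len(ALPHABET) == 64


def saimiam_password(prefix: str, site: str, suffix: str) -> str:
    """The scheme from the comment: SHA-256 hex digest of <prefix> + site + <suffix>."""
    return hashlib.sha256((prefix + site + suffix).encode()).hexdigest()


def meets_policy(pw: str) -> bool:
    """Constructed composition rule: at least one lower, upper, digit and symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def kdf_password(secret: str, site: str, length: int = 20,
                 iterations: int = 600_000) -> str:
    """Hypothetical hardened variant, not part of the thread.

    A slow KDF means each guess of the memorable secret costs `iterations`
    SHA-256 evaluations instead of one, and the result is encoded into a
    password that fits a length cap and the character-class rule without hand
    edits. A counter in the salt makes the retry deterministic when a candidate
    misses a class, so the same secret and site always yield the same password.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    counter = 0
    while True:
        salt = f"{site.lower()}:{counter}".encode()  # site name normalised
        raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt,
                                  iterations, dklen=length)
        pw = "".join(ALPHABET[b % 64] for b in raw)
        if meets_policy(pw):
            return pw
        counter += 1


if __name__ == "__main__":
    print(saimiam_password("zq", "example.com", "7!"))
    print(kdf_password("zq7!", "example.com"))
```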
I'm not sure what you are saying ... should I memorize dozens of passwords like WCLfx(edI%uHgjWM6RuEeC6Qh for the services I use or should I strap on getting those dozens of services to use a perfect SSO service that doesn't leak privacy and is perfectly secure and doesn't exist yet?
If it is well integrated with your browser it's quite ok. Maybe not as convenient as using the same simple password everywhere but certainly a lot better than having to remember a lot of different passwords ;)