top | item 34122126

xconverge | 3 years ago

If one site gets breached/exposed, your memorized username/password combination used all across the internet is now immediately available to the bad actors and you might not even know or remember everywhere it was used. Having a unique password for each site is the main advantage of a password manager to mitigate the damage in this case (to just the 1 site that was breached). Talking about your vault/passwords and "single basket" being obtained is relevant when using a password manager, especially with articles/news like this but just a different attack vector.

thot_experiment | 3 years ago

I don't think that having a unique password per site is unachievable. I do it and I don't use a PW manager. Even something as simple as prepending the site name in ROT13 to a reused password greatly reduces your exposure to the sort of background infosec threat radiation that's like 99.99% of the threat model for most people.

CJefferson | 3 years ago

That gets broken as soon as some site requires you to rotate your password, or you choose to rotate it (maybe you entered it on a device you become suspicious of). Now how do you remember the password for every website? You could keep some kind of... list, but then we are getting close to being back to password managers.

george_probably | 3 years ago

Cool, now go explain that to your parents. NOW make sure they go through and change every single password on every single account they currently have and don't just get annoyed like 5 passwords deep and decide not to bother.

The issue isn't you or me, it's what 99% of the world has to use. For the large majority of people, a password manager with one super strong password (and 2FA) makes WAY more sense.

civopsec | 3 years ago

> Even something as simple as prepending the site name in ROT13 to a reused password greatly reduces your exposure to the sort of background infosec threat radiation that's like 99.99% of the threat model for most people

If one goes with the infosec advice that you should calculate the entropy of passwords based on the assumption that the attacker knows the password scheme, then this password scheme provides zero entropy. So if there is zero cost for the cracker to pwn you as well as all the others that don't have this kind of leetspeak obfuscation, then you're still pwned.
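The scheme from thot_experiment's comment and civopsec's objection to it, worked through in code. This is an added example, not code posted by either commenter: it implements "ROT13(site) prepended to a reused base", then replays a constructed breach dump against two other constructed sites, once as plain credential stuffing and once by an attacker who knows the scheme. The site names, usernames, the base password "hunter2" and the manager-style random passwords are all made up for the demonstration.

```python
"""ROT13-site-prefix password scheme vs. a scheme-aware attacker.

Added example for the thread above, not any commenter's code.
All sites, users and the 'breach dump' are constructed sample data.
"""
import codecs
import secrets
import string


def rot13(text: str) -> str:
    """ROT13 rotates ASCII letters only; digits and punctuation pass through."""
    return codecs.encode(text, "rot_13")


def scheme_password(site: str, base: str) -> str:
    """The scheme as described: ROT13 of the site name in front of a reused base."""
    return rot13(site) + base


def recover_base(site: str, leaked_password: str):
    """Attacker step: with the scheme known, the prefix is predictable and
    can simply be stripped off. Returns None if the password does not fit."""
    prefix = rot13(site)
    if leaked_password.startswith(prefix):
        return leaked_password[len(prefix):]
    return None


def derive_password(leaked_site: str, leaked_password: str, target_site: str):
    """Turn one leaked (site, password) pair into the password for another site."""
    base = recover_base(leaked_site, leaked_password)
    if base is None:
        return None
    return scheme_password(target_site, base)


def random_password(length: int = 20) -> str:
    """What a password manager generates: fresh randomness per site, no shared part."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample: three sites, two users. 'alice' follows the ROT13 scheme
# with the (hypothetical) base "hunter2"; 'bob' uses per-site random passwords.
SITES = ["forum.example", "shop.example", "bank.example"]
ALICE_BASE = "hunter2"
ACCOUNTS = {
    site: {
        "alice": scheme_password(site, ALICE_BASE),
        "bob": random_password(),
    }
    for site in SITES
}


def login(site: str, user: str, password: str) -> bool:
    """Stand-in for each site's login check (plaintext compare for the demo)."""
    return ACCOUNTS[site].get(user) == password


def credential_stuffing(breached_site: str, dump, scheme_aware: bool):
    """Replay a plaintext breach dump of `breached_site` against the other sites.

    dump: iterable of (user, password) pairs leaked from breached_site.
    scheme_aware: whether the attacker also tries the ROT13 derivation.
    Returns the set of (site, user) pairs the attacker logged into.
    """
    compromised = set()
    for site in SITES:
        if site == breached_site:
            continue
        for user, leaked in dump:
            candidates = [leaked]  # plain reuse, the usual stuffing attempt
            if scheme_aware:
                derived = derive_password(breached_site, leaked, site)
                if derived is not None:
                    candidates.append(derived)
            if any(login(site, user, c) for c in candidates):
                compromised.add((site, user))
    return compromised


def demo():
    """Breach forum.example and stuff the dump into the other two sites."""
    breached = "forum.example"
    dump = list(ACCOUNTS[breached].items())
    naive = credential_stuffing(breached, dump, scheme_aware=False)
    aware = credential_stuffing(breached, dump, scheme_aware=True)
    return naive, aware


if __name__ == "__main__":
    naive, aware = demo()
    print("plain reuse got into:       ", sorted(naive))
    print("scheme-aware attack got into:", sorted(aware))
```

Plain stuffing gets nowhere, which is the reduction in exposure thot_experiment is describing; an attacker who tries the scheme recovers the base from one leak and gets alice's other two accounts, which is civopsec's "zero entropy once the scheme is known". bob's manager-generated passwords fall to neither. If the breached site stored salted hashes instead of plaintext, the attacker first has to crack the hash, but the predictable prefix adds nothing to that cost beyond the base itself.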

voidfunc | 3 years ago

Doesn't this assume the passwords aren't hashed and salted?

xconverge | 3 years ago

Yes, my comment made a lot of assumptions, but the original post invited them I think. Reading the other comments from the original poster changes the tone of the original message a lot. I think for someone who knows the term "infosec" and has a mental algorithm, a password manager isn't necessary per se. If we are talking about the general public, in a constantly evolving digital world, I think password managers are a good thing. I think this site is a tiny fraction of the potential userbase for a password manager.