top | item 36245748


fps | 2 years ago

Modern password managers run into issues regularly that still require a user to copy/paste a password out of a secure location. I don't know what the solution is for these situations with passkeys, but I know I don't trust password managers to do it right.

I've used iCloud, Google Chrome, Lastpass, and 1password, and they all break consistently in a few scenarios. Three that come to mind are:

  - SSO or other systems where multiple logins are linked to the same account on different host names. The password manager will require you to essentially create a separate entry for the new site that becomes disconnected from the original.

  - Having multiple logins for the same site. This breaks especially with services that use a multi-stage login, but in general it breaks frequently. If you have kids or parents whose accounts you manage, password managers will invariably ask to update the wrong password, or attempt to auto-fill the wrong password regularly.

  - Sites that request you enter the old password at the same time as you enter your new password for verification when changing a password. Password managers can't figure this out, and as a result whenever I have a password manager generate a new credential, I also make sure to copy it to a temporary location until I've verified that it was saved. Typically, because you entered the old password on the password change page, that save doesn't go through.

In the end, all these security features just boil down to how secure your password reset/customer support function is. If you're going to require people to reset their passkey every time they log into your site, why not just use a "magic link" email session initiator and be done with it?
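The three failure modes listed in the comment above (one credential spanning several SSO hostnames, several accounts on one host, and a change-password form that submits the old and new password together) come down to how a manager matches a stored entry to a page. The following toy vault is an added example written for this thread; it is not the code of iCloud, Chrome, LastPass, 1Password or any other manager, and the hostnames, usernames, equivalent-domain group and method names are all made up for illustration. It shows one defensible way to handle each case: share an entry across an explicitly declared host group, refuse to auto-fill when more than one entry matches rather than guess, and on a change-password submission update the entry whose current password equals the submitted old one instead of creating a disconnected duplicate or silently overwriting.

```python
"""Toy credential matcher for the password-manager failure modes above.

Constructed example for this discussion; not the code of any real
password manager. Hostnames, usernames and passwords are made up.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Entry:
    username: str
    password: str
    hosts: set  # every host this one credential is valid for


class Vault:
    def __init__(self, equivalent_domains=None):
        # Groups of hosts that share one login backend (an SSO realm).
        # Declared explicitly by the user; we never infer them from a URL.
        self.groups = [set(g) for g in (equivalent_domains or [])]
        self.entries: list[Entry] = []

    def _expand(self, host: str) -> set:
        """Return the whole host group a host belongs to, or just itself."""
        for group in self.groups:
            if host in group:
                return set(group)
        return {host}

    def add(self, url: str, username: str, password: str) -> Entry:
        host = urlsplit(url).hostname
        entry = Entry(username, password, self._expand(host))
        self.entries.append(entry)
        return entry

    def candidates(self, url: str, username_hint: Optional[str] = None) -> list:
        """All entries valid for the page's host, optionally narrowed by username."""
        host = urlsplit(url).hostname
        hits = [e for e in self.entries if host in e.hosts]
        if username_hint is not None:
            hits = [e for e in hits if e.username == username_hint]
        return hits

    def autofill(self, url: str, username_hint: Optional[str] = None) -> Optional[Entry]:
        """Fill only when exactly one entry matches; ambiguity means ask, not guess."""
        hits = self.candidates(url, username_hint)
        return hits[0] if len(hits) == 1 else None

    def save_or_update(self, url: str, username: str,
                       old_password: Optional[str], new_password: str) -> str:
        """Handle a form that submits old and new password together.

        'updated'  - an entry for this user had the submitted old password
        'conflict' - entries for this user exist but none matches old_password;
                     leave them alone and let the user decide
        'created'  - no entry for this user on this host yet
        """
        matching_user = self.candidates(url, username)
        for entry in matching_user:
            if entry.password == old_password:
                entry.password = new_password
                return "updated"
        if matching_user:
            return "conflict"
        self.add(url, username, new_password)
        return "created"


if __name__ == "__main__":
    # Hypothetical SSO realm: two hostnames, one backend account.
    v = Vault(equivalent_domains=[{"login.example.com", "mail.example.net"}])
    v.add("https://login.example.com/", "alice", "pw1")
    print(v.autofill("https://mail.example.net/inbox"))   # shared entry

    # Two accounts on the same host: no blind auto-fill.
    v.add("https://bank.example.org/login", "alice", "a1")
    v.add("https://bank.example.org/login", "kid", "k1")
    print(v.autofill("https://bank.example.org/"))          # None, ambiguous
    print(v.autofill("https://bank.example.org/", "kid"))   # kid's entry

    # Change-password form submitting old and new together.
    print(v.save_or_update("https://bank.example.org/account", "alice", "a1", "a2"))
    print(v.save_or_update("https://bank.example.org/account", "alice", "zzz", "a3"))
```

The `conflict` branch is the caveat a practitioner cares about: when the old password the page submitted does not match what the vault holds, the safe behaviour is to keep the stored entry and prompt, because overwriting on a guess is exactly how the wrong password ends up saved for the wrong family member.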



piloto_ciego | 2 years ago

I don’t know, I’ve found quite a few workarounds for stuff like this with BitWarden where the experience is pretty seamless, and I routinely deal with all of these issues except SSO.

BitWarden has its problems but generally I find the experience pretty good - indeed far superior to the other services you mentioned. The ability to use “secure notes” and the convenient way that has been implemented in BW has allowed me to be fine in all the scenarios you’re mentioning.

Of course, you’re right, you still have to copy the password in somewhere, but ultimately I feel like that’s a lower threat if properly handled than what I used to do (shitty insecure passwords).

The other thing is I barely ever use the browser extension for the password manager. All of the browser extensions I’ve tried other than BitWarden have been janky, and even that’s only OK. Still, try BW; I like it way better than LastPass and 1Password.