On Wed, 6 May 2020 20:37:13 -0400 Kent Borg <[email protected]> wrote:
> Choose and deploy password in such a way that you can survive many
> bugs.

I'll counter with: you should stop making assumptions. First of all, this:

> Which is near where we started. By having passwords so cumbersome
> that they require convenience-driven password management you are
> betting that your password manager software is, for some magical
> reason, bug-free.

I don't use a password vault because I use cumbersome passwords. I use a vault because I can't keep track of literally hundreds of unique site passwords regardless of how memorizable each one might be.

And this:

> Why do you care about rainbow attacks? Once a site is so badly
> compromised that an attacker the account database...what difference
> does it make if your plaintext password can be acquired? They are so
> owned.

Because I can.

> What if my password encryption has a really bad flaw? No big deal if

If you were following along you'd know that I use GnuPG for the primary encryption. While it's possible that GPG has such a flaw, I can be confident that it will be fixed quickly, and re-encrypting the vault is not difficult.

> I also go to significant effort to prevent anyone from getting a copy
> of it. By having a limited feature password database it is possible

At rest, my vaults reside on BitLocker-encrypted virtual disks which are tied to each machine's TPM on machines I physically control and locked with passwords different from the account logins. In flight, SyncThing uses TLS 1.3, which is as good as we can reasonably get right now.

> to put a layer of security around it. But if it is sitting between
> you and the internet, doing stuff automatically, then it is *on* the
> internet. And you should be scared.

I think you also missed the part where I explained that I don't use Lastpass or 1Password. My passwords aren't "sitting between me and the Internet".

> Most people should keep their password list, somewhat obfuscated,
> hand written, on paper, and then guard that paper carefully, as
> though it were very important.

I'm not "most people", and keeping 250+ passwords and growing handwritten on a piece of paper is entirely unusable.

-- 
Rich Pieri

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
