I trust that most people would never even notice that you miraculously slipped them a magic password stealing worm, so you're welcome to use your superior than all blackhat ways to conquer the free world in no time.

Most people can safely assume they are a small target in a gigantic pool of users to steal information from.

Let's continue with that 1Password example. Each account that is synchronized with their cloud service doesn't just have a master password, it also has an email address and lengthy secret key. The web page as well as the software will remember the email address and secret key, so those won't be something you'll be seeing typed in on a regular basis, if ever. Of course, you'll just be using your magic worm's form sniffer to see the almost-completely-censored field contents, but then you'll realize you need to peek into the browser or app's local storage, and decrypt the session key using your keylogged master password.

Then, boom, you're into the cloud account, stealing all of their passwords. Each password even comes with the URL to the site where it was first generated, for your hacking convenience. What more could a blackhat ask for? Of course, they won't go undiscovered, since the app conveniently emails the owner every time one of their accounts is added to a new device, but who cares, since the hacker can just use the email credentials in the database to hack their email account as well?

Even better: Now it also has TOTP support, minus 8 digit Authy using sites, so they can crack all of your TOTP using sites as well. Why even bother?

It even has a handy feature called WatchTower, that will alert you of any passwords that were created at sites that publicly announced compromises, notifying you of any passwords that were created before the announcement. Of course, who trusts things like this to work?

The best practice is always security through obscurity. Don't tell anyone what you do, and you'll never get hacked. If you do, also never admit that you spent a week going on a mad scramble to change hundreds of passwords, either. That'll show them all.

Security through obscurity is just as bad as a idea. That's windows 98 territory. And not telling people how your secure things is not security through obscurity. Security through obscurity is when you have a major flaw and shut up about it or try to hide it hoping that it never gets exploited. I tend to fallow the need to know practice when it comes to security

Wile there definitely have been some major advancements in password managers, I have yet to see one that's worthwhile, until a password manager is made without any password storage, hashed encrypted or whatever, master password/login to unlock everything I'm not recommending them to anyone that can use unique passwords.

Your still better off with multi factor logins at this point if you ask me.The more layers the better.

Also one major problem I have with mangers is people that forget how to use them. Some one set me grandmother up with Apple's Keychain, she forgot the Keychain password witch meant she could not log into anything.
Any form of security with a single point of failure is just asking for trouble.

And that is why every household with computer users needs its own IT specialist living on premises, to serve as default tech support for everything that the computer illiterate will run into. I've already been elected into this position for my household.

dr_st wrote:

The way I see it, you either have one place where you store it (and then it's always has to be with you, and there is a risk of data loss / theft)

Uh password theft from physical attackers is a risk no matter what you do with your passwords. If you're one of the people who type and remember your passwords that's what keyloggers are for.

dr_st wrote:

The way I see it, you either have one place where you store it

You don't ever store important data in just one place.

dr_st wrote:

or you have multiple storage spots, where you have to constantly synchronize between them.

Alternatively, you don't create new accounts constantly. Why are you creating new accounts constantly?

Also when you do, are they really too important to lose? Can't be retrieved via forgotten password if worst comes to worst. This is talking about if you're synchronizing for backup purposes.

If you're synchronizing passwords because you need them on multiple devices, are you really constantly creating new accounts that you need access to on multiple devices?

It's about 6 months since I had to synchronize my passwords.

Jade Falcon wrote:

dr_st wrote:

ZellSF wrote:

Not telling people your password pattern is not and never was best practice. Not having a password pattern is best practice. That requires a password manager. Use an offline one if you don't trust the cloud.

Thats not much different then using the same password everywhere. I only need to make a worm with key logger and snatch up your password manger password . If your remember your passwords you'd likely find the worm before you give it everything.

You do know what keyloggers do to people who DON'T use password managers right?

No they wouldn't magically find the worm before they logged into important accounts, they would lose the important accounts without any specific targeting while against a password manager you'd have to actually program your worm to copy the password manager database.

Jade Falcon wrote:

A well made mangier is grate in meany ways but fundamentally bad in just as meany. The only thing you're protected from is someone at a computer tying to gees your password to Facebook or something. if they get any local accesses your screwed.

Uh, fucking duh? If a determined attacker have physical access you're ALWAYS screwed. As mentioned above that's really not an argument against password managers though.

You say you're "only" protecting against someone trying to guess your Facebook password. That's really the main threat to your account security, hackers are constantly trying to "guess" your password by using patterns they establish from looking at your previous passwords or just you know actually using your previous passwords because everyone who "remembers" their password are guilty of some level of reuse.

Of course they aren't trying to get into your Facebook account, but any account that holds money or anything that can be traded for money.

They'll also be employing phishing attacks, which password manager offers some very minimal protection from.

Sorry your argument against password managers here is laughable. You're not trying to protect against people who already have entirely compromised your computer. That's not a doable thing. You're trying to protect against internet hackers who are just trying to breach your account. Which is doable, and password managers are the best way of doing it.

Jade Falcon wrote:

Any form of security wit ha single point of failure is just asking for trouble.

Guess what human memory is? A single point of failure. I've talked to enough people that lost critical accounts. The people who've written down their passwords (a primitive password manager)? Not among them.

Jade Falcon wrote:

I'm not recommending them to anyone that can use unique passwords.

So you would recommend them to everyone?

I've yet to meet a human who's told me they can remember unique secure passwords for everything. There's always a pattern, a weakness to be exploited.

Jade Falcon wrote:

Also one major problem I have with mangers is people that forget how to use them. Some one set me grandmother up with Apple's Keychain, for forgot the Keychain password witch meant she could not log into anything.

A problem very easily solvable with very very minimal education.

Yes I know teaching users anything is hard, but educating them to deal with this is easy compared to the mess you have to teach them without password managers.

Though in that particular case you wouldn't want to educate her, but set up her system properly for her in the first place (make her type her password each time she starts her computer for example).

You do know what keyloggers do to people who DON'T use password managers right?

Passwords get stollen one at a time as apse to all at once. If you system as a well written key loger worm it may as well have a rat too. Atlest without a manager it has to wait to nab up every password. That gives you time to catch it.

I dealt with these kind of cases daily and more and more I find systems with password managers have leaks more often, in the work place that is. I come acrossed a lot of targeted malware written to attack passwords managers. I really should report them given anti malware don't always pick up on them.

So you would recommend them to everyone?
I've yet to meet a human who's told me they can remember unique secure passwords for everything. There's always a pattern, a weakness to be exploited.

No, I happen to know quite a few people that can remember several unique passwords. I have a work place requirement that requires me to memorize 37 randomly generated passwords and so does a few others key people. If one quites they all change. 😵 that was put in place before me.
A bigger problem is people that have 20 plus user accounts, personaly I have 5 accounts online in total. Not hard to remember 5 unique passwords. In the workplace if you brake up all accounts to certain users your end up with with a much better system. On one has everything or anything they don't need and only has to remember a few account logins.

Yes I know teaching users anything is hard, but educating them to deal with this is easy compared to the mess you have to teach them without password managers.

Strongly agree there.

Though in that particular case you wouldn't want to educate her, but set up her system properly for her in the first place (make her type her password each time she starts her computer for example).

Her computer is allready setup that way. She forgets it too. She's a prime example of my average client I deal with daily. Most of them would refuse to use a password manager long before them even talk to me. Or even a password.

ZellSF wrote:

Alternatively, you don't create new accounts constantly. Why are you creating new accounts constantly?

I probably find myself signing up for at least one different unique new web site at least every month. At the current rate, I probably have accounts on well over 300 unrelated web sites, and unique services passwords on 20+ IRC networks. I also have four different personal email accounts.

Some of these services, which I may not even use for years after first signing up for them, but will wish to have access to at a moment's notice, expire their accounts. Among those is the annoying 4shared, which I've had to sign up for at least three times in the past decade, as some asshole uses them to post a file, and I'm forced to register to download it.

I probably shouldn't be saying this, but I reuse the same login password for my master key, and for my OS login keys on most of my operating systems, except for my Microsoft account, which is a combination of epithets yelled at them for making me change my password that day. Go ahead and worm my computer, by that point I'm totally compromised anyway.

I doubt most people would even recognize that they have a key logger installed on their machine, even if you started stealing their accounts, until such time as you start doing silly things like typing things on their inputs and randomly ejecting their optical drive, if they still have one. At which point they may think their computer is on the fritz and call upon someone smarter to examine it more thoroughly.

Memorizing 37 passwords, congratulations, that's a new low. Especially if they're all shared with everyone in the office, and a single personnel loss means changing all of them simultaneously. I mean, come on.

Then again, that reminds me of my dad's old office, where everyone knew everyone else's login password (some of them not case sensitive) and posted them on their monitors, and noted on papers in their drawers as well. I don't even think they bothered to rotate passwords when old personnel left the ecosystem.

ZellSF wrote:

If you're synchronizing passwords because you need them on multiple devices, are you really constantly creating new accounts that you need access to on multiple devices?

Not constantly, but regularly, yes.

Also, the worst thing is that, as kode54 mentioned, some services you don't use can expire, and even worse - a lot of services dealing with sensitive information (financial/medical) set up a system that forces you to periodically change your password, due to some dumb notion that it's more secure this way.

It wasn't such a dumb notion, back in the days when some evil player could be sitting there, brute forcing every possible combination of passwords against your account over months of time, until they finally hit jackpot. Of course, this level of stupidity has been negated long ago with the invention of retry delays and limited retry accounts before they lock out your access.

Even that example in itself is not enough.

Suppose that the evil player is in the middle of his bruteforcing and you just changed your password? Does it affect at all any of his chances of success? Not the slightest. The new password, just like the old password, is exactly one random combination out of the set of all combinations. His chances of guessing the new one are exactly the same as his chances of guessing the old one.

The only thing periodical password changes protect against is silent spies - if your passwords was guessed and leaked, and someone is just using it periodically to monitor your activity without doing anything to announce his presence. Then if you change it, he is locked out again.

Jade Falcon wrote:

You do know what keyloggers do to people who DON'T use password managers right?

Passwords get stollen one at a time as apse to all at once. If you system as a well written key loger worm it may as well have a rat too. Atlest without a manager it has to wait to nab up every password. That gives you time to catch it.

Time to catch it? If it goes undetected in the first place, it will go undetected long enough for it to get your critical logins.

There might be like, one or two dudes on the entire planet who will somehow magically find malware in before logging in to critical accounts who has failed to find it previously when it first showed up, but this is a ridiculous thing to suggest as best practice.

Most people are not looking for malware all the time. If they didn't detect it when it showed up, they won't detect it until someone else looks at their computer.

At any rate, it's a meaningless argument since this is a very very uncommon problem. People mostly steal accounts in other ways (by exploiting password patterns because crazy "IT professionals" keep telling people they should memorize their passwords), if they have access to your computer they try to gain money via ransomware.

Jade Falcon wrote:

No, I happen to know quite a few people that can remember several unique passwords. I have a work place requirement that requires me to memorize 37 randomly generated passwords and so does a few others key people.

Protip: at least five of those people have those passwords written down and if you're recommending against password managers, probably not in a secure way. And the passwords are probably comparatively weak if you ask people to memorize 37 of them.

And 37 passwords isn't a lot. Lots of people have over a 100 accounts outside of work. Humans just can't memorize that many long randomly generated strings.

Jade Falcon wrote:

I dealt with these kind of cases daily and more and more I find systems with password managers have leaks more often, in the work place that is. I come acrossed a lot of targeted malware written to attack passwords managers. I really should report them given anti malware don't always pick up on them.

Either your workplace is a very secure and targeted facility in which case it really doesn't apply to most people or that's bullshit. Considering it's telling people to memorize 37 random passwords (and it doesn't enforce password management policies), I'm going with bullshit.

I've never even heard of anyone losing their accounts to malware hijacking their password managers. People who lose their accounts due to hackers "guessing" their passwords and/or phishing schemes? Yeah I run into those quite a bit.

dr_st wrote:

Also, the worst thing is that, as kode54 mentioned, some services you don't use can expire, and even worse - a lot of services dealing with sensitive information (financial/medical) set up a system that forces you to periodically change your password, due to some dumb notion that it's more secure this way.

At most that's every 90th day though (sadly, that's my current workplace requirement...). Hardly constantly.

kode54 wrote:

I probably find myself signing up for at least one different unique new web site at least every month.

Not really constantly either, connecting your phone and a usb drive to your PC once a month isn't a whole lot of work is it? And again, how many of those logins do you need to backup and how many of them do you need access to on all your devices?

ZellSF wrote:

And 37 passwords isn't a lot. Lots of people have over a 100 accounts outside of work. Humans just can't memorize that many long randomly generated strings.

There is no need to use randomly generated strings for passwords. Passphrases are much better, but not all services allow them.

ZellSF wrote:

At most that's every 90th day though (sadly, that's my current workplace requirement...). Hardly constantly.

That makes two of us. But it's not just the workplace. I have at least 10 different services that require periodical password changes.

ZellSF wrote:

Not really constantly either, connecting your phone and a usb drive to your PC once a month isn't a whole lot of work is it? And again, how many of those logins do you need to backup and how many of them do you need access to on all your devices?

That's as "constantly" as it gets, and yes, if you have like 5-6 PCs you can use regularly + a phone + who knows what else, it's already annoying, even if it's once a month. Because it's not the kind of thing you do routinely. You will want to check something quick, and will suddenly realize that you need to get your USB drive and sync now, which is just not something you want to deal with when you want to check something quick.

Ultimately it depends on the kind of person you are. If you are one of the few that can do this regular synchronization proactively, you will not be bothered. If you only have one device that you use 99% of the time, you will not be bothered. If you are like me, with multiple devices, you will be. I know that I get rather annoyed from having to manually synchronize anything. I'd rather just remember semi-strong passwords.

dr_st wrote:

ZellSF wrote:

And 37 passwords isn't a lot. Lots of people have over a 100 accounts outside of work. Humans just can't memorize that many long randomly generated strings.

There is no need to use randomly generated strings for passwords. Passphrases are much better, but not all services allow them.

Better as a security/convenience tradeoff for some people, maybe. Better overall? No.

I've heard of passphrases as the next big recommendation and I just don't get it. Say with standard passwords, a hacker has gotten these two passwords from you:

P$ssword1
P$ssword2

He can easily guess your password for any other service you use but using passphrases like this:

My password is 1
My password is 2

Isn't any better. You might say that's stupid, but it's what people do. They use simple, predictable patterns, because remembering lots of passwords is difficult to them.

Now you can say you can teach people to generate passphrases that are unguessable, but if you're going to teach them something why not teach them to use password managers? The possibilities of human error goes drastically down that way.

A long passphrase is better than a short password with special characters, in the sense that it is easier to remember and harder to crack.

However, unless you are a fast typer, it is longer to input.

You do have a point that without education, people will continue using stupid passphrases just like they use stupid passwords. Still it will be harder to crack than a password, but if you have a stupid pattern (or just use the same one everywhere), it will be just as easy to extrapolate.

So, a long randomly generated password is better in the security sense, but it makes an intermediary service (password manager) mandatory. You don't have a problem with that, many people I know don't have a problem with that, but to me it is just inconvenient, so I'd rather not use it.

Also, if/when password managers become standard, and people start relying on them exclusively, the crackers will start with focused attacks on password managers, and inevitably some cases of cracks/leaks will happen, and the affected users will have all their passwords compromised at once. It will be the next worst thing after an identity theft.

In general, length beats complexity. Here's a great brute force calculator to play around with:
https://www.grc.com/haystack.htm

edit:

So...

1xJ1%^ao2I,

can be brute-forced much faster than

1Joe's Crab Shack

if there's no rainbow table being used.

dr_st wrote:

Also, if/when password managers become standard, and people start relying on them exclusively, the crackers will start with focused attacks on password managers, and inevitably some cases of cracks/leaks will happen, and the affected users will have all their passwords compromised at once. It will be the next worst thing after an identity theft.

1: Email
2: Phone

That's your recovery options (because you have to memorize your password, those are needed). That's what crackers are launching focused attacks on now. The scenario you're thinking of already exists. It's not going to change with password managers, they're just going to move from one target to a different one.

That scenario you're fearing? It results in less account compromises than password reuse.

clueless1 wrote:

In general, length beats complexity. Here's a great brute force calculator to play around with: https://www.grc.com/haystack.ht […]
Show full quote

In general, length beats complexity. Here's a great brute force calculator to play around with:
https://www.grc.com/haystack.htm

edit:

So...

Copy code to clipboard

1xJ1%^ao2I,

can be brute-forced much faster than

Copy code to clipboard

1Joe's Crab Shack

if there's no rainbow table being used.

No one's brute forcing passwords though.

ZellSF wrote:

No one's brute forcing passwords though.

If that's true, then why are there so many brute force tools?

Passphrases are good. I've been using a short line from an obscure 16th century play to encrypt my most important data for many years. I don't have this written down anywhere.

I don't think there's anything wrong with having passwords written down, provided they are in a secure place. Some people with highly secure passwords keep them on paper or a USB stick in a safety deposit box, for example. If your house is secure enough for you, then on a piece of paper in your drawer is fine. Everyone has a different balance between convenience and security in their individual environments. Someone living in a free country in a gated community has a different security mindset then someone living in an oppressed country.

clueless1 wrote:

ZellSF wrote:

No one's brute forcing passwords though.

If that's true, then why are there so many brute force tools?

Probably because skids think they get leet skid street cred by releasing their own brute forcing tool. They're still really only useful against local files, not network resources.

clueless1 wrote:

ZellSF wrote:

No one's brute forcing passwords though.

If that's true, then why are there so many brute force tools?

I should have specified, no one brute forces passwords to online accounts.

Even for offline passwords, brute forcing is a last resort. Who doesn't try "Password" before they try "xJ1%^ao2I,"? It only makes sense if you know the password is randomly generated and most people don't do that.