How Password Managers Work (and yes, you should get one) [Computerphile]
Sean Riley: "Would you recommend a password manager?" Dr. Mike Pound: "A 100% yes." Michael P. Pound is a researcher at the University of Nottingham known for his work in bioimage analysis, computer vision, image recognition, and computer security. Although he is not a security researcher, he does heed the consensus among security experts (who themselves use password managers). I'm looking forward to the FP armchair experts somehow justifying yet again that the common user shouldn't use a password manager still, over the advice of security experts. https://youtu.be/w68BBPDAWr8
I was a bit reluctant to switch to a password manager, and when I finally did it was one of the best decisions I've ever made. No longer worried about remembering a million passwords for different services, or whether my passwords are unique enough from one another. When a major leak happens I don't bat an eye, I just regenerate all my important passwords and move on with my day. It's a minor initial inconvenience and change in routine that you immediately get used to and has huge benefits. I can't see how anyone is genuinely against them, they're usually just lazy or scared of change.
It usually comes down to the fact that the best case scenario (keeping a handwritten note of all passwords) is marginally more secure, but in practice it's too inconvenient and easily leads most people to recede into old habits, and then you're back to square one. Usability is as much a factor of security as any other component.
A password manager combined with a system for generating random, yet memorable passwords (such as diceware) is perfect. You end up being able to create and memorize unique passwords for every service you use with the manager acting as a backup in case you forget one.
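To make the diceware idea concrete, here is an added example that is not from the post or the video: dice rolls (from a CSPRNG standing in for physical dice) index a wordlist, and the entropy of the result depends only on the list size and word count, not on how the words look. The 36-word list below is constructed for the demo so two dice index it exactly; a real Diceware list has 7776 = 6^5 entries and is indexed by five dice.

```python
import math
import secrets

# Constructed toy wordlist: 36 = 6**2 entries, so two dice select a word.
# A real Diceware list has 7776 = 6**5 entries and uses five dice.
TOY_WORDLIST = [
    "acid", "ball", "cake", "dawn", "echo", "fern", "gold", "harp", "iris",
    "jade", "kite", "lamp", "moss", "nest", "oak", "pear", "quiz", "rope",
    "sand", "tide", "urn", "vine", "wolf", "yarn", "zinc", "apple", "brook",
    "cliff", "drum", "elm", "flint", "glove", "hill", "ink", "jar", "knot",
]
assert len(TOY_WORDLIST) == 36


def roll_dice(n_dice: int) -> str:
    """Roll n_dice fair dice using the OS CSPRNG; returns e.g. '3615'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_to_index(roll: str) -> int:
    """Read a dice string as a base-6 number (faces 1-6 map to digits 0-5)."""
    idx = 0
    for face in roll:
        if face not in "123456":
            raise ValueError(f"not a die face: {face!r}")
        idx = idx * 6 + (int(face) - 1)
    return idx


def dice_per_word(list_size: int) -> int:
    """Number of dice needed to index a list whose size is a power of 6."""
    n_dice = round(math.log(list_size, 6))
    if 6 ** n_dice != list_size:
        raise ValueError("wordlist size must be a power of 6 for plain dice indexing")
    return n_dice


def generate_passphrase(wordlist: list, n_words: int, sep: str = " ") -> str:
    """Diceware: each word is chosen by an independent roll of all the dice."""
    n_dice = dice_per_word(len(wordlist))
    return sep.join(wordlist[dice_to_index(roll_dice(n_dice))] for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of an n_words passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("toy passphrase:", generate_passphrase(TOY_WORDLIST, 6))
    print("toy entropy, 6 words:", round(entropy_bits(36, 6), 1), "bits")
    print("Diceware entropy, 6 words:", round(entropy_bits(7776, 6), 1), "bits")
    print("Diceware words for 80 bits:", words_needed(7776, 80))
```

The toy list gives about 31 bits for six words, which is why the real list is 7776 words: six of those are about 77.5 bits and seven exceed 80. Choosing a word yourself, or re-rolling one you dislike, lowers the entropy below these figures, so roll and accept.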
I forget how long I've been using KeePass (now using KeePassXC) for all my passwords, but it is such a boon to have. It's nice to just have a program come up with secure randomly generated passwords and remember them for me, and with browser extensions even allowing for things like autofill, it also removes the inconvenience of having to even open the program and copy-paste. Yeah, there's some potential security risk if you have that data stored online to sync (either via LastPass or putting it on something like Google Drive), but typically, unless you have a weak password for those services along with a lack of 2FA, the chances of someone breaking in and stealing your shit are pretty low. Someone would have to pretty much break into my house and log into my computer to get my passwords at this point, and seeing as I use Windows Hello to log into my desktop, I wish them luck with that.
Once upon a time, I used KeePass for all of my passwords, but over time I fell off using it. It, ironically, became more inconvenient for me to use than just remembering my individual passwords, due to the fact that I used a stupidly long 72-character password for the master, and I never allow anything to autofill passwords, be it online or offline. So I had to type it in every single time. My Steam password pretty much pushes the limit of how long a password I can comfortably remember and type in every time, at 27 characters. Anything more than that just becomes a slog. Most of my other passwords hover around the 16-character area. Password managers are great for laymen though, and I absolutely encourage them. This video does a good job handling just how well secured they are, especially if you watch the supplemental videos on what a hash function is and how it works, to fully drive home just how infeasible it is to break the layers of hashing used in password managing.
I don't use a password manager and just remember all my passwords. Though this is because I both never save passwords, so I have to type them in every time, and I use passphrases, which are infinitely easier to remember while also being longer. Also, my passphrases have nothing to do with the website I log into or any of my interests; they're just random shit I come up with off the top of my head (they often are quite fucking stupid). Also, I've mentioned this before, but fuck whoever it was at Microsoft who decided a max password length of 16 was a good idea for the 360. My entire Microsoft account is less secure because of this shit.
Seeing leaks every now and then and then this video, I'm a bit interested. What are some good password managers I (or others that have become interested after this video) should take a look at?
So, interesting bit of information: you can set your KeePass database to work via a few special options, most obviously an extremely strong master password (mine in particular is around 60 characters). But you can also have it require a certain keyfile to be present that it checks for, usually by having the keyfile on a USB drive and plugging it in when you need it. You can use whichever one(s) you want, depending on how secure you want to get.

The advantage of having an extremely strong password is for safety. Not only does an intruder need the database (which isn't easy to get in the first place!), they would also need your very strong master password. The first option is brute-forcing. Thanks to database settings, you can make brute-forcing even more time-consuming than it already is. Combined with a long and complicated enough password, brute-forcing becomes nearly impossible. https://i.imgur.com/pmYxBI3.png

The next thing to be worried about is keyloggers. Fortunately, KeePass has a setting (which isn't enabled by default) that prevents keyloggers from working, with the exception of those specifically developed to counteract it. Detailed below: https://i.imgur.com/lNtmwk9.png

Unless there is some secret backdoor into the software or database, or unless you have the government after your precious Pornhub account, odds are no one is going to get into your database. In my case, even if someone got in, a select few very important passwords such as my email are not inside there. If someone gets onto my precious Twitter account and starts spamming, I can just lock it because I still have access to my email.

I chose KeePass in particular because I am the retainer of my own database. The number of people who would attack me directly is much, much smaller when compared against a huge company like LastPass. While I'm sure LastPass's security is leagues better than anything I could ever manage, it feels better to know my database is safe on my computer.
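The two protections the post above describes, a master password combined with a keyfile and database settings that make each brute-force guess slower, can be shown in a few lines. The following is an added example, not KeePass's code or the post's: the composite-key layout is modelled on KeePass's approach (hash each factor, then hash the concatenation) but is an illustrative assumption, not the KDBX specification, and PBKDF2-HMAC-SHA256 stands in for the AES-KDF/Argon2 transform KeePass actually uses. The `ToyVault` class, the sample password and the keyfile bytes are constructed for the demo.

```python
import hashlib
import hmac
import math
import os
import time
from typing import Optional


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Fold the master password and an optional keyfile into one 32-byte key.
    Without the keyfile bytes the result is a different key, so the password
    alone cannot open a database that was created with a keyfile.
    Illustrative layout, not the exact KDBX byte format."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_master_key(composite: bytes, salt: bytes, iterations: int) -> bytes:
    """Key stretching: every guess costs `iterations` rounds, for the attacker
    as much as for the owner. PBKDF2 here stands in for KeePass's AES-KDF/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


class ToyVault:
    """Stand-in for a database header: random salt, KDF round count and a
    verifier hash of the derived key (the key itself is never stored)."""

    def __init__(self, password: str, keyfile: Optional[bytes] = None,
                 iterations: int = 200_000):
        self.salt = os.urandom(32)
        self.iterations = iterations
        key = derive_master_key(composite_key(password, keyfile), self.salt, iterations)
        self.verifier = hashlib.sha256(key).digest()

    def unlock(self, password: str, keyfile: Optional[bytes] = None) -> bool:
        key = derive_master_key(composite_key(password, keyfile), self.salt, self.iterations)
        return hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier)


def measure_guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Time the KDF on this machine: how many guesses/second one core manages."""
    salt = os.urandom(32)
    start = time.perf_counter()
    for i in range(samples):
        derive_master_key(composite_key(f"guess-{i}"), salt, iterations)
    return samples / (time.perf_counter() - start)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password over alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the keyspace on average."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Constructed demo inputs; a real keyfile would be random bytes on a USB stick.
    vault = ToyVault("correct horse battery", b"constructed-keyfile-bytes")
    print("password + keyfile:", vault.unlock("correct horse battery", b"constructed-keyfile-bytes"))
    print("password only:     ", vault.unlock("correct horse battery"))
    for rounds in (1_000, 200_000):
        rate = measure_guesses_per_second(rounds)
        print(f"{rounds:>7} rounds: {rate:,.0f} guesses/s on this core; "
              f"a 40-bit password lasts ~{seconds_to_crack(40, rate) / 86400:,.1f} days")
    print("60 random printable chars:", round(password_entropy_bits(60, 94)), "bits")
```

Raising the round count buys a linear factor (200x more rounds, 200x slower cracking), while each extra bit of password entropy doubles the work, which is why the 60-character password matters far more than the KDF setting. Note that the keyfile only helps if it does not sit next to the database; a keyfile on the same disk as the .kdbx adds nothing against whoever copied that disk.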