Walt Mankowski via plug on 30 Apr 2022 17:26:43 -0700



Re: [PLUG] Correct Horse Battery Staple


On Sat, Apr 30, 2022 at 07:17:53PM -0400, Steve Litt via plug wrote:
> K.S. Bhaskar via plug said on Sat, 30 Apr 2022 17:59:15 -0400
> 
> >Horse battery staple is a terrible idea. If you have to remember five
> >random sequences of four words each, you can, but if you have to
> >remember 20 (most people have logins for at least e-mail, social
> >media, banking, etc.) it's questionable whether you can. Horse battery
> >staple may be a good idea for a master password for a password
> >manager, but that's it; certainly not for a bunch of accounts. Instead
> >of random sequences of words, most people will end up using meaningful
> >phrases like “Mikey's high school PTO” which have far less entropy.
> 
> The preceding is exactly what I was going to say.

The preceding is an argument for using a password manager.

> There are three kinds of password users:
> 
> 1) Dingbats who use their wife's birthday.
> 2) People who use a keychain and hope nothing technical ends up losing
>    every password.
> 3) People using their own personal combination of good passwording
>    principles and security by obscurity.

These 3 aren't equivalent. Most web browsers these days can generate
strong passwords and store them securely. My problem was that I bounce
between Linux, macOS, iOS, and Windows on a nearly daily basis, and
keeping the passwords synced was becoming a problem. Password managers
do basically the same thing, but the app runs on all the platforms and
syncs the database for me.

Now the only passwords I need to memorize are for the password manager
itself (1Password in my case) and the systems themselves. The app
takes care of everything else.

It's true that I need to trust that the company I'm using is storing
things securely and isn't hacked. 1Password claims [1] that they only
keep encrypted copies of passwords and that they can't access any of
the raw data themselves.

You can certainly choose not to trust them. I know. I did this all
myself for decades. Now I see that the big benefit of using an app
that's designed for managing passwords is that it makes doing things
the right way the easy way. All of the totally legitimate concerns
that people have brought up in this thread go away when you have a
tool to manage the complexity for you. 1P can even do Authenticator-
style 2FA, so I don't have to fumble around for a separate app every
time I need to login to my bank's website anymore. I've turned on 2FA
on a lot more sites now that it's no longer a hassle to use.

Note -- I don't intend this to be a commercial for 1Password. They've
got competitors who make similar claims, so do your due diligence if
you're interested.

Walt

1. https://1password.com/security/
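The entropy argument quoted at the top of this message (four random words is fine for a master password, a "meaningful phrase" is not) comes down to how the words are chosen, not how long the result is. The following is an added example, not code from the original post or from any password manager: it generates a passphrase with the OS CSPRNG and computes the entropy of that process from the wordlist size alone. The eight-word wordlist is constructed for the demonstration; a real list such as a 7776-word diceware list is referenced only by its size, since only the size enters the arithmetic. The guess-rate figure is an assumed input, not a measurement.

```python
import math
import secrets

# Constructed sample wordlist. A real diceware-style list has thousands of
# entries; this one only exists so the generator runs offline.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "tinsel", "ocean", "puzzle", "garden"]

# Size of the EFF large wordlist (6^5 entries); used here only as a number.
DICEWARE_SIZE = 7776


def entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy of a passphrase built from num_words uniformly random draws
    (with replacement) from a wordlist of wordlist_size entries.

    This is log2 of the number of equally likely passphrases. It depends only
    on the selection process: a hand-picked phrase such as "Mikey's high
    school PTO" is drawn from a far smaller, guessable space, so its entropy
    cannot be read off its character count and this function does not apply.
    """
    if wordlist_size < 2 or num_words < 1:
        raise ValueError("need a wordlist of at least 2 and at least 1 word")
    return num_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, num_words: int = 4, sep: str = "-") -> str:
    """Draw num_words words uniformly with the OS CSPRNG.

    secrets.choice is the correct primitive here; random.choice is seeded from
    a predictable state and must not be used for secrets.
    """
    if num_words < 1:
        raise ValueError("num_words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def words_for_target(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the passphrase by brute force, i.e. the time to
    search half the space at the given (assumed) guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for n in (4, 6, 8):
        bits = entropy_bits(DICEWARE_SIZE, n)
        # 1e10 guesses/s is an assumed offline-cracking rate for illustration.
        years = expected_guess_seconds(bits, 1e10) / (365.25 * 86400)
        print(f"{n} words from {DICEWARE_SIZE}: {bits:.1f} bits, "
              f"~{years:.2e} years at 1e10 guesses/s")
    print("words needed for 80 bits:", words_for_target(DICEWARE_SIZE, 80))
```

Two things the numbers make concrete: four words from a 7776-entry list give about 51.7 bits, which is sound against an online login form with rate limiting but thin against an offline attack on a leaked vault or hash, so a password-manager master password is usually better at six or more words; and the result is the same whether the words happen to read as a sentence or not, because the entropy comes from the draw, not from the text.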

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug