Walt Mankowski via plug on 30 Apr 2022 17:26:43 -0700
Re: [PLUG] Correct Horse Battery Staple
On Sat, Apr 30, 2022 at 07:17:53PM -0400, Steve Litt via plug wrote:
> K.S. Bhaskar via plug said on Sat, 30 Apr 2022 17:59:15 -0400
>
> >Horse battery staple is a terrible idea. If you have to remember five
> >random sequences of four words each, you can, but if you have to
> >remember 20 (most people have logins for at least e-mail, social
> >media, banking, etc.) it's questionable whether you can. Horse battery
> >staple may be a good idea for a master password for a password
> >manager, but that's it; certainly not for a bunch of accounts. Instead
> >of random sequences of words, most people will end up using meaningful
> >phrases like “Mikey's high school PTO” which have far less entropy.
>
> The preceding is exactly what I was going to say.

The preceding is an argument for using a password manager.

> There are three kinds of password users:
>
> 1) Dingbats who use their wife's birthday.
> 2) People who use a keychain and hope nothing technical ends up losing
> every password.
> 3) People using their own personal combination of good passwording
> principles and security by obscurity.

These 3 aren't equivalent. Most web browsers these days can generate strong passwords and store them securely. My problem was that I bounce between Linux, macOS, iOS, and Windows on a nearly daily basis, and keeping the passwords synced was becoming a problem. Password managers do basically the same thing, but the app runs on all the platforms and syncs the database for me. Now the only passwords I need to memorize are for the password manager itself (1Password in my case) and the systems themselves. The app takes care of everything else.

It's true that I need to trust that the company I'm using is storing things securely and isn't hacked. 1Password claims [1] that they only keep encrypted copies of passwords and that they can't access any of the raw data themselves. You can certainly choose not to trust them. I know. I did this all myself for decades.

Now I see that the big benefit of using an app that's designed for managing passwords is that it makes doing things the right way the easy way. All of the totally legitimate concerns that people have brought up in this thread go away when you have a tool to manage the complexity for you. 1P can even do Authenticator-style 2FA, so I don't have to fumble around for a separate app every time I need to log in to my bank's website anymore. I've turned on 2FA on a lot more sites now that it's no longer a hassle to use.

Note -- I don't intend this to be a commercial for 1Password. They've got competitors who make similar claims, so do your due diligence if you're interested.

Walt

1. https://1password.com/security/
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug