Ask HN: Is there a future in which password management is sane?
22 points by pcloadletter_ on Aug 5, 2023 | hide | past | favorite | 53 comments
Password management is just terrible. Vulnerable populations stand no chance against social engineering. Password manager apps are okay but the UX is pretty awful especially for non-computer savvy folks. People who think about this a lot -- is there a sane future?


I use bitwarden and I don't understand the question.

My phone gives me a popup on text boxes to enter credentials. There's also a bitwarden button on my keyboard. I scan my thumb and it signs me in.

On my desktop browser, I get a badge on the bitwarden button when it detects a site it has credentials for. Two clicks signs me in. Three if my session times out and I need to put in my master password.

I have a single unique and complex password that I have to remember, and I have recovery keys stored in a physically safe location.

Bitwarden generates complex passwords with a single click, and has excellent integration with the browser.

Password management is sane. You can just use a good password manager and understand how to protect your single master password. Which basically just means never, ever type that password into anything other than your password manager.

ETA: bitwarden also syncs seamlessly between my half dozen different devices/installs. It works everywhere, and if I really cared to I could set up my own server so as to not rely on Bitwarden's infrastructure.


No. As long as mediocre programmers and organizations require BLIND entry of very complicated passwords on mobile phone teeny weeny virtual keyboards TWICE, nothing will get better.

Nothing will get better because most organizations are on autopilot, only doing "best practices" even when those practices don't make any sense. For instance, typing passwords blind. It exists because CRT terminals had a wide field of view. Flat screens have a narrow field of view, and further, in the form of cellphones, are small and held close to the face. There is no reason to require blind password entry, yet it persists. All of this points to stasis, nothing getting better, and the situation probably getting worse, since there's no upside for anyone contradicting "best practices".


We regularly get "pentest" results where the top recommendation is to disable pasting of passwords.


What is the idea behind this? The only thing I can think of (I’m not a web developer, so might be missing something obvious) is that it would ‘stop’ third party tools from being able to automate the login flow. But if that was the case, couldn’t they just change the html/JavaScript to allow pasting again? As far as I know, blocking of pasting into forms is a fully client-side setting.


I presume it's because when you copy a password to the clipboard, another app can view it.


Isn't that the browser makers' fault if there's no reveal button on a password input?


What about apps?


Why aren't you using a password manager to fill those fields automatically?


I had assumed that some governments would take on responsibility for identity management, and things would grow from there. It seems somewhat odd that companies such as Google and Meta are now providing this service, but these companies are more at ease with globalization than the nation states are.

In Europe, there is eIDAS [1], but for now this seems limited to governmental organizations, and well, to Europe.

[1] https://en.wikipedia.org/wiki/EIDAS


> Password management is just terrible. Vulnerable populations stand no chance against social engineering. Password manager apps are okay but the UX is pretty awful especially for non-computer savvy folks. People who think about this a lot -- is there a sane future?

No there isn’t. Passwords are fine. Password managers are good enough. It takes only minutes to learn the following flow:

1) Reset password

2) Type in the new password into the app (many people are too lazy to do this)

3) Open password manager

4) Copy and paste the password into the text field

That’s all. If people can’t figure this out then quite frankly I don’t understand how they function in other areas of life.


Genuine answer, as the demographic you requested:

It starts with you managing your security, not looking for someone to dish this responsibility off onto.


I like keepass; simple, portable, easily syncable any number of ways.


I'm going to find out all the sites I use that have the SSPR vulnerability, and I'm going to use SSPR every single time to login, so in lieu of using my passwords or Authenticator app, I'll just pretend it's a "magic link" login.


No need for a manager. Use a simple formula based on the company or service name. That way you can remember one base password and slightly modify it for any service. No need to copy and paste, no need to trust other companies with all of your passwords. No need for any software.

I haven’t thought about passwords in at least 5 years since I started using Apple + iCloud. Apple has native password management baked into everything. My face or thumb logs me in, whether I’m using laptop or phone. When creating accounts I just use the auto-fill and generated password.


Having your Hotmail password be liamtoh1! is great... Until you need to update your password. Now you need to remember your base algorithm plus a counter.

Oh, and some places don't allow "special" characters - so you have to remember multiple algorithms and counters.

It gets tiresome and unwieldy quickly.


A password that simple is also going to get cracked really quickly if an attacker steals the hash.


Why would you want to change a password?

One obvious reason is a data breach. But are they so common to be of concern?

I have a dead simple tool to generate secure scrypt hash and encode it to letters+digits+symbols.

And I do not remember my counter / rules. Whenever I need a password, I just use the default parameters; if the password fails, I can just increase the counter a few times until it succeeds.

Let's be real, if a service gets 5+ data breaches in less than a decade - it should be avoided.
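As an added illustration of the derivation scheme this comment describes (scrypt over a master secret plus a service name and a counter, encoded into letters, digits and symbols), and of the no-symbols site policy mentioned earlier in the thread. This is example code, not the commenter's tool: the salt layout, scrypt parameters, alphabet and the policy-retry loop are assumptions.

```python
import hashlib

# Character classes a typical site policy asks for. Alphabet, salt layout and
# scrypt parameters are this example's assumptions, not the commenter's tool.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@^_"


def encode(key: bytes, length: int, alphabet: str) -> str:
    """Base-convert the scrypt output into `length` characters of `alphabet`.

    Treating the bytes as one integer avoids per-byte modulo bias; with a
    32-byte key and at most 75 symbols the bias is negligible for length <= 20.
    """
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def meets_policy(pw: str, classes) -> bool:
    """True when at least one character from every required class is present."""
    return all(any(c in cls for c in pw) for cls in classes)


def derive_password(master: str, service: str, counter: int = 0,
                    length: int = 20, allow_symbols: bool = True) -> str:
    """Derive a per-service password from a single master secret.

    Service name and counter form the salt, so the same inputs reproduce the
    same password and bumping the counter rotates it. Sites that forbid symbols
    get a letters+digits variant. scrypt with n=2**14, r=8 uses 16 MiB, which
    makes recovering the master from a leaked derived password expensive; a
    weak master secret is still weak.
    """
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if allow_symbols else [])
    alphabet = "".join(classes)
    # Deterministic retry index: re-derive until the policy holds, so nothing
    # has to be stored per site.
    for attempt in range(32):
        salt = f"{service.strip().lower()}|{counter}|{attempt}".encode()
        key = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
        pw = encode(key, length, alphabet)
        if meets_policy(pw, classes):
            return pw
    raise RuntimeError("policy not satisfiable; effectively unreachable")


if __name__ == "__main__":
    # Constructed demo values; never put a real master secret in a script.
    print(derive_password("correct horse battery staple", "example.com"))
    print(derive_password("correct horse battery staple", "example.com", counter=1))
    print(derive_password("correct horse battery staple", "example.com", allow_symbols=False))
```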


> Use a simple formula based on the company or service name.

The first leak with unhashed password will reveal your formula. Now you need to replace all passwords everywhere anyway.


Sure, if they had many passwords from different services and then cracked the formula. It was deterministic based on company name but not immediately obvious. I had a separate “master” password for email and computer, because those were more important.

Worked for me for 20 years.


I don't think most of us are important enough for an attacker to look at our passwords side by side and find correlations.


What’s wrong with Google’s auto fill for Chrome? Seems extremely trivial.

My grandfather needs help to connect to wifi. Doesn’t own a cell phone. Didn’t know how to get rid of a bad extension. He does just fine with Google.


That works okay for single device users, but I suppose my bigger concern for non tech savvy folks is social engineering. But the auto-fill in Chrome doesn't scale all that well for more tech-inclined people, especially for things like mobile apps


What?

Google keeps passwords for websites and for Android apps in the same place, and you can view them both at https://passwords.google.com/


This has been solved for me for a few years since I started using iOS’ password manager. Syncs all my computers and mobile devices to my Apple ID. Seems to scale pretty well.


As long as you only use Apple operating systems, that works great.

And, to be fair, a certain % of the population does.


It's available on other platforms.


Except I just had to punch in my Apple generated Google password manually on a Sony TV with Android OS. Using a TV remote.


This is on them for not having a scannable code to take you to a sign in to authorize the device. It’s been solved for a while but some devs hate their users.


Yuck


How?


Password manager + something you are/something you have. Cookies solve the problem for me after the first login + remember me option.

It's going to take time but people are going to have to get used to needing n+2 things to log into their accounts (username + password + MFA).


I think you’re pointing out a problem which mobile has begun trying to solve - passwords are probably not the right long term solution to authentication for the majority of the population or use cases - the right solution is something more like an automatic biometric scan that doesn’t require remembering anything - just presenting yourself, i.e. fingerprint scan, retina scan, FaceID etc.

Devices which support these authentication methods need to become ubiquitous and their APIs need to be open and widely integrated with, including by web applications and laptop/desktop applications.

There are some hard problems to solve in the way.

You either need to make a central authority that manages the scan data or you need to figure out a way to cryptographically hash the output of a biometric scan such that it can be reliably checked against a stored value in a database. Or perhaps our AI experts on HN could comment on if there is a not too computationally expensive verification method…

But it would be nice. Over time users could remember less.


Your fingerprint and faceid are in public domain (registered on surfaces, cameras etc). I don’t think they are very secure.

It’s only a matter of time that retinas can be scanned too with precision cameras.


Fingerprint + physical access to phone is a pretty targeted attack. Assuming the phone is secure of course.


> Fingerprint scan, retina scan, faceID etc.

Not secure at all. You can be coerced physically to unlock something private/secure. Security should always be a combination of something you know and something you have (2FA).

Additionally, requiring a central authority to manage security is just _asking_ for trouble. Passwords work because of how de-centralized it is. Biometrics and physical-only tokens will fail the minute people realize they can just steal that data and use it to unlock everything centrally.

What we need are better tools to manage passwords in a more transparent way.


With physical coercion, all bets are off. The goal is to survive. You probably want a distress password perhaps.


The police can coerce you using biometrics. They can't torture you for what you know.


Ah ok, so I take it by coerced physically you mean coerced by a warrant/subpoena to physically unlock something?


Or by a bully, girlfriend, wife, etc.


There is a solution coming that I believe will be 100% fool proof except for the strange nature of foolishness vs wisdom. Wisdom says becoming rich and successful, having fame and reward from your peers, respect from friends as well as enemies. But there is a different wisdom that does not care about money, crowd following, fame, status, or even social gratification. Most people would say, pure foolishness man wtf? Of course we all want to be Bezos or Jobs. Look how happy they are. Or were..

What the heck then? Here come rando guy again talking foolishness.

It's like this, what would you trade for safety? And ultimately if doing so made people that didn't make that trade incredibly vulnerable and by nature your foe? Is love at all important? One thing to note is that anyone who has studied love knows it has little to nothing to do with a carnal relation. My parents loved me when I was totally unlovable as a baby maybe but also as a full grown adult.

You can see it right here in fact. I'm not writing this to make myself popular. I'm writing this because I love people. Even people that hate me. Besides perhaps someone might have reason to hate me. Some people hate everyone, they are known as misanthropes. Others can't deal with women and they become misogynists. Others are always outraged and it spills out to someone and rifts appear.

Okay, hopefully I can get to the so called solution to the so called problem of internet security which is a problem as much as the entire internet has become now.

The solution you will be presented with is the distinct pattern that is found on your right hand or on one of your eyes. Both of these patterns are so unique that I can't really find anything else more unique than them besides a DNA sequence.

I don't want you to be afraid. I want you to consider that once this is done, your uniqueness no longer belongs to you. It really never belonged to you in the first place. You could basically give something to a power bent on crushing us all that God made only for you. If a man gives up his soul for gaining the whole world, he has no soul to enjoy. You can't bring money and cool shit to heaven. But there is something you can bring. You can bring not only yourself but people you love. And you will see all kinds of people there you may not expect. I hope you can appreciate the fact that love and gratification are not the same. Don't forget someone did love you when you didn't deserve it.

I sure didn't deserve grace or love.


I have used Keepass for years and have zero complaints.


I've never had a problem yet and I gave up on two factor authentication. If I told people what I do:

1. They would not believe it works

2. They would steal my clear text file containing all my secrets.


I... what?


Think of it this way: there is no reason to have any faith that encryption works anymore and no reason to believe that if you are interesting enough that somehow enough determination will fail to reveal a secret.

And also, it is complete foolishness to have a third party in possession of passwords. At least use a different one for every site for the kids who grab the rando plain text keystore on rando site.

No detail about me is secret. I always am assured that God knows all. And Angels probably hate it when I look at dirty pictures and worse.


So far you've indicated you don't use a second factor and you have a file. So, I'm going with you've chosen long passwords with good randomness which don't match the rainbow tables and exceed some brute force cost in time you impute the bad actors use as a "move on" threshold, and your second observation is avoid reuse so there's no cheap uplift into other services.

I have no problem with your choices assuming I'm not wrong and I merely observe 2FA doesn't detract from this, and that bitwarden can be run as a server on your own hardware should you choose, or you can hand distribute the keys. The only advantage is prefilling and you may not care enough.


Rando site with rando signup has a non zero chance of being stupid enough to store the passwords in clear text. And I've had quite a few letters in the mail about disclosure that our accounts were hacked, we're sorry, boo hoo for us, nuttin for you. But unless the site is completely bonk, I always make rando passwords with my special secret rando key maker which is called pwgen.

I sleep easy knowing that all my secrets and my os is made by all organic free range programmers who never get mad they are being taken for a ride. But for a good cause you see. Software freedom is very important. Until that day bills need to be paid and you see, sometimes ingredients to computer food are not on the box.

Oh hopefully I can tack on one last thing I think is just hard to ignore. Secret passwords in plain text are horrible I think people can agree. But people store many life details in clear files open at least to daemons and lots of little codes see even if on an encrypted drive. Think of things like tax returns, insurance forms, records for all kinds of things. Come to think of it, I never really safe guarded any of that stuff more than my plain text file that was actually encrypted and everything at one time. But no longer.

And then finally, in my system dirs I have over 500,000 files. If open source is secure like a bazaar is, there couldn't be Ali Baba and 40 thieves in there someplace? Really? Sometimes ignorance is bliss.

Until it isn't any more.


Honestly this comes across as paranoid yet defeatist. You don't believe encryption works? Really? All encryption? Do you think cryptography researchers are all in collusion or just inept?


Paranoia is pretty common but I think in this case it is more realism than defeatism. After all I feel no defeat at all about this particular issue as I don't have much hope in the internet really.

But don't you think quantum computers are mature somewhere by now? If you had one and you had secrets to maintain, would you be the one to spill the beans even if a VIP planning a war? I doubt the news will come as a result of a bank heist or a 51% attack. This is a Jinn that will never go back to the bottle it came from.

RSA was passed on a long time ago and AES is pretty old. I don't think people can really grasp how much progress has been made. Most people I encounter have no idea that video can be completely faked. Recently I heard an old lady explain that video evidence is basically truth. Notice how easy the eyes are fooled.

For those who have ears, may they hear.

Hopefully my parent post doesn't vanish. I realize this is a tough pill to swallow. I am pretty sure we will all have to swallow it soon.


> But don't you think quantum computers are mature somewhere by now?

Nope. No I don't. The amount of compute required to actually operate on Shor's algorithm is immense, to the point that it's probably smarter, faster and cheaper to brute-force with traditional HPC these days.


Of course! It is a secret after all.


Ah okay well if you think that quantum computing has been cracked then take some solace in the fact that symmetric encryption should be resistant to attacks in a post quantum world.

We'll go back to difficulties in exchanging secrets. But encryption as a whole will still work.


I'm using passwords to hide from random scammers, not from the NSA.

Also, password managers are just easier than copy and paste.


Not to mention that clipboards can be read in rando tab. I didn't say my way is perfect, it is just that I've not been ruined yet by it. But now my secret is no longer a secret, it's just a matter of time that

