Main Area and Open Discussion > General Software Discussion
Chrome’s insane password security strategy
Renegade:
So don't let it store passwords at all, and do something with lastpass / roboform / password gorilla / keepass / whatever instead. Or, hell, run your browser from a Truecrypt container.
There's always another way to skin any given cat. :)
-oblivion (August 21, 2013, 01:50 AM)
--- End quote ---
Now that you mention it... I get pretty bent out of shape about this... As is really bloody pissed.
----- Going to be a bit of history for those that don't know me -----
I first found DC through a review of ALZip here. I worked for ESTsoft at the time.
--- Enough history ---
ALPass does what 99.999% of people need/want. If you lose your ALPass master password, you're hosed. Completely hosed. Toast. Dead. Screwed.
http://www.altools.com/ALTools/ALPass.aspx
ALPass (and ALToolbar) is a password manager where all encryption/decryption is done client side. ESTsoft couldn't help you recover a password if it wanted to.
THAT is what most people want. Clear text is just madness.
oblivion:
There's always another way to skin any given cat. :)
-oblivion (August 21, 2013, 01:50 AM)
--- End quote ---
Now that you mention it... I get pretty bent out of shape about this... As is really bloody pissed.
-Renegade (August 21, 2013, 09:44 AM)
--- End quote ---
Easy, tiger. :)
ALPass does what 99.999% of people need/want.
--- End quote ---
I thought, here’s one I haven’t heard of, let alone tried. Oo. Roboform plus support and maybe even some integrity. Mm. Lots of yummy features. Excellent.
Then I saw the last line of text on the page.
ALPass requires Internet Explorer. It does not currently support Firefox, Opera, or other alternative web browsers.
--- End quote ---
Really? Even now?
Is there an emoticon for “disappointed”? :o
If you lose your ALPass master password, you're hosed. Completely hosed. Toast. Dead. Screwed.
--- End quote ---
I know people get worried about the cloud, but the same is supposed to be true of Lastpass. Lastpass have Firefox and Chrome versions, I even managed -- after a fashion, and before I finally abandoned it -- to use the published workarounds for Opera. They even have an Android variant -- although that’s outside the things that are available for free, and it wasn’t quite as functional as I’d like.
Keepass (I seem to recall) has a linux variant. For that matter, although we’re all wary of the company behind the product after lots of us (yes, me included) had our lifetime licenses summarily revoked, Roboform’s security and functionality was years ahead of everyone else.
If these products delivered what people wanted, everyone would have them already. Something. Any-bloody-thing. No, what people want is not to have to think about it, and to be able to use PASSWORD123 on every website, banking service, data repository and fire alarm they ever meet or, better yet, nothing at all, and still to be able to complain, loudly and bitterly, that they’ve been let down by IT when their security is breached by some script kiddie with nothing better to do for ten minutes.
THAT is what most people want. Clear text is just madness.
--- End quote ---
I think, if I’m honest, most people want to feel secure without having to take many actions to ensure their own security. I KNOW I take password security more seriously than almost every normal (ie non-techie, non-geek) person I’ve ever met, and even I have a few frequently-used passwords stored in a CHS database. But there are people (no names, no pack drill) I know who COMPLAIN when their (carefully chosen and configured) DNS service stops them from routing a url via one of the snoopiest websites known to man because it means they can’t always click on a link in an email to a “bargain” new shiny thing.
There IS an overkill issue. Throw enough computer power at any stored, encrypted password and it’ll -- eventually -- be hacked. We tell people this and then that they have to use passwords they’ll struggle to remember and the last bit -- there’s a thing they can use to remember their passwords for them -- doesn’t make them feel that there’s a solution to the problem, it makes them feel like they’re handing over even more control to the technology brigade. And we wonder why people write their passwords down?
Vurbal:
On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much. While that's fine for keeping your roommate from accessing your passwords if that's all you're worried about either you're not worried enough about online security or you really need a different roommate.
Personally I use KeePass. Besides storing passwords it also makes for a reasonably secure file container for a few small files I like to keep on my thumb drive which also has KeePass on it. It's also a much better generic solution since it's not limited to entering passwords in browsers and has pretty good functionality for sending information to other programs.
Besides, even if Chrome had a password encryption scheme it would automatically be suspect as long as the NSA has Google at least halfway under their thumb. Which seems to justify my general policy of not trusting anybody to provide me with both cloud services and any type of sensitive information beyond the scope of those services.
wraith808:
Besides, even if Chrome had a password encryption scheme it would automatically be suspect as long as the NSA has Google at least halfway under their thumb. Which seems to justify my general policy of not trusting anybody to provide me with both cloud services and any type of sensitive information beyond the scope of those services.
-Vurbal (August 21, 2013, 02:51 PM)
--- End quote ---
(thanks Ren!)
tomos:
(see attachment in previous post)
(thanks Ren!)
-wraith808 (August 21, 2013, 03:10 PM)
--- End quote ---
Favourite to win The Most Popular Gif for 2013 Award :up:
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version