
Password Managers ... vs. Not


wraith808:
The thing that makes me shudder is that online password managers are such a juicy target. In just the past few days one succumbed to an attack and was plundered. :o
 
-cranioscopical (June 03, 2017, 07:37 PM)
--- End quote ---
 

It happens.  Just because it's not perfect doesn't mean that they are not better than the alternative.

Tuxman:
Data you store on other people's computers can and will eventually be read by other people.

dr_andus:
Data you store on other people's computers can and will eventually be read by other people.
-Tuxman (June 04, 2017, 08:48 AM)
--- End quote ---

But you've got to balance that with the risk of catastrophic hardware or software failure at your end, at which point you'd lose access to everything (let's say fire or flooding that destroys both your main PC and your local backup hard drives). I'd rather risk the former than the latter.

f0dder:
1) Why is the server allowing thousands of attempts on your account so that the entire dictionary is traversed until a successful hit is achieved?
-MilesAhead (June 03, 2017, 07:53 AM)
--- End quote ---
Rate-limiting the service doesn't help if hackers are able to exploit servers and snatch the entire (encrypted) database and do offline attacks.

2) What is to stop the dictionary attackers from just using permutations of numbers and letters just like the unmemorable password generators produce? If the server is going to allow thousands of logon attempts to the same account why not just brute force it?
-MilesAhead (June 03, 2017, 07:53 AM)
--- End quote ---
Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.

Lately there seems to be a tendency to make using the internet and computers generally nearly more of a pain in the ass than it is worth. Especially with phone logon it is a real pita to have to fat finger passwords with mixed case letters plus numbers and funky symbols. It just seems like it is getting to the point where everyone can get into my account but me.
-MilesAhead (June 03, 2017, 07:53 AM)
--- End quote ---
Your definition of worth is probably different from other people's. Getting key email accounts breached could be enough to cause severe financial harm for some companies, or even death for individuals.

Proper 2-factor authentication is one of the most effective ways to stay safe even in the face of password breaches. I'm pretty happy about services that offer YubiKey (or other FIDO device) with Google Auth (or other TOTP app) as backup.

Tuxman:
If you, for any valid or not-so-valid reason, insist on using passwords you cannot remember without technical support (ref. xkcd) and you plan to store them on other people's computers, you are the one in charge of making sure that everything is safely encrypted. Nobody but you should have a key for the decryption - because if there is a key stored on somebody else's computer... well, see LastPass's numerous "incidents".
