[conspire] Password managers and such (was: You're one of 131, 577, 763 people pwned in the Exactis data breach)

[Rick Moen]

Offlist, a CABAL member asked my opinion about whether I agree with the
the strong recommendation for '1Password' on referenced site
https://haveibeenpwned.com/  -- whether that would be a good idea for
the member and the member's family.

tl;dr:  No -- but it or damned near any technical solution is an
improvement over relying on unaided human memory's totally inadequate
ability to remember passwords & similar things.  So, if it's 1Password
or that other thing, then 1Password.  But, really no.

Everything else below just elaborates on the above.


{sigh}  I'm actually glad to hold this conversation yet again, because
it's an important one.  Be advised, inquiring CABAL member, that
in all past iterations this thread elicits a flurry of personal product
testimonials from CABAL regulars who've adopted one thing, like it for
some reason, ignore pretty much everything else everyone else is saying,
and tout the thing they like.

Problem:  Human memory pretty much isn't good enough to keep straight an
adequate number of strong passwords.  

Commonly, people _attempt_ to deal with that human limitation in ways
that frankly suck rocks, such as having about three or four strong
passwords that are used for basically everything requiring one, and
changing them at long intervals.  This totally sucks because a site
where one of those strong passwords has been compromised tends to lead
to the bad guys trying that password elsewhere and breaking into other
things you use.  (This is particularly likely if, say, you are a Gmail
user and the bad guys use breaking into your Gmail account as a gateway
to finding what else you use.)

The way around that suckage is to _give up_ on relying just on unaided
human memory, with its too-limited ability to reliably remember strong
passwords.  And the _usual_ counter-suggestion is a password-safe
program.

This brings us to 1Password.

1Password is a not-very-distinctive password-safe program for
proprietary consumer desktop OSes and for proprietary smartphone OSes.
The program is a binary-only, proprietary codebase.  It includes
optional integration with popular Web browsers so that it can 'type'
your creditials for you at sundry Web sites, drawing from its
credentials database.

There are a dozen or more similar proprietary password-safe programs for
proprietary operating systems.  If you are sensing a distinct lack of
enthusiasm for the product category, you would be correct.  There are
two reasons:

1.  Proprietary code is always a security exposure.  IMO, throwing
proprietary security-sensitive code on top of a proprietary OS is making
your existing problem just that little bit worse.  I mean, for God's
sake, at least make your _password safe_ program be open source, even if
you are going with Redmondware, Googleware, or the Church of Steve for
the device operating system.  I mean, sheesh!  For Ghod's sake, _at least_ 
stop just piling on more purchased proprietary sh**.
https://en.wikipedia.org/wiki/List_of_password_managers#Comparison

2.  Really?  You're dealing with the problem of passwords by putting
them all in one big juicy database that runs live on your terribly
insecure desktop OS?  Seriously, you can't think of a better place?

I cannot seriously recommend this _exact_ technology in 2018, but I'm
personally still relying on one from the 1990s that has an important
distinction / improvement over password-safe programming run on your
Internet-exposed, doubtful-security desktop OS.  I still have PalmOS
PDAs.  There is an open source password-safe application for PalmOS
called Keyring (http://gnukeyring.sourceforge.net/).  I keep my
passwords, uniquely selected for each individual site or institution, in
_there_, on my PDA.  

The PDA is airgapped from the Internet and from anything that reaches
public networks, except briefly at intervals when I back up its
encrypted database contents over USB.  PalmOS is so simple and dumb, 
especially if you don't use its Bluetooth or wireless networking, that
it's extremely challenging to attack.  And stealing my PDA doesn't give
you the passwords unless you know the master password (which you don't,
and within a reasonable number years cannot brute-force).

I don't seriously recommend getting a PalmOS PDA in 2018, _but_ the
world really needs a small pocket-sized password-holding device with its
functional advantages as an airgapped password holder -- and, no, I
don't mean one you can connect to your computer and have it supply all
your passwords to the desktop OS, but rather a standalone device that,
say, can display a chosen password or other security-sensitive record on
its own LCD display, but also stores all security data strongly
encrypted.


So, where does this leave you-plural.  One or two of you might try an
old PalmOS PDA with Keyring, though I doubt it.  Y'all might want to
look around for a modern reimplementation of the important bits of that
idea.  But most of you will settle for some kind of non-airgapped
password safe running directly on your desktop OS.

So, you'll look at 1Password.  But, do me this favour:  Don't settle for
the usual proprietary crap just because it has name recognition.  Look
at the open source competitors.   And 1Password is just the usual
proprietary crap.

My opinion, yours for a small fee.[tm]


(And now we traditionally get the rush of personal testimonials for
this'n'that.  In the past, I can't recall any one of those bothering to 
clarify licensing.  Assume proprietary crap unless there is clear
information to the contrary.)