[conspire] Password managers and such (was: You're one of 131, 577, 763 people pwned in the Exactis data breach)
Ruben Safir
ruben at mrbrklyn.com
Thu Jul 26 14:25:14 PDT 2018
uuid
Works to foil my access to my hard drive
On Thu, Jul 26, 2018 at 12:57:18AM -0700, Rick Moen wrote:
> Offlist, a CABAL member asked my opinion about whether I agree with
> the strong recommendation for '1Password' on referenced site
> https://haveibeenpwned.com/ -- whether that would be a good idea for
> the member and the member's family.
>
> tl;dr: No -- but it or damned near any technical solution is an
> improvement over relying on unaided human memory's totally inadequate
> ability to remember passwords & similar things. So, if it's 1Password
> or that other thing, then 1Password. But, really no.
>
> Everything else below just elaborates on the above.
>
>
> {sigh} I'm actually glad to hold this conversation yet again, because
> it's an important one. Be advised, inquiring CABAL member, that
> in all past iterations this thread elicits a flurry of personal product
> testimonials from CABAL regulars who've adopted one thing, like it for
> some reason, ignore pretty much everything else everyone else is saying,
> and tout the thing they like.
>
> Problem: Human memory pretty much isn't good enough to keep straight an
> adequate number of strong passwords.
>
> Commonly, people _attempt_ to deal with that human limitation in ways
> that frankly suck rocks, such as having about three or four strong
> passwords that are used for basically everything requiring one, and
> changing them at long intervals. This totally sucks because a site
> where one of those strong passwords has been compromised tends to lead
> to the bad guys trying that password elsewhere and breaking into other
> things you use. (This is particularly likely if, say, you are a Gmail
> user and the bad guys use breaking into your Gmail account as a gateway
> to finding what else you use.)
>
> The way around that suckage is to _give up_ on relying just on unaided
> human memory, with its too-limited ability to reliably remember strong
> passwords. And the _usual_ counter-suggestion is a password-safe
> program.
>
> This brings us to 1Password.
>
> 1Password is a not-very-distinctive password-safe program for
> proprietary consumer desktop OSes and for proprietary smartphone OSes.
> The program is a binary-only, proprietary codebase. It includes
> optional integration with popular Web browsers so that it can 'type'
> your credentials for you at sundry Web sites, drawing from its
> credentials database.
>
> There are a dozen or more similar proprietary password-safe programs for
> proprietary operating systems. If you are sensing a distinct lack of
> enthusiasm for the product category, you would be correct. There are
> two reasons:
>
> 1. Proprietary code is always a security exposure. IMO, throwing
> proprietary security-sensitive code on top of a proprietary OS is making
> your existing problem just that little bit worse. I mean, for God's
> sake, at least make your _password safe_ program be open source, even if
> you are going with Redmondware, Googleware, or the Church of Steve for
> the device operating system. I mean, sheesh! For Ghod's sake, _at least_
> stop just piling on more purchased proprietary sh**.
> https://en.wikipedia.org/wiki/List_of_password_managers#Comparison
>
> 2. Really? You're dealing with the problem of passwords by putting
> them all in one big juicy database that runs live on your terribly
> insecure desktop OS? Seriously, you can't think of a better place?
>
> I cannot seriously recommend this _exact_ technology in 2018, but I'm
> personally still relying on one from the 1990s that has an important
> distinction / improvement over password-safe programs run on your
> Internet-exposed, doubtful-security desktop OS. I still have PalmOS
> PDAs. There is an open source password-safe application for PalmOS
> called Keyring (http://gnukeyring.sourceforge.net/). I keep my
> passwords, uniquely selected for each individual site or institution, in
> _there_, on my PDA.
>
> The PDA is airgapped from the Internet and from anything that reaches
> public networks, except briefly at intervals when I back up its
> encrypted database contents over USB. PalmOS is so simple and dumb,
> especially if you don't use its Bluetooth or wireless networking, that
> it's extremely challenging to attack. And stealing my PDA doesn't give
> you the passwords unless you know the master password (which you don't,
> and within a reasonable number of years cannot brute-force).
>
> I don't seriously recommend getting a PalmOS PDA in 2018, _but_ the
> world really needs a small pocket-sized password-holding device with its
> functional advantages as an airgapped password holder -- and, no, I
> don't mean one you can connect to your computer and have it supply all
> your passwords to the desktop OS, but rather a standalone device that,
> say, can display a chosen password or other security-sensitive record on
> its own LCD display, but also stores all security data strongly
> encrypted.
>
>
> So, where does this leave you-plural? One or two of you might try an
> old PalmOS PDA with Keyring, though I doubt it. Y'all might want to
> look around for a modern reimplementation of the important bits of that
> idea. But most of you will settle for some kind of non-airgapped
> password safe running directly on your desktop OS.
>
> So, you'll look at 1Password. But, do me this favour: Don't settle for
> the usual proprietary crap just because it has name recognition. Look
> at the open source competitors. And 1Password is just the usual
> proprietary crap.
>
> My opinion, yours for a small fee.[tm]
>
>
> (And now we traditionally get the rush of personal testimonials for
> this'n'that. In the past, I can't recall any one of those bothering to
> clarify licensing. Assume proprietary crap unless there is clear
> information to the contrary.)
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
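The quoted post's central complaint is that a few strong passwords get reused everywhere, so one breached site hands the attacker the rest. The concrete defensive counterpart is to audit your own vault for exactly that: which sites share a password, and which passwords already sit in a breach corpus. The script below is an added example, not code from either poster or from any password-safe project. It works on a constructed vault export and a constructed breach table; the table is keyed the way the Pwned Passwords range lookup keys its data (uppercase SHA-1 split into a five-character prefix and the rest), so `lookup_range` is a labelled offline stand-in for the network query, and the report names sites only, never the secrets themselves.

```python
import hashlib
from collections import defaultdict

# Constructed sample export from a password safe: (site, username, password).
# None of these are real credentials.
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Tr0ub4dor&3"),
    ("bank.example.com", "alice", "Tr0ub4dor&3"),
    ("forum.example.org", "alice_b", "correct horse battery staple"),
    ("shop.example.net", "alice", "hunter2"),
    ("work.example.com", "abrown", "9kLq!vX2#pR8mW"),
]


def sha1_upper(password):
    """Uppercase hex SHA-1, the form a Pwned Passwords range lookup keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus (the counts are made up).
# It is organised like a k-anonymity range table: the first five hex characters
# of the hash select a bucket, the remaining 35 characters are the key inside it.
BREACH_COUNTS = {"hunter2": 17000, "password": 3600000, "Tr0ub4dor&3": 12}
RANGE_DB = defaultdict(dict)
for _pw, _count in BREACH_COUNTS.items():
    _h = sha1_upper(_pw)
    RANGE_DB[_h[:5]][_h[5:]] = _count


def lookup_range(prefix):
    """Offline stand-in for a range query: given a 5-char hash prefix, return
    {suffix: count}. A real lookup sends only this prefix to the service, so
    the service never learns which password (or full hash) was being checked."""
    return dict(RANGE_DB.get(prefix, {}))


def breach_count(password, lookup=lookup_range):
    """How many times the password appears in the corpus (0 if not at all)."""
    h = sha1_upper(password)
    return lookup(h[:5]).get(h[5:], 0)


def find_reuse(vault):
    """Groups of sites that share one password. Returns the site lists only,
    never the passwords, so the result can be read or logged safely."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


def audit(vault, lookup=lookup_range):
    """Per-entry findings as (site, username, description). Entries with no
    issue are omitted; the password itself never appears in the output."""
    reuse_of = {}
    for group in find_reuse(vault):
        for site in group:
            reuse_of[site] = [s for s in group if s != site]
    findings = []
    for site, user, password in vault:
        issues = []
        if site in reuse_of:
            issues.append("same password also used on " + ", ".join(reuse_of[site]))
        count = breach_count(password, lookup)
        if count:
            issues.append(f"password appears {count} times in the breach corpus")
        if issues:
            findings.append((site, user, "; ".join(issues)))
    return findings


if __name__ == "__main__":
    for site, user, description in audit(SAMPLE_VAULT):
        print(f"{site} ({user}): {description}")
```

On the constructed vault this flags the mail and bank entries (one password shared between them, and that password is in the corpus) and the shop entry (breached, not reused), while the unique, unbreached work password produces nothing. Swapping `lookup_range` for a function that queries a real range endpoint keeps the prefix-only property; the full hash still never leaves the machine.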