the very existence of password managers seems like a sign that we're doing computer security wrong.

Let me unpack that one a bit. Keys work because users don't have to memorize the shape of every one of their dozens of keys, and recall every detail of them blindfolded every time they need to unlock stuff. They just need to be able to recognize the right key from the set on their keyring. Nothing sensitive is given away if they can't, and just try them all one by one. The key does all the important memorizing about how to open the lock it goes with.

AFAIK passwords were a security measure originally designed for multi-user mainframes. Computers whose users were generally known to each other, or at least affiliated with the same institution, and before the emergence of ubiquitous networking, usually airgapped. The consequences of security failures were not world-shattering, and users generally didn't have dozens of passwords to remember.

Everything about how computers are set up and used has changed since the invention of passwords, except that we still secure almost every kind of user identification with passwords. I think we need to take a step back, and completely rethink what we're trying to achieve with passwords and password managers, from first principles.

there are some programs that generate passwords using a master password + URL name or other variable so you only need to remember one password. Then there's SQRL. You're not wrong though.

@georgia a hash of master password + URL? Or just plain text. Medium just sends a login link to the email address associated with the account. In this scenario, the email account is the password manager. If every internet service offered this option, users would only need to remember one strong password, on their email account.

while certainly better than the status quo that's sort of already the case with password recovery. email itself is insecure, and addresses are the first thing to appear in most data breach dumps alongside usernames.

@georgia email doesn't need to be secure because the URLs are single-use, sent only when needed, and expire quickly. But the point is this; imagine users only had to remember one passphrase, because they only *had* one (for their email account), and the security of all their things depended on it. Chances are they would make a damn strong one, and change it every time there was any hint it might be compromized. Chances are they wouldn't sticky note it on their monitor. Email could use 2FA too.

It's a very good concept, but personally I have little faith in the prudence of the average end-user. If passwords didn't require capitals or numbers most people wouldn't use them. I guess what I'm getting to is that there really needs to be a cultural shift for such a change in implementation to work as intended. :/

@georgia haven't heard of , I'll have to look that one up. Any good intro links you can recommend?

@georgia I just found an interesting discussion of username/password and SQRL that begins here:

its an authentication standard almost akin to OpenID. There's an app on FDroid.

From the basics - computer security has three factors - "Something you know", "Something you have", "Something you are". There is nothing more. Passwords are the "know", while certificates or keys are "have", biometrics is "are". 2FA means using two factors together. If you think about it, password manager is actually already 2FA, because you need to "know" the master password, and "have" the password database file. So it's actually a step up.

@chebra thanks, this a very clear, concise summary. Can you recommend a good link for a first principles discussion that lays out things like those 3 basic factors?

Hmm, I actually learned that at uni. Maybe sources like Khan Academy could have more of that ground work. But mind you, good passwords are about the best thing we have. Each factor has its downsides (such as you can never change your biometrics if they get compromised) and passwords became so popular because the downsides are smallest. Every bit of convenience sacrifices a bit of security.

@strypey @chebra

Actually, the basic is "who you are".

The problem is trying to find a practical demonstration of that identity, that isn't subject to trivial spoofing.

@strypey Yeah! For an example bitwarden uses the same practice, it has master password so to hack all ur passwords they just need to crack master key of RSA they store on their servers :) People should use KeePass or stuff like that to be really secured! KeeWeb is also gut!

Sign in to participate in the conversation
Mastodon - NZOSS

This Mastodon instance is provided gratis by the NZ Open Source Society for the benefit of everyone interested in their own freedom and sharing with others. Hosting is generously provided by Catalyst Cloud right here in Aotearoa New Zealand.