Consider dropping or moving stateless password managers #187

Closed
opened 2017-03-01 12:30:54 +00:00 by graysonkent · 6 comments
graysonkent commented 2017-03-01 12:30:54 +00:00 (Migrated from github.com)

See article here: https://lwn.net/SubscriberLink/715090/e426fd5aff3e366d/

I'm not sure if you guys advocate for the most secure way or just low hanging fruit for most people, but if it is the former then I think that Keepass+Addon should at least be moved to the first position. Thoughts?

ghost commented 2018-04-06 14:42:32 +00:00 (Migrated from github.com)

Agreed with this. Another article about it: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers

BitWarden seems quite popular for online storage of passwords.

ghost commented 2018-04-06 16:23:57 +00:00 (Migrated from github.com)

@graysonkent We might point out that the security isn't as good as that of local password managers, but I don't think we should be dropping these password managers altogether.

@sevengali

> The most common solution to this problem is to abandon “sync-free” operation and keep some state about tweaks to the password generation scheme which produce passwords that meet the policy for a specific site. Unfortunately, by doing so we lose the #1 selling point for these schemes, and now have state that needs to be synced between devices.

For many sites, they work great. I use KeePass for the important stuff and LessPass for the less important stuff and I've never run into a password policy problem with LessPass. Actually, once. Character limit. So I just remember to delete the last 4 characters on one forum.

I just find the combination of a local password manager and something like LessPass very powerful. The former is secure and the latter is better than bloating your database or opening it when you don't need to or using a separate password for all unimportant websites.

Great point:

> Exposure of the master password alone exposes all of your site passwords

I think we should recommend local password managers as the secure ones and stateless password managers as a less harmful alternative to one password for less important websites.

g-monk commented 2018-04-08 03:47:31 +00:00 (Migrated from github.com)

I suggest why don’t we add the new sources and tell about the “flaws” as keep in mind safety measures. This is because in the recommendation for Wire, on the site it tells the company keeps a record of people you chatted with.

However, I feel like we should also have a stable recommendation, because I use Encryptr by SpiderOak, but because it was removed, I am now having to decide which one works the best.

Granted that software and going decentralized in all forms is a bit of a challenge, but a stable pick or recommendation can help with the goal of - easy to use, decentralized and meeting the original criteria.

Vincevrp commented 2018-11-22 00:47:13 +00:00 (Migrated from github.com)

Master Password was moved to "Worth mentioning" in #587.

ghost commented 2018-11-22 05:53:39 +00:00 (Migrated from github.com)

It's the same with LessPass. The issue with these password managers:

  • not as secure, each password is based on your master password which some people don't like as they see that as a potential attack vector
  • your master password being leaked results in all your passwords being leaked.

I think we should recommend local password managers as the secure ones and stateless password managers as a less harmful alternative to one password for less important websites.

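To make the two points in this thread concrete (the quoted paragraph above about per-site "tweaks" that become state to sync, and the two bullets about every password hanging off the master password), here is a constructed toy of a deterministic password scheme. This is added example code, not the LessPass or Master Password algorithm, and the salt, iteration count and site names are made up for the demo.

```python
import hashlib
import hmac
import string

# Constructed illustration of a deterministic ("stateless") password scheme.
# It is NOT the algorithm of LessPass or Master Password; it only reproduces
# the properties the thread discusses.
ALPHABET = string.ascii_letters + string.digits + "-_"  # 64 symbols: b % 64 is unbiased


def derive_site_password(master: str, site: str, login: str,
                         counter: int = 1, length: int = 16) -> str:
    """Derive a site password from the inputs alone; no vault file is involved."""
    # Slow KDF over the master password, so one leaked site password is not a
    # cheap oracle for guessing the master (salt is a constructed constant).
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"demo-salt", 100_000)
    # Per-site step: changing site, login or counter yields a different password.
    seed = hmac.new(key, f"{site}\x00{login}\x00{counter}".encode(), "sha256").digest()
    if not 1 <= length <= len(seed):
        raise ValueError("length must be between 1 and 32")
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])


# This dict is the "state" the quoted paragraph refers to: the per-site tweaks
# that exist only to satisfy a site's policy (here, a forum with a 12-char cap).
# A second device without this dict derives a different password for that site.
SITE_TWEAKS = {"forum.example": {"length": 12}}


def password_for(master: str, site: str, login: str, tweaks=SITE_TWEAKS) -> str:
    """The password the user actually types: base derivation plus any stored tweak."""
    return derive_site_password(master, site, login, **tweaks.get(site, {}))


def passwords_recomputable_from_master(master: str, sites, login: str) -> dict:
    """Everything that follows from the master password and public inputs.

    Nothing else is needed, which is exactly the second bullet above: whoever
    knows the master can rebuild every site password offline.
    """
    return {site: password_for(master, site, login) for site in sites}


def master_rotation_changes_all(old: str, new: str, sites, login: str) -> bool:
    """Recovering from a master leak means rotating the master, and that in
    turn changes every site password, which must then be updated site by site."""
    before = passwords_recomputable_from_master(old, sites, login)
    after = passwords_recomputable_from_master(new, sites, login)
    return all(before[s] != after[s] for s in sites)
```

Note that in this toy the 12-character forum password is simply the prefix of the 16-character one, which is the "delete the last 4 characters" workaround described earlier, just written down as state instead of remembered.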
beerisgood commented 2018-11-22 12:29:38 +00:00 (Migrated from github.com)

Yeah. Set KeePass as the best solution and add a warning label to cloud solutions

Reference: privacyguides/privacytools.io#187