It's all a question of your threat model. The biggest threats I see for most users are:
1. Password reuse, where a relatively unimportant account (shopping site) getting cracked gives the attacker the same password you used for a critical account (email).
2. Phishing, where you enter your password on a fake login page.
3. Lost device, where someone finding it can easily impersonate you on any site you're logged into.
A password manager handles (1), and if it auto-fills reliably on websites (as Chrome's does) that handles (2) as well. For (3) you want disk encryption, which is now standard on phones and is an easy option on laptops as well.

After these, my next concern would be compromise of the cloud-based password backups. Here is where your parent's comment on Google's security is relevant: Google (disclosure: I used to work there) has an excellent security team and there are few companies I would trust more to keep cloud vaults secure.

The attacks your links are talking about start by assuming someone has full access to your computer. While putting some bumps in their way at this point is nice, I guess, there's nothing stopping them from keylogging their way past any password manager you choose.

I recently had to coach a co-worker to do something more sane than store her passwords in a plain text file on her private Google Drive (seriously!). This is what real people do when you confront them with a lot of complex security. The reason I discovered this was that I had to talk her through setting up 2FA for our company's Google account because she lost her phone. And then I discovered that she was copy-pasting passwords from this stupid text file. Next she'll be using it to use generated passwords. Bonus points if she starts using 2FA for her private accounts. From what I've seen she doesn't, and she uses a small set of easily guessable passwords all over the place. But at least they now come from a password manager. But it's not really a scalable solution because I don't have the time or patience to coach all of our people. And yes, we do have a security policy that spells all of this out. It helps, but people default to doing the wrong things. Ultimately, that's why we need to get rid of passwords. There's a group of users for whom all this security stuff is just way too difficult. We need to make it simpler for them to stay secure, not harder.

Forcing them to remember lots of different passwords backfired and necessitated password managers. Passwordless logins are now a thing with several companies. It takes a bit of ingenuity to make that work, but it usually boils down to multi-device/factor authentication with some ultimate fallback.

The lamentations about Bitwarden's heavy clients really ring true. On my phone, simply opening the password manager to unlock the vault can be enough to make the application I was trying to log into go OOM. Integration with my keyboard of choice (SwiftKey) is also questionable, and then Firefox adds another layer of weird behaviour that makes autofills too difficult for me to recommend it to my family. When I first read about the command line Bitwarden client I just laughed at its absurdity. I'm tempted to write my own Bitwarden compatibility library and maybe a command line or GUI that doesn't require an outdated copy of Chrome to run, but doing security software right takes time and research I don't want to commit right now. I also remember going from my self-hosted Bitwarden instance to Vaultwarden and seeing the memory requirement drop several gigabytes. I like Bitwarden's browser integrations for the most part, but the nice GUI comes at a big performance cost. Perhaps my 900 secrets are too much for a password manager to handle, but I don't think whatever computation the program does on the encrypted secrets warrants this much overhead.

For me the main barrier has been convincing my family to actually take password management seriously. My entire family has had their emails hacked at least twice due to poor/reused passwords that have been in leaks, constantly forget IDs/passwords, and are constantly overwhelmed with the idea that they need to keep track of all these things. I've set up a 1Password family and set up accounts/vaults on everyone's computers/phones/tablets, yet they still find it too troublesome to use rather than simply writing passwords down in plaintext on their notes apps or just on sticky notes attached to their computers etc.
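Password reuse is the one threat in this thread that a vault owner can check mechanically once the passwords are in a manager: export the vault and look for entries that share a password. The script below is an added example, not code posted by any commenter. It assumes the layout of Bitwarden's unencrypted JSON export (a top-level "items" list, "type" 1 for login items, and a "login" object carrying username, password and uris); the sample export and its credentials are constructed for the demonstration and are not real.

```python
"""Audit an unencrypted Bitwarden-style JSON vault export for reused passwords."""
import hashlib
import json
from collections import defaultdict

# Constructed sample export with made-up credentials. The field layout
# ("items", "type" 1 for logins, "login" with username/password/uris) is an
# assumption about Bitwarden's unencrypted JSON export, not taken from the thread.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"type": 1, "name": "Mail",
         "login": {"username": "alice@example.com", "password": "Summer2019!",
                   "uris": [{"uri": "https://mail.example.com"}]}},
        {"type": 1, "name": "Shop",
         "login": {"username": "alice@example.com", "password": "Summer2019!",
                   "uris": [{"uri": "https://shop.example.net"}]}},
        {"type": 1, "name": "Forum",
         "login": {"username": "alice", "password": "Summer2019!",
                   "uris": [{"uri": "https://forum.example.org"}]}},
        {"type": 1, "name": "Bank",
         "login": {"username": "alice", "password": "q7R!vX2#pLm9wZ4e",
                   "uris": [{"uri": "https://bank.example.com"}]}},
        # Secure notes, cards and identities have no login block and are skipped.
        {"type": 2, "name": "Wifi note", "secureNote": {"type": 0}},
    ],
})


def login_entries(export_text):
    """Yield (item name, password) for every login item that stores a password.

    Refuses encrypted exports: the audit needs plaintext, so the caller must
    export as plain JSON (and delete the file afterwards)."""
    data = json.loads(export_text)
    if data.get("encrypted"):
        raise ValueError("export is encrypted; export as plain JSON to audit it")
    for item in data.get("items", []):
        if item.get("type") != 1:
            continue
        password = (item.get("login") or {}).get("password")
        if password:
            yield item.get("name", "<unnamed>"), password


def reuse_groups(export_text):
    """Map a short SHA-256 digest of each reused password to the item names
    that share it. Keying by digest keeps the plaintext out of the report."""
    groups = defaultdict(list)
    for name, password in login_entries(export_text):
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]
        groups[digest].append(name)
    return {d: sorted(names) for d, names in groups.items() if len(names) > 1}


def audit(export_text):
    """Return one finding per reused password, most widely reused first."""
    findings = []
    ranked = sorted(reuse_groups(export_text).items(), key=lambda kv: -len(kv[1]))
    for digest, names in ranked:
        findings.append(
            f"password {digest} reused across {len(names)} items: {', '.join(names)}"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT) or ["no reused passwords found"]:
        print(line)
```

On the sample vault this flags one password shared by Mail, Shop and Forum and leaves the unique Bank entry alone; the digest in the report identifies the group without reproducing the password itself. Run it against a real export only on a machine you trust, since the plaintext file is exactly what threat (1) above is about.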