Am I the only one freaked out about the use of password managers? We already had one hacked this year. Having a single source of failure of millions of people’s credentials seems pretty horrible compared to only one individual’s.
I guess the only solution is to answer those recovery questions with Quantum Truth™. Answers that are in a truthful superposition, neither true nor false, and change every time they’re examined (for MaXXimum Security!™). Oh wait, that’s getting into politics. My bad.
Yeah, I’d rather have a password manager on my phone with a backup on a USB stick than have to carry around a backpack full of 150 dongles, and have to constantly dig through it to find the right one before the login timed out.
I wouldn’t use one of those for personal use. Some are local and don’t sync or keep a backup anywhere online unless you explicitly set that up. While it’s possible that I might lose my USB stick or phone, and someone who finds it might hack the password manager data file, it’s a lot less likely than an always on cloud service with millions of people’s valuable passwords getting hacked.
On one occasion, I did leave a copy of my personal password manager open on a computer, but I realized it right away and was able to reset all the important passwords before I got home; did the rest of them later that evening.
Dongles were a big enough pain when every high end piece of software on my Mac required a separate one to be actively connected to the computer - and those were dongles I didn’t have to carry around with me.
The FIDO key is a simple USB dongle that does the job, but first might make it clear... if it does not get a Bluetooth connection it is rendered ambiguous... if someone can tell Apple, they may be able to force quit; does not work in reverse.
That’s my problem. Also, we’ll start seeing things try to compromise the clipboard, because all anyone does using password managers is cut & paste. Get access to the clipboard, you have the keys w/o ever having to crack an account.
Hell, Facebook is always showing me my clipboard contents and trying to suggest I post any link in it publicly to FB!!! I did not paste into FB!!! FB has no legitimate business pulling strings out of my clipboard unless I use the paste command. Someday I’m going to slip and accidentally post some embarrassing URL. Grrrrrr. (“I swear, I was just looking at Breitbart.com for opposition research! Really!”)
So, something I’ve also wondered about (and feel free, security folks, to fork to a new topic):
Biometrics. Let’s call it fingerprints, handwriting, mouse gesture patterns, brainwaves, etc. My fingerprints have been changed slightly by accidents fishing (probably not enough to fool fingerprint IDs, though), but still it got me thinking.
Catastrophic damage to your body can alter those things, rendering you unable to access your accounts in addition to being potentially disabled.
A question I don’t see being asked (let alone answered): How do we develop identity management solutions that are secure, and uniquely identify us, but have contingency plans for the parts of us that can change in a tragic instant? (Or are resistant to such changes?)
I agree. But if someone wants to get into my computer so badly that they’re willing to hack my local machine, intercept the trashbin, look through all of the recovered screencaps in order to get security question answers so that they can then hack that account…well…I don’t know that there’s a great deal more I might be able to do to protect myself.
I mean, I’m typing this from behind, like, the fourth or fifth firewall…
That shows one of the big problems with biometrics. You can easily create unique passwords for each system, but you can’t easily create a new retina for each system. That means if any system gets compromised, they’re all compromised. Fingerprints are even worse because you leave copies of them everywhere in the real world. And while you can easily go in and change your password if you need to, you can’t easily change your retinas. But as you mentioned, they may change without you intending to change them.
Because of their drawbacks, they aren’t intended to be used instead of passwords, but people are doing that. They’re also no good for pseudonymous accounts.
Public-private key pairs with web-of-trust and revocation certificates generally hit on the necessary problems (and can be used for group identities and role identities, as well as allowing multiple identities). It’s not perfect though - still seems awkward and confusing to non-techies, web of trust is a difficulty, and certificate revocation isn’t sufficiently guaranteed (until the recipient receives the revocation, they still think the key is valid). Identity and security are the easy parts, it’s trust and communication that are difficult.
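The revocation gap the comment above points out (the recipient keeps trusting a key until the revocation actually reaches them) can be shown concretely. The following is an added example, not code from anyone in this thread; it uses Go's standard-library Ed25519 and reduces the web of trust to a flat set of trusted keys held by one recipient. The `Verifier`, `RevocationMessage` and `RunScenario` names, and the sample message, are constructed for this illustration. A revocation certificate here is a statement "this key is revoked" signed by the key itself, pre-generated the way OpenPGP revocation certificates are, so that a third party cannot forge one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier models one recipient: the keys it has chosen to trust, and the
// revocations it has actually received so far. (Hypothetical type for this example.)
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// keyID is a short fingerprint used as a map key (first 8 bytes of the public key).
func keyID(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", pub[:8]) }

// Trust records a key the recipient has decided to trust (web-of-trust decision made elsewhere).
func (v *Verifier) Trust(pub ed25519.PublicKey) { v.trusted[keyID(pub)] = pub }

// Verify accepts msg only if sig is valid under a key that is trusted and not yet
// known to be revoked. The recipient can only act on revocations it has received.
func (v *Verifier) Verify(pub ed25519.PublicKey, msg, sig []byte) (bool, string) {
	id := keyID(pub)
	trustedPub, ok := v.trusted[id]
	if !ok {
		return false, "untrusted key"
	}
	if v.revoked[id] {
		return false, "key revoked"
	}
	if !ed25519.Verify(trustedPub, msg, sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

// RevocationMessage is the statement that a revocation certificate signs: "REVOKE:" + public key.
func RevocationMessage(pub ed25519.PublicKey) []byte {
	return append([]byte("REVOKE:"), pub...)
}

// MakeRevocationCert is generated by the key owner (ideally ahead of time) and
// published when the key is lost or compromised.
func MakeRevocationCert(priv ed25519.PrivateKey) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, RevocationMessage(pub))
}

// ReceiveRevocation installs a revocation once it arrives. It is only honoured
// if self-signed by the key being revoked, so an attacker cannot revoke others' keys.
func (v *Verifier) ReceiveRevocation(pub ed25519.PublicKey, cert []byte) bool {
	if !ed25519.Verify(pub, RevocationMessage(pub), cert) {
		return false // forged revocation: ignored
	}
	v.revoked[keyID(pub)] = true
	return true
}

// ScenarioResult captures what the recipient concluded at each step.
type ScenarioResult struct {
	AcceptedBefore   bool   // signature accepted before the revocation arrived
	ForgedRevocation bool   // whether a third party's forged revocation was honoured
	AcceptedAfter    bool   // signature accepted after the genuine revocation arrived
	ReasonAfter      string // verifier's reason after revocation
}

// RunScenario walks through: trust a key, accept its signature, receive a
// forged revocation (rejected), receive the genuine one, then re-check the same message.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	v := NewVerifier()
	v.Trust(pub)

	msg := []byte("constructed sample message: please wire the funds") // constructed input
	sig := ed25519.Sign(priv, msg)
	r.AcceptedBefore, _ = v.Verify(pub, msg, sig)

	// An attacker who does not hold the key tries to revoke it anyway.
	forged := ed25519.Sign(attackerPriv, RevocationMessage(pub))
	r.ForgedRevocation = v.ReceiveRevocation(pub, forged)

	// The genuine revocation finally reaches this recipient.
	v.ReceiveRevocation(pub, MakeRevocationCert(priv))
	r.AcceptedAfter, r.ReasonAfter = v.Verify(pub, msg, sig)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before revocation: accepted=%v\n", r.AcceptedBefore)
	fmt.Printf("forged revocation honoured: %v\n", r.ForgedRevocation)
	fmt.Printf("after revocation: accepted=%v (%s)\n", r.AcceptedAfter, r.ReasonAfter)
}
```

The same signature over the same message flips from accepted to rejected solely because of what this particular recipient has received; a second recipient that never gets the revocation keeps accepting it, which is the weakness the comment describes.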