11 votes

On password managers

11 comments

  1. [8]
    stu2b50
    Link
    Inasmuch as this has a conclusion, it is correct in each individual point, but in aggregate misses the human element of security. Unless you are a cyborg, you will inevitably get tired of...
    • Exemplary

    Inasmuch as this has a conclusion, it is correct in each individual point, but in aggregate misses the human element of security.

    You don’t have to use a password manager to do that, whatever system works for you is fine. If you want to use a notebook in a desk drawer, that’s totally acceptable.

    Unless you are a cyborg, you will inevitably get tired of laborious typing in your 16 character password from your notebook. You'll get tired of having to get your password whenever you need to login. You get tired of typing in long passwords on mobile.

    You'll start to use lower entropy passwords, and to maybe even reuse them - after all, these accounts don't really matter, it's probably okay, right?

    Same for "use your browser's password manager". The problem is that people log in to things other than websites. In particular, people have phones now, and I'd argue more people use a phone as their primary computing device now than a traditional computer.

    The threat model just doesn't match up. Don't let perfect be the enemy of good. All the exploits are based around the sad path of the internet - but most people stay on the happy path now that the web is mature. People spend WAY more time on non-malicious websites rather than random pages as opposed to the earlier wild west days of the internet.

    And on the happy path, by far the biggest danger is that one of the many websites with logins has shitty backend security and leaks passwords. Of course, people do fall off the happy path - phishing emails, crappy banner ads, whatever.

    But the underlying implication that using an extension based password manager is worse than not having one just does not match the reality of the modern internet.

    21 votes
    1. [7]
      aphoenix
      Link Parent
      This article really nailed the "guy is sublimely convinced of his own brilliance, but only thought about his own use case." Also, the problem that he describes is actually really easy to get...

      This article really nailed the "guy is sublimely convinced of his own brilliance, but only thought about his own use case." Also, the problem that he describes is actually really easy to get around - use the application outside the browser, and cut and paste. It is ever so slightly less convenient, but still much more convenient, and usable for multiple applications. Personally, my passwords are used perhaps only half the time in the browser, and I use them across 7 different devices. I'm not going to use Chrome's built in password manager; it doesn't actually solve any problems for me.

      What I will say is that this works for my dad, who is in his 70s. I've got him to start using Chrome's password manager. That's a good solution for him. He uses his computer almost exclusively for the browser, so it makes sense. For most people that I've gotten onto password managers, the browser solution is not sufficient. Even my wife, who is a relative luddite, does not find it sufficient; she has multiple applications with passwords that need to be managed, and copying them out of chrome would be pretty awkward.

      Anyways, I guess what I'm most interested in is how do these tech bros write things without giving any seeming consideration that they might not be correct, but then I realized that this guy works at Google, so that's probably it. Maybe I'm too cynical, but I imagine he isn't actually completely convinced, he's just selling.

      6 votes
      1. [6]
        hungariantoast
        Link Parent
        This is really the only major bad thing about the article's suggestion to just use the built-in browser password manager: It's a pain in the ass in both Firefox and Chrome to get those passwords...

        and copying them out of chrome would be pretty awkward

        This is really the only major bad thing about the article's suggestion to just use the built-in browser password manager:

        It's a pain in the ass in both Firefox and Chrome to get those passwords and use them in applications that are not the web browser.

        If accessing and using the browser's password management feature could be made easier and not, at least in Firefox, require something like six clicks after launching the browser, it'd be pretty much good enough for any normal user compared to something like KeePassXC or Bitwarden.

        And let's not kid ourselves with the excuse of "that's outside the scope of web browsers". Web browsers have no scope these days 🤣

        but only thought about his own use case

        Isn't it kind of weird to interpret this article as if the author were writing it for non-technical users? I mean, this is a technical article, written by a programmer, posted to that programmer's personal website, syndicated to the most technical group on Tildes. It doesn't really strike me as an article that was written for someone such as your dad, but instead more for someone like you or me.

        I guess what I'm getting at is this isn't really a case of the author forgetting non-technical users exist, as much as it's a case of the author targeting technical users with this content purposefully.

        8 votes
        1. [3]
          aphoenix
          Link Parent
          That's on me; I wasn't trying to insinuate that that's how I interpreted it - I'm clear that he was writing it for tech folks. It makes the article doubly weird for me, since in my experience,...

          Isn't it kind of weird to interpret this article as if the author were writing it for non-technical users?

          That's on me; I wasn't trying to insinuate that that's how I interpreted it - I'm clear that he was writing it for tech folks. It makes the article doubly weird for me, since in my experience, what he's suggesting doesn't work for most of the tech folks that I know. I know that he's targeting tech folks, so I'm just not clear on how he came to this conclusion. Or I wasn't until I reflected on it a bit and figured out that this person works at Google, and is likely just spreading Google Koolaid.

          3 votes
          1. [2]
            Pistos
            Link Parent
            It seems to me like an entirely legitimate concern if a browser extension's UI can be manipulated by a third party (i.e. someone other than the extension's vendor).

            It seems to me like an entirely legitimate concern if a browser extension's UI can be manipulated by a third party (i.e. someone other than the extension's vendor).

            1. aphoenix
              Link Parent
              I agree that there is a legitimate concern, but it's certainly not the only concern. There are also ways to work around this, as I spelled out above. If you don't mind a couple of extra clicks,...

              I agree that there is a legitimate concern, but it's certainly not the only concern.

              There are also ways to work around this, as I spelled out above. If you don't mind a couple of extra clicks, then you can almost completely mitigate the issue. Use your password manager without the browser integration and the password manager can no longer be manipulated. You are left with the (in my opinion) massively more convenient password manager, which syncs across devices, and has other valuable features.

              Where this article, and so many others written by tech bros, fails, is that it assumes that there is one answer to the problem, and that they have found the answer. In reality, this is rarely the case; there are almost always a multitude of ways to figure out a solution to a problem, and almost all of them have pros and cons. I am not claiming that the solution offered in the article is a bad one - it certainly works for people. As I said above, it works for my father, it clearly works for the guy in the article, and there are probably lots of other people for whom this is a viable solution.

              This whole type of article, where someone takes a complex issue and says, "I know the answer, it's [x]" are almost always not correct, because [x] is almost never the only answer. In this case, I would argue that the [x] from the article misses out on basic needs and usability for a lot of people. I haven't even touched on the fact that "use a password manager" is actually the first step in the right solution, which the author outright dismisses! Most of the rest of the solution is figuring out which password manager is the best fit for the user.

              Edit: I made a slight change - I previously said that these articles aren't usually valuable but I changed it to these articles not being correct. This article is certainly valuable - if one didn't know about the issue with password syncing in browsers, and read this article, then one would have learned something. But the end solution is not necessarily correct - using the built-in is not necessarily the best answer. It's not necessarily not the best answer either.

              3 votes
        2. [2]
          Diff
          Link Parent
          Out of curiosity, where are you pulling this from? For me, after opening the browser it only takes 4 to get to my passwords. Menu -> Passwords -> Whatever site -> Copy. I struggle to see how that...

          If accessing and using the browser's password management feature could be made easier and not, at least in Firefox, require something like six clicks after launching the browser, it'd be pretty much good enough for any normal user compared to something like KeePassXC or Bitwarden.

          Out of curiosity, where are you pulling this from? For me, after opening the browser it only takes 4 to get to my passwords. Menu -> Passwords -> Whatever site -> Copy. I struggle to see how that could be slimmed down much more. On a phone it's even easier to use Firefox to manage your passwords if you download the separate Firefox Lockwise app. It'll fill your passwords for any app as well as the sites in your browser. Was more convenient for me than trying to manage KeePass, especially since it automatically syncs across all my devices securely.

          2 votes
          1. hungariantoast
            Link Parent
            lmao I didn't even know that was there. I was doing this: Menu -> Settings -> Privacy & Security -> Saved Logins -> Site -> Copy Did they just add that item to the menu in version 89 with the UI...

            lmao I didn't even know that was there. I was doing this: Menu -> Settings -> Privacy & Security -> Saved Logins -> Site -> Copy

            Did they just add that item to the menu in version 89 with the UI update? Or has it been there for a while? I always just type about:logins into the address bar so...

            1 vote
  2. [4]
    Comment deleted by author
    Link
    1. suspended
      Link Parent
      Yeah. I'm sticking with Bitwarden.

      Yeah. I'm sticking with Bitwarden.

      12 votes
    2. Pistos
      Link Parent
      Sure, but I don't think that's what the author is arguing for. I think the point of the article is arguing against extension-based solutions used with websites.

      Sure, but I don't think that's what the author is arguing for. I think the point of the article is arguing against extension-based solutions used with websites.

      3 votes