Inasmuch as this has a conclusion, it is correct in each individual point, but in aggregate misses the human element of security. Unless you are a cyborg, you will inevitably get tired of...
Exemplary
Inasmuch as this has a conclusion, it is correct in each individual point, but in aggregate misses the human element of security.
You don’t have to use a password manager to do that, whatever system works for you is fine. If you want to use a notebook in a desk drawer, that’s totally acceptable.
Unless you are a cyborg, you will inevitably get tired of laborious typing in your 16 character password from your notebook. You'll get tired of having to get your password whenever you need to login. You get tired of typing in long passwords on mobile.
You'll start to use lower entropy passwords, and to maybe even reuse them - after all, these accounts don't really matter, it's probably okay, right?
Same for "use your browser's password manager". The problem is that people log in to things other than websites. In particular, people have phones now, and I'd argue more people use a phone as their primary computing device now than a traditional computer.
The threat model just doesn't match up. Don't let perfect be the enemy of good. All the exploits are based around the sad path of the internet - but most people stay on the happy path now that the web is mature. People spend WAY more time on non-malicious websites rather than random pages as opposed to the earlier wild west days of the internet.
And on the happy path, by far the biggest danger is that one of the many websites with logins has shitty backend security and leaks passwords. Of course, people do fall off the happy path - phishing emails, crappy banner ads, whatever.
But the underlying implication that using an extension based password manager is worse than not having one just does not match the reality of the modern internet.
This article really nailed the "guy is sublimely convinced of his own brilliance, but only thought about his own use case." Also, the problem that he describes is actually really easy to get...
This article really nailed the "guy is sublimely convinced of his own brilliance, but only thought about his own use case." Also, the problem that he describes is actually really easy to get around - use the application outside the browser, and cut and paste. It is ever so slightly less convenient, but still much more convenient, and usable for multiple applications. Personally, my passwords are used perhaps only half the time in the browser, and I use them across 7 different devices. I'm not going to use Chrome's built in password manager; it doesn't actually solve any problems for me.
What I will say is that this works for my dad, who is in his 70s. I've got him to start using Chrome's password manager. That's a good solution for him. He uses his computer almost exclusively for the browser, so it makes sense. For most people that I've gotten onto password managers, the browser solution is not sufficient. Even my wife, who is a relative luddite, does not find it sufficient; she has multiple applications with passwords that need to be managed, and copying them out of chrome would be pretty awkward.
Anyways, I guess what I'm most interested in is how do these tech bros write things without giving any seeming consideration that they might not be correct, but then I realized that this guy works at Google, so that's probably it. Maybe I'm too cynical, but I imagine he isn't actually completely convinced, he's just selling.
That's on me; I wasn't trying to insinuate that that's how I interpreted it - I'm clear that he was writing it for tech folks. It makes the article doubly weird for me, since in my experience,...
Isn't it kind of weird to interpret this article as if the author were writing it for non-technical users?
That's on me; I wasn't trying to insinuate that that's how I interpreted it - I'm clear that he was writing it for tech folks. It makes the article doubly weird for me, since in my experience, what he's suggesting doesn't work for most of the tech folks that I know. I know that he's targeting tech folks, so I'm just not clear on how he came to this conclusion. Or I wasn't until I reflected on it a bit and figured out that this person works at Google, and is likely just spreading Google Koolaid.
It seems to me like an entirely legitimate concern if a browser extension's UI can be manipulated by a third party (i.e. someone other than the extension's vendor).
It seems to me like an entirely legitimate concern if a browser extension's UI can be manipulated by a third party (i.e. someone other than the extension's vendor).
I agree that there is a legitimate concern, but it's certainly not the only concern. There are also ways to work around this, as I spelled out above. If you don't mind a couple of extra clicks,...
I agree that there is a legitimate concern, but it's certainly not the only concern.
There are also ways to work around this, as I spelled out above. If you don't mind a couple of extra clicks, then you can almost completely mitigate the issue. Use your password manager without the browser integration and the password manager can no longer be manipulated. You are left with the (in my opinion) massively more convenient password manager, which syncs across devices, and has other valuable features.
Where this article, and so many others written by tech bros, fails, is that it assumes that there is one answer to the problem, and that they have found the answer. In reality, this is rarely the case; there are almost always a multitude of ways to figure out a solution to a problem, and almost all of them have pros and cons. I am not claiming that the solution offered in the article is a bad one - it certainly works for people. As I said above, it works for my father, it clearly works for the guy in the article, and there are probably lots of other people for whom this is a viable solution.
This whole type of article, where someone takes a complex issue and says, "I know the answer, it's [x]" are almost always not correct, because [x] is almost never the only answer. In this case, I would argue that the [x] from the article misses out on basic needs and usability for a lot of people. I haven't even touched on the fact that "use a password manager" is actually the first step in the right solution, which the author outright dismisses! Most of the rest of the solution is figuring out which password manager is the best fit for the user.
Edit: I made a slight change - I previously said that these articles aren't usually valuable but I changed it to these articles not being correct. This article is certainly valuable - if one didn't know about the issue with password syncing in browsers, and read this article, then one would have learned something. But the end solution is not necessarily correct - using the built-in is not necessarily the best answer. It's not necessarily not the best answer either.
Out of curiosity, where are you pulling this from? For me, after opening the browser it only takes 4 to get to my passwords. Menu -> Passwords -> Whatever site -> Copy. I struggle to see how that...
If accessing and using the browser's password management feature could be made easier and not, at least in Firefox, require something like six clicks after launching the browser, it'd be pretty much good enough for any normal user compared to something like KeePassXC or Bitwarden.
Out of curiosity, where are you pulling this from? For me, after opening the browser it only takes 4 to get to my passwords. Menu -> Passwords -> Whatever site -> Copy. I struggle to see how that could be slimmed down much more. On a phone it's even easier to use Firefox to manage your passwords if you download the separate Firefox Lockwise app. It'll fill your passwords for any app as well as the sites in your browser. Was more convenient for me than trying to manage KeePass, especially since it automatically syncs across all my devices securely.
Sure, but I don't think that's what the author is arguing for. I think the point of the article is arguing against extension-based solutions used with websites.
Sure, but I don't think that's what the author is arguing for. I think the point of the article is arguing against extension-based solutions used with websites.
Inasmuch as this has a conclusion, it is correct in each individual point, but in aggregate misses the human element of security.
Unless you are a cyborg, you will inevitably get tired of laborious typing in your 16 character password from your notebook. You'll get tired of having to get your password whenever you need to login. You get tired of typing in long passwords on mobile.
You'll start to use lower entropy passwords, and to maybe even reuse them - after all, these accounts don't really matter, it's probably okay, right?
Same for "use your browser's password manager". The problem is that people log in to things other than websites. In particular, people have phones now, and I'd argue more people use a phone as their primary computing device now than a traditional computer.
The threat model just doesn't match up. Don't let perfect be the enemy of good. All the exploits are based around the sad path of the internet - but most people stay on the happy path now that the web is mature. People spend WAY more time on non-malicious websites rather than random pages as opposed to the earlier wild west days of the internet.
And on the happy path, by far the biggest danger is that one of the many websites with logins has shitty backend security and leaks passwords. Of course, people do fall off the happy path - phishing emails, crappy banner ads, whatever.
But the underlying implication that using an extension based password manager is worse than not having one just does not match the reality of the modern internet.
This article really nailed the "guy is sublimely convinced of his own brilliance, but only thought about his own use case." Also, the problem that he describes is actually really easy to get around - use the application outside the browser, and cut and paste. It is ever so slightly less convenient, but still much more convenient, and usable for multiple applications. Personally, my passwords are used perhaps only half the time in the browser, and I use them across 7 different devices. I'm not going to use Chrome's built in password manager; it doesn't actually solve any problems for me.
What I will say is that this works for my dad, who is in his 70s. I've got him to start using Chrome's password manager. That's a good solution for him. He uses his computer almost exclusively for the browser, so it makes sense. For most people that I've gotten onto password managers, the browser solution is not sufficient. Even my wife, who is a relative luddite, does not find it sufficient; she has multiple applications with passwords that need to be managed, and copying them out of chrome would be pretty awkward.
Anyways, I guess what I'm most interested in is how do these tech bros write things without giving any seeming consideration that they might not be correct, but then I realized that this guy works at Google, so that's probably it. Maybe I'm too cynical, but I imagine he isn't actually completely convinced, he's just selling.
That's on me; I wasn't trying to insinuate that that's how I interpreted it - I'm clear that he was writing it for tech folks. It makes the article doubly weird for me, since in my experience, what he's suggesting doesn't work for most of the tech folks that I know. I know that he's targeting tech folks, so I'm just not clear on how he came to this conclusion. Or I wasn't until I reflected on it a bit and figured out that this person works at Google, and is likely just spreading Google Koolaid.
It seems to me like an entirely legitimate concern if a browser extension's UI can be manipulated by a third party (i.e. someone other than the extension's vendor).
I agree that there is a legitimate concern, but it's certainly not the only concern.
There are also ways to work around this, as I spelled out above. If you don't mind a couple of extra clicks, then you can almost completely mitigate the issue. Use your password manager without the browser integration and the password manager can no longer be manipulated. You are left with the (in my opinion) massively more convenient password manager, which syncs across devices, and has other valuable features.
Where this article, and so many others written by tech bros, fails, is that it assumes that there is one answer to the problem, and that they have found the answer. In reality, this is rarely the case; there are almost always a multitude of ways to figure out a solution to a problem, and almost all of them have pros and cons. I am not claiming that the solution offered in the article is a bad one - it certainly works for people. As I said above, it works for my father, it clearly works for the guy in the article, and there are probably lots of other people for whom this is a viable solution.
This whole type of article, where someone takes a complex issue and says, "I know the answer, it's [x]" are almost always not correct, because [x] is almost never the only answer. In this case, I would argue that the [x] from the article misses out on basic needs and usability for a lot of people. I haven't even touched on the fact that "use a password manager" is actually the first step in the right solution, which the author outright dismisses! Most of the rest of the solution is figuring out which password manager is the best fit for the user.
Edit: I made a slight change - I previously said that these articles aren't usually valuable but I changed it to these articles not being correct. This article is certainly valuable - if one didn't know about the issue with password syncing in browsers, and read this article, then one would have learned something. But the end solution is not necessarily correct - using the built-in is not necessarily the best answer. It's not necessarily not the best answer either.
Out of curiosity, where are you pulling this from? For me, after opening the browser it only takes 4 to get to my passwords. Menu -> Passwords -> Whatever site -> Copy. I struggle to see how that could be slimmed down much more. On a phone it's even easier to use Firefox to manage your passwords if you download the separate Firefox Lockwise app. It'll fill your passwords for any app as well as the sites in your browser. Was more convenient for me than trying to manage KeePass, especially since it automatically syncs across all my devices securely.
Sure, but I don't think that's what the author is arguing for. I think the point of the article is arguing against extension-based solutions used with websites.
You could use both?