12 votes

What I Learned Trying To Secure Congressional Campaigns

3 comments

  1. Deimos

    Great article, as always.

    I think one of the key points is how awful password managers are for non-technical people to use. It's not necessarily the developers' fault because it's difficult to interact with all the things they need to, but it makes it practically impossible to get someone to use one unless they're technical enough to be able to figure out all the random issues that come up all the time.

    I'd love to be able to get some non-technical family/friends to use one, but there are just way too many times that showing someone how to use a password manager goes something like: "Okay, so now you've generated a password and you click 'Register' and... oh hold on, the page redirected for some reason and the pop-up to save the account info is gone, so, uh... well, I think there's a generated-password history page somewhere, let me just look through the Settings area even though it's not a setting... okay, there it is, so it should be this one. I'll just copy that and now I have to create a new vault entry for the site manually by typing in everything and pasting this password in there, and then..."

    It's terrible, because a password manager that would just work and stay out of the way could make such a huge difference to general account security, but they all seem to still be difficult to use and require you to have a pretty good understanding of what's going on to be able to deal with random problems.

    7 votes
    1. clerical_terrors

      I think even the larger password managers like LastPass, Dashlane, or Onepass are in this unenviable position of having to interface between the user's browser and the website via JavaScript, meaning there are one hundred and one breaking points which could be the fault of either them, the user, or the site itself.

      To give a clear example: I use LastPass, and one of the big issues I've been having recently is the fact that my school's Blackboard implementation uses password-protected digital tests. Meaning any time I enter the provided password in the respective field, LastPass sends me a notice asking me if I want to add it as the password for the website. If I did have my password stored (I don't, since it controls ALL University app access) and accidentally clicked yes, I'd override my password and would have to go back into the database and change it back to the real one.

      Something like KeePass I've found sometimes works better in those instances, because it is separate from the browser window and so less prone to these kinds of accidents, but at the cost of ease of use (not to mention KeePass' interface isn't easy to parse at first).

      4 votes
  2. rkcr

    I love how this article highlights security theory vs practice. You can come up with best practices that lock out all but the savviest hackers and it won't matter one bit because most people don't know the first thing about digital security.

    5 votes