[HN Gopher] Password Managers
___________________________________________________________________
Password Managers
Author : arthurmorgan
Score : 143 points
Date : 2021-06-05 18:52 UTC (4 hours ago)
(HTM) web link (lock.cmpxchg8b.com)
(TXT) w3m dump (lock.cmpxchg8b.com)

| ferdowsi wrote:
| It's curious that we haven't seen dedicated effort towards a consistent password autofill API in browsers, like what is present in Android. Even the Credential Management API seems to have not picked up traction for passwords, though it was extended for use with FIDO2 security keys.

| scrollaway wrote:
| Is there one present in Android? My understanding is password managers on Android and iOS abuse a11y interfaces. (I'm not a mobile dev)

| cianmm wrote:
| iOS has a dedicated API for password managers - Password Autofill (https://developer.apple.com/documentation/security/password_...). It presents passwords in password managers the same way it would passwords in iCloud Keychain.
|
| You still sometimes need to use the interfaces you mention, but increasingly rarely.

| InvertedRhodium wrote:
| The latest version of Android does, yes. Though they can still abuse the accessibility API for injecting passwords into applications that don't support this API.

| pta2002 wrote:
| This used to be the case, but somewhere around Android 7 (might've been 8 or 9) they added proper support for autofill services.

| devoutsalsa wrote:
| One attack vector is consolidating all your passwords into a password manager, and then being able to unlock the password manager on your phone w/ biometrics (e.g. face, fingerprint).

| foobarbazetc wrote:
| You still have to unlock your phone and any competent password manager makes you type the password at least once and has options for how often you have to.
|
| If someone has your phone and your phone passcode you're kind of hosed anyway.

| devoutsalsa wrote:
| Well someone can drug you and use your face while you're passed out, but they can't make your unconscious self share your pin code. This all assumes your attacker doesn't think to just scare you into sharing by threatening you with a hammer.
|
| I was actually thinking more about law enforcement being the most likely to try gaining access to your phone. They can make you use your face or fingerprint, but they can't force you to reveal your pin code.

| theshrike79 wrote:
| If your threat model includes someone using drugs/violence to get your passwords, then choosing the correct password manager is the least of your problems =)

| devoutsalsa wrote:
| Well the only time I've been mugged was by a cop, so there's that.

| 627467 wrote:
| I share the conclusion and for those friends and family who use chrome across devices I've been recommending to just activate 2FA (not sms) and use the built in password manager.
|
| But relying on chrome as password manager - even on Android - has drawbacks as it seems not to support all apps and fields one needs to.
|
| I personally use bitwarden because it seems to work - when I enable all assistive tech - on 99% of situations. I also don't use chrome anymore so using Google password manager isn't as useful.

| dtx1 wrote:
| This does not really discuss offline password managers like keepassx except for this one sentence
|
| > Conceptually, what could be simpler than a password manager? It's just a trivial key-value store. In fact, the simplest implementations are usually great. Good examples of simple and safe password managers are keepass and keepassx, or even pass if you're a nerd.
|
| I think keepass synced via nextcloud is a great solution, e2e encrypted, works basically everywhere (windows mac linux osx ios android) and it keeps the sync and backup in your hands. If copy and pasting a password or using autofill for keepass is too much to ask, then you probably don't care about security.

| randomlurking wrote:
| What is the difference between keepass synced by X and another service which is completely online? Simplified with keepass I have a) the database and b) an online accessible location for storage. If I use Bitwarden, I still have a) and b), right? So for keepass to be better it would need to be better (as in safer) for one of those. I'm not sure if that's the case (you can even selfhost both Bitwarden and nextcloud to have "trusted" storage, although it shouldn't matter). But: if you don't need multiple devices, Keepass is the surest choice.
|
| With that in mind, I'm rolling with Bitwarden (maximal security afaik and great usability - it's even linked with my iPhone) for personal stuff and keepass for work as I only have one machine I need passwords on. I don't like setting up something to sync a file if I don't need to, so I'd never use keepass for multiple devices.

| codazoda wrote:
| One advantage is that the password manager encrypts the password database on your device. So the encryption part is decoupled from the online service part.

| JackGreyhat wrote:
| Using keepass would decouple password management from your browser. Bitwarden, for example, usually runs as a browser addon.

| gruez wrote:
| https://bitwarden.com/download/
|
| They seem to have desktop/mobile apps as well?

| dtx1 wrote:
| For one, it's completely free. I use a free nextcloud 1gig instance, you might use dropbox, onedrive, gdrive whatever. I don't think a trivial application like a password safe should require a personal server or a subscription, as the author rightly noted, it's not much more than a very, very small key value store.

| kbuck wrote:
| I'm a little disappointed in the conclusion because there are more secure password managers out there that still offer the same level of convenience as the browser built-in password manager. Yes, if you use a password manager that's implemented entirely as a browser extension, you may as well use the browser's built-in password management features. However, if you're an advanced user and are comfortable using a separate password management application, there are options out there that don't force you to choose between a difficult-to-use app and the convenience of something in-browser.
|
| For example, exploiting a browser-based password manager likely means escaping the sandbox that contains web pages and accessing the shadow DOM. But this is still a larger surface area than 1Password, where the password selection menu (on Windows at least...) is actually rendered by an entirely separate process on the system. (I.e., clicking the icons that the extension displays triggers the 1Password desktop application to display UI at the cursor's current position. Picking a password from this UI will transmit it to the browser extension for filling. The password is only present in the browser's memory once you've interacted with the desktop application's UI.)
|
| As always, do your research. Don't get suckered into paying a subscription fee for a browser extension that offers the same functionality your browser has built-in. But realize that there are other options out there that _may_ actually be worth investing in.
|
| Disclaimer: I've been a happy 1Password customer for a few years now.

| bstar77 wrote:
| I'm also a 1password customer and curious how the attack vector of spoofing the 1password input icon can harm the user. They might be able to get your master password, but that doesn't mean they gain access to anything.
|
| Also, I never use that icon and exclusively use the shortcut. I'm curious if that can be spoofed somehow. But again, they can only get your master password. In the case of 1password, I'm pretty sure they would need direct access to the computer to gain access to your vault.

| kennywinker wrote:
| His conclusion seems off to me too. I got "Password managers that use content scripts are bad" not "password managers are bad".
|
| Edit: I just cracked open the 1password extension, and it does indeed use a content script. Glancing over the code I only see stuff related to locating which fields are the username and password field - but I was mistaken in thinking that they didn't use a content script.

| MonaroVXR wrote:
| I need to share my passwords between multiple devices and browsers, that's why I use a password manager. I have a second one, called: pass.
|
| But I didn't check to synchronise it with devices.

| mgarfias wrote:
| I tried to read this, but my head is too swimmy from all the allergy meds. I'll have to come back to it.

| prophesi wrote:
| tl;dr: browser extensions are bad therefore all password managers are bad
|
| Also find it odd the author uses Chrome, which doesn't even let you set a master password to E2E encrypt its password store.

| arkadiyt wrote:
| That's not true, you can set a sync passphrase which e2e encrypts your synced content (all of it, not just passwords).

| richardwhiuk wrote:
| It's usually encrypted with your Windows / Mac / Linux login password.

| MonaroVXR wrote:
| I use Linux (Fedora) and it doesn't do that? *
|
| *I have a password sentence.
|
| Maybe because my disk is encrypted and I need to fill in a password when I login.
|
| When I had auto login enabled, I had to fill in the Chrome password.

| RcouF1uZ4gsC wrote:
| > If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.
|
| What would be really great is if the major browser vendors would get together and come up with a way for reliable, secure, cross-browser syncing of passwords.
|
| The main reason I use a password manager instead of the browser's password storage is because I use different browsers both on the same device and on different devices. I might use Firefox on my Linux desktop and Safari on my Mac. Using a third-party password manager allows me to have the same set of shared passwords on both.

| cosmotic wrote:
| The blog suggests using Chrome's password manager. I used MacOS KeyChain as my primary store and Chrome's password manager for my secondary store for years and finally gave up because KeyChain didn't work with Chrome or sync with anything (unless maybe I used iCloud) and Chrome only synced with and worked with Chrome and too often it didn't save passwords properly. For all other browsers, apps, or uses, Chrome password manager is useless.
|
| Fortunately I could export Chrome to CSV and use some third party applescript to export KeyChain and import into KeePassXC. It's not perfect but it's better than the built in stuff.
|
| Maybe W3C could standardize a protocol for password managers so we don't have this insane vendor lock in.

| foobarbazetc wrote:
| For what it's worth, the keychain now syncs with iCloud and across all your Apple devices and it's end to end encrypted by your system or phone passwords.
|
| The password interface in iOS has improved a whole bunch (tells you about weak passwords, reused passwords, etc) but doesn't support attaching a TOTP to an entry.
|
| Which may or may not be a big deal now that everyone is moving to U2F etc.

| rendall wrote:
| > _The blog suggests using Chrome's password manager_
|
| That's not what the article said

| howolduis wrote:
| what about Bitwarden?

| ajsnigrutin wrote:
| For my parents, i tell them to just write the password down on a piece of paper.
|
| If someone breaks in their house, they have a bigger problem than someone reading their emails, and since they live off government pensions, there is not a lot of money that can be stolen via the internet.

| [deleted]

| Wowfunhappy wrote:
| I wouldn't be worried about someone breaking in, so much as the paper getting lost.

| tomger wrote:
| Given this advice I would
| - turn off any webpage integration LastPass does
| - still use LastPass to store my passwords in the cloud so I can share passwords between iOS apps and web.

| A4ET8a8uTh0 wrote:
| After building my new rig, I also made a successful jump from Windows 7 to PopOS. It was mostly a very smooth transition, but I am having real problems with replacing Password Safe I used on Win.
|
| I eventually defaulted to using FF for passwords, but it still feels wrong. Password Safe had password generators, space for notes.. lil things that I keep missing.

| r6203 wrote:
| I'm using KeepassXC [1] for that.
|
| [1]: https://keepassxc.org/

| hobos_delight wrote:
| I recently moved my passwords from an expired 1Password account to Bitwarden (right at the time they announced linux support actually, which was always the biggest thing I missed). Bitwarden has a FF extension and allows me to use it across mac/windows/linux.

| dijksterhuis wrote:
| I was looking at Bitwarden yesterday as I've been putting off moving over from LastPass and 1Password seemed weird with importing from it.
|
| Is Bitwarden decent enough? The fact that it has a cli, FF extension etc. on a free plan is pretty tempting.

| curmudgeon22 wrote:
| I've been a happy Bitwarden user for 2 or 3 years. Recently upgraded to the family plan for shared passwords and that is working well.

| howolduis wrote:
| Bitwarden is ALL you need. It's much better than all these paid apps.

| samsquire wrote:
| I don't think you need your password manager to inject the password into a web site for you. I think you can just copy and paste from Keepass.
|
| I want account management protocols so I can rotate all my passwords automatically via my password manager. That would be awesome.

| stunt wrote:
| If you are paranoid enough, you would think of Password Managers as an obvious must-have business to tap into for the NSA.

| jdeibele wrote:
| The major problem with the built-in password managers is that they don't store more than the password. If there's a site that has security questions, I use LastPass to keep track of the security questions and my answers. I have to do this because I don't give real answers to security questions.
|
| A minor annoyance is that Safari will not let me treat sites which use multiple domains as equivalent. So Discount Tire uses dt.com and discounttire.com but Safari flags this as a security problem because I'm using the same password with both. LastPass lets me set them as equivalent domains, though the process is probably too difficult for most people.
|
| LastPass made free users decide whether to use it either on computers or phones & tablets but not both. Because I use Firefox on my Mac, I used LastPass on computers. I rely on Safari to sync for my phone and tablet. I think it's inevitable that LastPass will continue making life more difficult for free users and I may end up with a flat file or Apple Notes file to store the security questions and answers.

| howolduis wrote:
| password managers? more like: why tf anyone would use chrome?

| chrisan wrote:
| > This problem is pervasive among online password managers, you can never be sure if you're interacting with a website or your password manager.
|
| Isn't this true for any scenario, password manager or not? If a site has been compromised without you knowing and you enter your password from memory, paste, or a password manager, that password is at risk.
|
| Is the author saying that he is able to access ALL passwords in the password manager via a single malicious site?

| richardwhiuk wrote:
| That's the vulnerability he's targeting, yes.

| pleb_nz wrote:
| Personally using a browser based password manager is too restrictive in that you need a browser to access passwords.
|
| I use passwords in a lot of places outside of browsers and often the interface I'm using has no browser capabilities.
|
| Understand using browser based password management if you only ever use passwords on the web. But I'm sure a lot of others, like me, need them outside of that context.

| 1cvmask wrote:
| I worked on the design of adding passwordless 2fa to the Saas Pass password manager. In addition the saas pass password manager identifies websites that you can add 2FA to as well.

| 1cvmask wrote:
| More details on adding 2fa to a password manager and figuring out websites and services you can add it to:
|
| https://blog.saaspass.com/saaspass-password-manager-authenti...

| makach wrote:
| First of all, a very interesting topic! Author is obviously someone with a lot of knowledge. Nevertheless he is employed at Google (https://en.wikipedia.org/wiki/Tavis_Ormandy) and recommends Chrome? Combined with lack of references and research material this all seems a little bit sus to me.

| quesera wrote:
| > I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don't break the sandbox security model, they have world-class security teams, and they couldn't be easier to use.
|
| This is about as low-key of a recommendation as you can construct.
|
| Curious that he omits Safari though.

| xyse53 wrote:
| It says it's an opinion piece. He's written other more technical things elsewhere. One takeaway you can have is to combine the opinion with impressive track record... I think the opinion alone carries weight.
|
| I may be biased though because I agree with the opinion. I use a combination of my browser's support and `pass`.

| thomascgalvin wrote:
| > I use Chrome, but the other major browsers like Edge or Firefox are fine too.
|
| There's nothing sus here; he's saying that the password managers built into the browser use a more secure model than a plugin that uses javascript to communicate with a web page. That seems to be 100% accurate.
|
| If a Chrome dev had said we should use Chrome's password manager because Mozilla's is fundamentally broken, I would want more proof of that claim, but he did a fine job of explaining the vulnerabilities of a plugin versus a native manager.

| raldi wrote:
| I don't understand the Nordpass demo. What would double-clicking actually do?

| gruez wrote:
| Seems like a clickjacking attack. Presumably you can use this to reveal passwords for other sites, depending on how the ui is coded.

| raldi wrote:
| Sure, but where do the clicks actually end up?

| gruez wrote:
| The ui of the password manager, as demonstrated in the demo.

| raldi wrote:
| What parts of the UI of the password manager? What do the clicks actually _do?_ The demo doesn't show that; it just shows the mouse being followed by a "(i)". So what? What does clicking "(i)" do?

| Wowfunhappy wrote:
| > If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.
|
| Unfortunately, it also means I can basically never switch web browsers again, so it's an absolute non-option for me. I don't want to be locked into Chrome forever.

| jsnell wrote:
| Chrome's password manager has an export feature. Are you perhaps thinking of some other browser?

| Wowfunhappy wrote:
| Currently, I use Chrome on my desktop, mobile Safari on my phone, and Safari on my Macbook. I need to sync my passwords across them!

| xaduha wrote:
| Passwords are a lost cause. This doesn't mean that you need to give up on using good practices, just don't go overboard trying to plug all the theoretical holes. It's not all or nothing, sometimes it's OK to be good enough. For everything important you oughta use 2FA anyway.

| KronisLV wrote:
| > Passwords are a lost cause.
|
| I never really understood this. Ed25519 keys use SHA-512 and are considered secure. They're still just long secrets, aren't they?
|
| What's to prevent me from using a similarly long, randomly generated secret as my password, using a different one for every site? Because that's what I'm doing with KeePass.
|
| Backing up the auth database/file and having enough redundancy in place, as well as having a sufficiently secure master password take some effort, but the rest is just copying and pasting those long secrets when you want to log in.
|
| Of course, 2FA is a necessity for everything important as well, but it feels to me like the kinds of passwords that many people use are the problem, not the concept of passwords.

| nicoburns wrote:
| There is a difference between passwords and certificates: you have to send the password over the network every time you login, whereas the private key is never shared.
|
| But in general I agree with the rest of your comment.

| sascha_sl wrote:
| The difference is that you're never entrusting the authenticating party with any secret. Even if their entire full-cleartext database leaks, an attacker could not even authenticate against that _same_ site.

| xaduha wrote:
| Don't cherry pick, read the rest of my comment. It wasn't at all about any individual password complexity, it was about password managers that work with browsers in context of the blog post.
|
| Out of curiosity, what does haveibeenpwned.com say about your most used email?

| ajsnigrutin wrote:
| One half of 2FA is a password.... saying 1/2 of that is a lost cause is stupid.
|
| Passwords are great, because they're in your head and can be changed at will (unlike biometrics), and phishing 2fa from (eg old people) is not any harder than phishing for a password.

| amachefe wrote:
| I used to like Chrome password manager, but since moving back to Firefox, I like their password manager more.
|
| I haven't been comfortable with other 3rd party password managers and their integration feels forced

| dogma1138 wrote:
| This somewhat overlooks the main threat model that password managers solve - leaked credentials.
|
| People can't remember 80 passwords so they reuse the same one, that password eventually gets leaked and 9/10 times it doesn't get leaked due to a targeted attack or a compromised machine but rather due to a breach of a service you signed up to.
|
| Sure password managers have issues, they don't solve user related errors and can even add to the attack surface of a machine they are running on but that's really not important...
|
| Using password managers and generating different passwords for each service reduces the blast radius from any breach.
|
| This is why I don't care if the password manager has the best encryption, or whether it even encrypts at all, or whether it uses the clipboard vs some more secure side channel. Yeah that's nice but that's not in my threat model.
|
| Which is why I don't care if your password manager is a spreadsheet, it's a terrible choice for a business because of their threat landscape and the fact that a spreadsheet won't allow you to audit who has access to what, but for you or your mom even that is better than using the same password everywhere else.
|
| Heck at home print your passwords and store them somewhere safe... put them on a post-it note for all I care as long as you live alone or at least not with anyone you wouldn't want stumbling on that list...

| hsn915 wrote:
| How does this address the point of the article? Which is that you should use the browser's builtin password manager and not a third party manager that injects user scripts into all websites and breaks the sandbox model?

| true_religion wrote:
| If you are on Safari, your browser's builtin password manager is unfortunately Keychain and you cannot easily export your passwords out of keychain.
|
| Additionally, if you use two different browsers or operating systems you'll need a 3rd party tool to keep your passwords in sync.
|
| For me, that's why I use a 3rd party.
|
| ---
|
| Funny thing is though, I consider myself the 1st party. The website or app I am using is the 2nd party. Anyone else including the browser is a 3rd party. Neither Google, nor Apple, nor Mozilla, to name a few of the top browser-makers, are anything more than middlemen.
|
| I think it's better to trust them with _less_ rather than allow them to keep the passwords as well since they have no incentive to make them portable between competing browsers.

| 542458 wrote:
| The point is that while yes, many 3rd party password managers have issues, the overwhelming majority of attacks are not against password managers but against reused passwords - so honestly either the 1st or 3rd party choice is a win over using neither.

| H8crilA wrote:
| Ok so:
|
| 1) not use any manager => bad
|
| 2) use a 3rd party => pretty crap as the article says
|
| 3) use a built-in => great
|
| Why would you ever use 2? This is almost as bad as Bitcoin, which not only solves nothing but also destroys a ton of energy.
|
| I have never used a manager except for the builtins. And I would have never expected them (prior to reading this article) to be such utterly junk solutions to just inject additional code into the website itself. I thought there's a dedicated browser API or something.

| kennywinker wrote:
| 3rd party password managers have a bunch of useful features, which is why I use one. Here are the first few that come to mind:
|
| - portability, if I use chrome on my desktop, firefox at work, and safari on mobile I'm out of luck.
|
| - built-in password managers only work for websites - I store many non-website security credentials in my password manager
|
| - extra details - I often add the security questions for a site into my password manager
|
| - compromised password warnings (maybe some of the built in password systems do this now?)

| H8crilA wrote:
| 2, 3, 4 are handled by Chrome, for example. These really are trivial features that any decent corpo can get right.
|
| 1 obviously isn't.

| kennywinker wrote:
| Oh, yes, I forgot a pretty important one, I don't want to upload all my passwords to google. Offline storage, and direct device-to-device syncing.

| gruez wrote:
| That's only because there are more people who reuse passwords than people who use online password managers. As they're becoming popular, more cybercriminals are going to exploit it.

| hmsimha wrote:
| Speaking to the section on "Vendor claims"
|
| > An attacker (or malicious insider) in control of the vendor's network can change the code that is served to your browser, and that code can obviously access your passwords. This isn't farfetched, altering the content of websites (i.e. defacement) is so common that it's practically a sport.
|
| Is this actually true? For Lastpass, I would assume the code run in the browser comes from the extension directly, and (for Chrome), the extension comes from the Chrome Web Store. There are some problems here, but in theory the system could be improved so that modifications to the extension in Google Web Store are very obvious, and an attacker couldn't just inject code into the extension and update it without someone noticing immediately.

| sneak wrote:
| uncharitable tldr: Google employee says that for Chrome users, using the password manager in Chrome is your best option.
|
| He's a brilliant researcher, but I think he's wrong on this one, and the blog post is an appeal to authority and ends with basically a 'I've already heard your counter arguments and you're wrong'.
|
| He should show his work.

| yurlungur wrote:
| I have no complaints of keepass on my desktop. I tried using it on mobile but decided it wasn't worth the trouble to get it working as I wanted in terms of syncing and autofill. Instead I just use a select few logged in apps that I either memorize the password or use fingerprints. I don't really like the idea of syncing all my passwords with any online service.

| blfr wrote:
| The built-in browser password manager is the only one that ever made sense for me. You want the machine to verify the domain for you so you don't enter your credentials into some other site (no copying and pasting) and all third-party scripts are always clunky.
|
| I use Firefox with Lockwise[1] for Android and pass[2] as overflow for more involved secrets. This is a solo solution though that doesn't solve sharing these secrets with others.
|
| [1] https://www.mozilla.org/en-US/firefox/lockwise/
|
| [2] https://www.passwordstore.org/

| treszkai wrote:
| > and all third-party scripts are always clunky
|
| > I use [...] pass as overflow for more involved secrets
|
| Why don't you consider pass a third-party script here in this context? Don't you use the Firefox plugin passFF?

| zmmmmm wrote:
| I use unix pass as my "source of truth" and then individual browser password managers (mostly Firefox) as a local "cache" for sites where it is painful to manually go out to pass too often. Honestly it works brilliantly, pass syncs using git which I do to a bare ssh repo on a server I control (although it would be perfectly safe to put on github tbh).
|
| I really feel like people overthink this sometimes.

| teeray wrote:
| It's irritating to me that there's no standard integration between password managers and authentication elements on a page. We can do this correctly if we want. Furthermore, I'd love some standard programmatic way to change passwords and communicate complexity and rotation timelines. If I use a password manager anyway, it should just deal with changing my password if some organization decides to use a backwards rotation policy with specific special characters.

| xyse53 wrote:
| I agree that there will always be a need due to other bits of information, but IMO if you follow this train of thought for authentication specifically you wind up at "passwordless" WebAuthn.

| freitasm wrote:
| Malicious site

| freitasm wrote:
| Sorry, to clarify Norton raised an alert on this domain. So proceed with caution.

| ptomato wrote:
| yeah, funny how antivirus software would complain about the website of somebody known, among other things, for demonstrating a lot of security flaws in antivirus software.

| austinkhale wrote:
| How is Tavis Ormandy's blog a malicious site?

| [deleted]

___________________________________________________________________
(page generated 2021-06-05 23:00 UTC)