[HN Gopher] Password Managers
___________________________________________________________________
Password Managers
Author : arthurmorgan
Score : 143 points
Date : 2021-06-05 18:52 UTC (4 hours ago)
(HTM) web link (lock.cmpxchg8b.com)
(TXT) w3m dump (lock.cmpxchg8b.com)
| ferdowsi wrote:
| It's curious that we haven't seen dedicated effort towards a
| consistent password autofill API in browsers, like what is
| present in Android. Even the Credential Management API seems to
| have not picked up traction for passwords, though it was extended
| for use with FIDO2 security keys.
| scrollaway wrote:
| Is there one present in Android? My understanding is password
| managers on Android and iOS abuse a11y interfaces. (I'm not a
| mobile dev)
| cianmm wrote:
| iOS has a dedicated API for password managers - Password
| Autofill (https://developer.apple.com/documentation/security/
| password_...). It presents passwords in password managers the
| same way it would passwords in iCloud Keychain.
|
| You still sometimes need to use the interfaces you mention,
| but increasingly rarely.
| InvertedRhodium wrote:
| The latest version of Android does, yes. Though they can
| still abuse the accessibility API for injecting password into
| applications that don't support this API.
| pta2002 wrote:
| This used to be the case, but somewhere around Android 7
| (might've been 8 or 9) added proper support for autofill
| services.
| devoutsalsa wrote:
| One attack vector is consolidating all your passwords into a
| password manager, and then being able to unlock the password
| manager on your phone w/ biometrics (e.g. face, fingerprint).
| foobarbazetc wrote:
| You still have to unlock your phone and any competent password
| manager makes you type the password at least once and has
| options for how often you have to.
|
| If someone has your phone and your phone passcode you're kind
| of hosed anyway.
| devoutsalsa wrote:
| Well someone can drug you and use your face while you're
| passed out, but they can't make your unconscious self share
| your pin code. This all assumes your attacker doesn't think
| to just scare you into sharing by threatening you with a
| hammer.
|
| I was actually thinking more about law enforcement being the
| most likely to try gaining access to your phone. They can
| make you use your face or fingerprint, but they can't force
| you to reveal your pin code.
| theshrike79 wrote:
| If your threat model includes someone using drugs/violence
| to get your passwords, then choosing the correct password
| manager is the least of your problems =)
| devoutsalsa wrote:
| Well the only time I've been mugged was by a cop, so
| there's that.
| 627467 wrote:
| I share the conclusion and for those friends and family who use
| chrome across devices I've been recommending to just activate 2FA
| (not sms) and use the built in password manager.
|
| But relying on chrome as password manager - even on Android - has
| drawbacks as it seems not to support all apps and fields one
| needs to.
|
| I personally use bitwarden because it seems to work - when I
| enable all assistive tech - on 99% of situations. I also don't
| use chrome anymore so using Google password manager isn't as
| useful.
| dtx1 wrote:
| This does not really discuss offline password managers like
| keepassx except for this one sentence
|
| > Conceptually, what could be simpler than a password manager?
| It's just a trivial key-value store. In fact, the simplest
| implementations are usually great. Good examples of simple and
| safe password managers are keepass and keepassx, or even pass if
| you're a nerd.
|
| I think keepass synched via nextcloud is a great solution, e2e
| encrypted, works basically everywhere (windows mac linux osx ios
| android) and it keeps the sync and backup in your hands. If copy
| and pasting a password or using autofill for keepass is too much
| to ask, then you probably don't care about security.
| randomlurking wrote:
| What is the difference between keepass synced by X and
| another service which is completely online? Simplified with
| keepass I have a) the database and b) an online accessible
| location for storage. If I use Bitwarden, I still have a) and
| b), right? So for keepass to be better it would need to be
| better (as in safer) for one of those. I'm not sure if that's
| the case (you can even selfhost both Bitwarden and nextcloud to
| have "trusted" storage, although it shouldn't matter). But: if
| you don't need multiple devices, Keepass is the surest choice.
|
| With that in mind, I'm rolling with Bitwarden (maximal security
| afaik and great usability - it's even linked with my iPhone)
| for personal stuff and keepass for work as I only have one
| machine I need passwords on. I don't like setting up something
| to sync a file if I don't need to, so I'd never use keepass for
| multiple devices
| codazoda wrote:
| One advantage is that the password manager encrypts the
| password database on your device. So the encryption part is
| decoupled from the online service part.
| JackGreyhat wrote:
| Using keepass would decouple password management from your
| browser. Bitwarden, for example, usually runs as a browser
| addon.
| gruez wrote:
| https://bitwarden.com/download/
|
| They seem to have desktop/mobile apps as well?
| dtx1 wrote:
| For one, it's completely free. I use a free nextcloud 1gig
| instance, you might use dropbox, onedrive, gdrive whatever. I
| don't think a trivial application like a password safe should
| require a personal server or a subscription, as the author
| rightly noted, it's not much more than a very, very small key
| value store
| kbuck wrote:
| I'm a little disappointed in the conclusion because there are
| more secure password managers out there that still offer the same
| level of convenience as the browser built-in password manager.
| Yes, if you use a password manager that's implemented entirely as
| a browser extension, you may as well use the browser's built-in
| password management features. However, if you're an advanced user
| and are comfortable using a separate password management
| application, there are options out there that don't force you to
| choose between a difficult-to-use app and the convenience of
| something in-browser.
|
| For example, exploiting a browser-based password manager likely
| means escaping the sandbox that contains web pages and accessing
| the shadow DOM. But this is still a larger surface area than
| 1Password, where the password selection menu (on Windows at
| least...) is actually rendered by an entirely separate process on
| the system. (I.e., clicking the icons that the extension displays
| triggers the 1Password desktop application to display UI at the
| cursor's current position. Picking a password from this UI will
| transmit it to the browser extension for filling. The password is
| only present in the browser's memory once you've interacted with
| the desktop application's UI.)
|
| As always, do your research. Don't get suckered into paying a
| subscription fee for a browser extension that offers the same
| functionality your browser has built-in. But realize that there
| are other options out there that _may_ actually be worth
| investing in.
|
| Disclaimer: I've been a happy 1Password customer for a few years
| now.
| bstar77 wrote:
| I'm also a 1password customer and curious how the attack vector
| of spoofing the 1password input icon can harm the user. They
| might be able to get your master password, but that doesn't
| mean they gain access to anything.
|
| Also, I never use that icon and exclusively use the shortcut.
| I'm curious if that can be spoofed somehow. But again, they can
| only get your master password. In the case of 1password, I'm
| pretty sure they would need direct access to the computer to
| gain access to your vault.
| kennywinker wrote:
| His conclusion seems off to me too. I got "Password managers
| that use content scripts are bad" not "password managers are
| bad".
|
| Edit: I just cracked open the 1password extension, and it does
| indeed use a content script. Glancing over the code I only see
| stuff related to locating which fields are the username and
| password field - but I was mistaken in thinking that they
| didn't use a content script.
| MonaroVXR wrote:
| I need to share my passwords between multiple devices and
| browsers, that's why I use a password manager. I have a second
| one, called: pass.
|
| But I didn't check to synchronise it with devices.
| mgarfias wrote:
| I tried to read this, but my head is too swimmy from all the
| allergy meds. I'll have to come back to it.
| prophesi wrote:
| tl;dr: browser extensions are bad therefore all password managers
| are bad
|
| Also find it odd the author uses Chrome, which doesn't even let
| you set a master password to E2E encrypt its password store.
| arkadiyt wrote:
| That's not true, you can set a sync passphrase which e2e
| encrypts your synced content (all of it, not just passwords).
| richardwhiuk wrote:
| It's usually encrypted with your Windows / Mac / Linux login
| password.
| MonaroVXR wrote:
| I use Linux (Fedora) and it doesn't do that? *
|
| *I have a password sentence.
|
| Maybe because my disk is encrypted and I need to fill in a
| password when I login.
|
| When I had auto login enabled, I had to fill in the Chrome
| password.
| RcouF1uZ4gsC wrote:
| > If you want to use an online password manager, I would
| recommend using the one already built into your browser. They
| provide the same functionality, and can sidestep these
| fundamental problems with extensions.
|
| What would be really great is if the major browser vendors would
| get together and come up with a way to do reliable, secure,
| cross-browser syncing of passwords.
|
| The main reason I use a password manager instead of the browser's
| password storage is because I use different browsers both on the
| same device and on different devices. I might use Firefox in my
| Linux desktop and Safari on my Mac. Using a third-party password
| manager allows me to have the same set of shared passwords on
| both.
| cosmotic wrote:
| The blog suggests using Chrome's password manager. I used MacOS
| KeyChain as my primary store and Chrome's password manager for my
| secondary store for years and finally gave up because KeyChain
| didn't work with Chrome or sync with anything (unless maybe I
| used iCloud) and Chrome only synced with and worked with Chrome
| and too often it didn't save passwords properly. For all other
| browsers, apps, or uses, Chrome password manager is useless.
|
| Fortunately I could export Chrome to CSV and use some third party
| applescript to export KeyChain and import into KeePassXC. It's
| not perfect but it's better than the built in stuff.
|
| Maybe W3C could standardize a protocol for password managers so
| we don't have this insane vendor lock in.
| foobarbazetc wrote:
| For what it's worth, the keychain now syncs with iCloud and
| across all your Apple devices and it's end to end encrypted by
| your system or phone passwords.
|
| The password interface in iOS has improved a whole bunch (tells
| you about weak passwords, reused passwords, etc) but doesn't
| support attaching a TOTP to an entry.
|
| Which may or may not be a big deal now that everyone is moving
| to U2F etc.
| rendall wrote:
| > _The blog suggests using Chrome's password manager_
|
| That's not what the article said
| howolduis wrote:
| what about Bitwarden?
| ajsnigrutin wrote:
| For my parents, I tell them to just write the password down on a
| piece of paper.
|
| If someone breaks in their house, they have a bigger problem than
| someone reading their emails, and since they live off government
| pensions, there is not a lot of money that can be stolen via the
| internet.
| Wowfunhappy wrote:
| I wouldn't be worried about someone breaking in, so much as the
| paper getting lost.
| tomger wrote:
| Given this advice I would
|
| - turn off any webpage integration LastPass does
|
| - still use LastPass to store my passwords in the cloud so I can
| share passwords between iOS apps and web.
| A4ET8a8uTh0 wrote:
| After building my new rig, I also made a successful jump from
| Windows 7 to PopOS. It was mostly a very smooth transition, but I
| am having real problems with replacing Password Safe I used on
| Win.
|
| I eventually defaulted to using FF for passwords, but it still
| feels wrong. Password Safe had password generators, space for
| notes.. lil things that I keep missing.
| r6203 wrote:
| I'm using KeepassXC [1] for that.
|
| [1]: https://keepassxc.org/
| hobos_delight wrote:
| I recently moved my passwords from an expired 1Password account
| to Bitwarden (right at the time they announced linux support
| actually, which was always the biggest thing I missed).
| Bitwarden has a FF extension and allows me to use it across
| mac/windows/linux.
| dijksterhuis wrote:
| I was looking at Bitwarden yesterday as I've been putting off
| moving over from LastPass and 1Password seemed weird with
| importing from it.
|
| Is Bitwarden decent enough? The fact that it has a cli, FF
| extension etc. on a free plan is pretty tempting.
| curmudgeon22 wrote:
| I've been a happy Bitwarden user for 2 or 3 years. Recently
| upgraded to the family plan for shared passwords and that
| is working well.
| howolduis wrote:
| Bitwarden is ALL you need. It's much better than all
| these paid apps.
| samsquire wrote:
| I don't think you need your password manager to inject the
| password into a web site for you. I think you can just copy and
| paste from Keepass.
|
| I want account management protocols so I can rotate all my
| passwords automatically via my password manager. That would be
| awesome.
| stunt wrote:
| If you are paranoid enough, you would think of Password Managers
| as an obvious must-have business to tap into for the NSA.
| jdeibele wrote:
| The major problem with the built-in password managers is that
| they don't store more than the password. If there's a site that
| has security questions, I use LastPass to keep track of the
| security questions and my answers. I have to do this because I
| don't give real answers to security questions.
|
| A minor annoyance is that Safari will not let me treat sites
| which use multiple domains as equivalent. So Discount Tire uses
| dt.com and discounttire.com but Safari flags this as a security
| problem because I'm using the same password with both. LastPass
| lets me set them as equivalent domains, though the process is
| probably too difficult for most people.
|
| LastPass made free users decide whether to use it either on
| computers or phones & tablets but not both. Because I use Firefox
| on my Mac, I used LastPass on computers. I rely on Safari to sync
| for my phone and tablet. I think it's inevitable that LastPass
| will continue making life more difficult for free users and I may
| end up with a flat file or Apple Notes file to store the security
| questions and answers.
| howolduis wrote:
| password managers? more like: why tf anyone would use chrome?
| chrisan wrote:
| > This problem is pervasive among online password managers, you
| can never be sure if you're interacting with a website or your
| password manager.
|
| Isn't this true for any scenario, password manager or not? If a
| site has been compromised without you knowing and you enter your
| password from memory, paste, or a password manager, that password
| is at risk.
|
| Is the author saying that he is able to access ALL passwords in
| the password manager via a single malicious site?
| richardwhiuk wrote:
| That's the vulnerability he's targeting, yes.
| pleb_nz wrote:
| Personally using a browser based password manager is too
| restrictive in that you need a browser to access passwords.
|
| I use passwords in a lot of places outside of browsers and often
| the interface I'm using has no browser capabilities.
|
| Understand using browser based password management if you only
| ever use passwords on the web. But I'm sure a lot of others, like
| me, need them outside of that context.
| 1cvmask wrote:
| I worked on the design of adding passwordless 2fa to the Saas
| Pass password manager. In addition the saas pass password manager
| identifies websites that you can add 2FA to as well.
| 1cvmask wrote:
| More details on adding 2fa to a password manager and figuring
| out websites and services you can add it to:
|
| https://blog.saaspass.com/saaspass-password-manager-authenti...
| makach wrote:
| First of all, a very interesting topic! Author is obviously
| someone with a lot of knowledge. Nevertheless he is employed at
| Google (https://en.wikipedia.org/wiki/Tavis_Ormandy) and
| recommends Chrome? ..combined with lack of references and
| research material this all seems a little bit sus to me.
| quesera wrote:
| > I use Chrome, but the other major browsers like Edge or
| Firefox are fine too. They can isolate their trusted UI from
| websites, they don't break the sandbox security model, they
| have world-class security teams, and they couldn't be easier to
| use.
|
| This is about as low-key of a recommendation as you can
| construct.
|
| Curious that he omits Safari though.
| xyse53 wrote:
| It says it's an opinion piece. He's written other more
| technical things elsewhere. One takeaway you can have is to
| combine the opinion with impressive track record... I think the
| opinion alone carries weight.
|
| I may be biased though because I agree with the opinion. I use
| a combination of my browser's support and `pass`.
| thomascgalvin wrote:
| > I use Chrome, but the other major browsers like Edge or
| Firefox are fine too.
|
| There's nothing sus here; he's saying that the password
| managers built into the browser use a more secure model than a
| plugin that uses javascript to communicate with a web page.
| That seems to be 100% accurate.
|
| If a Chrome dev had said we should use Chrome's password
| manager because Mozilla's is fundamentally broken, I would want
| more proof of that claim, but he did a fine job of explaining
| the vulnerabilities of a plugin versus a native manager.
| raldi wrote:
| I don't understand the Nordpass demo. What would double-clicking
| actually do?
| gruez wrote:
| Seems like a clickjacking attack. Presumably you can use this
| to reveal passwords for other sites, depending on how the ui is
| coded.
| raldi wrote:
| Sure, but where do the clicks actually end up?
| gruez wrote:
| The ui of the password manager, as demonstrated in the
| demo.
| raldi wrote:
| What parts of the UI of the password manager? What do the
| clicks actually _do?_ The demo doesn't show that; it
| just shows the mouse being followed by a "(i)". So what?
| What does clicking "(i)" do?
| Wowfunhappy wrote:
| > If you want to use an online password manager, I would
| recommend using the one already built into your browser. They
| provide the same functionality, and can sidestep these
| fundamental problems with extensions.
|
| Unfortunately, it also means I can basically never switch web
| browsers again, so it's an absolute non-option for me. I don't
| want to be locked into Chrome forever.
| jsnell wrote:
| Chrome's password manager has an export feature. Are you
| perhaps thinking of some other browser?
| Wowfunhappy wrote:
| Currently, I use Chrome on my desktop, mobile Safari on my
| phone, and Safari on my Macbook. I need to sync my passwords
| across them!
| xaduha wrote:
| Passwords are a lost cause. This doesn't mean that you need to
| give up on using good practices, just don't go overboard trying
| to plug all the theoretical holes. It's not all or nothing,
| sometimes it's OK to be good enough. For everything important you
| oughta use 2FA anyway.
| KronisLV wrote:
| > Passwords are a lost cause.
|
| I never really understood this. Ed25519 keys use SHA-512 and
| are considered secure. They're still just long secrets, aren't
| they?
|
| What's to prevent me from using a similarly long, randomly
| generated secret as my password, using a different one for
| every site? Because that's what I'm doing with KeePass.
|
| Backing up the auth database/file and having enough redundancy
| in place, as well as having a sufficiently secure master
| password take some effort, but the rest is just copying and
| pasting those long secrets when you want to log in.
|
| Of course, 2FA is a necessity for everything important as well,
| but it feels to me like the kinds of passwords that many people
| use are the problem, not the concept of passwords.
| nicoburns wrote:
| There is a difference between passwords and certificates: you
| have to send the password over the network every time you
| login, whereas the private key is never shared.
|
| But in general I agree with the rest of your comment.
| sascha_sl wrote:
| The difference is that you're never entrusting the
| authenticating party with any secret. Even if their entire
| full-cleartext database leaks, an attacker could not even
| authenticate against that _same_ site.
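
The difference nicoburns and sascha_sl describe above, as an added example that is not part of the thread: a constructed in-memory site stores either a password or an Ed25519 public key, and the demo checks what a full copy of each database is good for afterwards. `PasswordSite`, `KeySite` and `demo` are hypothetical names; the code assumes Node.js and its built-in `crypto` module.

```javascript
const nodeCrypto = require('node:crypto');

// Shared-secret site. It keeps the password in cleartext, the worst case
// named in the comment above; the secret also crosses the wire at every login.
class PasswordSite {
  constructor() { this.db = new Map(); }
  register(user, password) { this.db.set(user, password); }
  login(user, presented) {
    const stored = this.db.get(user);
    if (stored === undefined) return false;
    const a = Buffer.from(stored);
    const b = Buffer.from(presented);
    return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
  }
}

// Public-key site. It stores only the public key and asks the client to
// sign a fresh random challenge; the private key never leaves the client.
class KeySite {
  constructor() { this.db = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.db.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  login(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.db.get(user);
    this.pending.delete(user); // every challenge is single-use
    if (!nonce || !pem) return false;
    const key = nodeCrypto.createPublicKey(pem);
    return nodeCrypto.verify(null, nonce, key, signature);
  }
}

function demo() {
  // Constructed sample data: one user registered at both sites.
  const pwSite = new PasswordSite();
  const password = nodeCrypto.randomBytes(32).toString('base64');
  pwSite.register('alice', password);

  const keySite = new KeySite();
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  keySite.register('alice', publicKey.export({ type: 'spki', format: 'pem' }));

  // Normal logins succeed on both sites.
  const passwordLogin = pwSite.login('alice', password);
  const signature = nodeCrypto.sign(null, keySite.challenge('alice'), privateKey);
  const keyLogin = keySite.login('alice', signature);

  // Both databases leak in full. The password record is itself the
  // credential, so whoever holds the dump passes the check.
  const leakedPasswordAuthenticates = pwSite.login('alice', pwSite.db.get('alice'));

  // The key database holds nothing that can sign. A signature captured
  // earlier does not match the next challenge...
  keySite.challenge('alice');
  const replayedSignatureAuthenticates = keySite.login('alice', signature);

  // ...and a signature from any other private key fails verification.
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const otherSig = nodeCrypto.sign(null, keySite.challenge('alice'), other.privateKey);
  const foreignKeyAuthenticates = keySite.login('alice', otherSig);

  return {
    passwordLogin,
    keyLogin,
    leakedPasswordAuthenticates,
    replayedSignatureAuthenticates,
    foreignKeyAuthenticates,
  };
}
```

Hashing the stored password would change the database-leak result for a long random password, but not the fact that the server sees the secret on every login.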
| xaduha wrote:
| Don't cherry pick, read the rest of my comment. It wasn't at
| all about any individual password complexity, it was about
| password managers that work with browsers in context of the
| blog post.
|
| Out of curiosity, what does haveibeenpwned.com say about your
| most used email?
| ajsnigrutin wrote:
| One half of 2FA is a password.... saying 1/2 of that is a lost
| cause is stupid.
|
| Passwords are great, because they're in your head and can be
| changed at will (unlike biometrics), and phishing 2fa from (eg
| old people) is not any harder than phishing for a password.
| amachefe wrote:
| I used to like Chrome password manager, but since moving back to
| Firefox, I like their password manager more.
|
| I haven't been comfortable with other 3rd party password managers
| and their integration feels forced
| dogma1138 wrote:
| This somewhat overlooks the main threat model that password
| managers solve - leaked credentials.
|
| People can't remember 80 passwords so they reuse the same one,
| that password eventually gets leaked and 9/10 times it doesn't
| get leaked due to a targeted attack or a compromised machine but
| rather due to a breach of a service you signed up to.
|
| Sure password managers have issues, they don't solve user related
| errors and can even add to the attack surface of a machine they
| are running on but that's really not important...
|
| Using password managers and generating different passwords for
| each service reduces the blast radius from any breach.
|
| This is why I don't care if the password manager has the best
| encryption, or does it even encrypt at all or does it use the
| clipboard vs some more secure side channel. Yeah that's nice but
| that's not in my threat model.
|
| Which is why I don't care if your password manager is a
| spreadsheet, it's a terrible choice for a business because of their
| threat landscape and the fact that a spreadsheet won't allow you
| to audit who has access to what but for you or your mom even that
| is better than using the same password everywhere else.
|
| Heck at home print your passwords and store them somewhere
| safe... put them on a post note for all I care as long as you
| live alone or at least not with anyone you wouldn't want
| stumbling on that list...
| hsn915 wrote:
| How does this address the point of the article? Which is that
| you should use the browser's builtin password manager and not a
| third party manager that injects user scripts into all websites
| and breaks the sandbox model?
| true_religion wrote:
| If you are on Safari, your browser's builtin password manager
| is unfortunately Keychain and you cannot easily export your
| passwords out of keychain.
|
| Additionally, if you use two different browsers or operating
| systems you'll need a 3rd party tool to keep your passwords
| in sync.
|
| For me, that's why I use a 3rd party.
|
| ---
|
| Funny thing is though, I consider myself the 1st party. The
| website or app I am using is the 2nd party. Anyone else
| including the browser is a 3rd party. Neither Google, nor
| Apple, nor Mozilla, to name a few of the top browser-makers,
| are anything more than middlemen.
|
| I think it's better to trust them with _less_ rather than
| allow them to keep the passwords as well since they have no
| incentive to make them portable between competing browsers.
| 542458 wrote:
| The point is that while yes, many 3rd party password managers
| have issues, the overwhelming majority of attacks are not
| against password managers but against reused passwords - so
| honestly either the 1st or 3rd party choice is a win over
| using neither.
| H8crilA wrote:
| Ok so:
|
| 1) not use any manager => bad
|
| 2) use a 3rd party => pretty crap as the article says
|
| 3) use a built-in => great
|
| Why would you ever use 2? This is almost as bad as Bitcoin,
| which not only solves nothing but also destroys a ton of
| energy.
|
| I have never used a manager except for the builtins. And I
| would have never expected them (prior to reading this
| article) to be such utterly junk solutions to just inject
| additional code into the website itself. I thought there's
| a dedicated browser API or something.
| kennywinker wrote:
| 3rd party password managers have a bunch of useful
| features, which is why I use one. Here are the first few
| that come to mind:
|
| - portability, if I use chrome on my desktop, firefox at
| work, and safari on mobile I'm out of luck.
|
| - built-in password managers only work for websites - I
| store many non-website security credentials in my
| password manager
|
| - extra details - I often add the security questions for
| a site into my password manager
|
| - compromised password warnings (maybe some of the built
| in password systems do this now?)
| H8crilA wrote:
| 2, 3, 4 are handled by Chrome, for example. These really
| are trivial features that any decent corpo can get right.
|
| 1 obviously isn't.
| kennywinker wrote:
| Oh, yes, I forgot a pretty important one, I don't want to
| upload all my passwords to google. Offline storage, and
| direct device-to-device syncing.
| gruez wrote:
| That's only because there are more people who reuse
| passwords than people who use online password managers. As
| they're becoming popular, more cybercriminals are going to
| exploit it.
| hmsimha wrote:
| Speaking to the section on "Vendor claims"
|
| > An attacker (or malicious insider) in control of the vendor's
| network can change the code that is served to your browser, and
| that code can obviously access your passwords. This isn't
| farfetched, altering the content of websites (i.e. defacement) is
| so common that it's practically a sport.
|
| Is this actually true? For Lastpass, I would assume the code run
| in the browser comes from the extension directly, and (for
| Chrome), the extension comes from the Chrome Web Store. There are
| some problems here, but in theory the system could be improved so
| that modifications to the extension in Google Web Store are very
| obvious, and an attacker couldn't just inject code into the
| extension and update it without someone noticing immediately.
| sneak wrote:
| uncharitable tldr: Google employee says that for Chrome users,
| using the password manager in Chrome is your best option.
|
| He's a brilliant researcher, but I think he's wrong on this one,
| and the blog post is an appeal to authority and ends with
| basically a 'I've already heard your counter arguments and you're
| wrong'.
|
| He should show his work.
| yurlungur wrote:
| I have no complaints of keepass on my desktop. I tried using it
| on mobile but decided it wasn't worth the trouble to get it
| working as I wanted in terms of syncing and autofill. Instead I
| just use a select few logged in apps that I either memorize the
| password or use fingerprints. I don't really like the idea of
| syncing all my passwords with any online service.
| blfr wrote:
| The built-in browser password manager is the only one that ever
| made sense for me. You want the machine to verify the domain for
| you so you don't enter your credentials into some other site (no
| copying and pasting) and all third-party scripts are always
| clunky.
|
| I use Firefox with Lockwise[1] for Android and pass[2] as
| overflow for more involved secrets. This is a solo solution
| though that doesn't solve sharing these secrets with others.
|
| [1] https://www.mozilla.org/en-US/firefox/lockwise/
|
| [2] https://www.passwordstore.org/
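
What "the machine verifies the domain for you" can look like, together with the equivalent-domains setting jdeibele describes earlier in the thread for dt.com and discounttire.com. This is an added example, not part of the thread and not any browser's or password manager's actual code; `canonicalOrigin`, `credentialsFor`, the vault entries and the strict exact-host policy are assumptions made for illustration.

```javascript
// Constructed vault: every entry is bound to the origin it was saved on.
const SAMPLE_VAULT = [
  { origin: 'https://discounttire.com', username: 'alice', password: 'constructed-1' },
  { origin: 'https://mail.example', username: 'alice@mail.example', password: 'constructed-2' },
];

// Hosts the user has explicitly declared to be the same site.
const EQUIVALENT_HOSTS = [['dt.com', 'discounttire.com']];

// Reduce a URL to the parts the match is made on, or null if the page
// should never be filled. The URL parser lowercases the host and converts
// internationalised names to their xn-- form, so look-alike characters
// cannot compare equal to an ASCII host.
function canonicalOrigin(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'https:') return null;   // no fill over plain HTTP
  if (u.username || u.password) return null;  // userinfo before the real host
  return { host: u.hostname.replace(/\.$/, ''), port: u.port || '443' };
}

function hostsMatch(savedHost, pageHost, groups) {
  if (savedHost === pageHost) return true;    // exact host, no suffix matching
  return groups.some((g) => g.includes(savedHost) && g.includes(pageHost));
}

// Usernames of the entries that may be offered on pageUrl.
function credentialsFor(pageUrl, vault, groups = EQUIVALENT_HOSTS) {
  const page = canonicalOrigin(pageUrl);
  if (page === null) return [];
  return vault
    .filter((entry) => {
      const saved = canonicalOrigin(entry.origin);
      return saved !== null &&
        saved.port === page.port &&
        hostsMatch(saved.host, page.host, groups);
    })
    .map((entry) => entry.username);
}

// Constructed page URLs and what the matcher offers on each.
function demo() {
  const pages = [
    'https://discounttire.com/login',            // where it was saved
    'https://DiscountTire.com./login',           // case and trailing dot
    'https://dt.com/account',                    // declared equivalent
    'https://discounttire.com.login.example/',   // saved host as a prefix
    'https://discounttire.com@login.example/',   // saved host as userinfo
    'https://m\u0430il.example/',                // Cyrillic "a" in "mail"
    'http://discounttire.com/login',             // downgraded scheme
    'https://discounttire.com:8443/login',       // different port
  ];
  return pages.map((p) => [p, credentialsFor(p, SAMPLE_VAULT)]);
}
```

A human copying and pasting from a separate application makes none of these checks, which is the trade-off the comment above points at.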
| treszkai wrote:
| > and all third-party scripts are always clunky
|
| > I use [...] pass as overflow for more involved secrets
|
| Why don't you consider pass a third-party script here in this
| context? Don't you use the Firefox plugin passFF?
| zmmmmm wrote:
| I use unix pass as my "source of truth" and then individual
| browser password managers (mostly Firefox) as a local "cache" for
| sites where it is painful to manually go out to pass too often.
| Honestly it works brilliantly, pass syncs using git which I do to
| a bare ssh repo on a server I control (although it would be
| perfectly safe to put on github tbh).
|
| I really feel like people overthink this sometimes.
| teeray wrote:
| It's irritating to me that there's no standard integration
| between password managers and authentication elements on a page.
| We can do this correctly if we want. Furthermore, I'd love some
| standard programmatic way to change passwords and communicate
| complexity and rotation timelines. If I use a password manager
| anyway, it should just deal with changing my password if some
| organization decides to use a backwards rotation policy with
| specific special characters.
| xyse53 wrote:
| I agree that there will always be a need due to other bits of
| information, but IMO if you follow this train of thought for
| authentication specifically you wind up at "passwordless"
| WebAuthn.
| freitasm wrote:
| Malicious site
| freitasm wrote:
| Sorry, to clarify Norton raised an alert on this domain. So
| proceed with caution.
| ptomato wrote:
| yeah, funny how antivirus software would complain about the
| website of somebody known, among other things, for
| demonstrating a lot of security flaws in antivirus software.
| austinkhale wrote:
| How is Tavis Ormandy's blog a malicious site?
___________________________________________________________________
(page generated 2021-06-05 23:00 UTC)