Ask HN: How do password managers make things better?
If I use a password manager (1Pass, LastPass, etc.), then all my passwords are in one place. There is literally One Password To Rule Them All™.
How is this less dangerous than the alternative?
How is this less dangerous than the alternative?
41 comments
[ 2.6 ms ] story [ 104 ms ] threadMost people use simple passwords like cat12345. Or they use more complex passwords but share them between sites. Pw manager fixes that.
It's not perfect, but for most of us it's much better than most obvious alternatives.
I use the online version. There's a browser plugin.
To venture a few theoretical mitigation turtles down, one could keep a string in their head that they type in before pasting the password from their database meaning that the database only has part of the password. Some might consider that too much friction and some might see that as a fun prank for the password database vendors that theoretically work for intelligence agencies.
Companies are using these for their convenience (AD based access to passwords, without even knowing the actual pswds). Individuals can also have great benefits as they can shuffle their pswds, get notified about weak pswds, or breaches.
How about 1Password?
It could be mitigated with recovery procedures using a backup code + waiting time, but at that point it wouldn't be zero knowledge.
Even where that's not true, the tradeoff with a password manager is in strengthening defenses broadly in exchange for a more central point of failure, compared to weak defenses all around but no single point that gives everything away. The idea being that you can remember one, really good high entropy password, vs. having a bunch of weak passwords.
Of course, the theoretical ideal would be having lots of different strong passwords, but that's not how human memory works.
Buy a domain and set up a catch-all email address, use a unique one for each service. Alternative options exist as well (Apple's "Hide My Email" for ex.)
Don't do the "add a plus sign at the end of your username to create unique addresses" thing. You still have a single point of failure and it causes weird bugs in poorly designed email addresses validation.
The only benefit is that when a website decides to sell your data or leak it, you know who is to blame and you can block that one e-mail they send the spam to.
Password managers offer convenience for "don't reuse passwords". You want to "don't reuse emails" become the norm? Implement a tool that removes all the hassle.
The security risk in general is not that your main password is guessed or cracked. It’s that a shared password is compromised.
Having said that as someone else mentioned in this post, your email password reset flows become a point of failure: if someone can get into your email address, they can essentially reset your password to whatever they want. This is why I also enable 2FA on every site I can, and have recently started using unique email aliases per website.
I'm considering getting a couple of YubiKeys instead of using something like Google Authenticator, but not really sure if that would result in a more secure setup overall yet.
The only security feature that password managers bring to the table is eliminating password reuse. Some will monitor for breaches, but you can also do that yourself.
There are also conveniences, which is why I use one.
The best way I've managed to come up with is to use a password manager but then secure the hell out of it by using hardware keys as a second factor to access it, and only allowing getting around that with a printed out backup key.
This way you have the convenience of all the passwords as you need them on verified devices, but strong security (+ inconvenience) if you want to access them on a new device.
I did this, then my phone broke and I was the only one with access to a particular system at work. It was miserable getting back in. I think harder about how I set myself up now.
Most websites including financial ones fail on the second point. And it worries me because SIM swapping is real and does happen to people you know.
I won't spoil it, but I will say that everything suddenly clicked in. Password managers solve so many problems at once, including problems we don't intuitively understand. Contrary to other comments here, password managers aren't " a trade off between security and convenience", security is a process and not a tool, and password managers regiment a very important process of password security for regular people.
For me password manager is all about practicality.
For the former, use auth app-based 2FA against your master password to guard against unwarranted access, preferably using a physical key.
For the latter, review the security protocols your third-party provider specifies for how they protect your data. That should give you confidence about the likelihood of database leakage. If even that doesn't give you confidence, look at keepass where you can control where and how your passwords are stored.
Remember: you always had a password database in one place (your head), you just leaked information about it everywhere because you invested in a mnemonic for easy lookup. With a password manager, you've only increased the number of database accessors by one while guaranteeing significantly less leakage of your mnemonic, which was always the most likely danger.
There are a few ideas, first is as you mentioned, it’s 1 password to remember, the rest can be randomly generated and you don’t need to know them.
In the case of 1Password, data is stored at rest, if the vaults locked it can’t be read, well, not easily.
Auto fill helps detect phishing attempts, if the domain is different 1Password won’t auto fill
It also can detect breaches and store TOTP if that tickles your fancy.
Auto fill is the key point of a good password manager, it makes entering logins trivial, I use biometrics to unlock on all my devices, then it fills in my details for me and away I go.
In my case we use 1Password for families .. which means my SO and kids also use it. Good password management from the get go is well worth it. It works on all your devices and automatically syncs across all of them.
Remember the alternative for most people is using the same password on every single site. When a password (along with your email) is leaked from one website, then people can gain access to whatever other sites you use the same email/password combination on.
AFAIK there is no way to prove that the cloud storage only stores an encrypted version at all times. Even if i audited the source and checked the network activity a few times, all it would take is one auto update that skips encryption, uploads the unencrypted passwords to a server and then restores the original binary. The only proof would be a network request if i was even actively logging and monitoring every single outgoing packet.
So even if someone had access to my password manager, the passwords in there are just partials.
- One password per service, so if a service leaks it it affects nothing else.
- Super strong passwords, random long passwords way beyond what I can remember making them more secure from guessing/brute forcing.
Indeed, if someone gains access to your password manager you are not going to have a good time. So you have take all necessary precautions like 2FA, and even better hardware security keys, and you have to put trust in the service you use, they should be stored encrypted etc etc.
If it's less dangerous depends on your situation and what you are defending against. For me and I think for most "normal" folks, it's much safer as most risk comes from having bad passwords, reusing passwords, and services leaking your reused passwords.
That's the big question: what is the alternative? In most cases, it's way worse.
Another mitigating factor is that for important services you should enable 2fa anyway. If you keep your 2nd factor out of the pw manager (hardware security keys!) you add another layer.
I have just one ridiculous master password that I have memorized (1Password has a great blog post talking about how to use the diceware method to pick a truly random yet fairly easy to memorize master password). With just that one password there is now not a penalty to keep individual, random passwords on all my accounts.
Password managers like 1Password are also integrating google auth support for two factor authentication and again in iOS in particular it's a VERY seamless experience to authenticate with 2 factor. macOS Monterey brought some further integrations but it's still not as seamless as iOS.
And I think that's what's really key - it's not like we all don't know passwords are a pain in the ass. OS vendors need to keep stepping up and making integrations with things like password managers easier until we finally come up with something that can replace them.
This year, I’ve had to work with different laptops (linux and Macs) and switch my browser up a few times.
I’m so glad I was already moving away from iOS’s built in password manager before my old mbp died and I had to replace it with a borrowed linux laptop which got replaced with my wife’s decade old linux laptop, which finally got replaced with an M1 air.
I can’t imagine the world of pain if only ios knew my passwords. The above hops would have been impossible!