Ask HN: Is there a future in which password management is sane?
Password management is just terrible. Vulnerable populations stand no chance against social engineering. Password manager apps are okay but the UX is pretty awful especially for non-computer savvy folks. People who think about this a lot -- is there a sane future?
55 comments
[ 2.9 ms ] story [ 115 ms ] thread1. They would not believe it works 2. They would steal my clear text file containing all my secrets.
And also, it is complete foolishness to have a third party in possession of passwords. At least use a different one for every site for the kids who grab the rando plain text keystore on rando site.
No detail about me is secret. I always am assured that God knows all. And Angels probably hate it when I look at dirty pictures and worse.
I have no problem with your choices assuming I'm not wrong and I merely observe 2fa doesn't detract from this, and that bitwarden can be run as a server on your own hardware should you chose, or you can hand distribute the keys. The only advantage is prefilling and you may not care enough.
I sleep easy knowing that all my secrets and my os is made by all organic free range programmers who never get mad they are being taken for a ride. But for a good cause you see. Software freedom is very important. Until that day bills need to be paid and you see, sometimes ingredients to computer food are not on the box.
Oh hopefully I can tack on one last thing I think is just hard to ignore. Secret passwords in plain text are horrible I think people can agree. But people store many life details in clear files open at least to daemons and lots of little codes see even if on an encrypted drive. Think of things like tax returns, insurance forms, records for all kinds of things. Come to think of it, I never really safe guarded any of that stuff more than my plain text file that was actually encrypted and everything at one time. But no longer.
And then finally, in my system dirs I have over 500,000 files. If open source is secure like a bazaar is, there couldn't be Ali Baba and 40 thieves in there someplace? Really? Sometimes ignorance is bliss.
Until it isn't any more.
Also, password managers are just easier than copy and paste.
But don't you think quantum computers are mature somewhere by now? If you had one and you had secrets to maintain, would you be the one to spill the beans even if a VIP planning a war? I doubt the news will come as a result of a bank heist or a 51% attack. This is a Jinn that will never go back to the bottle it came from.
RSA was passed on a long time ago and AES is pretty old. I don't think people can really grasp how much progress has been made. Most people I encounter have no idea that video can be completely faked. Recently I heard an old lady explain that video evidence is basically truth. Notice how easy the eyes are fooled.
For those who have ears, may they hear.
Hopefully my parent post doesn't vanish. I realize this is a tough pill to swallow. I am pretty sure we will all have to swallow it soon.
Nope. No I don't. The amount of compute required to actually operate on Shor's algorithm is immense, to the point that it's probably smarter, faster and cheaper to bruteforce with traditional HPC these days.
We'll go back to difficulties in exchanging secrets. But encryption as a whole will still work.
My grandfather needs help to connect to wifi. Doesn’t own a cell phone. Didn’t know how to get rid of a bad extension. He does just fine with Google.
Google keeps passwords for websites and for Android apps in the same place, and you can view them both at https://passwords.google.com/
Nothing will get better because most organizations are on autopilot, only doing "best practices" even when those practices don't make any sense. For instance, typing passwords blind. It exists because CRT terminals had a wide field of view. Flat screens have a marrow field of view, and further, in the form of cellphones, are small and held close to the face. There is no reason to require blind password entry, yet it persists. All of this points to stasis, nothing getting better, and the situation probably getting worse, since there's no upside for anyone contradicting "best practices".
And, to be fair, a certain % of the population does.
I haven’t thought about passwords in at least 5 years since I started using Apple + iCloud. Apple has native password management baked into everything. My face or thumb logs me in, whether I’m using laptop or phone. When creating accounts I just use the auto-fill and generated password.
Oh, and some places don't allow "special" characters - so you have to remember multiple algorithms and counters.
It gets tiresome and unwieldy quickly.
One obvious reason is a data breach. But are they so common to be of concern?
I have a dead simple tool to generate secure scrypt hash and encode it to letters+digits+symbols.
And I do not remember my counter / rules. Whenever I need a password, I just use the default parameters, if the password fails - I could just increase counter few times until it succeeds.
Let's be real, if a service gets 5+ data breaches in less than a decade - it should be avoided.
The first leak with unhashed password will reveal your formula. Now you need to replace all passwords everywhere anyway.
Worked for me for 20 years.
Devices which support these authentication method need to become ubiquitous and their APIs need to be open and widely integrated with, including by web applications and laptop/desktop applications.
There are some hard problems to solve in the way.
You either need to make a central authority that manages the scan data or you need to figure out a way to cryptographically hash the output of a biometric scan such that it can be reliably checked against a stored value in a database. Or perhaps our AI experts on HN could comment on if there is a not too computationally expensive verification method…
But it would be nice. Overtime users could remember less.
It’s only a matter of time that retinas can be scanned too with precision cameras.
Not secure at all. You can be coerced physically to unlock something private/secure. Security should always be a combination of something you know and something you have (2FA).
Additionally, requiring a central authority to manage security is just _asking_ for trouble. Passwords work because of how de-centralized it is. Biometrics and physical-only tokens will fail the minute people realize they can just steal that data and use it to unlock everything centrally.
What we need are better tools to manage passwords in a more transparent way.
What the heck then? Here come rando guy again talking foolishness.
It's like this, what would you trade for safety? And ultimately if doing so made people that didn't make that trade incredibly vulnderable and by nature your foe? Is love at all important? One thing to note is that anyone who has studied love knows it has little to nothing to do with a carnal relation. My parents loved me when I was totally unlovable as a baby maybe but also as a full grown adult.
You can see it right here in fact. I'm not writing this to make myself popular. I'm writing this because I love people. Even people that hate me. Besides perhaps someone might have reason to hate me. Some people hate everyone, they are known as misantropes. Others can't deal with women and they become misogynists. Others are always outraged and it spills out to someone and rifts appear.
Okay, hopefully I can get to the so called solution to the so called problem of internet security which is a problem as much as the entire internet has become now.
The solution you will be presented with is the distinct pattern that is found on your right hand or on one of your eyes. Both of these patterns are so unique that I can't really find anything else more unique than them besides a DNA sequence.
I don't want you to be afraid. I want you to consider that once this is done, your uniqueness no longer belongs to you. It really never belonged to you in the first place. You could basically give something to a power bent on crushing us all that God made only for you. If a man gives up his soul for gaining the whole world, he has no soul to enjoy. You can't bring money and cool shit to heaven. But there is something you can bring. You can bring not only yourself but people you love. And you will see all kinds of people there you may not expect. I hope you can appreciate the fact that love and gratification are not the same. Don't forget someone did love you when you didn't deserve it.
I sure didn't deserve grace or love.
It's going to take time but people are going to have to get used to needing n+2 things to log into their accounts (username + password + MFA).
It starts with you managing your security, not looking for someone to dish this responsibility off onto.
My phone gives me a popup on text boxes to enter credentials. There's also a bitwarden button on my keyboard. I scan my thumb and it signs me in.
On my desktop browser, I get a badge on the bitwarden button when it detects a site it has credentials for. Two clicks signs me in. Three if my session times out and I need to put in my master password.
I have a single unique and complex password that I have to remember, and I have recovery keys stored in a physically safe location.
Bitwarden generates complex passwords with a single click, and has excellent integration with the browser.
Password management is sane. You can just use a good password manager and understand how to protect your single master password. Which basically just means never, ever type that password into anything other than your password manager.
ETA: bitwarden also syncs seamlessly between my half dozen different devices/installs. It works everywhere, and if I really cared to I could set up my own server so as to not rely on Bitwarden's infrastructure.
No there isn’t. Passwords are fine. Password managers are good enough. It takes only minutes to learn the following flow:
1) Reset password
2) Type in the new password into the app (many people are too lazy to do this)
3) Open password manager
4) Copy and paste the password into the text field
That’s all. If people can’t figure this out then quite frankly I don’t understand how they function in other areas of life.
In Europe, there is eIDAS [1], but for now this seems limited to governmental organizations, and well, to Europe.
[1] https://en.wikipedia.org/wiki/EIDAS