Ask HN: If you're not using a password manager tool, what's stopping you?

9 points by tim_nuwin ↗ HN

29 comments

[ 4.4 ms ] story [ 69.3 ms ] thread
1. Disbelief in encryption tech used for the tool.

2. No guarantees that it won't be vulnerable at some point.

Would you be more apt to use a password management tool if you hosted the service yourself?
You mean have it access my home server from the outside when needed? (shiver)
I would use any tool I can compile myself and run on my local computer.
I use different passwords for almost every site and so if one is compromised my risk is fairly limited. If the password manager was compromised in some way it would raise my exposure significantly.
Do you remember all your passwords in your head?
Not all, the rarely used (but needed) ones are stored, and I am old school, they are printed and stored in a safe. But the ones I use every week, yea, I remember them. Part of my ability to do that is I also shutdown accounts if I am not actively using them to keep it a manageable number. Mostly because there is no way I could remember too many at once and not screw up by having some easily guessable pattern.
I am using a password tool, and I wish it provided the following:

1) Seamless sync between my devices. I want to be able to access my accounts on any laptop or mobile device. I use a BlackBerry, so good luck with that! (I can sideload the Android app, if that helps. :P)

2) Automatic encrypted backups. Sure, I can throw the database into Dropbox or something, heck I can set it up to sync back to my tarsnap account. But if you do this for me, I'll pay you.

3) Shared accounts. This is useful in two scenarios:

a) Accounts & passwords for use within teams/companies/etc.

b) Sharing accounts with my wife.

Right now, she doesn't have full access to my financial accounts. I really want to change that. Make it easy for me to do that.

4) Dead Man's Switch. IMO, the value of a centralized password manager is this last feature. Heaven forbid that I'm no longer around, I'd like my family to have access to my complete online & offline life to take care of things as needed.

Thanks for the feedback HorizonXP! Does SAML integration matter to you?
No problem.

Considering that I had to look up what SAML was, no. That said, it looks interesting, but follow what your customers are asking for. If they're asking for it, then do it.

I am using Mitro, it has all of the features you wanted except the Dead Man's switch, but you could probably overcome that with shared accounts.

https://www.mitro.co

I also use Mitro. It is free, has strong crypto, allows sharable secrets, works cross-platform.

I wish there was an API. I would use it for storing integration test accounts.

Convenience.

Trust.

Fear that the tool (or database) will become corrupted and lose all of the passwords that are stored in it.

Don't trust a 3rd party with my passwords.
How about if you hosted the service on your own server?
Setting up and securing a server would be a lot of extra work, and then also wouldn't trust the 3rd party software that would need to run. Not trying to be a negative nelly, just giving honest feedback.
It doesn't stop me from using one but I am frequently forced to use the clipboard to get the password into the software I want. So integration is a big pain point.
I don't use a password manager tool because I don't feel I need to. I take a kind of algorithmic approach to generating unique passwords for each site I use. I have a root password which contains the usually required alphanumeric with an upper case letter and some special characters. The rest of the password is based on the site or service I'm logging into.

A really simple example would be:

cabbage123!face <- Facebook cabbage123!goog <- Google cabbage123!twit <- Twitter

I only have two things to remember - the root part of the password and the way to generate the last part. Obviously, just using the first four characters isn't the best idea, but you can change that part to whatever you want to - it's kind of your own secret key.

2 problems;

1) Some sites place rules on the password. A bank I used limited passwords to 6 characters! Can believe someone thought that was a good idea.

2) If you use this on random sites someone might pick up the format quite easily if they are targeting you. I'd suggest using layers of 'root' so random sites you sign-up use one root (e.g. HN), mid-security sites use another root (e.g FB), and high need for security sites use a third root (Financial). I do something like this to limit risk and it's not too hard to remember.

Regarding the single point of failure which I believed previously was a problem with password managers, Voxic11 explained otherwise a couple months back in a previous thread:

"LastPass and other password services don't actually store your information in any way they can read them. What they do is store the password information as a encrypted blob and the public key derived from your password. When you "log in" you actually are running the key derivation function on your password locally then signing a message with your private key and sending that to Lastpass. When they receive the signed message they check it against your public key and if it passes they send you your password information. Which you then decrypt clientside. So anyone who compromises lastpass gets nothing except a bunch of encrypted blobs and public keys. The only way to get at your lastpass information is to retrieve the unencrypted copy off your computers memory, but if a hacker can do that they can just steal your passwords as your type them in anyways."

> 1) Some sites place rules on the password. A bank I used limited passwords to 6 characters! Can believe someone thought that was a good idea. That's true, but I haven't recently come across a service that I want to use on a regular basis which has that restriction. If I do need to sign up to a site which has a similar restriction it's normally something I'm going to use once so I use a garbage password and rely on their password reset mechanism if I need to use the service again.

2 is a good idea and I'll start doing that. It still keeps what you need to remember to a minimum while adding greater uniqueness to passwords.

What happens if you suffer a memory-loss causing brain-injury?
What happens if you suffer that and lose the master password to your password vault?

His method, though flawed in other regards, would potentially work out better for this problem--if he could work out one password, he could probably guess at the rest.

I like the concept, I've just never had the patience to go through the entire on-boarding procedure for any of them.
I don't, because I don't feel comfortable with the idea of a single-point-of-failure for all my passwords. I'd rather keep them distributed across a variety of storage mechanisms than any one tool.
A combination of:

i) I want it to sync across all my devices but

ii) I don't trust cloud providers. I especially do not trust the cryptography people use.

Also, I am poor / mean and I the price I am prepared to pay is below what people are prepared to charge.

I wish they would just work. Example: I use LastPass, and everytime when I log in to Twitter, it asks me if I wanna save my password even though I logged in 100 times before and saved it previously. it always does this.

Lastly, it's too time consuming sometimes when I need to login to a critical service in a PC in a public place. I need to install LastPass (and hope I can install it), then login. if I remembered my password I could just login without LastPass. Those precious few mins are critical if I need to login to my host provider if my site goes down for example.

I use Keepass + $cloudsyncprovider so that my KDB file is available where ever I need it.
I use a gnupg file.