Comments


4

Dogmantra wrote

So as someone who is more tech savvy than the average person but not as much as an IT professional, I've always been wary of password managers. They remind me of those phone cases that have space to put your cards and cash in: a great way to lose your phone and wallet at the same time.

While I get that this is a specific case and relies on user error while doing stuff I wouldn't do, the conclusion is that there are genuine security flaws in the way google handles/d password management. So how can I, as someone who doesn't have the time or knowledge to verify things like this, be sure that a password manager I'm using is safe? This is a genuine question btw. I know that my current password method is somewhat insecure, but I feel like password management is relying too much on the integrity of someone else's server and code that I can't verify.

4

devtesla wrote

The google password manager is particularly bad because it can learn passwords that you didn't particularly want it to learn.

A third party password manager like 1Password is great, it'll never do something that you didn't want it to do and the design is secure. I've used it for years. Can't vouch for other methods though

4

twovests wrote

Yeah, Google is kind of like this unknowable extremely complex eldritch being that you can't comprehend all at once, has tentacles in all manner of affairs, and is kinda fucked up.

1Password (and other managers!) has a single, solitary focus. I'd expect if it's compromised, it's less of a mistake on their end and more of a new piece of security research. (Or, on a personal level, malware.)

I think security keys are a really good thing and I hope we can all settle on USB C soon so they can be ubiquitous. Physical keys for electronic doors are really easy for almost anybody to understand, even people with no technology knowledge.

2

Dogmantra wrote

I getcha, I'm just in that awkward middle ground where I know enough about tech stuff to understand why it's good but not enough to be satisfied that it's secure. I'm probably being way too cautious about this and not cautious enough about other stuff though.

4

voxpoplar wrote

That's fair. I think with this stuff the cloud things are going to be inherently more risky even if they're more convenient because you're relying on the company hosting it not fucking things up way more.

I use KeePass now which just saves passwords in an encrypted file that you unlock with a programme. It's open source so there's a bunch of different versions of the UI for it and you don't need to worry about a single company going bankrupt for it. If someone wants to steal the passwords they need both the file itself and the master password to open it. There's phone versions too so you don't need to have access to your passwords tied to your desktop. And if you do want to sync it between systems you can sync it like an ordinary file in Dropbox etc, taking into account the risks that can pose too if someone steals those accounts.

2

twovests wrote

This is definitely a fair question. It's not entirely verifiable by oneself, and there's a lot of weird security things to consider.

I also use 1Password. In terms of trusting someone's server, that's actually a big reason they use end-to-end encryption. It means the server holds encrypted data, but not the means to un-encrypt. So, if 1Password's servers were compromised and the encrypted password vaults were downloaded, it'd still be extremely difficult and expensive to extract someone's passwords from it. (They have a blog post on this.) There'd be easier ways to get that information from someone. Relevant XKCD.

In terms of trusting code, it's rather difficult. There are open-source components that people may look at, but it's possible to sneak things into code in a litany of ways. (Most popular: Ken Thompson's "compiler hack", 1984).

I don't know if I'm more tech savvy than you, but I can't verify any of this on my own. I do have some cryptography experience and I can vouch that 1Password's methods seem 1. Good, and 2. Rad as fuck. But my faith is in the vocal, extremely-critical, and never-satisfied tech community that is always prepared to rip to shreds any security company that fails.

Anyways, all this rambling aside, passwords are outdated but we still need them, and password managers are the only real option around the flaws of passwords. MFA / 2FA is also very very good, so even if your passwords are lost, they'll need to do more to get into your accounts. I use 2FA, so I could list my passwords here and still feel safe.