I use a password manager ... (1Password, which I recommend), so this post on Slashdot caught my eye. Why do I use one? That's easy: at the moment, I have 582 logins stored in my 1Password “vault”. Probably 100 or so of them I've used in the past year. Who on earth could possibly remember even that smaller number of secure passwords – much less the larger number?
So I do what many other security-conscious people do, especially those people with some understanding of cryptography: I secure my password “vault” with a very secure password that I have memorized – just the one, thank you – and then all my other passwords are randomly-generated strings between 12 (because some web sites limit me to that) and 24 (because I'm paranoid about advances in hash crackers) characters long, using a random combination of letters, numbers, and punctuation. On my most important accounts, I change passwords fairly often (as 1Password makes this quite painless).
I've been doing this for quite a long time now. I didn't record my first use of a password manager, but I believe it was in 1998 or 1999. I can't even imagine going back to the regime of memorizing a password for every account. And I certainly would never rely on a single password for multiple accounts ('cause then if a hacker somehow cracked any one account, he's into all of them that use the same password).
One consequence of using a password manager is that you'll find yourself frequently copying-and-pasting from the password manager into the web application you're logging into. Something I've noted recently (the past couple of years) is that more and more web sites are preventing pasting into password fields. I'm not sure what their motivation is, though I'm pretty certain it's misguided. One thing they are definitely doing, though, is making life tough for people who use password managers – something I think they'd not want to do, since the careful use of a password manager clearly improves security. Only a small minority (under 5%, possibly under 1%, depending on whose statistics you choose to believe) of users make use of password managers, though, so perhaps these web sites just don't care about them. In any case, I certainly wish they would stop it! And that's the subject of the post I linked.
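To make the anti-pattern concrete, here is a small audit script I've added for this post (it is not code from the Slashdot thread or from 1Password): it scans login-form markup for password fields whose inline `onpaste` handler suppresses pasting, which is exactly the behaviour that locks password-manager users out. The attribute scan is regex-based for illustration only; a real audit would use a DOM parser, and the sample forms are constructed.

```javascript
// Added example: find password inputs that block pasting.
// Regex-based attribute scan, good enough for small, well-formed markup.

const INPUT_TAG = /<input\b[^>]*>/gi;

// Return the value of attribute `name` on one <input ...> tag, or null.
function getAttr(tag, name) {
  const re = new RegExp(
    "\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// True when an inline onpaste handler cancels the paste action.
function blocksPaste(handler) {
  if (handler === null) return false;
  return /return\s+false|preventDefault\s*\(/i.test(handler);
}

// Scan markup and report every password field that blocks pasting.
function auditPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(INPUT_TAG) || []) {
    const type = (getAttr(tag, "type") || "text").toLowerCase();
    if (type !== "password") continue;
    const field = getAttr(tag, "name") || getAttr(tag, "id") || "(unnamed)";
    if (blocksPaste(getAttr(tag, "onpaste"))) {
      findings.push({ field, issue: "inline onpaste handler blocks paste" });
    }
  }
  return findings;
}

// Constructed samples: the same login form with and without the paste block.
// The fix is simply to drop the onpaste handler, as in GOOD_FORM.
const BAD_FORM = `
<form><input type="text" name="user">
<input type="password" name="pass" onpaste="return false;"></form>`;
const GOOD_FORM = `
<form><input type="text" name="user">
<input type="password" name="pass"></form>`;

console.log(auditPasswordFields(BAD_FORM));  // one finding for "pass"
console.log(auditPasswordFields(GOOD_FORM)); // []
```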
That post really didn't have a lot of information in it. Far more interesting to me was the series of poorly informed comments on it. There are a few voices of sanity in there, but most of the comments are more like disinformation than they are useful. That makes me wonder if the ratio of well-informed to poorly-informed comments reflects the sophistication of Slashdot users – who I'd think would be much more sophisticated (about cryptography) than a random group of citizens. If so, then no wonder there are relatively few users of password managers!