What have you learned about passwords and password security that you wish everyone knew? Share your insights!
I found this chart to be really helpful when choosing an appropriate master password that is both memorable and secure (Source: Are Your Passwords in the Green?):
Three things that come to mind:
As demonstrated by the chart @dh024 provided in his post, learning to use passphrases instead of passwords can be significantly more secure. Not only are phrases easier to remember than one or two words, but the length of characters in a password raises entropy exponentially on a given password dramatically making you less likely to have password cracked.
Many people will see something like a password book to be insecure and will inevitably mock or joke about someone who utilizes one. This ignores the user’s threat model as well as the accessibility needs of a given user. As an example, an elderly users who are not as technically savvy or feel overwhelmed by their computers are also the kind of user who would be difficult to get them to use a password manager or to have excellent recall of their passwords/passphrases. Writing them down in a password book (not just on a random sticky note) and putting it away in a secure location (like a locked desk drawer or cabinet) is better than a user that reuses password that could lead to credential stuffing and even other people in the infosec industry concur with this idea. The exposure of a user’s credentials in that scenario will be really small and fairly limited making them less prone to use the same password over and over again.
Despite what PCI-DSS compliance will force on your users based on NIST’s earlier recommendations, NIST has since rescinded those recommendations citing usability concerns that will likely lead to a user engaging in other bad security practices (e.g, predictable passwords, writing them down on sticky notes, storing them in a plain text document or spreadsheet).
So i replied to a post in Passwordless Login to web vault Passwordless login to web vault - #8 by qFKesZC77KY83rJHoJs
It got me thinking about security.
So what is security in the first place. I think it means I should be able to do just about anything and not compromise my website logins or have anyone clone copy or otherwise access my personal information.
A few points.
I am somewhat paranoid about security and privacy.
I use a password Manager because I can have many different long complicated passwords and never have to reuse one.
I use a very long Master Password but I only have to remember this one password.
I use several devices and use the Password Manager to sync passwords across devices.
I want Password Manager to persist whilst I am using the device, but want to lock it with distinct timeout on no activity of an app (usually the browser) and shutdown of the device. I do not want it to lock every time I close the browser. I do not leave my browser running in the background.
I am fairly certain 2FA as implemented on most websites is flawed.
I like the IDEA of Zero Trust Authentication, but a drill down into who is fully embracing it and what it actually means is REALLY concerning.
As people start to take their privacy more seriously and realize that security and privacy are intimately linked.
I use Firefox because of its privacy protections. This has hurt Google, Microsoft, Amazon, Facebook, (& Apple) and websites generally because a great deal of the data they rely on for their Advertising algorithms is denied to them
Well Zero Trust Authentication will circumvent all those protections, by using things like device identification IP address, operating system versions, names, email addresses, date of birth just to authenticate. “but it will all be encrypted and not on sold”…yep as Zuckerberg has said to the senate multiple times "we will just have to do better, but he never does)
Now back to passwordless logon.
So now I can authenticate by effectively once verifying my credentials which will produce a token so I don’t have to plug in my password.
So now my device can login without any interaction from me. Security is effectively now handle/moved to my security of how I login to my device (face, fingerprint, pin, password)
The consummate zero trust authentication. If I can logon to my device, then that device is now able to automatically login to my password manager and all my passwords are now exposed to my device. Only my device can get to my passwords.
BUT how secure is this? Well it is SUPER, SUPER, secure PROVIDED I DON’T LOSE MY DEVICE or leave it open and misplace it or have someone clone my sim.
So let me recap. As long as I keep my device itself super secure then that is all it takes.
So why not just have my Passwords in plain text on my phone? Why use a password manager at all?
I could use a long and complicated method to access my device, but to make it easier I will write down the instructions and keep it with my phone.
Please pick holes in my logic.
So is security just that someone else external can’t login to my account?
Or is it that almost no matter what I do (lose my device, have my sim cloned, leave my device permanently open I still have some layers of protection?
One thing that is of some concern is that the login password to the website where my vault is kept and my the master are the same. It means I cannot store configuration information for the password manager itself on the website, unless the vault is unlocked. It does mean the website owners cant see ANY of my data that is not encrypted.