• 0xD@infosec.pub
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Okay and now let’s get into threat modelling and risk management.

    What is the purpose of a password manager? What are the possible threats against them, and what are those against singular passwords for services? What is the risk of each of those?

    • Kedly@lemm.ee
      link
      fedilink
      arrow-up
      9
      arrow-down
      2
      ·
      1 year ago

      Guys, before you argue with me, password security is something that EVERYONE in the 1st world has to deal with, not just tech nerds. If you need to grow up around computers or take a class for it to be a good form of security, its a shit form of security for the general public

      • 0xD@infosec.pub
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        But you don’t?

        Password managers really are not hard to use. Also there’s stuff like the password manager built into iOS, for example, which you don’t even have to think about.

        My comment about threat modelling was that you do not seem to understand the purpose of password managers. A way bigger problem for the average person online is password reuse, not targeted attacks against password vaults. That is the problem they solve.

        • wewbull@iusearchlinux.fyi
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          The weird trope I’ve seen now is “don’t use the password manager in your browser”. For the life of me, I can’t think why some think a browser plugin to a commercial password manager is safer than the built in version.

          • Gestrid@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            They probably think it’s safer somehow. But I don’t really get how.

            Most built-in password managers allow for you to setup a master password of sorts if you try to sync everything to a new device, and most also require you to use your computer’s native verification to view a single password in plaintext or export all of them as plaintext. (For browsers on Windows, they use Windows Hello; for browsers on Android, they use the fingerprint scanner or the lock screen pin.)

      • Comment105@lemm.ee
        link
        fedilink
        arrow-up
        0
        arrow-down
        1
        ·
        1 year ago

        I’ve had security fatigue for years now. I’m sure most of you have. I’ve written down so many usernames and passwords and it’s still not half of what I have, and to top it off, several of the written passwords are now wrong after obligatory password changes and I don’t remember the new ones.