ADroopyMango t1_j82r8m1 wrote

you could also just write some down, can't hack paper

edit: seriously, think about it. why would you want to put ALL of your passwords into the hands of ONE vendor or company? it makes no sense. those services are so worthwhile to hack, it's almost certain they will be targeted. the company may even get hacked and not disclose anything about it to cover their own ass.

just think twice before trusting a random company with the keys to your life. anything you can say about how "secure" 1Password or BitWarden is was probably said about LastPass.

Hacking 1Password

Bitwarden password vaults targeted in Google ads phishing attack

−5

rastilin t1_j82y9fk wrote

I don't get the anger against paper. Do people think that there's someone going through their drawers and all the notebooks in them? If someone's in your house and reading all your notes you already have a much bigger problem than them getting into some random site.

9

Dominicus1165 t1_j83syqq wrote

I have around 150-200 passwords. Writing them all down is lots of work. But not only that. Maybe I need them somewhere else. Like on my phone on the go. So I need to take all my passwords with me.

And that paper can be stolen or lost easily. Like in a restaurant when going to the toilet or in a club.

Super insecure

11

ADroopyMango t1_j846964 wrote

a piece of paper is much more secure than a database. physical access will literally always take more effort than if I can just steal your shit from the comfort of my own home.

you're talking about trading security for convenience. and you can do that as long as you use some common sense.

for example, you could write down your most sensitive passwords (bank etc.) and do your best to commit those to memory if you're "at the club" as opposed to your ESPN account or whatever where the hack to life impact ratio is minimal. store those in your password manager all you want.

there is no easy way to have 200 passwords lol. it's like having 200 keys on a keychain.

−5

SlowMotionPanic t1_j85cc8d wrote

> a piece of paper is much more secure than a database.

Hard disagree. Just require authentication with something like a Yubikey for the best of both worlds. People can take vaults all they want, but they are never getting in it without both the master password and a Yubikey and a biometric component if also enabled.

Unless they kidnap you, in which case you have bigger problems on your hands.

Or one is talking about seed phrases for crypto wallets, in which case they better stamp it into metal and hide it well.

Paper burns and you’ll be locked out for a good long time if not forever. Yubikeys can have a duplicate kept in a safe deposit box. Can’t do that with a paper book in active use.

4

[deleted] t1_j844jgu wrote

Because it's a dumb way to go about it and a waste of time. Are you going to be writing down all of your passwords by hand? Manually updating it as you change them? Getting the paper out of the drawer every time you need to log in? What if you need to log in on your phone when you're away from home?

None of these hacks result in your password being usable. The data these hackers get is a nonsensical string that they can't do anything with. I still wouldn't stick with LastPass. It's clear they give zero shits about internal security at this point. But saying that paper is an equal substitute to a password manager is just wrong.

4

ADroopyMango t1_j848ne3 wrote

ok, you're just talking about trading convenience for security. you're saying it's a waste of time aka inconvenient. that doesn't mean the paper method is less secure.

nobody said anything about an "equal substitute." there are obvious tradeoffs.

1

ecksfiftyone t1_j85xkhj wrote

Because you're missing the whole point. Password managers are there so you can generate a password like G&li/PdsZH-)73m?Df78:+pJS*(9dD79. You don't have to remember it and the password manager "should" be secure and encrypted. The Password manager will auto fill in the password across your devices so you don't need to dig out your notebook and type that thing in. You also wouldn't be able to log into your bank account app, or other apps or websites from your phone if your password isn't saved unless you always carry that paper with you.

Then, there is the sharing part. I share passwords for sites with members of my family. I have to share thousands of passwords with members of my team at work. A shared vault that's encrypted and secure works great for that.

Paper is great for my mother. 1 computer in her house, doesn't use her smartphone for anything smart. Wouldn't need those passwords away from home. Doesn't need to share. She actually uses an address book with the little alphabetical tabs. If she needs her google password, she flips to G.

3

SlowMotionPanic t1_j85b8os wrote

The BitWarden example isn’t even comparable. It is 100% user error to use an unknown login portal based off an explicit paid advertisement result in Google.

A paper password book user would fall for the same scam but for whichever targeted sites. They are, in fact, more likely to get scammed because they lack an app like BitWarden which can identify and fill the actual portals thus removing the potential for error.

Password managers with a Yubikey are probably the strongest option for most people honestly.

4
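The comment above says a manager fills only on the actual portal; as an added example that is not part of the thread and not Bitwarden's code, here is a simplified host-matching check of that kind. The vault entries, the `entriesForPage` and `offeredNames` helpers and every address are constructed for illustration.

```javascript
// Added illustration, not Bitwarden's code. Every host below is a constructed sample.
const vault = [
  { name: "Password manager web vault", host: "vault.passmanager.example" },
  { name: "Bank", host: "online.bank.example" },
];

// Return the saved entries a manager would offer to fill on pageUrl.
// Matching is on the parsed hostname only, never on how the address looks.
function entriesForPage(pageUrl, entries) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return []; // unparsable address: offer nothing
  }
  if (url.protocol !== "https:") return []; // no fill over plain HTTP
  const host = url.hostname; // lower-cased by URL(); excludes any "user@" part
  return entries.filter(
    // exact host, or a subdomain on a dot boundary ("x.example" != "notx.example")
    (e) => host === e.host || host.endsWith("." + e.host)
  );
}

// Constructed addresses: the real portal, then four that only resemble it.
const samplePages = [
  "https://vault.passmanager.example/#/login",
  "https://vault.passrnanager.example/#/login", // "rn" in place of "m"
  "https://vault.passmanager.example.signin-portal.test/", // real name as a prefix
  "https://vault.passmanager.example@signin-portal.test/", // real name as userinfo
  "http://vault.passmanager.example/", // right host, no TLS
];

function offeredNames(pageUrl) {
  return entriesForPage(pageUrl, vault).map((e) => e.name);
}

for (const page of samplePages) {
  const names = offeredNames(page);
  console.log(page, "->", names.length ? names.join(", ") : "nothing offered");
}
```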

Admetus t1_j83ft2i wrote

To be honest, not even paper. I would place a website and password clue in a text file. I'm not talking something simple like animal+49 = giraffe49, I'm talking about a clue where you already remember a whole bunch of passwords, you just need to know which one you used for that specific site so that you don't have to annoyingly try them all or get locked out.

1

Dominicus1165 t1_j83t3hj wrote

Oh yes. A list of 150 passwords.

And still super insecure. A good hacking tool would need like 0.0001 seconds to check them all. With 4GHz and 6 cores (24 million tries per second), this is an easy task.

1

Admetus t1_j84dpa7 wrote

Nah, a reference to each password completely internal to your head. Even if it's something like 'password 1, password 2, etc.' There's zero correlation between the passwords and what I stated.

1

Dominicus1165 t1_j84vfnr wrote

But again. With 150 services it’s quite hard to remember even with reference. And I look it up again. I have exactly 241 passwords in my manager.

They each need to be secure and not dependent on each other.

2

altodor t1_j86hz7f wrote

This sounds like a very complicated Caesar cipher mixed with password reuse to me.

1