
Re: dropbox security situation



On Thu 12 Dec 2019 at 21:13:06 +0100, l0f4r0@tuta.io wrote:

> Hi,
> 
> 10 Dec. 2019 at 23:11 from ad44@cityscape.co.uk:
> 
> > On Tue 10 Dec 2019 at 22:34:07 +0100, l0f4r0@tuta.io wrote:
> >
> >> 9 Dec. 2019 at 19:13 from ad44@cityscape.co.uk:
> >>
> >> > How about not having to remember (or write down) any passwords for
> >> > the places you log in to?
> >> >
> >> > https://masterpassword.app/
> >> >
> >> > Not in Debian, unfortunately.
> >> >
> >> Interesting.
> >> However, I presume that a specific password modification should not be very
> >> easy because it seems you rely on a rather fixed encryption seed...
> >>
> >
> > Modifying a password with the masterpassword app is simplicity
> > itself. There is no fixed encryption seed.
> >
> I've read the documentation. User needs to remember all of
> this:

> user-name

Real name actually. If you do not know your name you have problems. :)
Can be set in ~/.bash_rc. Cross this off the list.

> master-password

That's pretty obvious. Any password manager has something similar. We
cross this off your list.

> site-name

It is in the address bar of the site you are accessing. google.com,
debian.org, bt.com etc. What is there to remember? We cross this off
your list too.

> site-counter

I'll give you this. But it would be very unusual to want it. The
default is generally good enough.

> site-template.

I do not understand this.

> That makes a lot.

You have to know your own name, the site name and the master password.
(but see below). However, I can imagine three things would be a heavy
burden for some users.

> I know some of them should be trivial most of the time but I'm pretty
> sure they could be problematic sometimes (multiple and different
> (sub)domains for the authentication page, restrictions for the
> passwords but you don't remember that you chose a special one...).

Your own name (non-secret) can be in an environmental variable and the
site-name can be scripted. You only need to know the master password
as an essential. How does that differ from other password managers?

> However, I find the concept pretty interesting even if I'm a password
> manager enthusiast ;)

Many users store their passwords in the cloud. The provider will take
care of them for you. Some of this thread was about something fairly
trivial, like email with Google. How about a user depositing a critical
password off their system? That's trust for you! masterpassword doesn't
use the cloud.

Some users place their trust in having their passwords in plain text
files. We do not talk about that. masterpassword doesn't store passwords
anywhere - so there is nothing to steal.

Your device is stolen or destroyed? You can recover your passwords if
you can remember your own name and the master password. How about that?
What other password manager gives you this?

-- 
Brian.
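
Added example, not part of the original message and not the Master Password algorithm itself: a simplified stateless derivation showing why the same name, master password and site name always recover the same password, while a different counter or (sub)domain gives an unrelated one. The scrypt parameters, salt prefix, output alphabet and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Illustrative output alphabet (assumption); real tools use per-site templates.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"

def master_key(full_name: str, master_password: str) -> bytes:
    """Stretch the master password, salted with the (non-secret) name."""
    salt = b"example-stateless-pm:" + full_name.encode("utf-8")
    # scrypt cost parameters are assumptions picked so the demo runs quickly.
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=64)

def site_password(key: bytes, site_name: str, counter: int = 1,
                  length: int = 16) -> str:
    """Derive one site's password from the master key; nothing is stored."""
    site = site_name.encode("utf-8")
    # Length-prefix the site name so name and counter bytes cannot be confused.
    msg = len(site).to_bytes(4, "big") + site + counter.to_bytes(4, "big")
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    # Modulo mapping has a slight bias; acceptable for a sketch.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])

def demo() -> dict:
    # Constructed sample inputs, not real credentials.
    key = master_key("Jane Example", "correct horse battery staple")
    return {
        "debian.org": site_password(key, "debian.org"),
        "debian.org again": site_password(key, "debian.org"),
        "debian.org counter=2": site_password(key, "debian.org", counter=2),
        "lists.debian.org": site_password(key, "lists.debian.org"),
    }

if __name__ == "__main__":
    for label, pw in demo().items():
        print(f"{label:22} {pw}")
```

The first two rows match, which is the recovery property; the counter and subdomain rows differ, which is why the site name has to be entered the same way each time.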

