
[OT] Master Password (was: dropbox security situation)



Hi,

13 Dec 2019 at 00:29, from ad44@cityscape.co.uk:

> On Thu 12 Dec 2019 at 21:13:06 +0100, l0f4r0@tuta.io wrote:
>
>> 10 Dec 2019 at 23:11, from ad44@cityscape.co.uk:
>>
>> > On Tue 10 Dec 2019 at 22:34:07 +0100, l0f4r0@tuta.io wrote:
>> >
>> >
>> I've read the documentation. User needs to remember all of
>> this:
>>
>
>> user-name
>
> Real name actually. If you do not know your name you have problems. :)
> Can be set in ~/.bash_rc. Cross this off the list.
>
You are weakening security if you write down or save in specific files some elements used for the password generation. But I agree with you, it's not the most problematic one ;)

>> site-name
>>
> It is in the address bar of the site you are accessing. google.com,
> debian.org, bt.com etc. What is there to remember? We cross this off
> your list too.
>
As I was explaining before, I'm pretty sure some cases are not so obvious (like sites where the authentication page is deported/redirected, so as time passes you don't remember which "site" you used the first time; same issue with websites on multiple domains; sometimes you need to specify the subdomain as well...).

>> site-counter
>>
> I'll give you this. But it would be very unusual to want it. The
> default is generally good enough.
>
As discussed after my answer, this is a point.

>> site-template.
>>
You didn't answer that, but that's one more thing to remember, especially if you needed a custom password initially.

Let's be clear: I think this Master Password solution is original, and I'm not saying it's impossible to remember all these criteria for most of us. But I know it can be problematic for some people, especially site-counter and site-template in addition to a master password. Each element is generally easy, but all of them can be a burden for some people as time passes.

> Many users store their passwords in the cloud. The provider will take
> care of them for you. 
>
Not if there is a master password like any serious password manager.
You can put this file in an encrypted container as well but I agree that makes the process heavier.

Best regards,
l0f4r0

