Not a fan
I have never been a fan of password managers. Just another point of failure. Never been much of a fan of passwords for authentication either...
1Password has unveiled a full-featured desktop app for Linux, written in Rust and using the ring crypto library for end-to-end encryption. The release features encrypted browser and desktop integration and, according to the business, "uses the Linux kernel keyring to establish a fully encrypted connection between 1Password in …
So far the best password manager I've found is KeePassXC (the C language version of KeePass that can be compiled from source on Linux and FreeBSD).
There's even a button to make passwords visible. I use it a LOT so I can have longer, more random ones. And though it may be possible to auto-paste into a browser, I typically just copy/pasta the passphrase from the KeePassXC 'edit' dialog box directly into the browser or ssh session. Or you could use the 'make visible' button to see the password and just type it.
(and I must have about 50 of them stored in there, now, because I *REFUSE* to use FB, T, G, or Micros~1 logins)
A dodgy web site plugin requests your bank password and this software ensures that the transfer of that password to your browser is totally secure from any other apps running on your own machine?
Isn't that like insisting that you only access Facebook from a TEMPEST shielded terminal?
If you try and enter your username and password using 1Password, it won't offer you any default credentials if you visit a phishing site (same for LastPass and all other PMs I've used). If you really want to enter your banking credentials into a phishing site, you need to open 1Password and manually search for your bank logon and manually tell 1Password (or any other PM worth its salt) to fill it in for you or to copy and paste it manually.
On my account, it offers a drop-down with credentials that are used for the current site (e.g. Amazon I have private and business accounts, the same for Microsoft 365 etc.), but it never automagically fills in the details; I have to explicitly select them to be filled in.
If you land on a phishing site, you won't be offered anything to fill in, so it is fairly obvious it is a phishing site and the fact you have to manually search for the "correct" login for that site should be a huge warning that it isn't the site you are looking for...
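An added illustration of the behaviour described in the comment above (not code from 1Password, LastPass or any commenter): a suggestion lookup bound to the page's origin, which returns nothing for a look-alike host. The vault entries, host names and function names are constructed for the example, and exact-origin matching is an assumption of the sketch.

```javascript
// Constructed vault entries; the hosts are placeholders, not real services.
const vault = [
  { title: "Bank", origin: "https://login.bank.example", username: "alice" },
  { title: "Shop (private)", origin: "https://shop.example", username: "alice@home.example" },
  { title: "Shop (business)", origin: "https://shop.example", username: "alice@work.example" },
];

// Normalise a URL to scheme + host + port. Returns null for anything that
// does not parse or is not HTTPS, so nothing is ever offered on such pages.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Entries that would be offered in the drop-down for this page. The match is
// exact on origin, so a host that merely contains or resembles a saved one
// yields an empty list and the user has to go searching by hand.
function suggestionsFor(pageUrl, entries = vault) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return [];
  return entries.filter((e) => originOf(e.origin) === pageOrigin);
}

// Constructed page URLs: two genuine, four that should get no offer.
const pages = [
  "https://shop.example/cart",                       // two saved accounts
  "https://login.bank.example/signin",               // one saved account
  "https://login.bank.example.evil.example/signin",  // saved host used as a subdomain label
  "https://login.bank.example@evil.example/",        // saved host in the userinfo part
  "https://sh\u043ep.example/",                      // Cyrillic look-alike letter
  "http://shop.example/",                            // right host, no TLS
];

for (const p of pages) {
  const offered = suggestionsFor(p).map((e) => e.title);
  console.log(p, "->", offered.length ? offered.join(", ") : "nothing offered");
}
```
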
Yes, as long as the users know what they are doing. I've tried it with non-technical users and it is a pain to set it up for them on each device and train them up.
The likes of 1Password, LastPass etc. aren't as autarkic as I would like, but it "just works" on any new device, without having to jump through too many hoops (i.e. just install the browser add-in, sign in and go).
With your solution, they have to sign into Dropbox or Nextcloud, install the PM and set up the PM to read the right file. For a technically versed team, no problem. For users who don't know the difference between an ERP application and an RDP client, or accidentally click the "pin" in the Outlook menu ribbon, then call up to say Outlook is broken, that is too much.
While if I was just managing stuff for myself I'd be meh, since I have to work in a team, having integration on the Linux side isn't a bad thing, and we could see some of the good parts migrate to OSX or the ever more Unixy underlayers of Windows.
Get both of those and you get close to being able to implement a proper cross-platform keyring API for passwords. And that would be great, right?
Trick is we probably need to give them a little shove in that direction. So if you are applying for one of those free Linux dev accounts, put a word in their ear...
Do continue.
Your bank is effectively in the cloud, along with tens of other repositories of sensitive information. Moreover, so is your real Achilles heel; your email account to which all password resets are sent.
You may be some kind of infosec ninja, but my mum isn’t, neither are millions of others who need to move away from Password123, or my initials and birth date.
> Your bank is effectively in the cloud [ ... ]
My bank is not in the Cloud. They actually make a Big Deal out of that. I'm sorry to hear yours is.
> [ ... ] along with tens of other repositories of sensitive information.
Which do get leaked or spilled, proving my initial point. Which is why I don't reuse passwords. Which is also why I rely on my browser's local storage to save passwords.
And your point was? That using a stupid, insecure, Cloud password management service is better because ... you now have a single point of failure for spilling all your passwords on the open Internet?
> Your bank doesn't offer any online banking and doesn't have automated transactions with other banks?
US inter-bank transactions do not happen over some sort of Cloud.
Inter-bank transactions within the US are done through FedWire. Not on the open Internet. Doesn't run on Python on AWS.
International inter-bank transactions are done through SWIFT. Not Cloud.
Yes, my bank offers online access, bill payment service, the whole enchilada. Not on AWS or Google Cloud or any such other similar crap. They maintain their own infrastructure.
US banks have some very strict requirements when it comes to data security. They aren't willing to take the risk of spilling customers' financial data by using some general-purpose cloud provider.
Yes, but still "in the cloud", as in accessible from the Internet.
There is a difference between an isolated bank that has no Internet access and one that has some server access through the Internet (i.e. the cloud, before folks at places like AWS, Microsoft Azure or Google Cloud Services made Cloud with a capital C something different).
I've used it for a long time, since before they had cloud accounts. It's a great service. I have a family account so my wife and I can have a shared password vault. The company I work for uses it too, and the apps work with multiple accounts.
I use it on my company Mac, my personal Linux laptop, Android, and my wife on ChromeOS. The browser extension by itself was pretty acceptable on Linux. There's also a command line version which has occasionally been useful. Happy to see this native version too, makes creating and editing entries easier.