You don’t know Tavis Ormandy? https://en.m.wikipedia.org/wiki/Tavis_Ormandy

tl;dr “If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.”

I can only speak for myself but his article confirmed my suspicion about any Password Manager, even Bitwarden and I never have or will use any online Password Managers. I create all my Passwords individually with my own algorithm in my head and can always recreate them.

  • oatmilkmaid
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    I refuse to use my brain to remember things and thus Bitwarden it is

  • Eager Eagle@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    edit-2
    1 year ago

    so your reasoning for not using a password manager is because they may be tricked by defacing or sneaky scripts, and yet you don’t consider yourself vulnerable to phishing when entering your password manually?

  • AlternateRoute@lemmy.ca
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    1 year ago

    Would be more relevant if you linked to something relevant to your argument not just the wiki on him.

    Travis actually recommends several https://lock.cmpxchg8b.com/passmgrs.html

    Good examples of simple and safe password managers are keepass and keepassx, or even pass if you’re a nerd.

    He doesn’t like password managers that are hosted or integrate with apps via plugins.

    • Eager Eagle@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      1 year ago

      the post title is actually the link you pasted here, which I think it’s even worse because it demonstrates a severe lack of interpreting skills from OP.

      • AlternateRoute@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Ya the conclusion is very clear

        Conclusion If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

        I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

        Also there are studies showing how bad mental formula passwords are, while computers are not truly random, humans are even worse.

        https://lifehacker.com/password-formulas-don-t-fool-hackers-1826238163

  • redcalcium@c.calciumlabs.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    Using browser’s built-in password manager means you’re locking yourself permanently in that browser, or in case of Safari, locking yourself to Apple ecosystem. I refuse to do that. Beside, I’m sure you already heard about horror stories where Google suddenly ban their accounts. Imagine if you store your passwords in chrome and your account somehow mistakenly banned by Google. What a nightmare!

    His arguments have merits though. Whenever I install my password manager extension in a new system, the first thing I do is to disable browser autofill in the password manager settings, which reduces possible exploits surface.

  • Izzy@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    Password managers are technically a convenience at the cost of security. At least compared to memorizing dozens of long unique passwords. I’d probably host my own if I were going to use one. For now I just memorize a ton of random characters and then reset my password when I fail to remember. 😅

    • redcalcium@c.calciumlabs.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Dozens? Dude, I have over 700 passwords in my password manager ever since I started using them 15 years ago. No way I can remember them all.

      • Izzy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I don’t know how many things I’ve registered for, but I don’t regularly use more than 10 passwords. There might be something I need to check every few years so I just reset it then.

  • atx_aquarian@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    I tried his “try this example if you have NordPass” page, and it didn’t do anything in Brave mobile other than load a blank new tab. Maybe they’ve changed their mechanism, or maybe I should be less lazy and try it in another browser. For me on NordPass and Android, though, the password selection is shown on the keyboard, not within the content area.

    I also don’t know about his claim about the invalidity of any vendor’s “we can’t see your passwords” claims. If their software is audited (which is probably easiest with Bitwarden due to its open source–as long as you trust who distributed the built binary) to verify the code is encrypting your key/value store locally with your own passphrase prior to sending, they would have to crack the file to access its contents. But I take his point to be more about trusting their software to do what they claim, which, he points out, may even be out of their control if a malicious actor gets privileged access to modify their software. But, if I’ve understood that claim, then it is just as applicable for any centralized application; in other words, also don’t use web browsers in the first place.

    He’s got other points about APIs I’m not familiar with, so I have to admit I’ve only focused on 2 of several points. But, for the 2 I thought I followed, I wasn’t seeing those arguments go down the same road he did. This has gotten me thinking though, and I still won’t dismiss the thought entirely. Interesting article.

  • Yeah2206@infosec.pubB
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    He does recommend using the built-in browser’s password managers; he just had beefs with how the extensions, which the non-browser password managers have to contend with, are implemented, and with the security of the vendor’s network and software. He himself uses Chrome password manager.

    • lemba@discuss.tchncs.deOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      1 year ago

      Exactly but that’s why I will not use a password manager at all. Better safe than sorry 😜