[Cryptography] Possible reason why password usage rules are such a mess

Kent Borg kentborg at borg.org
Tue Nov 17 20:45:51 EST 2020


On 11/16/20 1:16 PM, Arnold Reinhold via cryptography wrote:
> o Encouraging people to use password managers, at least for most 
> passwords
>
> o Encouraging people to write down non-managed passwords, with 
> suggestions for safe places. It’s no longer reasonable to expect 
> ordinary users to memorize all the passwords or passphrases users 
> need, if they are to be strong enough.

Allow me to be controversial: We should be badly worried by password 
managers:

First, why should we trust that the user's machine it is running on 
is secure? People get infected by malware all the time.

Second, why should we trust that password manager software is somehow 
immune to having bugs?


> Other suggestions welcome.

  o Don't recycle passwords for different purposes. (Though everyone 
does, worth repeating again…)


Back to the controversy:

It is completely unreasonable to expect users to remember a zillion 
unique passwords. They have to record them somewhere. So how to do that?

- Loudly tell users it is okay to write down passwords. There is an 
article of religious faith that needs to be overturned here: people need 
to understand it IS okay to write down passwords. (And, once someone 
writes down an important password, take very good care of that paper. 
Pretend it is a hundred dollar bill if that helps focus the mind.)

- However passwords are to be recorded, the more off-line, and the 
simpler and more manual, the better. Offline and simple and manual will 
reduce both the number of bugs and the severity of the consequences.


Personally I do use a password manager—but I use it very little, and it 
is very manual. (No auto-pasting of passwords when some software infers 
I would like that.) Most of the time I need a password, I type it. 
(Diabolically simple!) Without looking it up, because I remember my 
frequently used passwords, because they are frequently used. I only look 
up a password when I need one I don't remember.

But I run my password manager on a Linux machine on which I am very 
conservative about what other software runs; I wouldn't *think* of 
trusting my regular Android cellphone with my password records.

These last points start to get pretty subtle, which is why most people 
should write down passwords on paper, with NO electronic technology 
involved. Wanna backup? Do not take a picture of your password list with 
your cellphone, and don't photocopy it with anything that is also online. 
Best keep two copies of your list in two places. After you add a new 
password to one list, later update the other copy.


Yes, passwords are a mess. Alas, the magic bullets proposed all make it 
worse, so people need to be taught how to do the work to manage them 
better, and people like us can't agree. (See controversy above.)


-kb
