[Cryptography] Low-tech password safe was: Passwords (Smallest feasible work factor today?)
Ralf Senderek
crypto at senderek.ie
Fri Sep 16 03:23:52 EDT 2022
On Thu, 15 Sep 2022, Christian Huitema wrote:
>
> On 9/15/2022 1:05 AM, Ralf Senderek wrote:
>
> On Wed, 14 Sep 2022, Ray Dillinger wrote:
>
> On 9/14/22 01:26, Ralf Senderek wrote:
> But if you recommend this as a better password manager its security
> vanishes when being used.
>
> Couldn't I use exactly the same argument to say that the security of an electronic password
> manager vanishes when being used?
>
> Of course you can. But the point is that the electronic one is not less
> secure than the low tech because at some time the stored passwords are
> being used and that is where the risk lies.
>
> As Ray said, there is quite an attack surface for password managers. What if the copy of the data in the cloud is
> somehow accessible by employees of the password management company? Yes, one can imagine forms of end-to-end
> encryption to counter that, but was that audited? Even so, what if the password manager software is "updated"? Or
> the company got hacked? Or it is pressured by some government? What if there is a bug in the software? What if the
> company loses the data? Or goes bankrupt? Don't we have examples of all of these attacks already?
>
> -- Christian Huitema
You are completely ignoring the example I gave. Sure, a fully-fledged
password manager with cloud dependencies is NOT the one I was asking
to hammer out. But having your passwords on the electronic device
in the best way possible is not all that insecure as it is painted
here.
--ralf