[Cryptography] Low-tech password safe was: Passwords (Smallest feasible work factor today?)

Ralf Senderek crypto at senderek.ie
Fri Sep 16 03:23:52 EDT 2022



On Thu, 15 Sep 2022, Christian Huitema wrote:

> 
> On 9/15/2022 1:05 AM, Ralf Senderek wrote:
> 
> 
>
>       On Wed, 14 Sep 2022, Ray Dillinger wrote:
> 
>
>             On 9/14/22 01:26, Ralf Senderek wrote:
>                    But if you recommend this as a better password manager its security
>                    vanishes when being used.
>
>             Couldn't I use exactly the same argument to say that the security of an electronic password
>             manager vanishes when being used?
> 
>
>       Of course you can. But the point is that the electronic one is not less
>       secure than the low tech because at some time the stored passwords are
>       being used and that is where the risk lies.
> 
> 
> As Ray said, there is quite an attack surface for password managers. What if the copy of the data in the cloud is
> somehow accessible by employees of the password management company? Yes, one can imagine forms of end-to-end
> encryption to counter that, but was that audited? Even so, what if the password manager software is "updated"? Or
> the company got hacked? Or it is pressured by some government? What if there is a bug in the software? What if the
> company loses the data? Or goes bankrupt? Don't we have examples of all of these attacks already?
> 
> -- Christian Huitema

You are completely ignoring the example I gave. Sure, a fully-fledged
password manager with cloud dependencies is NOT the one I was asking
to hammer out. But having your passwords on the electronic device
in the best way possible is not all that insecure as it is painted
here.


     --ralf

