[Cryptography] Low-tech password safe was: Passwords (Smallest feasible work factor today?)

Christian Huitema huitema at huitema.net
Fri Sep 16 00:57:13 EDT 2022


On 9/15/2022 1:05 AM, Ralf Senderek wrote:

>
>
> On Wed, 14 Sep 2022, Ray Dillinger wrote:
>
>>
>> On 9/14/22 01:26, Ralf Senderek wrote:
>>>  But if you recommend this as a better password manager its security
>>>  vanishes when being used.
>>>
>> Couldn't I use exactly the same argument to say that the security of 
>> an electronic password manager vanishes when being used?
>
> Of course you can. But the point is that the electronic one is not less
> secure than the low tech because at some time the stored passwords are
> being used and that is where the risk lies. 


As Ray said, there is quite an attack surface for password managers. 
What if the copy of the data in the cloud is somehow accessible by 
employees of the password management company? Yes, one can imagine forms 
of end-to-end encryption to counter that, but was that audited? Even so, 
what if the password manager software is "updated"? Or the company got 
hacked? Or it is pressured by some government? What if there is a bug in 
the software? What if the company loses the data? Or goes bankrupt? 
Don't we have examples of all of these attacks already?

-- Christian Huitema