<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>On 9/15/2022 1:05 AM, Ralf Senderek wrote:<br>
</p>
<blockquote type="cite"
cite="mid:ffe9b09d-3ba0-b25b-2bed-c846a14f81fe@senderek.com"><br>
<br>
On Wed, 14 Sep 2022, Ray Dillinger wrote:
<br>
<br>
<blockquote type="cite" style="color: #007cff;">
<br>
On 9/14/22 01:26, Ralf Senderek wrote:
<br>
<blockquote type="cite" style="color: #007cff;"> But if you
recommend this as a better password manager its security
vanishes when being used.
<br>
</blockquote>
Couldn't I use exactly the same argument to say that the
security of an electronic password manager vanishes when being
used?
<br>
</blockquote>
<br>
Of course you can. But the point is that the electronic one is not
less secure than the low tech because at some time the stored passwords
are being used and that is where the risk lies.
</blockquote>
<p>As Ray said, there is quite an attack surface for password
managers. What if the copy of the data in the cloud is somehow
accessible by employees of the password management company? Yes,
one can imagine forms of end-to-end encryption to counter that,
but was that audited? Even so, what if the password manager
software is "updated"? Or the company got hacked? Or it is
pressured by some government? What if there is a bug in the
software? What if the company loses the data? Or goes bankrupt?
Don't we have examples of all of these attacks already?</p>
<p>-- Christian Huitema<br>
</p>
</body>
</html>