this post was submitted on 08 Jul 2023
-27 points (9.1% liked)

Technology

59174 readers
2161 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
-27
Password Managers. (lock.cmpxchg8b.com)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
26 comments fedilink hide all child comments
 

You don't know Tavis Ormandy? https://en.m.wikipedia.org/wiki/Tavis_Ormandy

tl;dr "If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions."

I can only speak for myself but his article confirmed my suspicion about any Password Manager, even Bitwarden and I never have or will use any online Password Managers. I create all my Passwords individually with my own algorithm in my head and can always recreate them.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I tried his "try this example if you have NordPass" page, and it didn't do anything in Brave mobile other than load a blank new tab. Maybe they've changed their mechanism, or maybe I should be less lazy and try it in another browser. For me on NordPass and Android, though, the password selection is shown on the keyboard, not within the content area.

I also don't know about his claim about the invalidity of any vendor's "we can't see your passwords" claims. If their software is audited (which is probably easiest with Bitwarden due to its open source--as long as you trust who distributed the built binary) to verify the code is encrypting your key/value store locally with your own passphrase prior to sending, they would have to crack the file to access its contents. But I take his point to be more about trusting their software to do what they claim, which, he points out, may even be out of their control if a malicious actor gets privileged access to modify their software. But, if I've understood that claim, then it is just as applicable for any centralized application; in other words, also don't use web browsers in the first place.

He's got other points about APIs I'm not familiar with, so I have to admit I've only focused on 2 of several points. But, for the 2 I thought I followed, I wasn't seeing those arguments go down the same road he did. This has gotten me thinking though, and I still won't dismiss the thought entirely. Interesting article.