Password Manager


Mlle. Zabzie

1 hour ago, Inigima said:

I will cite Schneier on this, but suffice to say it is generally accepted that you are wrong. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

I'm aware of the article. He misconstrues where the security of the method comes from: it's not security by obscurity, it's plain, simple math. The assumption that attackers will be checking for strings of random words is built into the premise of the comic.

That's how you can calculate password entropy in the first place: you assume that the attacker knows exactly how your password was generated and has access to the full list of symbols you used. In the case of the comic the assumption is that you picked four words at random from a list of 2048 (2^11) words and that the attacker has that list and knows you used four words. This is how you get the 4*11 bits of entropy. Double the original list of words and you get 48 bits, add a fifth word and the entropy increases to 60 etc.

 

This rebuttal to Schneier's article goes into some detail and points out potential weaknesses in Schneier's suggestions that are hard to quantify (a problem the xkcd-method doesn't share): http://robinmessage.com/2014/03/why-bruce-schneier-is-wrong-about-passwords/

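The entropy arithmetic from the post above (words drawn at random from a list the attacker is assumed to know), written out as an added example that is not part of the thread. The pseudo-word list and the function names are constructed for illustration; a real generator would load a published word list instead.

```python
import math
import secrets

# Constructed stand-in for a real word list: 16 * 16 * 8 = 2048 unique pseudo-words.
_A = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
      "no", "pu", "ra", "se", "ti", "vo", "wu", "za"]
_B = ["lan", "mer", "nix", "pol", "rud", "sab", "tek", "vim",
      "bor", "cun", "dax", "fel", "gip", "hom", "jur", "kyd"]
_C = ["a", "e", "i", "o", "u", "y", "ar", "en"]
WORDLIST = [a + b + c for a in _A for b in _B for c in _C]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from the list.

    Assumes the attacker has the list and knows the word count, so the
    only unknown is which of list_size ** n_words combinations was drawn.
    """
    return n_words * math.log2(list_size)


def generate(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Draw words with a CSPRNG; the entropy figure holds only for uniform draws."""
    unique = sorted(set(wordlist))
    if len(unique) != len(wordlist):
        # A repeated entry is picked more often, which lowers the real entropy.
        raise ValueError("duplicate words make the draw non-uniform")
    return sep.join(secrets.choice(unique) for _ in range(n_words))


def average_guesses(bits: float) -> float:
    """An attacker enumerating the full space succeeds after half of it on average."""
    return 2 ** bits / 2


if __name__ == "__main__":
    # The three cases from the post: 2048 words x 4, doubled list x 4, doubled list x 5.
    for size, k in [(2048, 4), (4096, 4), (4096, 5)]:
        bits = entropy_bits(size, k)
        print(f"{k} words from {size}: {bits:.0f} bits, "
              f"~{average_guesses(bits):.3g} guesses on average")
    print(generate(WORDLIST))
```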

This came up in my news feed this morning and may be of interest here.

http://www.cnet.com/news/google-wants-to-help-you-manage-your-passwords/

Quote

Password manager Dashlane said Thursday it's partnering with Google on a project that will enable Android users to easily and securely log in to their mobile apps via stored passwords. It's called Open Yolo -- you only log in once. The project would involve other companies that make password managers, which automatically create, store and apply passwords for websites so you don't have to remember them.

Quote

Password managers are a viable way to avoid dealing with passwords. But multiple password managers -- including Dashlane, Roboform, LastPass and 1Password -- all try to do essentially the same job. Which one should you use? Well, the goal behind Open Yolo is to come up with a single, more seamless login process that taps into whichever password manager you use.

So far, such leading password managers as 1Password, LastPass, Keeper and KeePass are either already participating in the project or have expressed a strong interest in it, a Dashlane spokeswoman told CNET. One password manager ideal for the project is Smart Lock, a tool already built into your Google account. Introduced last year, Smart Lock can automatically log you in to an Android app and apply your username and password to websites opened through the Chrome browser.

 


Archived

This topic is now archived and is closed to further replies.
