
Indeed, which is why Bitwarden should disallow pin-only access for offline vault data altogether. Admittedly, I'm valuing a safe interface for users much more highly than one that is convenient or ergonomic.



If it’s not convenient then users won’t use a password manager at all.


It's the user's choice.


I mean, sure, but if the user isn’t appropriately informed of the risks (such as this attack) how would you expect them to make a good choice?


Currently it is, yes. In this case, I'm arguing that it should not be.


That would go against the nature of such software. Let's treat users as adults. There should be warnings. But this is a feature. Users shouldn't be able to eg. select weak crypto algos, there is no additional functionality in that. But setting whatever pin is a convenience, and users should be able to decide what threat vectors they accept.

