Hacker News

This is why password managers are wonderful - let it make one for you, and then it remembers it for the next time you need to hit that site.



Somehow with password managers we collectively decided that single points of failure were good…


For the 99% user, they're a huge step up in security. The password many will use for every site is itself a single point of failure on top of often being an incredibly guessable thing like "password" or "abc123". It being the same password for everything poses the security risk that a compromise of one company's data exposes your password for another company.

Now they can be told they only have to remember a single password and that makes a difference, though it does need to be stressed that this particular password should be more secure than "password". They remember a single password -- which is ideally hard to guess -- then copy the randomly generated password for whatever account and paste it in the login form.

A real worry is the possibility of a password manager service being compromised. However, these companies hire security experts and do regular audits of their systems and practices, which, when compared to the opsec of those who choose "password" for their password, is obviously beneficial. So of course we collectively decided that single points of failure are "good"; they are far better than what we had before.

(Admittedly, perhaps one attack that's enabled is to discover services that are used by an individual via compromised data from the password manager service. I still get the feeling that such a compromise, even on a wide scale, is more easily done elsewhere.)


I definitely see your point, but let's look at what Bitwarden does:

1. Back up my passwords on their server for a fee. Well, that's (alas) hackable, so if someone gets their password they will have everyone's password file.

2. Except each one is encrypted with that user's password, and in my case it's really long. So they'd then have to break each individual one.

3. Except signing in with my password on a new device requires my YubiKey as well, or one of my lost-my-YubiKey tokens, which also only I possess.

So I'm not as worried as I probably should be :-)


A rogue update to Bitwarden gets uploaded by an attacker and the entire edifice collapses at once.

Security is always as weak as the weakest link.


All password managers should support downloading and backing up your passwords, right? You can even self host if you want, at least for Bitwarden.


You misunderstood: the risk isn't that the password managers can lose your password, it's that they can be compromised and when they are then all your accounts are compromised at once.



