Author Topic: Passwords versus Certificates  (Read 2182 times)


Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1559
  • Country: pl
Re: Passwords versus Certificates
« Reply #25 on: January 29, 2025, 12:42:09 am »
Exactly. And even a bit of common sense and engineering mindset (technical thinking) gets you far.
Engineering mindsets commonly overestimate their abilities and knowledge, misled by apparent “rationality.” Most prominently outside their area of expertise, but not only there. So I call this a poor argument. :)

For example: I'm not a security expert at all and never have been a security professional. Yet it was always obvious to me that password changing rules are counterproductive,
Moving away from the practice is rooted in things one couldn’t know before the late 2010s, or without having access to a vast body of statistical data. At the same time, obsoleting password cycling isn’t denying the validity of the past argument. This is different from the “must contain $foo” policies, which were recognized as a reasoning mistake. So how was it obvious?

as are strict "include 1 number, 1 special character and 1 big letter" rules.
Which stands in opposition to the “engineering mindset” and “common sense” claim. It wasn’t laypeople who promoted it. It wasn’t complete ignoramuses repeating “good advice” who formed the principal force behind its use. It was people who had an “engineering mindset,” and who had knowledge ranging from basic to expert level. And the final, crucial ingredient was following “common sense,” instead of doing a cold, rational check of one’s own thinking process.

The problem is, the claim is valid. Not only is it valid, but it is sound. There is no error in logic. It is maths schoolchildren can do, and correctly come to the same conclusion, so “even an idiot” can see it’s right. Where is the catch? The original, perfectly good statement is declarative in its nature. But who would care about such subtle details, except perhaps some silly pedants? At some point it was taken as a normative statement. This is where things went south. This silently changed the premises, but only a few were careful enough to notice. I wasn’t among them. |O

The problem was further amplified on the recipient side. Blame the phenomenon that may be summed up as “better, therefore desired.” A thing to which, again, “engineering mindsets” seem to me more vulnerable than anybody else. It gives us the feeling of “rationality” we so much appreciate.

"Best practice" lists are good food for thought, like "these could be good ideas", but critical thinking should still be applied. Security is not entirely rocket science; one can actually logically think about threat models and even calculate probabilities - which is all basic high school math.
I would say: it depends on who makes the list. Is it just a random list on the internet? Probably not good even as “brainfood”: many are made to attract clicks, blindly copied from whatever the content creator could scavenge, to the point of being self-contradicting or off-topic. Things are different when it comes from a well-curated source, or from somebody with some authority who repeats what others in the field say. This kind of advice is well founded. Everything may be challenged, and history teaches us it should be. But one should have a sane dose of respect towards the opponent. Otherwise, though history shows clemency and forgets most such attempts, one makes a fool of oneself. ;)

« Last Edit: January 29, 2025, 12:44:45 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 9551
  • Country: fi
Re: Passwords versus Certificates
« Reply #26 on: January 29, 2025, 06:33:25 am »
So how was it obvious?

It was obvious because I myself had those yellow Post-it stickers with passwords, and I myself changed passwords by adding 1, 2, 3 etc. at the end. Many people I talked with awkwardly admitted doing the same. It was a running joke, but the joke was funny exactly because it was true.

Sometimes using common sense works better than getting too autistic and requiring scientific evidence for everything. This is a typical case study of experts disagreeing with each other with varying arguments, and finally reaching the same conclusion "laymen" intuitively knew all along. It is not surprising, because those "laymen" knew their own behavior. They chose stupid passwords in anger as a response to rules they felt were stupid, and in that way made the rules even more inefficient than they already were.

Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time; and one stronger password for that, which I don't have to change, and thus have better chances of remembering.

The problem is, the claim is valid. Not only it is valid, but it is sound. There is no error in logic. It is maths schoolchildren can do, and correctly come to the same conclusion

Even an average highschooler can calculate the probability of guessing two passwords: one which can contain any set of any symbols, and another which has some groups of symbols fixed to something known in advance by the attacker. It is weaker even without taking stuff like human behavior and dictionary attacks into account. If you add human behavior from practical experience (like yourself adding "!1" at the end of every password when confronted with those infuriating requirements), the result is even worse. It is again simple high-school math and logic that a longer freely chosen password is safer than a password of the same length as before but with !1 appended at the end and the first letter capitalized.

The whole argument by "experts" at the time was solely based on one assumption (with absolutely no proof that the assumption would ever work): that people would "normally" choose a short password with only letters [a-z], but that requiring the addition of numbers, special letters and symbols would somehow motivate people to use [a-z] [A-Z] [0-9] completely randomly over the entire password. The burden of proof for this assumption is on the one making the claim. Even laymen's intuition was right about this assumption being blatantly incorrect. For the small minority capable of remembering passwords with a truly random distribution of [a-z] [A-Z] [0-9], they would have used such passwords already. For the rest of us, the change in behavior would be the bare minimum to just satisfy the rules - and the rules were known to the attacker too. What made this rule especially bad was that at the time, increasing the length of the password was somehow not considered that important by the same experts.

And this isn't just hindsight. Laymen intuitively understood this already back then. Experts should take note.
« Last Edit: January 29, 2025, 07:26:58 am by Siwastaja »
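The comparison made in the post above, worked through as an added example (not the poster's code): each password position is modelled as an alphabet the attacker must enumerate, and a position whose value the attacker already knows (the habitual "!1" suffix) has an alphabet of size 1. The alphabet sizes, the 8-character baseline and the 1e10 guesses/second rate are assumptions chosen for illustration.

```python
import math

# Assumed alphabet sizes for the model.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
MIXED = LOWER + UPPER + DIGITS  # the [a-z][A-Z][0-9] pool the rule assumed people would use


def bits(alphabets):
    """Entropy in bits when every position is drawn uniformly and independently
    from its own alphabet. Size 1 means the attacker already knows that character."""
    return sum(math.log2(n) for n in alphabets)


def free_lowercase(length):
    """A freely chosen password of lowercase letters only."""
    return [LOWER] * length


def rule_assumed_random(length, pool=MIXED):
    """What the composition rule assumed: every position uniformly random over the mixed pool."""
    return [pool] * length


def rule_met_by_habit(length, suffix="!1"):
    """What people actually did: capitalise the first letter and append a fixed suffix.
    The attacker knows the rule and the habit, so the first letter is still one of 26
    (which uppercase letter) and the suffix positions contribute nothing."""
    core = length - len(suffix)
    if core < 1:
        raise ValueError("password too short to hold the suffix")
    return [LOWER] * core + [1] * len(suffix)


def expected_guesses(entropy_bits):
    """On average an attacker hits the password after half the keyspace."""
    return 2 ** entropy_bits / 2


def seconds_at(entropy_bits, guesses_per_second):
    return expected_guesses(entropy_bits) / guesses_per_second


def lowercase_length_to_beat(entropy_bits):
    """Smallest freely chosen lowercase length with at least this many bits:
    length is the lever the rule-makers of the time ignored."""
    return math.ceil(entropy_bits / math.log2(LOWER))


def scenario_table(length=8, guesses_per_second=1e10):
    """Rows of (scenario, bits, expected seconds to crack) for the cases the post contrasts."""
    scenarios = [
        ("free lowercase", free_lowercase(length)),
        ("rule met by habit (Xxxxxx!1)", rule_met_by_habit(length)),
        ("rule as assumed (random mixed)", rule_assumed_random(length)),
        ("free lowercase, two chars longer", free_lowercase(length + 2)),
    ]
    rows = []
    for name, alphabets in scenarios:
        b = bits(alphabets)
        rows.append((name, round(b, 1), seconds_at(b, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for name, b, secs in scenario_table():
        print(f"{name:34s} {b:6.1f} bits  ~{secs:12.1f} s")
    need = lowercase_length_to_beat(bits(rule_assumed_random(8)))
    print(f"free lowercase letters needed to match 8 random mixed chars: {need}")
```

Bending an 8-character password to the rule the habitual way costs roughly 9 bits against an attacker who knows the habit, while two extra freely chosen letters add about the same amount back.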
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 6221
  • Country: au
Re: Passwords versus Certificates
« Reply #27 on: January 29, 2025, 07:50:01 am »
... it is not too difficult to write a browser extension for Chrome or Firefox that
does about the same thing he did with the keylogger.

Not just that, but we are seeing a huge increase in credential stealers targeting stored passwords in browsers. Don't ever store your passwords in your browser. Use a proper password vault (BitWarden, 1Password etc...)

Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time

Anyone who claimed to be a security expert back then and said reputable password managers were a bad idea is either now eating humble pie, or was never actually an expert to begin with.
« Last Edit: January 29, 2025, 07:53:51 am by Halcyon »
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 21752
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: Passwords versus Certificates
« Reply #28 on: January 29, 2025, 09:15:35 am »
Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time; and one stronger password for that, which I don't have to change, and thus have better chances of remembering.

How does that work if you use multiple machines, with similar and/or different operating systems?
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 708
  • Country: fi
Re: Passwords versus Certificates
« Reply #29 on: January 29, 2025, 09:39:08 am »
I have hopes for the new passkey concept, even if I don't use it yet. It's still not supported as well as it has potential for, and the different platforms are competing with their own implementations and cloud stores (so it might cause issues to switch between e.g. a Mac and a Windows PC). The best way to use it is to have your own FIDO compatible hardware key where the certificate is stored.

It basically works like good old PGP, where you exchange and sign cryptographic keys, but it happens automatically. I hope it catches on.
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 6221
  • Country: au
Re: Passwords versus Certificates
« Reply #30 on: January 29, 2025, 10:15:23 am »
Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time; and one stronger password for that, which I don't have to change, and thus have better chances of remembering.

How does that work if you use multiple machines, with similar and/or different operating systems?

A lot of the decent password managers are cross-platform. They upload an encrypted copy of the database to the cloud, but ones like Bitwarden also let you export a backup copy locally that can be imported into other tools. I use Bitwarden on Windows, Mac and Android. There are also native iOS and Linux versions. If you don't like the idea of cloud, you can self-host a Bitwarden instance yourself, however I wouldn't recommend it unless you knew what you were doing. The source code is also available for review.

It's a bit like Authy. All machines are kept in-sync and changes are replicated across all your devices.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 708
  • Country: fi
Re: Passwords versus Certificates
« Reply #31 on: January 29, 2025, 10:36:15 am »
A lot of the decent password managers are cross-platform. They upload an encrypted copy of the database to the cloud, but ones like Bitwarden also let you export a backup copy locally that can be imported into other tools. I use Bitwarden on Windows, Mac and Android. There are also native iOS and Linux versions. If you don't like the idea of cloud, you can self-host a Bitwarden instance yourself, however I wouldn't recommend it unless you knew what you were doing. The source code is also available for review.

It's a bit like Authy. All machines are kept in-sync and changes are replicated across all your devices.

Agree. I've been using Keepass for many years, then moved to Bitwarden, because keeping the DB synced on all devices was a pain with Keepass. Keepass is still good if you don't need the multiple platform and device scenario. Just make sure to back up the DB to at least one other device.

Personally, I dislike the in-browser only password managers. There have been security issues and incidents. A password manager that is separate from the browser is more work for you when you have to manually search for and copy passwords, but that's the way I like it and it feels safer. In combination with an OTP 2-factor app, e.g. on your phone, this is as secure as you can do it today.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 21752
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: Passwords versus Certificates
« Reply #32 on: January 29, 2025, 11:06:27 am »
Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time; and one stronger password for that, which I don't have to change, and thus have better chances of remembering.

How does that work if you use multiple machines, with similar and/or different operating systems?

A lot of the decent password managers are cross-platform. They upload an encrypted copy of the database to the cloud, but ones like Bitwarden also let you export a backup copy locally that can be imported into other tools. I use Bitwarden on Windows, Mac and Android. There are also native iOS and Linux versions. If you don't like the idea of cloud, you can self-host a Bitwarden instance yourself, however I wouldn't recommend it unless you knew what you were doing. The source code is also available for review.

It's a bit like Authy. All machines are kept in-sync and changes are replicated across all your devices.

Potentially interesting, and I've skimmed the Bitwarden site - but found it too full of low IQ marketing guff. Hence a few questions...

Are the user's passwords stored locally?
What happens if their site is inaccessible or the company folds?
Is it possible for an authorised user to exfiltrate the stored passwords, e.g. to move to a different password service? Or is it "write only"?
What's to prevent the company (or whoever buys the company) moving to a "pay us or lose access to your passwords" business model? SOP truism: "the first one is always free".

Basically for any critical infrastructure service it is necessary to understand the escape routes when (not if) enshittification starts happening.
« Last Edit: January 29, 2025, 11:09:05 am by tggzzz »
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 6221
  • Country: au
Re: Passwords versus Certificates
« Reply #33 on: January 29, 2025, 11:25:35 am »
Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time; and one stronger password for that, which I don't have to change, and thus have better chances of remembering.

How does that work if you use multiple machines, with similar and/or different operating systems?

A lot of the decent password managers are cross-platform. They upload an encrypted copy of the database to the cloud, but ones like Bitwarden also let you export a backup copy locally that can be imported into other tools. I use Bitwarden on Windows, Mac and Android. There are also native iOS and Linux versions. If you don't like the idea of cloud, you can self-host a Bitwarden instance yourself, however I wouldn't recommend it unless you knew what you were doing. The source code is also available for review.

It's a bit like Authy. All machines are kept in-sync and changes are replicated across all your devices.

Potentially interesting, and I've skimmed the Bitwarden site - but found it too full of low IQ marketing guff. Hence a few questions...

Are the user's passwords stored locally?
What happens if their site is inaccessible or the company folds?
Is it possible for an authorised user to exfiltrate the stored passwords, e.g. to move to a different password service? Or is it "write only"?
What's to prevent the company (or whoever buys the company) moving to a "pay us or lose access to your passwords" business model? SOP truism: "the first one is always free".

Basically for any critical infrastructure service it is necessary to understand the escape routes when (not if) enshittification starts happening.

To answer your questions:

1. Yes, credentials are accessible offline and are cached locally. Obviously any changes would rely on an internet connection/cloud infrastructure to be working.
2. See above. However you also have the options of backing up/exporting your entire vault in JSON, CSV or JSON (Encrypted) formats which, worst case, are human readable.
3. You can move them to another service as long as they are able to read the exported formats.
4. They can fuck right off if they try to hold your data to ransom (as long as you have your own, secure, backups, which is always recommended!)

I just did a test export to CSV and all the vault fields (including passwords) are in plain text (once you satisfy the security criteria of course and decrypt the vault). Needless to say, if you do backup your exports somewhere (which you should), store them very carefully!

For what it's worth, Bitwarden only stores data in Microsoft Azure (with servers located in the US and EU), participates in bug bounty programs, and third-party code reviews: https://bitwarden.com/help/is-bitwarden-audited/#third-party-security-audits
« Last Edit: January 29, 2025, 11:35:04 am by Halcyon »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8398
  • Country: de
  • A qualified hobbyist ;)
Re: Passwords versus Certificates
« Reply #34 on: January 29, 2025, 11:35:39 am »
I have hopes for the new passkey concept, even if I don't use it yet.

Passkeys are hyped by the big players at the moment. But they come with some nasty drawbacks hidden in the details, e.g. vendor lock-in. There are already many blog posts on the drawbacks if you like to learn more.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 21752
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: Passwords versus Certificates
« Reply #35 on: January 29, 2025, 12:15:03 pm »
Now I use a password manager like suggested by many experts (and strongly shunned by other experts) at the time; and one stronger password for that, which I don't have to change, and thus have better chances of remembering.

How does that work if you use multiple machines, with similar and/or different operating systems?

A lot of the decent password managers are cross-platform. They upload an encrypted copy of the database to the cloud, but ones like Bitwarden also let you export a backup copy locally that can be imported into other tools. I use Bitwarden on Windows, Mac and Android. There are also native iOS and Linux versions. If you don't like the idea of cloud, you can self-host a Bitwarden instance yourself, however I wouldn't recommend it unless you knew what you were doing. The source code is also available for review.

It's a bit like Authy. All machines are kept in-sync and changes are replicated across all your devices.

Potentially interesting, and I've skimmed the Bitwarden site - but found it too full of low IQ marketing guff. Hence a few questions...

Are the user's passwords stored locally?
What happens if their site is inaccessible or the company folds?
Is it possible for an authorised user to exfiltrate the stored passwords, e.g. to move to a different password service? Or is it "write only"?
What's to prevent the company (or whoever buys the company) moving to a "pay us or lose access to your passwords" business model? SOP truism: "the first one is always free".

Basically for any critical infrastructure service it is necessary to understand the escape routes when (not if) enshittification starts happening.

To answer your questions:

1. Yes, credentials are accessible offline and are cached locally. Obviously any changes would rely on an internet connection/cloud infrastructure to be working.
2. See above. However you also have the options of backing up/exporting your entire vault in JSON, CSV or JSON (Encrypted) formats which, worst case, are human readable.
3. You can move them to another service as long as they are able to read the exported formats.
4. They can fuck right off if they try to hold your data to ransom (as long as you have your own, secure, backups, which is always recommended!)

I just did a test export to CSV and all the vault fields (including passwords) are in plain text (once you satisfy the security criteria of course and decrypt the vault). Needless to say, if you do backup your exports somewhere (which you should), store them very carefully!

For what it's worth, Bitwarden only stores data in Microsoft Azure (with servers located in the US and EU), participates in bug bounty programs, and third-party code reviews: https://bitwarden.com/help/is-bitwarden-audited/#third-party-security-audits

I suspected it would be faster for you to demonstrate the answers than me to trawl through bumpf :) Thanks.

For me a significant threat vector would be someone on a bike stealing my phone while I was using it; not uncommon around here :( If they then kept the screen open, they would have access to everything in the vault. (ISTR that police forces have kept phone screens open until the phone had been cloned for forensic examination.)

As for secure storage, I could do worse than store them on paper in my filing system, in the folder with old papers on n-path filters. Security by obscurity at its finest ;)
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 9551
  • Country: fi
Re: Passwords versus Certificates
« Reply #36 on: January 29, 2025, 12:26:47 pm »
For me a significant threat vector would be someone on a bike stealing my phone while I was using it; not uncommon around here :( If they then kept the screen open, they would have access to everything in the vault.

I'm not an expert on this, but AFAIK the whole point is that opening the password storage is behind a password - it is not coupled to the phone screen being open. It's not a huge inconvenience because you do not need to enter passwords/secrets all the time. So you unlock (decrypt) the storage every time, and it closes automagically soon if you forget to close it. Thus the time window for attack is very small, basically only when you are in the middle of logging in to some service.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 21752
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: Passwords versus Certificates
« Reply #37 on: January 29, 2025, 12:30:43 pm »
For me a significant threat vector would be someone on a bike stealing my phone while I was using it; not uncommon around here :( If they then kept the screen open, they would have access to everything in the vault.

I'm not an expert on this, but AFAIK the whole point is that opening the password storage is behind a password - it is not coupled to the phone screen being open. It's not a huge inconvenience because you do not need to enter passwords/secrets all the time. So you unlock (decrypt) the storage every time, and it closes automagically soon if you forget to close it. Thus the time window for attack is very small, basically only when you are in the middle of logging in to some service.

Possibly; I'm not in a position to know.

Your observation raises the issue of a single password gaining access to all passwords in the vault.

On smartphones it appears that with common services (gmail, fleabay) you remain logged in (even across shutdowns) unless you explicitly log out. Sigh.
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 9551
  • Country: fi
Re: Passwords versus Certificates
« Reply #38 on: January 29, 2025, 12:40:46 pm »
Your observation raises the issue of a single password gaining access to all passwords in the vault.

That was really the argument against password managers. Now the consensus is that the benefits outweigh it:
* This single password will be much stronger; there is motivation to make it strong, and it is possible for a normal human being to remember one strong password (but not 100)
* This single password is only used for that one piece of software, which can be engineered to be safer not to leak it (compare to any random web service which could store your password plain-text, use poor hashing functions, or leak their passwords)
* If you use an old-school local password manager and not a cloud one, it is also tied to your particular machine, so you need to steal the machine and guess the master password.

But in the end,
https://xkcd.com/538/
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 21752
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: Passwords versus Certificates
« Reply #39 on: January 29, 2025, 12:47:57 pm »
Your observation raises the issue of a single password gaining access to all passwords in the vault.

That was really the argument against password managers. Now the consensus is that the benefits outweigh it:
* This single password will be much stronger; there is motivation to make it strong, and it is possible for a normal human being to remember one strong password (but not 100)
* This single password is only used for that one piece of software, which can be engineered to be safer not to leak it (compare to any random web service which could store your password plain-text, use poor hashing functions, or leak their passwords)
* If you use an old-school local password manager and not a cloud one, it is also tied to your particular machine, so you need to steal the machine and guess the master password.

But in the end,
https://xkcd.com/538/

That's a rare case where xkcd isn't spot on. Traditionally s/wrench/rubber hose/.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 708
  • Country: fi
Re: Passwords versus Certificates
« Reply #40 on: January 29, 2025, 02:31:20 pm »

Passkeys are hyped by the big players at the moment. But they come with some nasty drawbacks hidden in the details, e.g. vendor lock-in. There are already many blog posts on the drawbacks if you like to learn more.

Whatever the hype, there's a sound and proven technology behind it: signing and exchanging cryptographic keys. Everyone who has tried to use PGP knows the pain in the a** it is to handle, sign and exchange keys. But the underlying technology is known and good. Passkeys are meant to simplify and automate this. The "nasty drawbacks" might refer to the issue with cloud key stores that don't work cross-platform, so kind-of vendor lock-in (but they are still your keys). For tech aware people, the solution is to use hardware (FIDO) keys and store the crypto keys yourself. However, not all platforms and applications support hardware keys with passkeys yet.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8398
  • Country: de
  • A qualified hobbyist ;)
Re: Passwords versus Certificates
« Reply #41 on: January 29, 2025, 03:20:39 pm »
Some more passkey drawbacks:
- Authenticator Selection Extension
- from https://docs.yubico.com/hardware/yubikey-guidance/best-practices/all-faq-passkeys.html#how-are-passkeys-different-from-yubikeys: "Currently, YubiKeys can store a maximum of 25 passkeys."
- Passkeys: A Shattered Dream (https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/)

I don't want to discourage you from using passkeys, but it's good to know about limitations and drawbacks. You can easily shoot yourself in the foot when just following the hype and ignoring boring facts.
 

Offline dferyance

  • Regular Contributor
  • *
  • Posts: 207
Re: Passwords versus Certificates
« Reply #42 on: January 29, 2025, 03:40:00 pm »
Having a password manager upload your password database to the cloud is unnecessary in most cases and just a way to cost you more money. Most people have a local network, nothing prevents you from syncing files on the local network or throwing it on a NAS. Of course you have the risk of your local network security but you already have this with cloud storage. I use a tool to sync my database between devices when connected to my home network.

While a password database will be encrypted, I don't know why we think it is a good idea to store this on someone else's computer. It's not like you change your passwords every hour or something, so that everything needs to sync all the time.
 

Offline abeyer

  • Frequent Contributor
  • **
  • Posts: 489
  • Country: us
Re: Passwords versus Certificates
« Reply #43 on: January 29, 2025, 08:18:28 pm »
For tech aware people, the solution is to use hardware (FIDO) keys and store the crypto keys yourself. However, not all platforms and applications support hardware keys with passkeys yet.

That's still not really a complete solution.

For individual use, where you don't have an organization admin who can do disaster recovery for you and you have to take that on yourself, you can't rely on a single piece of hardware that could be lost/stolen/damaged/destroyed. The procedure to properly back up your hardware token is kind of a non-starter... you either need to have your second backup device with you all the time (which defeats the purpose if you then lose both of them at the same time) or need some complex hand-off where you store one securely somewhere but then immediately get it and sync it to changes on the other whenever they happen (which is almost certainly bound to get missed at some point, and you won't discover that until you try to access something and are locked out.)

There's also the issue of each service having to implement passkeys correctly; there's a surprising (or perhaps unsurprising) number who get it wrong in ways that break portability, like only allowing a single passkey per account, not supporting updates/rotation on them when needed, allowing them to be bypassed, etc...

And finally, password managers that implemented passkey support were pitched as a "fix" to this issue for a while... but now the powers that be behind passkeys are bullying them to remove the ability to import/export/migrate passkeys in a way that's actually controlled by the user.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 708
  • Country: fi
Re: Passwords versus Certificates
« Reply #44 on: January 29, 2025, 10:24:44 pm »

That's still not really a complete solution.

For individual use, where you don't have an organization admin who can do disaster recovery for you and you have to take that on yourself, you can't rely on a single piece of hardware that could be lost/stolen/damaged/destroyed. The procedure to properly back up your hardware token is kind of a non-starter... you either need to have your second backup device with you all the time (which defeats the purpose if you then lose both of them at the same time) or need some complex hand-off where you store one securely somewhere but then immediately get it and sync it to changes on the other whenever they happen (which is almost certainly bound to get missed at some point, and you won't discover that until you try to access something and are locked out.)

There's also the issue of each service having to implement passkeys correctly; there's a surprising (or perhaps unsurprising) number who get it wrong in ways that break portability, like only allowing a single passkey per account, not supporting updates/rotation on them when needed, allowing them to be bypassed, etc...

And finally, password managers that implemented passkey support were pitched as a "fix" to this issue for a while... but now the powers that be behind passkeys are bullying them to remove the ability to import/export/migrate passkeys in a way that's actually controlled by the user.

Maybe not. You are right that you need at least two hardware tokens. I don't see that as an issue. The people that use hardware keys are probably aware of these things. But you are right about the other things. It's not a ready solution yet.
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 6221
  • Country: au
Re: Passwords versus Certificates
« Reply #45 on: January 29, 2025, 11:45:40 pm »
For me a significant threat vector would be someone on a bike stealing my phone while I was using it; not uncommon around here :( If they then kept the screen open, they would have access to everything in the vault. (ISTR that police forces have kept phone screens open until the phone had been cloned for forensic examination.)

As for secure storage, I could do worse than store them on paper in my filing system, in the folder with old papers on n-path filters. Security by obscurity at its finest ;)

If you're running the latest version of Android, you can mitigate that attack vector by enabling "Theft Protection" (not sure if it's make/model dependent). On my Pixel, it's under Settings > Security and Privacy > Device Unlock > Theft Protection. It will automatically lock your device if it's snatched and someone runs off with it. There's also an option to automatically lock if it's taken offline (a common tactic to prevent devices being remotely located).

Having a password manager upload your password database to the cloud is unnecessary in most cases and just a way to cost you more money. Most people have a local network, nothing prevents you from syncing files on the local network or throwing it on a NAS. Of course you have the risk of your local network security but you already have this with cloud storage. I use a tool to sync my database between devices when connected to my home network.

While a password database will be encrypted, I don't know why we think it is a good idea to store this on someone else's computer. It's not like you change your passwords every hour or something, so that everything needs to sync all the time.

Of course, but for me, having a cloud backup is crucial. I was in a situation last year where I dropped my phone and the touch screen became unusable. From any other device with a web browser, I could still access my passwords.

But as I mentioned earlier, with Bitwarden, if you don't like the idea of having your password database stored elsewhere, you can always self-host it: https://bitwarden.com/help/install-on-premise-linux/
« Last Edit: January 29, 2025, 11:47:16 pm by Halcyon »
 
