The truth is the password is just another failed security concept- because those that work, cant be remembered by the users.
So ones security researches terrible, is a neurologists reasonable. The actually embarrassing part is that after years of research- we still do not have a alternative.
We do have alternatives — global open cross-platform standards such as hard tokens based on the FIDO U2F and WebAuthN standards even. We're just not at the point where both users and services are willing to use these technologies.
Password managers are a band-aid on a fundamentally flawed technology. They are what we have now, so (if your tech savvy) that's what you're using. But it's an absolute shame that this is where we're at.
I'm optimistic about the FIDO standard as a password replacement. Exciting things happening in that space recently!
Password managers are best practice, but they are a reaction to the failures of passwords, rather than an attempt to replace passwords with a better proposal.
* Password Managers are good but inadequate as a solution because, at present, only a motivated set of any given number of users are likely to make use of them.
Do we want a solution that works well for all or nearly all users? Or will we simply settle for a solution that protects only ourselves?
At present, password managers are often third-party luxuries even though they are indispensable for basically every person. In truth, they are essential enough that standardized API hooks for password managers really ought to be baked into every consumer OS, and if we are serious about protecting users in a world where 86% of passwords are terrible, users should have to explicitly opt out of whether to use a password manager or not.
The only choices most users should be making are
* whether to use a default or nominated password manager,
* what physical tokens / 2FA approaches they want to use
* and whether they want their credentials to be stored in the cloud (convenient) or only ever stored locally (more secure, credential transfer fully under control of users).
Sites / Applications / etc requesting credentials should really provoke a standardized credential request UI on the OS, not have bespoke credential dialogues in a thousand different designs and approaches bleeding all over the internet.
The choice to have a distinct credential per site should not be a choice offered to most humans, because most humans will always make the wrong choice.
I do this but I'd love to have someone tell me why this is a terrible idea (apart from the obvious one of using a 3rd party sha256 calculator)
1. Have a very short prefix and a suffix I can expect to remember
2. Password for every website gets generated like this <prefix> + website name + <suffix>
3. Generate SHA256 hash of #2
4. Use #3 as password for the site.
5. Save password to password manager
Pros -
1. losing a password on one site doesn't compromise the pattern on others because cracking sha256 is still not possible (afaik)
2. relatively easy rules to create new password
3. If I HAVE to login on a computer without my password manager (e.g., public workstation), I can regenerate my password on the fly.
Cons -
1. I use an external sha-256 calculator
2. Some sites enforce password length and arbitrary case/symbols rules. Have to manipulate generated password by hand
1. This relies on a mistaken expectation that all sites you use being able to accept SHA256 output - presumably in Base64 or similar- as an acceptable password. You will likely have to compromise this.
2. You have no credential expiry built into this approach. Even should you decide to not use credential expiry, if one site demands it, your strategy doesn't work.
3. You are still at risk of having your passwords leak because: Anyone who compromises a public machine on which you generated your password manually (eg leaving any traces in logs, bash history etc) who eyeballs your SHA256 input prefix_ashleymadison.com_suffix , now has very clear reasons to expect they can generate passwords based on prefix_facebook.com_suffix and pre_barclaysbank.com_suffix because your credentials between sites are now not independent of each other, and worse, directly suggest each other.
Ignoring keyloggers and bash history issues etc any simple 'over the shoulder' attacker, likewise, get a pretty good guess at all of your passwords all at once by observing you generate a password for one site just once.
In short, if you attempt to use an approach like this, you no longer just have to protect your password, you have to absolutely protect the knowledge of the algorithm by which you generate your password for different sites. This being compromised just once potentially compromises all your passwords, substantially widening the ways in which you can be harmed.
At some point a site you use will be compromised, so you have a problem as that site will require a new password.
So your login routine is now:
* Generate your password via hash(prefix + sitename + suffix), and use it on every site, except that compromised one. Because it invalidated your old password and won't let you reuse it.
In short you have a versioning problem. And you have to remember it. The problem compounds for each site you use which insists upon a change for whatever reason.
(Also your own "con" - different sites have different restrictions/caveats for password formats.)
Use a password-manager, it really is the best way to have a unique and secure password for each site.
I do use my Mac's Keychain Access. My issue started when I had to use a work computer for logging into a newspaper account and I couldn't remember what it was because it was saved on my personal laptop. That's when I came up with this scheme.
> versioning problem
Someone else pointed this out as well. Thanks for thinking this thru.
I'm not sure what you are saying ... should I memorize dozens of passwords like WCLfx(edI%uHgjWM6RuEeC6Qh for the services I use or should I strap on getting those dozens of services to use a perfect SSO service that doesn't leak privacy and is perfectly secure and doesn't exist yet?
(And you do need to memorize your password manager password - and your main email account password as well)
Also a lot of leaked passwords were strong, they just got compromised because someone didn't know about 70's password security basics.
Should we just never use any leaked password ever again? (Note I'm not saying: with the same login - or any of the "top 100") Should we really trust all of our passwords to one service that might get compromised or just go away?
Should we bother creating a strong unique password for that new cool SF startup that doesn't know how to use bcrypt?
If it is well integrated with your browser it's quite ok. Maybe not as convenient as using the same simple password everywhere but certainly a lot better than having to remember a lot of different passwords ;)
I personally prefer _not_ integrating my password manager with my browser, even though the option is available. Instead my password manager performs manually-activated autotyping which, while less convenient, does at least 'feel' like it's more secure.
I trust my OS to isolate applications from eachother more than I trust my browser to isolate extensions from the page they run on. LastPass in particular have had their browser extension exploited[0].
So ones security researches terrible, is a neurologists reasonable. The actually embarrassing part is that after years of research- we still do not have a alternative.