Yeah, that’s going to be a terrible system. The human brain isn’t capable of keeping track of enough entropy to create a secure password system.
More generally, it’s a big red flag when anybody thinks they can make a better system than publicly available and verified systems. You’re not capable of that, I’m not capable of that, Bruce Schneier is not capable of that. No matter how smart you are, you missed something. That’s why I didn’t need to know a single detail.
he human brain isn’t capable of keeping track of enough entropy to create a secure password system.
What an idiotic argument, the level of entropy comes from the rules first and foremost, putting a 1 and an A together is the exact same entropy as using 2 and B. Randomizing it one way instead of another doesn’t change entropy much.
More generally, it’s a big red flag when anybody thinks they can make a better system than publicly available and verified systems.
You completely fail to understand the argument. I’m not arguing my passwords are stronger, I’m arguing they are SAFER! because they are not stored on any system, much less 3 different systems, one of which could theoretically have a vulnerability.
What an idiotic argument, the level of entropy comes from the rules first and foremost, putting a 1 and an A together is the exact same entropy as using 2 and B.
Oh dear, no. You cannot match a cryptographic (P)RNG for generating passwords. Not even close.
True, my argument is that in practice it doesn’t matter. How many passwords of REASONABLE strength are brute forced? Opposed to how many are lifted from services with lacking security?
Quite a few. Data dumps of passwords from sites can be from sites that used full hashing. If you used a fully random password of at least 20 characters, even unsalted md5 storage would be unbreakable.
That’s true. But how does a randomized password generated by a password manager work when the service is accessed from 3 platforms? Like for instance Windows, Linux and Android?
Seems to me that you need 3 different pieces of software, and just 1 getting compromised would compromise everything.
It’s generally one piece of software, a browser extension, that works for all. Even mobile apps are often just webpages with extra steps, so the code base is the same.
The underlying storage must be encrypted the same way on each.
Yes, there are still potentially issues. I’ll come back to what I said at the start: passwords are a bad system in general, all methods for handling them are flawed, but password managers have the fewest flaws.
Yes, there are still potentially issues. I’ll come back to what I said at the start: passwords are a bad system in general, all methods for handling them are flawed, but password managers have the fewest flaws.
Well that I can actually mostly agree on, IDK how we got into a disagreement on that in principle? For me personally though, I trust myself more, than a software manager. I’m pretty sure my passwords are strong enough, even if a software manager can make even stronger passwords.
What? What kind of system do you think I have? The only vulnerability is if they can hack my brain.
Yeah, that’s going to be a terrible system. The human brain isn’t capable of keeping track of enough entropy to create a secure password system.
More generally, it’s a big red flag when anybody thinks they can make a better system than publicly available and verified systems. You’re not capable of that, I’m not capable of that, Bruce Schneier is not capable of that. No matter how smart you are, you missed something. That’s why I didn’t need to know a single detail.
What an idiotic argument, the level of entropy comes from the rules first and foremost, putting a 1 and an A together is the exact same entropy as using 2 and B. Randomizing it one way instead of another doesn’t change entropy much.
You completely fail to understand the argument. I’m not arguing my passwords are stronger, I’m arguing they are SAFER! because they are not stored on any system, much less 3 different systems, one of which could theoretically have a vulnerability.
Oh dear, no. You cannot match a cryptographic (P)RNG for generating passwords. Not even close.
True, my argument is that in practice it doesn’t matter. How many passwords of REASONABLE strength are brute forced? Opposed to how many are lifted from services with lacking security?
Quite a few. Data dumps of passwords from sites can be from sites that used full hashing. If you used a fully random password of at least 20 characters, even unsalted md5 storage would be unbreakable.
That’s true. But how does a randomized password generated by a password manager work when the service is accessed from 3 platforms? Like for instance Windows, Linux and Android?
Seems to me that you need 3 different pieces of software, and just 1 getting compromised would compromise everything.
It’s generally one piece of software, a browser extension, that works for all. Even mobile apps are often just webpages with extra steps, so the code base is the same.
The underlying storage must be encrypted the same way on each.
Yes, there are still potentially issues. I’ll come back to what I said at the start: passwords are a bad system in general, all methods for handling them are flawed, but password managers have the fewest flaws.
Well that I can actually mostly agree on, IDK how we got into a disagreement on that in principle? For me personally though, I trust myself more, than a software manager. I’m pretty sure my passwords are strong enough, even if a software manager can make even stronger passwords.