
But if my machine were compromised, my 1password password would be compromised too, wouldn't it?


Maybe. It has some defenses against keyloggers. The local data is encrypted so the attacker would need your master password, which hopefully you wouldn’t have stored in plaintext on the same machine.

Regardless, the idea is still that a secure password manager would put you in a better situation more often than would a plain text file, cloud notes, physical notebook/sticky, etc.


But the reasonable comparison wouldn't be "a plain text file", it would be something like Jason Donenfeld's pass (https://www.passwordstore.org/).

Now, there are some potential usability improvements they can offer by giving the passwords to "some company", but there's a serious price (not only financial) to pay for that.

Also, because it's designed as a standard Unix tool, if you're comfortable in Unix (as we may suppose more Linux users are), you'll find pass fits better than 1password or similar programs. When did you change the password for your Hacker News account? You can use 'git' to ask, like you would anything else. How will you ensure the passwords survive a house fire? They're on your filesystem and will be preserved with everything else in your backups (you do have backups and use encrypted storage for them, right?).

And so on.
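The "ask git when you last changed it" point above, turned into a small password-age audit over a pass store's git history. This is an added example, not code from the thread or from the pass project; it assumes the store is a git repository (as `pass git init` sets up) and builds a constructed temporary store so it runs offline without gpg.

```shell
#!/bin/sh
# Added example (not from the thread): audit password age in a pass store
# using the commit date of the last change to each *.gpg entry.
# Assumes the store is a git repo; defaults to $PASSWORD_STORE_DIR or
# ~/.password-store, matching pass's own convention.
set -eu

# Print "<days-since-last-change> <entry>" for every entry, oldest first.
pass_entry_ages() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    now=$(date +%s)
    # git pathspec '*.gpg' matches across subdirectories (work/vpn.gpg too).
    git -C "$store" ls-files -z -- '*.gpg' | tr '\0' '\n' |
    while IFS= read -r f; do
        last=$(git -C "$store" log -1 --format=%ct -- "$f")
        echo "$(( (now - last) / 86400 )) ${f%.gpg}"
    done | sort -n -r
}

# Print only the entries not rotated within the last DAYS days.
# Usage: pass_entries_older_than DAYS [STORE]
pass_entries_older_than() {
    pass_entry_ages "${2:-}" | awk -v d="$1" '$1 > d { print $2 }'
}

# Constructed demo store (hypothetical entries, placeholder "ciphertext"):
# one entry committed in 2020, one committed just now.
demo_store() {
    d=$(mktemp -d)
    git -C "$d" init -q
    git -C "$d" config user.email demo@example.com
    git -C "$d" config user.name demo
    printf 'ciphertext-placeholder\n' > "$d/news.ycombinator.com.gpg"
    git -C "$d" add .
    GIT_AUTHOR_DATE=2020-01-01T00:00:00Z GIT_COMMITTER_DATE=2020-01-01T00:00:00Z \
        git -C "$d" commit -qm "Add news.ycombinator.com"
    mkdir -p "$d/work"
    printf 'ciphertext-placeholder\n' > "$d/work/vpn.gpg"
    git -C "$d" add .
    git -C "$d" commit -qm "Add work/vpn"
    echo "$d"
}

# Run against the demo store; point it at your real store instead:
#   pass_entries_older_than 365 "$HOME/.password-store"
pass_entry_ages "$(demo_store)"
```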


If talking to a typical person I wouldn’t assume they would stick with a method like pass, or a synced keepass file (methods I like just fine personally). UI affordances and multi-device convenience aren’t just fun, they make good security easier for people who are tired or in a hurry.


PassFF gives me a UI affordance (password dialogs on web sites in my Firefox get an icon, and context UI menus to auto-fill from pass), and I automatically synchronise the git repo to an Android phone that likewise has affordances.

They're nicer in some alternatives like 1password, but they aren't absent in the pass ecosystem, and of course I can customise these as I prefer (indeed one of my patches has landed in PassFF, so I no longer run a fork).


Yes, it’s not that they don’t exist, but more that the burden is on the user to be aware of them, implement consistently on all devices and perform a degree of maintenance. Generally, speaking about users in aggregate, that is less conducive to good security practices in the long run than one nice, maintained piece of software with multiple clients and a team keeping sync running well. There’s a meta-affordance to consider, if you will.



