Scott Hardie | September 24, 2019
I don't use a password manager, but I've been tempted to get one because I keep seeing articles like this touting their benefits. If any of you use one, I'd appreciate some help figuring out one aspect that I don't understand.

I keep hearing that it's unsafe to use the same password on multiple websites. If hackers steal your data from one website, they can log into other websites as you. That makes sense.

A password manager lets you generate an infinite number of different passwords without having to remember them. But fundamentally, you're still using just one master password for the manager.

So if hackers steal your master password, isn't that just as bad as them stealing your password from a website? How is that more secure?

It's less likely to happen, because the password manager services presumably take their security more seriously than some random website. But if it does happen, you're still screwed, right?

In fact, you're even more screwed, because the password manager remembers the sites for which it's storing passwords. If a hacker steals my Google password, s/he doesn't know that I also have an Amazon account with the same password; s/he would have to go around the web trying different services and hope to find some of my logins. But once a hacker gets into my password manager account, there's a list of literally every website I access and the password to each one. Isn't that worse?

Am I wrong here? There could be something I'm not understanding.

Erik Bates | September 24, 2019
I use LastPass and find it to be incredibly useful. I make sure that I use a complex master password, and I change it a few times a year. Couple that with two-factor authentication (both in my manager and on all sites that use it, as well) and I feel pretty secure.

To your point about a hacker getting your Google password but not knowing other sites that use the same password - that's true, but I think the more likely scenario is a hacker finding out your gmail password, changing the password and locking you out, and then just sending password reset requests that they intercept with your newly hijacked account. So many websites just use your email address as a username these days.

Or, the above process could be triggered not by gmail getting hacked (which is less likely), but rather by someone finding that you have a gmail account as a username on some random website and assuming that you use that password for gmail... you get the idea.

In the end, there is no perfect system. But a secure password generator that uses strong encryption (salted hashes, etc.), coupled with GOOD two-factor authentication (none of that SMS stuff), is a pretty safe bet. LastPass was hacked a few years ago, and all the hackers got was a bunch of salted hashes of master passwords. There was no way to decrypt the passwords using any data held on LastPass's servers.

Scott Hardie | December 9, 2019
I neglected to get back to you on this, Erik, but those are good points. I don't know if it helps, but one of the advantages of owning my own domain is that every address @ my domain all routes to my real inbox elsewhere. So I can register a different email address with every service that I sign up with, AND there's no obvious login point to check the messages. I'll sign up with LastPass. Thanks for the insight. :-)

Want to participate? Please create an account a new account or log in.

Other Discussions Started by Scott Hardie

GooCon 2016

It's my pleasure to announce that GooCon will be back this October! However, unlike past years, this event will be held online, so there's no need to travel. Go »

Too Slow to Talk

One of my pet peeves with modern texting culture is that you seem to be expected to respond at all times. Go »

Altered States

I stumbled upon a history lesson today when browsing unrecognized U.S. states. How different would the country be today if Franklin, or Deseret, or Nickajack, or Westsylvania had become states? Go »

It's Not Like They Wear Armor Anyway

Kelly found naked Klingons. I would say "so the web has come to this," but the web came to this sort of thing years ago. Go »

Harry Potter and the Sorcerer's Stone

Shit. I was on the eighth paragraph of a long commentary on this movie, which Kelly and I saw yesterday, when something went buggy with Internet Explorer. Go »

Google's Big Takedown

I am appalled by the EU court ruling against Google, forcing it to comply with takedown requests. Certainly, I understand the need to leave behind your own past. Go »