I still don’t get why someone using a password manager would make up passwords themselves instead of randomly generating long and strong passwords...

The way they implemented this is nice, but seems a bit pointless to me.

Lots of people may have recently switched to a password manager, and now use it to store old passwords that they haven't regenerated. It's very likely a common use case.

Heck, you don't even need to have switched to it recently!

I've imported my passwords from Firefox's password manager to a dedicated one a few years back, and I've been generating new passwords ever since.

There are still dozens of occurrences of the one-password-for-all-services I used previously, because nobody will go through the hassle of changing passwords in hundreds of online services. I do change it whenever the autofill appears too short to be randomly generated, but I still haven't got rid of all of them.

With that said, I'm not using 1Password and I've already checked my old password in Troy's service to make sure it wasn't in a breach.

Password rotation is a major issue.

If we used something like certificate auth it'd be less of an issue, but currently password managers are a horrible trend because they encourage using your password for a service for many years. Ideally you'd rotate them every 60 days. Automating that is hell.

It'd be much nicer if we could just use OIDC with a user-configurable endpoint.

Password rotation has been shown time and again to be worse than just using a unique strong password.

With rotation, there is a tendency to just use the same password but increment a digit at the end, or to write them down because people forget them. A password manager helps with this, but if you're using a password manager, then you can use a different password everywhere.

Password rotation was recommended in the days when people used the same password everywhere and had to memorize them because password managers weren't a thing.

Password rotation gains you nothing if you're already using strong, unique passwords. The best it will gain you is preventing your account from being accessed if they have already breached the password file, cracked it, and come back after the rotation period. But at that point they've already had access to the system and your password is meaningless anyway, so you didn't actually gain anything.

I'm talking about automated password rotation. A new 128-byte random base64 password every month.

Rotating credentials is important, even if you automate them. For the same reason that Let's Encrypt only provides certificates with 90 days validity, and that OAuth2 Offline tokens are usually limited to 90 or 180 days.

Ideally we'd use OAuth2 for everything, as that'd allow proper usage of offline tokens that allow the client to generate short-lived session tokens, but we don't; instead we're using passwords everywhere, and we'd ideally want to have the same validity there.

The optimum would even be using challenge-response authentication, or client-side certificates.

This isn't a comparison of manual password management to password managers, but a criticism of password managers when compared to a 30-day rotation cycle of client-side certificates.

Rotating passwords is only important if the site has been compromised (or you've been compromised, such as being phished). For the former, 1Password already has the Watchtower functionality where it tells you if a site is known to have been compromised since your password was generated, and for the latter, well, if you're being phished then you'll probably figure it out pretty quickly when the attacker steals your account.

In any case, if you really want to rotate passwords, 1Password has a "Security Audit" section with sections for "3+ years old", "1-3 years old", and "6-12 months old" passwords (and duplicate passwords, and weak passwords, and watchtower alerts), so you can rotate if you want to.
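Added example, not code from any commenter and not 1Password's own implementation: a small audit over a constructed vault export that does what the two comments above describe by hand. It puts each entry in the age buckets the Security Audit uses (the exact day thresholds are assumed), flags reused passwords, flags entries that look too short to have been generated (the "autofill appears too short" heuristic; the 16-character cutoff is assumed), and checks each password against a constructed stand-in for the Pwned Passwords k-anonymity range API, where only the first five hex characters of the SHA-1 ever leave the machine. The sites, passwords, dates and breach counts are all made up.

```python
import base64
import hashlib
import secrets
from collections import defaultdict
from datetime import date

# Constructed sample vault export (fake sites, fake passwords, no real
# credentials). "changed" is the date the password was last set.
TODAY = date(2018, 6, 1)
VAULT = [
    {"site": "example-mail.test",  "password": "hunter2",              "changed": date(2014, 3, 2)},
    {"site": "example-shop.test",  "password": "hunter2",              "changed": date(2016, 9, 10)},
    {"site": "example-bank.test",  "password": "xK9#pLm2$vQ7!rT4wE8z", "changed": date(2018, 1, 15)},
    {"site": "example-forum.test", "password": "Correct-Horse-7",      "changed": date(2017, 10, 1)},
]

def age_bucket(changed, today=TODAY):
    """Age buckets as the Security Audit lists them; day thresholds are assumed."""
    days = (today - changed).days
    if days >= 3 * 365:
        return "3+ years"
    if days >= 365:
        return "1-3 years"
    if days >= 182:
        return "6-12 months"
    return "under 6 months"

def reused_passwords(vault):
    """Map a hash of each password to the sites sharing it; only reused ones returned."""
    sites = defaultdict(list)
    for e in vault:
        sites[hashlib.sha256(e["password"].encode()).hexdigest()].append(e["site"])
    return {h: s for h, s in sites.items() if len(s) > 1}

def looks_hand_made(password, min_len=16):
    """The thread's heuristic: a generated password would be long (cutoff assumed)."""
    return len(password) < min_len

def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()

# Constructed stand-in for the Pwned Passwords range API
# (https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>). The real
# service answers with "<remaining 35 hex>:<count>" lines; counts here are made up.
_H = sha1_hex("hunter2")
RANGE_RESPONSES = {
    _H[:5]: f"{_H[5:]}:16092\r\n0123456789ABCDEF0123456789ABCDEF012:3\r\n",
}

def constructed_range_lookup(prefix):
    return RANGE_RESPONSES.get(prefix, "")

def pwned_count(password, lookup=constructed_range_lookup):
    """Only the 5-character prefix is sent; the suffix match happens locally."""
    h = sha1_hex(password)
    for line in lookup(h[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if suffix == h[5:]:
            return int(count)
    return 0

def generate_password(nbytes=32):
    """The replacement for a flagged entry: random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def audit(vault=VAULT, today=TODAY, lookup=constructed_range_lookup):
    reused = {s for sites in reused_passwords(vault).values() for s in sites}
    return {
        e["site"]: {
            "age": age_bucket(e["changed"], today),
            "reused": e["site"] in reused,
            "short": looks_hand_made(e["password"]),
            "pwned": pwned_count(e["password"], lookup),
        }
        for e in vault
    }

if __name__ == "__main__":
    for site, finding in audit().items():
        print(site, finding)
```

Against the real service, `constructed_range_lookup` would be replaced by an HTTPS GET of the prefix; the parsing and matching stay the same, and the full hash never goes over the wire.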

Rotating credentials is also important as an additional layer of security to prevent misuse.

Sadly, currently all this is highly theoretical. The first thing we should focus on is getting 2FA (TOTP/HOTP or U2F) authenticated login on every service that doesn't use OIDC. Even this very site, HN, has no such functionality (@dang, @pg: Why?)

This is a much more important first step, and once that’s fixed, we can look at improving credential rotation, and providing global SSO with browser credentials.

I'd wager HN doesn't have 2FA because there's not much damage you could do if you compromised someone's HN account. At best you can pretend to be someone else for a bit, but in most cases that's harmless. There's only a handful of accounts I can think of where it would be problematic if someone started impersonating them.

I work in online gambling and 2FA is a feature everyone says they want but doesn't use because it's annoying. Just query the amount of users actually using 2FA on your site if you've set it up. Now compare it to the number of people who said that they can't take your site seriously until you have it.

I'm not saying 2FA is bad, but these people, like the person above, live in a hilarious bubble if they think a website like HN is missing out by not having it.

It comes off as concern-masturbation, if I may be so vulgar.

By the way, the best thing we did for security across our gambling network is to generate passwords for users. Nobody uses 2FA, and the people that use it aren't the ones that need help. But everyone reuses passwords.

Kinda agree about it being annoying.

I think MFA is important and have it enabled for every service that offers it, but we have MFA set up for our CLI access to AWS and I used to let out a volume of curses frequently when my token expired.

I eventually ended up adding a bash alias “damn”[0] that pipes my current MFA token into the AWS CLI so whenever it expires I can just type “damn” and be logged back in.

I like the magic link approach Slack and Medium use - although I have frequently cursed the inconvenience of having to log into gmail.

[0] why damn? Fuck was taken: https://github.com/nvbn/thefuck
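Added example, not the commenter's "damn" alias and not anything from the AWS CLI itself: a Python helper for the same chore, written so the expiry is checked before the session token is used rather than discovered by a failing command. It calls `aws sts get-session-token` with an MFA code, turns the response into `export` lines for `eval`, and refuses to refresh when the cached session still has more than a few minutes left. The MFA device ARN, the 12-hour duration and the 5-minute margin are placeholders to adjust; the sample STS response below is constructed with fake keys.

```python
import json
import os
import shlex
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Assumptions (placeholders, not from the original comment).
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/example-user"
DURATION_SECONDS = 12 * 3600
REFRESH_MARGIN = timedelta(minutes=5)
SESSION_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                "AWS_SESSION_TOKEN", "AWS_SESSION_EXPIRATION")

# Constructed sample of what `aws sts get-session-token` prints (fake keys).
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "exampleSecretKeyDoNotUse",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2018-06-01T23:00:00Z",
    }
}

def parse_expiration(value):
    """STS gives ISO-8601; CLI v1 ends in Z, CLI v2 in +00:00. Accept both."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)

def session_env(response):
    """Environment variables the AWS CLI/SDKs read, plus the expiry for ourselves."""
    creds = response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        "AWS_SESSION_EXPIRATION": creds["Expiration"],
    }

def needs_refresh(env, now, margin=REFRESH_MARGIN):
    """True when no session is cached or it expires within `margin`."""
    exp = env.get("AWS_SESSION_EXPIRATION")
    if not exp or not env.get("AWS_SESSION_TOKEN"):
        return True
    return parse_expiration(exp) - now <= margin

def export_lines(env):
    """Shell lines safe to `eval`; values are quoted with shlex."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())

def fetch_session(token_code, serial=MFA_SERIAL, duration=DURATION_SECONDS):
    """The one network call. Runs the CLI with the old session variables removed,
    because STS rejects GetSessionToken when called with session credentials;
    the CLI then falls back to the long-term keys in its profile."""
    clean = {k: v for k, v in os.environ.items() if k not in SESSION_VARS}
    out = subprocess.run(
        ["aws", "sts", "get-session-token", "--serial-number", serial,
         "--token-code", token_code, "--duration-seconds", str(duration),
         "--output", "json"],
        check=True, capture_output=True, text=True, env=clean).stdout
    return json.loads(out)

if __name__ == "__main__":
    # Usage: eval "$(python3 aws_mfa.py 123456)"; with no MFA code given it only
    # reports whether the cached session is about to expire.
    now = datetime.now(timezone.utc)
    if not needs_refresh(os.environ, now):
        sys.exit(0)
    if len(sys.argv) < 2:
        sys.exit("session missing or about to expire: re-run with the current MFA code")
    print(export_lines(session_env(fetch_session(sys.argv[1]))))
```

Wrapping the script in a shell alias keeps the commenter's one-word workflow, and the expiry check means the refresh only happens when it is actually needed, so a fresh MFA code is not burned on every shell.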