Good advice, doomed to be wasted on folks who just want a quick, easy solution that lets them move on to the next item on their To Do list…
I cringe when I hear self-proclaimed experts implore everyone to “use a password manager for all your passwords” and “turn on two-factor authentication for every site that offers it.” As most of us who perform user research in security quickly learn, advice that may protect one individual may harm another. Each person uses technology differently, has a unique set of skills, and faces different risks.
…because who wants to spend time thinking about all this stuff:
In this article, I’ll start by examining the benefits and risks of using a password manager. It’s hard to overstate the importance of protecting the data in your password manager, and having a recovery strategy for that data, so I’ll cover that next. I’ll then present a low-risk approach to experimenting with using a password manager, which will help you understand the tough choices you’ll need to make before using it for your most-important passwords. I’ll close with a handy list of the most important decisions you’ll need to make when using a password manager.
It's worth visiting the comment thread on the Bruce Schneier post to see just how many different ways a bunch of (presumably) bright people can devise to avoid using a password manager in favour of their own home-brewed solutions.
[Via Schneier on Security]
Geoff Manaugh opens his story about spending six months following around a professional safecracker with an image that might have been hand-crafted to get my attention:
The house was gone, consumed by the November 2018 Woolsey Fire that left swaths of Los Angeles covered in ash and reduced whole neighborhoods to charcoaled ruins. Amidst the tangle of blackened debris that was once a house in the suburbs northwest of Los Angeles, only one identifiable feature stood intact. It was a high-security jewel safe, its metal case discolored by the recent flames, looming in the wreckage like the monolith in 2001: A Space Odyssey.[note]In the wake of my seeing Kubrick’s masterpiece when I was young – I didn’t see it on release, what with my only being 5 years old at the time, but I did see it in the cinema just a few years later during a 1970s re-release – that experience warped me to the point where to this day I’m totally a sucker for monolith imagery.[/note]
No mysterious alien structures show up in Manaugh’s story, but it’s interesting just how much demand there apparently is for a legal safecracker. Me, I’ve never owned a safe in my life and don’t have anything I’d want to keep in one if I did have access to one.[note]I did use a safe in a hotel room once, but that was more because the hotel insisted that any valuables (which in this case amounted more to confidential work-related documentation than stuff with any particular face value in cash terms) be stored in your room safe because they couldn’t otherwise be responsible for the safety of my property while I was staying in their room. Nowadays that sort of documentation is sitting on our server or, at worst, is on my laptop’s hard disk, locked up behind BitLocker. So as long as I can trust a combination of Microsoft’s competence to write software and my determination not to reveal my BitLocker PIN even under torture then I’ll be fine. What could possibly go wrong with that plan?[/note]