DEV Community

Discussion on: What password manager should developers use?

jones268

Software is not safe to store your passwords. If your computer is breached, they can simply copy your passwords database. Not good.

A similar problem existed with the early Bitcoin users. They stored the bitcoin keys on their computer and if some malicious user got access to the computer, they lost everything.

You could assume your computer will never be breached, but this is very optimistic. I recommend using a hardware solution or not storing them on the computer at all.

Ben Sinclair

A computer is a hardware solution.

jones268

It is, but a computer is a general-purpose device with lots of software and apps running, compared to a Trezor or similar device that can only do one thing. That means the attack surface is a lot smaller than on a general-purpose PC. It has literally saved people thousands of dollars. On top of that, every password is encrypted individually instead of behind a single password (like KeePass).

Miles Watson

I disagree. Modern encryption is plenty secure to prevent malicious disk access, and if malware has memory access then you have bigger problems to worry about (they could just log your keystrokes). The Bitcoin situation was different as the key files were unencrypted - any good password manager will encrypt data before saving it to disk.

jones268

In the Bitcoin space you can find lots of malware. Once installed, it will just wait for you to decrypt your wallet (RAT). A hardware wallet prevents this, because the private key (encryption key) never enters the computer.

The encryption used on both is the same. The difference is in attack surface. With a hardware wallet every password is encrypted separately, and an attacker cannot copy all passwords at once with one master password (KeePass). I've seen this happen in a demo at Black Hat USA.

Sure, if your computer is pwned you have a bigger problem. But not having a single master key and a single file is the more secure way to go, IMO.
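The two points argued above, that a vault file copied off disk is useless without the master password (Miles) and that a single master password nevertheless unlocks every entry at once (jones268), shown in an added Go example that is not from this thread or from any password manager's own code. It seals a constructed sample vault with AES-GCM under a key derived from the master password; the inline PBKDF2 routine, the on-disk layout and the iteration count are assumptions of this example, not any product's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen       = 16
	nonceLen      = 12
	tagLen        = 16
	kdfIterations = 100_000 // constructed value; real managers tune this to the hardware
)

// deriveKey turns the master password into a 32-byte AES key.
// It is a minimal PBKDF2-HMAC-SHA256 (one output block) written inline so the
// example stays within Go's standard library; a real vault would use a vetted
// KDF implementation (Argon2id, scrypt or library PBKDF2).
func deriveKey(master, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, master)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVault encrypts the whole vault under one master password.
// On-disk layout (assumed): salt || nonce || AES-GCM ciphertext+tag, with the
// salt bound as associated data so it cannot be swapped without detection.
func sealVault(master, vault []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(master, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	blob := make([]byte, 0, saltLen+nonceLen+len(vault)+tagLen)
	blob = append(blob, salt...)
	blob = append(blob, nonce...)
	return gcm.Seal(blob, nonce, vault, salt), nil
}

// openVault is what a copied vault file is worth without the master password:
// nothing. A wrong password or a tampered byte both fail the GCM tag check and
// return an error instead of garbage plaintext.
func openVault(master, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(deriveKey(master, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	// Constructed sample vault; not real credentials.
	vault := []byte("github.com=example-token-1\nmail.example=example-token-2\n")
	master := []byte("correct horse battery staple")
	blob, err := sealVault(master, vault)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in copied file:", bytes.Contains(blob, []byte("example-token")))
	if _, err := openVault([]byte("wrong guess"), blob); err != nil {
		fmt.Println("wrong master password:", err)
	}
	// The flip side of one master key: one successful unlock yields every entry at once.
	plain, _ := openVault(master, blob)
	fmt.Printf("unlocked %d bytes, every entry in one go\n", len(plain))
}
```

The copied blob leaks nothing and rejects both a wrong password and a flipped byte, which is Miles's point; the last lines of `main` are jones268's: once the right master password is entered on a compromised machine, the whole vault is plaintext in that process's memory, so a strong KDF protects the file at rest, not against malware that waits for the unlock.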

Thalita G.

A lot of these password managers offer the option to use 2FA though, which makes this process a lot harder.

I think the idea of storing passwords under one master password is a bit like solving one problem and creating another one. The problem that's created is what you described.

However, it also solves the problem that whenever websites and applications you have an account with have been breached, they've only got a password that people can use on that specific account, protecting you everywhere else. I believe that's a much more common situation than what you are describing.

People who don't store passwords and memorise all of them are going to reuse passwords, unless they're that good at memorising every single password. I know plenty of people who just use a single password because they can't be bothered to memorise a multitude of them. Even I had a ton of different passwords but still had to reuse them because it would otherwise simply be too hard to remember each one of them. Reusing passwords is a lot more problematic than using a password manager, and for the average person it'd be better to opt for the latter in that case. Even more so with 2FA turned on.

Of course, you're right to say that a hardware solution is the best way to store passwords, and I'd recommend it above everything else as well. It's definitely even more important if you're in the cryptocurrency realm, but that's not so much the majority of people.