Of course, that's a major weakness; if the password trick is simple to remember it is likely simple to figure out for a motivated attacker! But when there are millions of passwords leaked and your mnemonic-password doesn't contain "chase" or "paypal" but "chicken5" and "pony6" and has otherwise enough entropy, will the attackers stand around a whiteboard and crack your code or just run their scripts and take what they can get automatically?
A password manager is probably very good, but it's a single point of failure and a huge target for the black hats; it's a program on a computer or on a smartphone that (potentially) sends data back and forth as it pleases.
So maybe the idea is to use a password manager for single-use entropy and then add some mnemonic manually before submitting the password. Then it's down to keyloggers and other sophisticated attack vectors?
>A password manager is probably very good, but it's a single point of failure and a huge target for the black hats; it's a program on a computer or on a smartphone that (potentially) sends data back and forth as it pleases.
What's the threat model here? If it's downloading a malicious password manager, that can be mitigated by using an open source/audited one (e.g. KeePass or Bitwarden). If it's your browser/computer being compromised, that really isn't fixed with manually entered passwords either. If there's malware on your machine, you can assume that all your keystrokes and form submissions are logged. The only advantage is that rather than getting all your passwords, the attacker only has whatever passwords you've entered prior to detection.