
Vent: Everyone says use a password manager but nobody warns you about this

Was sitting in a coffee shop downtown around 2pm last Tuesday when my phone buzzed with a password reset confirmation for my email. I hadn't requested that. Turned out someone got into my password manager vault because I'd reused the master password on a sketchy online store three years ago. The password manager had great encryption, but it was completely useless since my master password was compromised. I spent the next 4 hours locked out of my bank, social media, and work accounts while customer support sorted it out. Has anyone else dealt with this loophole where the master password becomes the single point of failure?
3 comments

derek656, 7d ago
Actually, the master password isn't really the loophole here; that's more of a user error thing. The real issue is that most password managers don't lock you out after a few failed attempts like a normal website would. I tested this with Bitwarden last year: you can brute force the master password all night long and it never slows down or locks you out. That's the scary part nobody talks about, not the reused password problem.
3
the_laura, 6d ago
Kelly from the Bitwarden forums actually did some testing on this last year; she ran a script against her own vault for 72 hours straight. Bitwarden never locked her out once, it just kept accepting attempts. What nobody talks about, though, is the offline attack problem. Even if the service does lock you out, if someone steals your encrypted vault file they can just brute force it on their own computer with no limits. The real fix is having a master password that's genuinely impossible to guess, like 6 random words long or something. Most people pick something short and memorable, and that's the actual weak link nobody wants to admit.
-1
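To make the offline scenario in the comment above concrete, here is an added example (my own code, not from anyone in this thread and not Bitwarden's vault format). It models a stolen vault as a toy blob: a random salt, a PBKDF2-HMAC-SHA256 iteration count, and an HMAC verifier derived from the master password, which is a constructed stand-in for the real encrypted file. The iteration count, the word list and the candidate passwords are all constructed for the demo. It then runs a dictionary attack against that blob with no server in the loop, so no lockout can apply, and shows the two things that actually bound the attacker: the per-guess cost of the key derivation and the entropy of the master password.

```python
import hashlib
import hmac
import math
import os
import secrets
import time

# Assumed PBKDF2 cost for the demo. Real managers use a figure in this range
# (or Argon2); the exact number here is a constructed value, not any product's default.
DEFAULT_ITERATIONS = 600_000
VERIFIER_LABEL = b"vault-check"  # constant the verifier is computed over (toy design)


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build the toy 'stolen vault file': everything an offline attacker gets."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(vault: dict, candidate: str) -> bool:
    """True if candidate derives the same key the vault was sealed with."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(check, vault["verifier"])


def offline_dictionary_attack(vault: dict, wordlist: list[str]):
    """Try every guess locally. Returns (password or None, attempts, seconds).

    Nothing here talks to a service, so a server-side lockout or 2FA is irrelevant:
    the only brake on the attacker is how expensive derive_key() is per guess.
    """
    start = time.perf_counter()
    for attempts, guess in enumerate(wordlist, start=1):
        if unlock(vault, guess):
            return guess, attempts, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def passphrase_entropy_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of num_words chosen uniformly at random from dictionary_size words."""
    return num_words * math.log2(dictionary_size)


def expected_attack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret (half the keyspace on average)."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def random_passphrase(wordlist: list[str], num_words: int) -> str:
    """Pick words with the CSPRNG; entropy is num_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    # Constructed attacker wordlist: the kind of reused/short passwords the OP describes.
    guesses = ["letmein", "qwerty", "Summer2021!", "password123", "hunter2"]

    weak_vault = make_vault("password123", iterations=20_000)  # lowered so the demo runs fast
    found, attempts, secs = offline_dictionary_attack(weak_vault, guesses)
    rate = attempts / secs if secs else float("inf")
    print(f"weak master password recovered: {found!r} after {attempts} guesses "
          f"({rate:,.0f} guesses/s at {weak_vault['iterations']} iterations)")

    # A 6-word passphrase from a 7776-word (diceware-sized) list: ~77.5 bits.
    bits = passphrase_entropy_bits(6, 7776)
    print(f"6 random words: {bits:.1f} bits; at 1e6 guesses/s expect "
          f"{expected_attack_years(bits, 1e6):.2e} years")
    # An 8-character lowercase password: ~37.6 bits.
    bits8 = passphrase_entropy_bits(8, 26)
    print(f"8 lowercase chars: {bits8:.1f} bits; at 1e6 guesses/s expect "
          f"{expected_attack_years(bits8, 1e6):.2e} years")
```

The `offline_dictionary_attack` loop is the whole point: once the file is on the attacker's disk, lockouts and vault 2FA never enter the picture, and the attacker's guess rate is set only by the KDF cost (which a GPU cracker parallelises) and the size of the keyspace. Lowering `iterations` in the demo is what makes it finish in seconds; at a production iteration count the same loop runs a few guesses per second per core, which is tolerable for a real user typing one password and still fatal for `password123`.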
kelly385, 6d ago
I think Derek made a good point about the brute force thing, but doesn't a good password manager let you set up two-factor authentication on the vault itself? Like, isn't that the fix for all of this, or am I missing something obvious?
3