[liberationtech] And now for some completely different flame... Chrome + password management

Patrick Mylund Nielsen cryptography at patrickmylund.com
Thu Aug 8 09:01:34 PDT 2013


On Thu, Aug 8, 2013 at 8:56 AM, Kyle Maxwell <kylem at xwell.org> wrote:

> Must every app data store reinvent the wheel rather than use operating
> system functionality?
>
>
Agree in theory, but do all operating systems have standard data stores
that are encrypted with the user's password? They don't.


> On Thu, Aug 8, 2013 at 10:42 AM, R. Jason Cronk <rjc at privacymaverick.com>
> wrote:
> > I'll bite. You design your systems for the threats your users face. As many
> > have mentioned, the threat most users face is from a spouse, partner,
> > business associate, sibling, parent, children. Password fields don't display
> > typed text to protect against shoulder surfers. It clearly doesn't protect
> > against other adversaries such as keyloggers or others with access to the
> > browser DOM. In this light, I think it is reasonable to encrypt the site
> > passwords with a master password or at least require a master password
> > to display the cleartext. It could always have an option to disable or use a
> > blank default master password for those who don't face the threats
> > illustrated above.
> >
> > Really, however, we need to move to a post-password model that combines
> > security and usability.
> >
> > My 2 cents.
> >
> > Jason
>