![]() The industry has been trending towards passwordless solutions for years now (OTP, FIDO, WebAuthn, etc.), and the current passkey iteration by Google might be something that could have mass adoption. What we need is a solution that is more secure, but crucially also easier to use. They're a hassle to use and a huge security risk, especially centralized ones. It could even be used by non technical users, depending on the device.īut password managers aren't a solution for digital identity. This isn't a solution that will have mass adoption, but the UX is much better and more secure than using a secret key. another, stronger, password? How would your mother use 1Password if she now has to remember _two_ passwords?īoth LastPass and Bitwarden (and 1Password) support 2FA. So your more secure solution involves using. ![]() ![]() Hopefully this forces BitWarden and LastPass to change and introduce generated secret keys in their account creation phase. I wasn't surprised when LastPass was hacked - indeed, I've been expecting it for years - poor software quality and bad security choices were the red flags. After a few weeks, my mother changed her complex password back to a simple one behind my back - the only time she's learnt computer functionality on her own.ġPassword's whitepaper, IMO, also shows that it's ahead of the game in general. Everyone I have helped set up a LastPass or Bitwarden account have chosen simple passwords, and are extremely resistant to the point of anger if you make them choose a complex one. It provides entropy where the user will refuse to. The average consumer needs an autogenerated secret key. It is dangerous design, prioritizing ease of onboarding over actual security. I've always thought it foolish to recommend solutions like LastPass and BitWarden, which don't require a secret key. This is why I prefer 1Password, as it requires the secret key to be compromised in addition to the Master Password, thus providing protection against a weak master password.
0 Comments
Leave a Reply. |