--On Wednesday, June 5, 2024 21:58 -0400 Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:

> On 6/5/24 04:16, Jay Daley wrote:
>> The use of password managers is good security practice and
>> strongly recommended.
>
> Trusting all of your passwords with ANY service is poor security
> practice, and IETF should not be recommending it.

Keith,

While largely agreeing with Joel, let me see if I can complete the picture.

First, I hope we can agree that trying to maintain different passwords for different sites and keeping those passwords long and moderately complex is somewhere between "good idea" and "necessary" in these troubled times. Like many or most of those who specialize in computer security, I wish we could do away with passwords entirely and replace them with more secure and easier to use mechanisms, but that does not seem to be happening very quickly.

Absent the ability to remember dozens (or more) long, non-mnemonic and unrelated passwords, "password managers" are almost inevitable, whether they be a software-supported "vault", a carefully safeguarded sheet of paper from which one can copy things, or anything else.

And there is no need to use a "service", much less to entrust the service with passwords in the clear. I know people who encrypt a password collection, with or without specialized software, put it on the equivalent of a USB stick and carry it around with them, extracting passwords one at a time as needed. Or one might encrypt the vault and store it "in the cloud" or with some service but keep the encryption keys local and be sure that passwords are available in the clear only on one's own trusted equipment.

Seems to me that, short of memorizing lots of long passwords, those methods are not inherently unreasonable, even though storing passwords in the clear with a third party might be.

best,
   john

>
> Keith
>