From: Keith Thompson
Newsgroups: comp.sys.mac.system,comp.sys.mac.misc,comp.unix.misc,comp.misc
Subject: Re: Do you use a password manager?
Date: Tue, 20 Jul 2021 15:52:43 -0700
Organization: None to speak of
Message-ID: <87im141ttw.fsf@nosuchdomain.example.com>
References: <87r1fu18j7.fsf@nosuchdomain.example.com>

Alan Browne writes:
> On 2021-07-19 14:08, Keith Thompson wrote:
>> Alan Browne writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.
>
> First off there is a difference between a "key" and a "password".

Sure (but sometimes they can be the same, right?).

> If the password is "a", the key will still be extremely strong at 256
> bits and would look completely different to the key for password "b".
> Of course that is not a recommendation.

Are you talking about a key being algorithmically derived from the
password? If the string "a" is all the information you need to unlock
an encrypted file, then an attacker is going to be able to unlock it,
whether it first has to be translated to a 256-bit key or not. (Or I'm
missing something.)

> As to passwords, it's trivial to make strong and easy to remember
> passwords with a few misspelled words, mixed case, some symbols and
> digits.

Sure. It's also easy for a password to leak in any of a number of ways.

-- 
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */
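
Added example, not part of the original post or written by any participant in the thread: a sketch of the password-to-key derivation discussed above, showing that the keys for "a" and "b" are both 256 bits and look unrelated, while the number of guesses needed is set by the password space. PBKDF2-HMAC-SHA256, the salt, the iteration count and the stored key-check value are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import string
from itertools import product

# Constructed sample values. The salt is stored in the clear beside the vault.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 10_000  # kept low so the example runs quickly


def derive_key(password: str) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT,
                               ITERATIONS, dklen=32)


def key_check(key: bytes) -> bytes:
    """Verifier stored with the vault so a correct key can be recognised
    (an assumed design, not any particular product's format)."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def effective_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def guesses_needed(stored_check: bytes, alphabet: str, max_len: int):
    """Walk the password space in order and count guesses until the
    derived key matches the stored verifier. Returns (password, guesses)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in product(alphabet, repeat=n):
            tried += 1
            guess = "".join(combo)
            if hmac.compare_digest(key_check(derive_key(guess)), stored_check):
                return guess, tried
    return None, tried


if __name__ == "__main__":
    key_a, key_b = derive_key("a"), derive_key("b")
    print(len(key_a) * 8, "bit keys:", key_a.hex()[:16], key_b.hex()[:16])
    print("entropy of one lowercase letter:", round(effective_bits(26, 1), 2))
    print(guesses_needed(key_check(key_a), string.ascii_lowercase, 1))
```

The key is 256 bits wide in both cases, but the work to find it is bounded by the roughly 4.7 bits in the password; key stretching multiplies the cost per guess and does not add entropy.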