Note that most of the signers are from companies which collect substantial consumer information for revenue purposes. Hence the emphasis on "updating". And the absence of "turn up browser security levels to max" or "get a good ad blocker".
Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.
To be fair, this letter is about information security, not privacy.
Maximizing privacy is a somewhat different goal, and recommendations for how to do so would differ from person to person. Some people really don't care about privacy. And for some other people, adblocker and tracking-blocker software is sufficient for their privacy needs. Whereas for certain people in certain parts of the world, literally the only way they can browse the Web safely is with Tor running on a temporary TailsOS drive.
> Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.
You think of someone stealing your password vault and cracking AES? The vault is E2EE.
A significant fraction of every high-profile industry security person I know has signed this thing. There are people on that list that I'm not super impressed with, but also people everybody is impressed with. No argument that this thing is motivated by commercial interests is going to survive, and a lot of this is advice that security cool kids have been giving for upwards of 10 years.
Updating software is good advice. Do you realize how many CVEs are reported on a daily basis? Once you've got a password manager you're largely protected against phishing, so the biggest target becomes your computer, and the most likely way to compromise that would be through outdated software with public vulnerabilities.
What do you expect turning your browser security levels up to the max to do? Browsers are designed to be secure with default settings.
Max browser security levels and a good ad-blocker will not prevent you from getting phished or hacked more than an encryption-audited cloud-based zero-knowledge vault, where server compromise is irrelevant. All competent #1 cloud-based password managers are like that.
Password managers are one of those things I am still stunned is staying popular for advice, even though it's nearly akin to "use one password for everything". I assume a big part of it is the affiliate deals subscription password managers have with infosec influencers.
There are absolutely valid use cases, but they are much fewer and further between than people claim.
> Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.
The entire point of end-to-end encryption is that you don't need to trust the server. If your password manager has access to your secrets (i.e. you don't control the secret key/password itself), then you have bigger problems than a potentially untrustworthy host.
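The "you don't need to trust the server" argument above rests on the client never handing the server a usable key. As an added example (not code from any commenter or from any real password manager), here is the minimal shape of such a zero-knowledge vault in Go, using only the standard library: the client derives an AES key from the master password with PBKDF2-HMAC-SHA256 (implemented inline for a single 32-byte output block), seals the vault with AES-GCM, and the server is given only the resulting blob. The salt, iteration count and sample secret are constructed values for the demonstration. Because the server never sees the password or the derived key, a stolen blob is opaque to it, and the GCM tag means any server-side tampering is detected on open rather than silently accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Iteration count chosen for the example; real deployments tune this upward.
const iterations = 100000

// pbkdf2SHA256 returns a 32-byte key per RFC 8018 PBKDF2 with HMAC-SHA256.
// One output block is enough because SHA-256 already yields 32 bytes.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T_1 = U_1 xor U_2 xor ... xor U_c
		}
	}
	return out
}

func vaultCipher(masterPassword string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(masterPassword), salt, iterations)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault runs on the client. The returned blob (nonce || ciphertext || tag)
// is the only thing uploaded; the key never leaves the client.
func SealVault(masterPassword string, salt, plaintext []byte) ([]byte, error) {
	gcm, err := vaultCipher(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is bound as associated data so a blob cannot be re-homed
	// under a different salt without failing authentication.
	return gcm.Seal(nonce, nonce, plaintext, salt), nil
}

// OpenVault also runs on the client. A wrong password or a modified blob
// fails GCM authentication and yields an error instead of garbage.
func OpenVault(masterPassword string, salt, blob []byte) ([]byte, error) {
	gcm, err := vaultCipher(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("vault blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	salt := []byte("constructed-salt-for-demo")        // constructed, per-user in practice
	secret := []byte("example.com: correct-horse-battery") // constructed sample entry
	blob, err := SealVault("master-password-demo", salt, secret)
	if err != nil {
		panic(err)
	}
	// What a compromised server can do with the blob: nothing useful.
	fmt.Println("plaintext visible to server:", bytes.Contains(blob, secret))
	if _, err := OpenVault("guessed-password", salt, blob); err != nil {
		fmt.Println("wrong password rejected:", err)
	}
	blob[len(blob)-1] ^= 1 // server flips one bit
	if _, err := OpenVault("master-password-demo", salt, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The design choice worth noting is the order of trust: the server is a dumb store for an authenticated ciphertext, so the security argument reduces to the strength of the master password and the client code, which is exactly the "bigger problems" the comment above points at if the provider holds the key instead.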