    A million copies of this article exist, and some have even come through lobste.rs. What does this one add to the conversation?

      Maybe you’re a lot more well-Internet-read than I am, but this is actually the first article I’ve seen on how to do a first-pass evaluation of a password manager. (That’s different from the 8,000,000 articles on “ECB is bad”.) I like that it gives heuristics that a non-expert can use.

        Fair enough :) and hah I’m not that well-read, perhaps I just jump on crypto-related posts when they appear.

        I agree regarding heuristics. Few people can declare a password manager “secure enough”, but it’s healthy and important that many of us have the ability to call one insecure with good reasons.

        I hadn’t heard about that particular password manager before “Password Depot”. That some random password manager has loads of security holes is not remotely surprising. Building a password manager is very easy (because minus the security implications it is a very simple KV store). Building one that has a hope of being secure is much harder, and building one that is secure enough to actually use is very hard, unfortunately.