1. 4

    I see all these fancy password managers and I think… why not simply use an encrypted text file with your passwords on it? Less code, fewer vulnerability vectors.

    1. 16

      Actually, there are potentially more vulnerability vectors.

      1. On a number of platforms (Windows, OS X, Android, and Linux), any application can subscribe to the clipboard. So if you’re copying your login credentials, anything on your system that might be compromised can grab it.
      2. Along the same lines, the vectors for leaking an unencrypted text file are actually quite high. While all of the password managers I know of are vulnerable to various forms of scanning (except 1Password on Windows when operated on the secure desktop), the text file is likely to be unencrypted in full in scroll back history or something similar for quite some time. There are ways to avoid this, but they’re tricky and error-prone; you can look at the history of PGP secure notes for some background here on all the ways to mess things up.
      3. An encrypted text file can also be difficult to merge. While you may be able to automate the process to a degree, you are again put into a position where you have to run your decrypted password file through multiple tools, which again increases your attack surface. E.g., most naïve ways of doing this would at least temporarily store both versions of your file unencrypted on disk to feed to a merge tool.
      4. An encrypted text file also cannot store anything other than logins and passwords, which makes storing other forms of secure data hard. E.g., in 1Password, I track what login pages of sites I haven’t been to look like, and explicitly track the full login page URLs, so that I can catch myself if I somehow fall for the first part of a phishing attempt. You can obviously do that without a password manager, but you’re now reaching for something like a LibreOffice document, which expands your attack surface and increases complexity.
      5. Finally, most modern password managers provide several things beyond mere storage, including cryptographically secure password generation, service exploitation monitoring (e.g., WatchTower for 1Password), which lets you know when a site you use has had its passwords compromised, and more. It’s not that you cannot do these things yourself, but it requires a lot of effort (monitoring HaveIBeenPwned, hoping you know to use arc4random or an equivalent with proper distribution across your alphabet, etc.). Collectively, these can dramatically decrease your attack surface, by allowing you to respond more effectively and proactively to site compromises.

      If storing all your passwords in an encrypted text file works for you, that’s fine; more power to you. But I don’t think it’s accurate anymore to claim that going that route is more secure than alternatives.
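      The remark above about needing arc4random "or an equivalent with proper distribution across your alphabet" is the one point in this thread that a few lines of code make concrete. The following is an added example, not code from any commenter, from pass, or from 1Password: it measures the bias of the naive "random byte modulo alphabet size" mapping, then shows the rejection-sampling fix (the technique behind arc4random_uniform) and the secrets module doing the same job.

```python
"""Unbiased password generation: why 'random byte % alphabet size' is wrong."""
import secrets
import string
from collections import Counter
from typing import Callable, Dict

# 94 printable ASCII symbols; 256 is not a multiple of 94, so a single
# random byte reduced modulo 94 cannot be uniform.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def modulo_bias(alphabet_size: int, source_range: int = 256) -> Dict[int, int]:
    """For each alphabet index, count how many source values (one random
    byte, 0..255, by default) land on it under 'value % alphabet_size'.
    Unequal counts mean unequal symbol probabilities."""
    return dict(Counter(v % alphabet_size for v in range(source_range)))


def bias_ratio(alphabet_size: int, source_range: int = 256) -> float:
    """Probability of the most likely symbol divided by the least likely.
    1.0 means uniform; anything larger is a bias an attacker can exploit
    when ranking guesses."""
    counts = modulo_bias(alphabet_size, source_range)
    return max(counts.values()) / min(counts.values())


def uniform_index(n: int, next_byte: Callable[[], int]) -> int:
    """Rejection sampling over a byte source: discard bytes in the biased
    tail (the top 256 % n values) and retry, so every index 0..n-1 is
    reached by exactly the same number of accepted byte values."""
    if not 0 < n <= 256:
        raise ValueError("n must be in 1..256 for a single-byte source")
    limit = 256 - (256 % n)  # largest multiple of n that fits in a byte
    while True:
        b = next_byte()
        if b < limit:
            return b % n


def rejection_distribution(n: int) -> Dict[int, int]:
    """Exhaustively map every accepted byte value through the rejection
    sampler; all counts come out equal, which is the whole point."""
    limit = 256 - (256 % n)
    return dict(Counter(b % n for b in range(limit)))


def naive_password(length: int, alphabet: str, next_byte: Callable[[], int]) -> str:
    """The flawed construction: biased towards the first 256 % len(alphabet)
    symbols of the alphabet. Kept only for comparison."""
    return "".join(alphabet[next_byte() % len(alphabet)] for _ in range(length))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """The correct construction: secrets.choice draws from the OS CSPRNG and
    performs its own rejection sampling, so each symbol is equally likely."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("bias ratio for 94-symbol alphabet via byte % 94:", bias_ratio(94))
    print("bias ratio for 64-symbol alphabet via byte % 64:", bias_ratio(64))
    print("accepted bytes per index after rejection sampling:",
          set(rejection_distribution(94).values()))
    print("password:", generate_password())
```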

      1. 7

        For the same reason you don’t manually decrypt and paste in your ssh private key every time you log in to a host—convenience.

        A password manager can also do some checks that humans may miss or flub, like stopping the pasting of your Gmail password into a convincing phishing site.

        1. 4

          You would like pass(1)

          1. 1

            That’s a bit presumptuous – I’m not pizzaiolo, but while I do personally employ (essentially) the encrypted-text-file method, I think “pass” is actually pretty grossly misdesigned.

            1. 1

              I have some issues with pass too: namely, it leaks metadata like names, creation time, and change history, and it encrypts without authenticating. Is there anything else I should know about?

              1. 2

                There are little things like its somewhat oddball dependency list (tree? what?), but the metadata-in-the-clear aspect is definitely the major one for me (the gross misdesign I referred to).

          2. 2

            That would be hard to use on a mobile phone I think.

            1. 0

              I think it is not that hard to write a GUI application able to decrypt GPG-encoded files, or read stdout by making subsequent calls to pass.

              1. 4

                This is getting pretty seriously far away from the implied simplicity of “simply use an encrypted text file”.

            2. 1

              Depending on your use case, this might be the solution. I have written my own at http://pestilenz.org/~ckeen/blog/posts/pee.html

            1. 2

              This is the first I’ve heard of it, and I’m left wondering what their business model is/will be.

              1. 9

                This guy obviously isn’t thinking about Vim users when he says that the Escape key isn’t gone, it’s just not a physical key any more.

                Vim users hit the Escape key easily every 10-20 keystrokes. How accurate will they be trying to strike a touch pad thingie?

                1. 6

                  “Just use caps lock” = “you’re doing it wrong.”

                  I configure my editor and CLI such that it has a few nice shortcuts, but it is pretty close to stock. The advantage of this is that I can sit down elsewhere (read: ssh into a box) and get things done without having to set everything up again. Remapping core keys (and, by extension, muscle memory), breaks this completely.

                  1. 7

                    vi was apparently developed on a keyboard like this. I have also been told that control+[ should be used directly, instead of using escape.

                    Sadly, my muscle memory for escape is pretty baked in. I might give the capslock key a try though. I’m not so old that I can’t learn any new tricks. ;)

                    1. 6

                      I have also been told that control+[ should be used directly, instead of using escape.

                      I didn’t know about this, but I just tried it after using vi/vim for a little over 20 years, and it’s a revelation. Not just because of my now-renewed confidence in my continuing ability to give Apple yet more money, but because I think I might start trying to force myself to use it anyway, even in the shell. Less finger-travel than esc by quite a margin. Thanks!

                      1. 2

                        Lenovo, amongst constantly screwing things up, did experiment very briefly with a double-height escape key that, other than size, is in the normal place. I like it a lot—it’s very easy to hit without confusing your muscle memory for “normal” keyboards.

                        1. 1

                          I wonder if removing the caps-lock key entirely (maybe putting escape there!!) would be passable. I can’t remember the last time I used caps-lock intentionally. I imagine the COBOL and Fortran people would throw a fit though.

                          1. 3

                            I remap caps lock to control so I can use Vim without breaking my left pinky finger. There’s actually a handy check box in the Mac OS preferences, so I can’t be the only one who does this.

                            1. 3

                              I believe that macOS option only appeared in Sierra. Escape is not present as one of the dropdown options for caps-lock in Yosemite – not really an issue on any current model laptop though… Apple must have planned this in relation to the touchbar thingy.

                              1. 2

                                He said he remaps Caps Lock to Ctrl, not to Esc. That option has been available in System Preferences since the dawn of time.

                                1. 1

                                  lol. Thanks for that. Reading comprehension fail on my part.

                                2. 1

                                  It’s been there at least since El Cap and I am almost 95% sure that it was there since Mavericks and Snow Leopard.

                                  1. 1

                                    Maybe it depends on the model? I have the option to change the caps-lock key, but escape is not one of the options – example.
                                    MacBookPro5,3 running macOS 10.11.6

                          2. 1

                            Try putting this in your .vimrc:

                            " Leave insert mode by typing jj, jk, or kj instead of reaching for Esc
                            inoremap jj <Esc>
                            inoremap jk <Esc>
                            inoremap kj <Esc>
                            

                            I prefer only jj but you can just mash the jk keys together and it escapes from insert mode.

                          3. 3

                            The advantage of this is that I can sit down elsewhere (read: ssh into a box)

                            So, when you type ssh hostname, this resets your keyboard configuration in System Preferences?

                            1. 1

                              I don’t think that’s a very charitable interpretation of my comment. :)

                              It’s more of being able to sit down at any box and be productive rather than mess with preferences before getting down to work.

                              1. 1

                                No, it definitely wasn’t charitable. ;)

                                More seriously, you should consider caps->escape for your short list of configs, now that macOS 10.12 supports it natively and it’s quite easy to set. It’s truly a night and day difference, and not just for vim. For example, I didn’t start using escape to safely exit form fields until I bound it to the more accessible caps lock.

                                1. 1

                                  I’ve got a couple of months before I jump to Sierra, unfortunately (due to GPGTools).

                                  Can I use the caps lock key like normal with something like Fn-Caps Lock? I use it for writing SQL and a few other random things where it’s needed. I think I want Karabiner, IIRC.

                                  1. 2

                                    unfortunately (due to GPGTools).

                                    What’s up with GPGTools? I use it just fine on Sierra right now…

                                    1. 1

                                      The Mail.app plugin is broken.

                                      1. 1

                                        Oh I see. I don’t use GPGMail or whatever they call it, mostly because I don’t use Mail.app at all. We generally use Box or some other mechanism for coordination, Mail is all for UNCLAS types of information.

                                    2. 1

                                      Karabiner is the one. It will be harder to configure though. I personally never use caps lock, and write all SQL in lower case.

                                      1. 1

                                        Karabiner doesn’t yet work on Sierra, although I believe with Karabiner Elements now working, it’s being updated.

                                        I never use Caps Lock, even when typing long swathes of upper case text (like SQL). I’ve remapped it to Ctrl everywhere, so even if I wanted to, I couldn’t use it for its intended purpose :)

                                2. 1

                                  I’d recommend capslock -> control, and then using ctrl-[ (a default binding). I stand by it: escape is definitely doing it wrong.

                                  1. 1

                                    Escape is one of the keys I press most (if not the most) when using vim, why would I want that to require pressing two keys? It’s also useful in other applications, such as irssi. I think I’m happy doing it wrong because it seems to be less effort.

                                  2. 1

                                    I’m an Emacs user, but this is much of why I don’t fault vim users for being upset about this.

                                    Most Emacs users take customization and not having ssh-ability for granted, we use TRAMP and the like instead.

                                    This is also why the Emacs emulation in most text editors is useless to me. I don’t use “Emacs”, I use (Emacs <> ChrisConfig). I leave defaults alone where I can (my Emacs is considerably simpler than SpaceEmacs), but there’s a lot of tweaks I’ve developed muscle memory around in my dotfiles.

                                  3. 4

                                    The noise from vim users seems to be overrepresented. Now, I happen to use vim and would have some reservations about buying a laptop without an escape key, but we’re talking about less than 10% of the market. (Apple’s portion of the laptop market.) How many Apple users prefer Sublime or Atom or whatever now? How many Apple users are even developers?

                                    By now I’d wager that literally every single Mac vim user has weighed in, but none of the twenty Mac users sitting around me have made a peep.

                                    1. 3

                                      To me it’s not about losing the escape key, I would happily give it up to get something awesome in return. But is the little OLED strip thingy really that great? What can it do that couldn’t be done before? How many people are going to get significant value out of it? The demo showed that it can be used as a scrubber (or whatever those video / audio gizmos are called), how many people need that? Why can’t the huge touchpad do the same thing with the interface shown on the screen? I haven’t heard anyone make a convincing case for HAVING the new feature. It just seems like a gimmick that I would have expected out of HP or some other mediocre manufacturer trying to differentiate their bland products.

                                      1. 2

                                        The scrubber sounds pretty nice actually.

                                        I’m not totally sure what it will be used for either, but I trust Apple to drive the technology as a new and useful way to interact with laptops. If not, I pretty much only used that bar of keys for volume and play/pause anyway; I don’t think that functionality will be degraded.

                                        As an example: I was convinced the Apple Watch was worthless, especially since I had a Google Watch with my Nexus 5 and thought that was worthless. But a friend of mine whose judgement I value recommended the watch to me, and based on her points I decided to try it out. I now wear it every day.

                                        If you boil down the Apple and Google watches to a feature list, they’re mostly identical. But on Google’s I would check the time and the screen wouldn’t always activate, so I kept the habit of checking time on my phone. Apple’s works perfectly. I would read a new message, but scrolling to read longer messages was tedious, so I never built that habit either. Again, Apple’s watch has no issues. In general, Google’s constantly annoyed me, and Apple’s constantly surprised and impressed me. It’s the little things.

                                        You’re surely correct, if HP or some other mediocre manufacturer built this feature, it would be a gimmick. But Apple has a way of taking a gimmick and actually building something useful out of it. I’m not claiming this revolutionizes the modern computing era, but I expect it will be a nice incremental improvement on my laptop experience when I next need to upgrade. Of course not everyone will find it useful, but not everyone finds every feature useful anyway.

                                        1. 2

                                          Not that I disagree, but isn’t a hurricane of complaints a little much for a silly gimmick? I mean, it’s already a well known fact that everything Apple makes is technically inferior overpriced crap that only sells because their marketing department tricks stupid hipsters into buying it. Right? The fact that a useless toy got a little more useless would usually be beneath my notice. :)

                                          1. 1

                                            While I would love to ignore all the idiotic things Apple does, other hardware manufacturers love to blindly adopt anything they do, good or bad, so my hope in complaining about “useless toys” that I’ll never use is that the infection can be contained there and not spread to things that aren’t “useless toys”.

                                            Of course, since literally the entire laptop market is blanket unacceptable to me now, I guess I’ve looped back around to not caring. The patient is dead, no need for a doctor.

                                            1. 2

                                              the entire laptop market is blanket unacceptable to me now

                                              I feel you. I think I’ll invest in a new battery for my current laptop and wait until it dies.

                                          2. 1

                                            Outside of directly manipulating objects with the touch bar, for anyone who works day-to-day on these machines I’m not sure how the touch bar helps; you’re hopefully using keyboard shortcuts for most of what you do during the day.

                                            I still want to try it out, but I haven’t seen much that made me say, “yes, that! I’ve been doing that poorly all along, and the touch bar helps me do that faster!”

                                            1. 1

                                              I don’t use that many keyboard shortcuts. If it’s more than one modifier key I probably won’t remember it.

                                              Although I have big hands and I can manipulate the mouse quickly and accurately with my thumb without moving my fingers from typing position. I don’t think many other people do that?

                                          3. 1

                                            … because they’re all running Linux? :)

                                          4. 3

                                            I use Karabiner to map caps lock to both escape and control at the same time. (Tap for escape, hold for control.) Try it–it’ll change your life. OK, no, but it’ll reduce finger stretch in vim a lot!

                                          1. 7

                                            Infosec Twitter has been doing a really good job at breaking this down: https://twitter.com/pwnallthethings/status/793241430659567617

                                            And the FBI agrees: http://mobile.nytimes.com/2016/11/01/us/politics/fbi-russia-election-donald-trump.html

                                            But the F.B.I. ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.

                                            1. 1

                                              If it’s automated, then how do you explain the extremely irregular timestamps?

                                              1. 3

                                                And how about those chemtrails?!

                                                1. 1

                                                  I don’t know much about them as most sources are questionable. The Navy might be able to help you debunk the myths of military deploying anything in American cities.

                                                  https://en.wikipedia.org/wiki/Operation_Sea-Spray

                                                  Maybe not… :P

                                                  1. 1

                                                    Okay, I understand what you meant now. I really don’t appreciate the snark.

                                                    1. 1

                                                      Not quite sure what you’re getting at.

                                                      1. 3

                                                        I think his point is that looking at “extremely irregular timestamps” is grasping at straws, and amounts to little more than a conspiracy theory based on little to no evidence.

                                                        1. 1

                                                          I’m not posing a theory; I’m merely pointing out that there’s an unexplained piece of evidence. I’m perfectly willing to believe that it’s innocuous if someone can make sense of it.

                                                1. 6

                                                  If web JS wasn’t bad enough… now we’ll have binaries, running mystery code on our browsers ):

                                                  1. 15

                                                    With the tendency to “minimize” and obfuscate JavaScript, we’re essentially already running binaries, aren’t we?

                                                    1. 7

                                                      But it’ll be fast mystery code!

                                                      1. 10

                                                        I’m sure web designers and advertisers will find ways to keep the web slow.

                                                        1. 6

                                                          Since this is smaller and faster than JavaScript, we’ll be able to pack even more code into our webpages!

                                                        2. 6

                                                          I think the idea is that this will be a portable and relatively safe analogue of assembly in the browser. And you can disable it in browsers that implement it if you want. I hope they have some form of signed executables for this format.

                                                          1. 3

                                                            Does it actually have any more privileges than straight JavaScript would? Not that JS is currently “safe” at all, but we don’t need to elevate privs away from the baseline we have now.

                                                            1. 1

                                                              I’m saying it would be good to require a signature in order to reach the privilege baseline in the first place.

                                                          2. 3

                                                            function(e){function t(e,t,n,i){var r,o,s,a,l,c,d,f,p,m;if((t?t.ownerDocument||t:P)!==&&D(t),t=t||,n=n||[],!e||"string"!=typeof e)return n;

                                                            Is honestly harder to read than assembly.

                                                            1. 1

                                                              Or the classic Google Analytics example:

                                                              (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
                                                                (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
                                                                m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
                                                                })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
                                                              

                                                              Objects and functions can make obfuscated code even more disgusting.

                                                          1. 5

                                                            FWIW, you can run OpenBSD on many cloud hosting platforms which only advertise Linux, as long as they utilise KVM (or similar) virtualization. (OpenVZ is more like a container than a proper virtual machine.)

                                                            Here is a good guide explaining the process. With different ISPs you might need to adjust the parameters you give to grub slightly.

                                                            This is nice because Vultr is quite expensive and goes down frequently (apparently, I’ve never used them). Any cheap KVM VPS with VNC access will work great with OpenBSD.

                                                            1. 1

                                                              Hi, I’m the author of the article, and I haven’t had trouble with Vultr yet despite some service warnings about degraded network service due to some recent DDoS issues. I’ve been using it a few months. I’ve only been spending $5/month since I just need the smallest tier for my little server.

                                                              I appreciate that Vultr has built-in support for mounting the OpenBSD ISO and just running with it. That said, the link you posted is still a fairly simple process, so that’s nice.

                                                              1. 2

                                                                I have been running with Vultr for the past 2 years. I do experience semi-frequent issues with my node there but it’s a non-typical VM (a SATA node). What I can say though is Vultr has great customer support, to the point they helped me solve a routing issue with several upstream peering ISPs by leveraging their contacts that I would not be able to solve myself (as my provider is small & didn’t care).