Web lists-archives.com

Re: Password Manager opinions and recommendations




On Tuesday, March 27, 2018 08:47:10 AM rhkramer@xxxxxxxxx wrote:
> On Tuesday, March 27, 2018 04:08:07 AM Joe wrote:
> > On Mon, 26 Mar 2018 17:38:33 -0400
> > 
> > rhkramer@xxxxxxxxx wrote:
> > > > > Yes, at least I think so, unless there is some standard for how
> > > > > to handle passwords (including changing them) on websites.  I
> > > > > suspect that there isn't. There may be some commonality in
> > > > > websites generated by a common website "generator" (one of those
> > > > > packages that help you create a website--I think they exist, but
> > > > > I've never used one--maybe Drupal is an example?
> > > > 
> > > > The standard exists. You change your password via the website. Then
> > > > you inform your password manager of the change.
> > > 
> > > Ok, but that's not the kind of standard I was hoping for--I was
> > > hoping for a (standard) programmatic way of changing the password on
> > > a website, which, being programmatic, could be initiated by the
> > > password manager.
> > 
> > Unless such a thing is a library function in JavaScript, then no
> > commercial website will contain it...
> > 
> > More seriously, I doubt that such a thing exists, it would be like the
> > backdoor in OpenSSL, an absolutely disastrous idea. Websites tend to
> > store password data (sometimes in plain text!) insecurely enough as it
> > is.
> 
> Good point, although I'd expect such a function to require authentication,
> presumably by entering the old password.
> 

Hmm, but on further (but little thought), I still would like such a function, 
maybe it could work something like this:

When you login to a site that requires authentication / a password (and you've 
fulfilled the captcha or equal), you could get a prompt something like: "Would 
you like to change the password?  (Maybe mentioning how old the password is, 
or how many times you've logged in using it).  If you answer yes to the 
prompt, the password manager starts a programmatic dialog to change the 
password, including entering the password, but (perhaps optionally, via a per 
site setting in your password manager) it requires additional authentication 
(from / with the site, not with password manager) which may include--well, 
something, maybe another captcha.  And it would only work on https:// pages or 
under similar encryption.



> > Also, many websites where security is a big issue do try to ensure that
> > logins can't be made by computer.
> 
> Oh, yeah, Captchas (and such)--how could I forget about those...