Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

[Steven Schveighoffer]

On Fri, 11 Apr 2014 11:57:27 -0400, Dicebot <public at dicebot.lv> wrote:

> On Friday, 11 April 2014 at 15:50:47 UTC, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 11:39:33 -0400, Dicebot <public at dicebot.lv> wrote:
>>
>>> On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the heartbleed bug, people  
>>>> are not using password tracker/generators, you haven't learned  
>>>> anything :)
>>>
>>> Remembering 15-20 different passwords is less of a burden to me than  
>>> regularly verifying the code of password tracker browser extensions  
>>> and infrastructure involved. And blindly using 3d-part tool for  
>>> something that critical just does not make sense.
>>
>> So you don't use browsers? Or did you write your own?
>>
>> -Steve
>
> Don't use browser password managers for sure and don't use closed source  
> browsers :) Trusting that it does not bluntly dump my text from all html  
> inputs is necessarily evil borderline I need to not cross, that is true.  
> If source is worked with by many different people continuously, it at  
> least takes some skill to inject some security hole comparing to random  
> 3-d party tool no one even looks inside.

Do you put a foil hat on your computer too? ;)

I understand what you are saying, but I don't think it's even remotely  
likely something like that would happen, due to the possible reputation  
lost. You're more likely to be attacked via the server accepting the  
password than the browser. The truth probably is that nobody will likely  
have access to either of our accounts. There are enough people out there  
who use "12345" and "password" as their main passwords, that there isn't  
much reason to go after paranoid people like you and me. We can't be 100%  
sure of all code we use, so it's really just a matter of personal choice  
what level of trust to have.

-Steve