Authentication is one of the riskiest and most misunderstood things that non-experts have to manage day in, day out, and even though there are lots of companies out to “kill” passwords, they’re not dead yet. For the foreseeable future, experts or not, we’re all stuck with making the best out of what we have, and as security practitioners, we need to continue focusing on improving security outcomes to set humans up for success instead of password reuse and failure.
One of the most common questions I am asked, in 1000 different ways, when I talk about password managers as a way to remove credential management burdens from users is, “Are password managers safe? What if they get hacked?” As a self-proclaimed password truther, I don’t mind this at all — once upon a time, I got into an argument with an extremely intelligent guy at a friendly meetup who wouldn’t leave me alone about mutual authentication with TLS when I worked at 1Password — and, well, spoiler alert… we’re getting married this year.