{"id":4306,"date":"2019-12-25T19:26:21","date_gmt":"2019-12-25T17:26:21","guid":{"rendered":"http:\/\/www.laurentmarot.fr\/wordpress\/?p=4306"},"modified":"2019-12-25T19:30:27","modified_gmt":"2019-12-25T17:30:27","slug":"gestionnaires-de-mot-de-passe","status":"publish","type":"post","link":"https:\/\/www.laurentmarot.fr\/wordpress\/?p=4306","title":{"rendered":"Gestionnaires de mot de passe"},"content":{"rendered":"

Bien aim\u00e9 cet article qui m’\u00e9vitera de partir from scratch quand on me re-demandera mon avis sur le sujet.<\/p>\n

Je le reprends donc ci-dessous int\u00e9gralement en y int\u00e9grant mes commentaires afin que personne ne puisse penser qu’il puisse s’agir d’un abominable plagiat.<\/p>\n

 <\/p>\n

A couple of years ago, there was some debate over the usefulness of password<\/a> managers. Some argue that password managers<\/a> are a bad idea, because they create one vector of attack<\/a> that can breach<\/a> all of your online credentials. These concerns were hightened when OneLogin was subject to a major cyber attack<\/a> on May 31st<\/sup>, 2017. From OneLogin<\/a>:<\/p>\n

\u201cOur review has shown that a threat actor<\/a> obtained access<\/a> to a set of AWS<\/a> keys and used them to access the AWS API<\/a> from an intermediate host<\/a> with another, smaller service provider<\/a> in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff<\/a> was alerted of unusual database<\/a> activity around 9 am PST<\/a> and within minutes shut down the affected instance as well as the AWS keys that were used to create it…<\/p>\n

The threat<\/a> actor was able to access database tables that contain information about users<\/a>, apps, and various types of keys. While we encrypt<\/a> certain sensitive data<\/a> at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt<\/a> data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.\u201d<\/p>\n

Troy Hunt of Have I Been Pwned<\/a> fame argues that password managers are very necessary, you just need to choose a good one and practice good opsec (operational security) with your use of it. Keep in mind that he has an endorsement deal of some sort with 1Password<\/a>, which is a password manager. But despite this possible conflict of interest, I think his advice is good<\/a>:<\/p>\n

\u201cYour brain is a very bad password manager. It’s incapable of storing more than a couple of genuinely random strings of reasonable length (apologies if you’re a savant and I’ve unfairly characterised you in with the rest of our weak human<\/a> brains). That leads to compromises. If you’re one of these people who says \u2018I’ve got a formula that always gives me unique passwords<\/a> that are strong,\u2019 no you don’t, they probably aren’t and no they’re not. You’re making concessions on what we empirically know is best practice and you’re kidding yourself into thinking you aren’t. I’ve had this debate many times before and there’s dozens of comments raging backwards and forwards about this in my post<\/a> on how the only secure<\/a> password is the one you can’t remember.\u201d<\/p>\n

My friend John Opdenakker<\/a>‍ also has good advice about password managers. He likes the password manager<\/a> that\u2019s built into Firefox. While you\u2019re there, I recommend you check out the rest of his very informative blog<\/a>. But without further ado, here\u2019s some of what he has to say about password managers<\/a>:<\/p>\n

\u201cThe security of most browser’s built-in password managers is still inadequate. At the moment Firefox<\/a> is the most secure. The built-in password managers of the discussed browsers and Google’s (cloud-based) password manager still can’t compete with the most third party<\/a> password managers. Both when it comes to security and integration<\/a> of necessary features.<\/p>\n

If you want to use a built-in password manager Firefox is the best choice at the moment. If you want to use a cloud-based<\/a> password manager I recommend you to do some research and choose a third-party password manager that is most suitable for you. If a password manager is nothing for you use a password book that you keep close to you.<\/p>\n

Keep in mind that the goal is to create strong passwords and store them in a secure way. Which tool<\/a> you use is irrelevant, as long as it supports you to reach that goal.\u201d<\/p>\n

And here\u2019s my own general advice about password managers, in a nutshell:<\/p>\n