I think your barrier for dismissal is way too high. Simultaneously, the more popular a password manager / autofill is the more it gets tested as part of a QA or best practices process.
Agreed, also anything that defeats a password manager is a red flag for me.
I've seen sites that break a password manager's autofill AND disallow pasting a password. It's like they want me to use a bad password.
My password manager autofilling will always be faster than any other option, especially one that requires me to pull out my phone, navigate to my authenticator app, switch to your app (which will only become more time-consuming as more sites require it), then type in the code by hand.
The only thing that can compete with password managers on user experience is just actually remembering they're logged in instead of pointlessly logging them out every single day for no reason.
I don't understand why so many password managers go through so much trouble to implement auto-fill. This one has an interesting approach that seems to be slightly less intrusive than what, say, Lastpass is doing but I still don't really see the value outweighing the cost.
Yes, auto-fill - if implemented well - can add some convenience for the user but it usually adds a significant amount of complexity to the codebase and comes with some challenges regarding security. In fact, LastPass' autofill feature is/was the root cause of some very scary vulnerabilities[1].
Copy&paste is simple, broadly understood and supported in much the same way on every single platform. And in my experience, it's really not that much slower than auto-fill.
It seems to me that most password managers these days are to tick off a list of features rather than focussing on security and usability. Mind you, Secret 2 is definitely not the best example for this - I actually quite like the clean look and simple user interface. Still, it seems like most people nowadays are judging the value of a password manager by the number of features rather than, say, security.
<shameless-plug>Padlock[2] is a minimalist, open source password manager without auto-fill, browser-integration or any other 'advanced' features. We believe that when it comes to features, less is often more, and it seems there are plenty of people who agree with us.</shameless-plug>
I think it’s mostly for everyone else. I’m very successfully using a password manager. I’ve tried to talk nearly everyone I know into using one as well, and it’s really painful for them. Even for people I can help daily, their setup somehow gets complicated enough that they go back to using their default 5 letter password for new things until I fix it.
A password manager can be an extra 10 seconds of work up front in some edge cases — input not detected correctly, signing up in an app, trying to quickly get through a flow when your password manager is logged out… People just revert back to the easiest path, which is their 5 letter password they’ve already used on a billion services.
Oh, and another rough edge case is when the autogenerated password doesn't match the password requirements. Using a disallowed symbol, too long, etc.
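The mismatch described above (a generated password that uses a symbol the site rejects, or exceeds its length cap) is avoidable if the generator takes the site's constraints as input and a checker confirms the result before it is submitted. The following is an added example written for this page, not code from any password manager mentioned in the thread; the `PasswordPolicy` fields, the `generate`/`check` names and the default limits are this example's own assumptions.

```python
"""Policy-aware password generation.

Added example for this page; not taken from any password manager
discussed in the thread.  The policy shape and the defaults below are
assumptions chosen for illustration.
"""
import random
import secrets
import string
from dataclasses import dataclass

# SystemRandom draws from the OS CSPRNG, so the shuffle is as strong as secrets.choice().
_sysrand = random.SystemRandom()


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints a site imposes on a password (assumed field set)."""
    min_len: int = 12
    max_len: int = 64            # many sites cap length; the generator must honour it
    symbols: str = "!@#$%^&*"    # only the symbols this site accepts
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def required_classes(self) -> list:
        """Character classes from which at least one character is mandatory."""
        classes = []
        if self.require_upper:
            classes.append(string.ascii_uppercase)
        if self.require_lower:
            classes.append(string.ascii_lowercase)
        if self.require_digit:
            classes.append(string.digits)
        if self.require_symbol:
            if not self.symbols:
                raise ValueError("policy requires a symbol but allows none")
            classes.append(self.symbols)
        return classes

    def alphabet(self) -> str:
        """Every character the site allows anywhere in the password."""
        return string.ascii_letters + string.digits + self.symbols


def check(password: str, policy: PasswordPolicy) -> list:
    """Return the rules `password` violates; an empty list means it complies."""
    problems = []
    if len(password) < policy.min_len:
        problems.append("too short")
    if len(password) > policy.max_len:
        problems.append("too long")
    disallowed = sorted(set(password) - set(policy.alphabet()))
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("missing uppercase")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("missing lowercase")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if policy.require_symbol and not any(c in policy.symbols for c in password):
        problems.append("missing symbol")
    return problems


def generate(policy: PasswordPolicy, length: int = None) -> str:
    """Generate a password guaranteed to satisfy `policy`.

    Default length is 24 characters, clamped into [min_len, max_len], so a
    site with a low cap gets exactly its maximum rather than a rejected value.
    """
    if length is None:
        length = min(policy.max_len, max(policy.min_len, 24))
    required = policy.required_classes()
    if not policy.min_len <= length <= policy.max_len or length < len(required):
        raise ValueError("requested length is incompatible with the policy")
    # One character from each mandatory class, the rest from the full alphabet.
    chars = [secrets.choice(cls) for cls in required]
    alphabet = policy.alphabet()
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _sysrand.shuffle(chars)  # so the mandatory characters are not always first
    password = "".join(chars)
    assert check(password, policy) == []  # the generator must never emit a violation
    return password


if __name__ == "__main__":
    # Constructed policy for a site that caps length at 16 and allows only '_' and '-'.
    strict = PasswordPolicy(max_len=16, symbols="_-")
    print(generate(strict), check("Correct-Horse!", strict))
```

Running the check before submission turns the "site silently rejects the generated password" case into a message the user can act on, and feeding the site's cap and symbol set into `generate` avoids the rejection in the first place.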
I know but it comes at a price of some users who don't use a password manager setting silly weak passwords.
In one of my mobile apps that manages KeyChain user/passwords correctly, I still see a lot of password reset requests. I can't even think of a reason why people would ignore autofill so often. The result is that, although I haven't checked, I wouldn't be surprised if there were still a lot of "password123"s in the DB.
Furthermore many sites make it difficult to use a password manager because it's hard to block automated password guessers and not interfere with password managers trying to enter passwords.
On the other hand, having as many users as possible use any password manager at all is an immense challenge as-is. It really doesn't matter what gets them using one as long as they do. If an OS-native one happens to have the lowest friction, so be it.
For everyone else, sure, there might be 100 people in the world that will actually audit their open source password managers. But that isn't exactly moving the rest of the industry forward (be it from the engineering perspective or the user perspective).
In this case, (almost) perfect is the enemy of good.
We've handled this by mandating password manager use and pushing length requirements to absurd levels to where it truly is easier to just use the manager, which has two factor.