
Comment Re:Time to get rid of Tor (Score 0) 122

The problem with Egypt, Syria, Libya and Tunisia is they've suffered over a thousand years of Islam. That has left their population with a fatalistic outlook, their leaders corrupt and their drive and innovation sapped. The Internet is not going to free the billion humans who live enslaved to Islam. Unfortunately, only the people themselves can do that by throwing off the stultifying oppression of Islam, and that's not happening any time soon.

Comment Re:Dumb dumb dumb advice... (Score 2, Insightful) 280

There are some sites where it truly doesn't matter.

I don't believe that. You may think it doesn't matter, but when it comes to identity theft, any little crumb of information may be useful to an attacker. And if you use the same weak password across a whole slew of supposedly "unimportant" sites, an attacker may be able to piece together a lot of information about you... enough to surprise you with cell phone bills you didn't sign up for, credit cards in your name, etc.

Comment Re:Dumb dumb dumb advice... (Score 3, Insightful) 280

But I sure as fuck am not going to put ALL of them into ANY app or single program - there are backdoors built into routers these days, you expect some start-up (or even established) "password keeper" doesn't have that possibility? I am concerned for your common sense.

Woah, woah, woah, chill out!

I have the complete source code for my password manager. And guess what... I've even read the source code!

It uses "openssl bf" to encrypt (that's the Blowfish cipher). In spite of all the warnings about OpenSSL holes, I don't believe anyone's yet found a problem with its Blowfish implementation, and though Blowfish is old and there may be weak keys, I don't believe it has serious vulnerabilities especially when only used to encrypt small files.

Comment Re:Dumb dumb dumb advice... (Score 1) 280

If you don't have Internet access, then remembering your password for a web site is moot.

If you have only insecure Internet access, then you don't do anything important unless you can use HTTPS and make sure you validate the certificates.

That means they are both weak to being cracked/tampered with, and should your device be stolen, you are without all your passwords.

To defend against the first attack, you choose a strong master passphrase and you make sure your password manager uses a properly-implemented and secure encryption algorithm such as AES. To defend against the second attack, you regularly back up your password database. It's not rocket science.

Comment Re:Dumb dumb dumb advice... (Score 1) 280

I use something called TkPasman, which runs on my Linux desktop. I don't use a mobile device much to surf the web, and never to log into any sites I care about because it's just too painful.

I could access it in a pinch by tunneling X over SSH back to my main computer, and I have done so in the past. Another thing I do is sync the password database to the handful of Linux desktops I use on a regular basis.

The password manager KeePassX is available for Mac OS, Windows and Linux and you can sync the databases. I'm not aware of one that also works on Android or iOS, though. :(

Comment Re:Bah (Score 2) 280

The linked paper did mention password managers in passing, but dismissed them as being vulnerable to client-side malware which could compromise all your passwords. That assumption is true if you're running your password manager on a Windows system, I suppose, which is likely the only thing the "Redmond researchers" are even aware of. But if you keep your password manager on a separate device or run it under a secure sandbox in a secure OS, you're much better off than the paper implies.

Comment Re:Awesome! (Score 1) 163

The "Right to Forget" could be a good ruling if the EU added two conditions:

  1. A fee (let's say between $25-$50) for each takedown request. That is a small enough fee that it won't deter someone who really wants to get rid of an embarrassing search result, but it's big enough to deter organizations like the Scientologists from making thousands of requests.
  2. A determination by a judge, tribunal, etc. that taking down the search result is in the public's interest.
