Some are online, but encrypted, with options to export the passwords in case the service goes down.
“Why should I trust them?”
Well, the software is open source, and regularly audited by people using it. Many password managers, such as Bitwarden (not sponsored, although I’d like to get a sponsorship) uses end-to-end encryption to secure the passwords so someone hacking the servers or a rogue employee can’t access anything, It would just look like random noise. You don’t have to know coding, you just have to trust that someone in the world will have the knowledge to inspect the code and report any suspicious code. Just regularly back up the passwords to a local file so you still have them in case they shut down.
Trying to remember passwords made me constantly stressed trying to remember them. A password made life much easier. Better than a single point of failure like your brain. One password is much easier to remember, and that one password can be as complex as you want, because that’s the only one you’d have to worry about.
Sincerely,
Someone who’s depressed af and constantly forget passwords
Encryption can be decrypted. A password manager encrypting your passwords is like saying your car has working brakes. It’s totally unsafe to even consider operating without but it doesn’t say much when it is there.
It’s not a matter of “why should I trust them” but “why should I trust them more than the system that already exists”. I get the appeal, but the hole is big.
If I forget a password I reset it. If I forget my manager’s password can it be reset? Is the reset option, if extent, susceptible to attack?
If an account gets compromised it could have moderate repercussions, but probably minimal depending on the account, with maybe a couple exceptions. If managed passwords get compromised that’s potentially everything. There has not, and likely never will be, an impenetrable system, so it is a possibility if not a concern.
Heres a novel I wrote since some may see this as a reason not to use password managers. There are several steps to mitigate all of these concerns. For instance, using a hardware security key for cloud based managers in order to basically stop the biggest threat to you which is phishing. For forgetting your master password, the solution is an emergency sheet, have at least one backup offsite. Arguably the best thing you can do to keep yourself safe is having multiple backups of your vault, just follow the 3,2,1 rule like how you should be doing to begin with other important documents. Its true that theres no absolutes in this world but “cracking” the encryption and bypassing any other security obstacles put in place by an actual reputable manager or yourself should be the very least of your concerns. Companies recognize that people dont practice good security thats why 2fa is pushed on to them but that shouldnt be a replacement for good security practices especially if the 2fa is weak to begin with. Thank god we will be using passkeys soon tho. Also to answer the question the password managers I used dont allow the vaults password to be reset as a security measure but do allow the vault to be deleted so keep your email at the very least protected as much as you can, as you should be doing already, since if that gets overtaken youre shit out of luck with all the accounts tied to that email which brings up the topic of email masking/alias but thats a different burrito altogether.
By “emergency sheet” are you suggesting writing the access-to-everything password down somewhere? If so I’m hard pressed to think of many things less secure. If not I’m genuinely curious what it is.
I can’t imagine a scenario in which I wouldn’t have backups, but I appreciate the mention.
I also am generally not concerned with someone pickpocketing my house keys, but that’s not to say it isn’t a possibility. Awareness is the first step to mitigation.
Email has to be the most protected, I absolutely agree. But I definitely wouldn’t be comfortable with the possibility of needing to reset everything else if I lost my master password. But I don’t know that I’m more comfortable with the ability to reset. It really kinda feels lose-lose to me.
I don’t think we’ll move to passkeys any quicker or easier than we moved to 2FA. I’m glad we’re getting better options but we’re bound by the weakest links and they don’t like change.
Spoken like someone who has never had to deal with corporate ‘security’ before. Password managers are great, but if your workplace has incompetent IT (e.g. probs 90% of workplaces), then you’re SOL and must play the increments game.
Yeah, I switched from LastPass (after one of their many data breaches) to 1Password. I don’t know any of my passwords anymore because they’re all just generated and saved automatically. And that’s a good thing.
Because I want control of my passwords in my head not some software, it’s not like a string of random characters is any more secure than one that can actually be remembered
Yes because I have an easily remembered system for a unique passphrase for any given site. Not trying to shit on password managers though, just providing a different perspective
deleted by creator
Because it’s much more fun to come up with passphrases like Correct Battery Horse Staple.
It’s a lot easier to remember that than #@?Zk23!nPw
You are not supposed to have to remember anything but your master password. :)
I’d rather try and remember than have a single point of failure for all my accounts’ security.
If the passwords are stored offline then I can’t get at them if I’m away from where they’re stored. If they’re stored online they’re not secure.
Some are online, but encrypted, with options to export the passwords in case the service goes down.
“Why should I trust them?”
Well, the software is open source, and regularly audited by people using it. Many password managers, such as Bitwarden (not sponsored, although I’d like to get a sponsorship) uses end-to-end encryption to secure the passwords so someone hacking the servers or a rogue employee can’t access anything, It would just look like random noise. You don’t have to know coding, you just have to trust that someone in the world will have the knowledge to inspect the code and report any suspicious code. Just regularly back up the passwords to a local file so you still have them in case they shut down.
Trying to remember passwords made me constantly stressed trying to remember them. A password made life much easier. Better than a single point of failure like your brain. One password is much easier to remember, and that one password can be as complex as you want, because that’s the only one you’d have to worry about.
Sincerely,
Someone who’s depressed af and constantly forget passwords
Encryption can be decrypted. A password manager encrypting your passwords is like saying your car has working brakes. It’s totally unsafe to even consider operating without but it doesn’t say much when it is there.
It’s not a matter of “why should I trust them” but “why should I trust them more than the system that already exists”. I get the appeal, but the hole is big.
If I forget a password I reset it. If I forget my manager’s password can it be reset? Is the reset option, if extent, susceptible to attack?
If an account gets compromised it could have moderate repercussions, but probably minimal depending on the account, with maybe a couple exceptions. If managed passwords get compromised that’s potentially everything. There has not, and likely never will be, an impenetrable system, so it is a possibility if not a concern.
Heres a novel I wrote since some may see this as a reason not to use password managers. There are several steps to mitigate all of these concerns. For instance, using a hardware security key for cloud based managers in order to basically stop the biggest threat to you which is phishing. For forgetting your master password, the solution is an emergency sheet, have at least one backup offsite. Arguably the best thing you can do to keep yourself safe is having multiple backups of your vault, just follow the 3,2,1 rule like how you should be doing to begin with other important documents. Its true that theres no absolutes in this world but “cracking” the encryption and bypassing any other security obstacles put in place by an actual reputable manager or yourself should be the very least of your concerns. Companies recognize that people dont practice good security thats why 2fa is pushed on to them but that shouldnt be a replacement for good security practices especially if the 2fa is weak to begin with. Thank god we will be using passkeys soon tho. Also to answer the question the password managers I used dont allow the vaults password to be reset as a security measure but do allow the vault to be deleted so keep your email at the very least protected as much as you can, as you should be doing already, since if that gets overtaken youre shit out of luck with all the accounts tied to that email which brings up the topic of email masking/alias but thats a different burrito altogether.
By “emergency sheet” are you suggesting writing the access-to-everything password down somewhere? If so I’m hard pressed to think of many things less secure. If not I’m genuinely curious what it is.
I can’t imagine a scenario in which I wouldn’t have backups, but I appreciate the mention.
I also am generally not concerned with someone pickpocketing my house keys, but that’s not to say it isn’t a possibility. Awareness is the first step to mitigation.
Email has to be the most protected, I absolutely agree. But I definitely wouldn’t be comfortable with the possibility of needing to reset everything else if I lost my master password. But I don’t know that I’m more comfortable with the ability to reset. It really kinda feels lose-lose to me.
I don’t think we’ll move to passkeys any quicker or easier than we moved to 2FA. I’m glad we’re getting better options but we’re bound by the weakest links and they don’t like change.
Thanks for the answers
deleted by creator
Tacking onto this, because I mix password types too, I don’t want all my passwords in the same (even pseudorandom) style.
Spoken like someone who has never had to deal with corporate ‘security’ before. Password managers are great, but if your workplace has incompetent IT (e.g. probs 90% of workplaces), then you’re SOL and must play the increments game.
Yeah, I switched from LastPass (after one of their many data breaches) to 1Password. I don’t know any of my passwords anymore because they’re all just generated and saved automatically. And that’s a good thing.
Tons of websites reject pseudo randomly generated passwords, too
deleted by creator
That’s inherently blocking pseudo random password generators.
Max length doesn’t bother me if it’s at least 128 characters, but only allowing specific special characters is a sin.
As of last year, Wells Fargo’s passwords were even cause insensitive. Dunno if they’ve fixed it since then, but probably not
Because I want control of my passwords in my head not some software, it’s not like a string of random characters is any more secure than one that can actually be remembered
deleted by creator
Yes because I have an easily remembered system for a unique passphrase for any given site. Not trying to shit on password managers though, just providing a different perspective