I keep seeing people highly recommend them, but I’ve always thought it wasn’t very secure.

  • DeathByBigSad@sh.itjust.works · 11 days ago

    Without password managers: You either have weak passwords, or you constantly forget passwords and get locked out of your accounts.

    Or you can remember the password to your email then use that to reset passwords every time and slam your head on the keyboard to generate a random password that you won’t need to remember because you’ll just reset it next time, but then it’s a hassle and you are relying on one point of failure, and you could get locked out if your email stops working.

    So in conclusion: Password Managers

  • EonNShadow@pawb.social · 11 days ago (edited)

    Like the other commenter said - people recommend them for peace of mind so you don’t have to think about knowing a password for the 2653rd account you set up once and are never using again. It’s the next best thing to just remembering complex passwords.

    I’ve used Dashlane for years, personally, but I know people here will immediately shut that down for not being FOSS. Bitwarden is FOSS but requires some technical setup and has no redundancy.

    Don’t get me wrong, I love self-hosting as much as the rest of us but I’m not trusting my server from 2013 with all my passwords to everything.

    • Godort@lemmy.ca · 11 days ago

      Bitwarden is FOSS but requires some technical setup and has no redundancy.

      Bitwarden offers a cloud-based service in addition to self-hosted options. I choose to pay $10/year to get access to store OTP codes and easy Yubikey enrollment.

  • scytale@piefed.zip · 11 days ago

    Yes, but it depends on which one you use. Some are better than others. The ones that can be hosted locally (i.e. keepass) are the most secure because you are not relying on a third party to host your password vault for you. It would be helpful to know why you think they aren’t very secure, so people can help clarify.

  • Ænima@feddit.online · 11 days ago

    There’s no guarantee anything is “secure,” anymore. Even if you run a self-hosted password manager, it could still be compromised at the package-level or down the road through some exploit. I will say that since I started using Bitwarden as my main password manager, I have had to worry less about company data breaches and stolen passwords. I have no need to reuse passwords for any site or service. I can use the built-in 2FA with sites that require it and don’t have to have multiple apps. I can share passwords with my wife if she needs to access something under my name.

    In addition to storing logins, I can store secure notes, even storing login-specific notes within the login details for things like one-time-use passwords, etc. I can store various credit/debit cards and recall them into payment systems whenever I want, without storing them in a browser. When using the phone, I can tie the biometrics to the unlocking of my vault so, with the vault locked, I can easily unlock it to find the login/info I need to submit to an app or website.

    Obviously, all this comes with its own risks, but the level of risk of a password manager is far lower than the risk of reused passwords and the mismanagement of security at the corporate level. If you’re really hard-up to keep your stuff offline, other products exist that are locally stored, but you’ll likely miss out on access from outside the home in the event you need that login info somewhere else.

  • 👍Maximum Derek👍@discuss.tchncs.de · 11 days ago (edited)

    I think your question has been answered by others pretty well but I’ll add: If you decide a password manager is overall beneficial and choose one that looks secure, don’t assume it will stay that way. LastPass taught us that a couple of decisions that are valid one day can turn into huge liabilities in a few years as threats escalate. You have to periodically check in on what sevops pros are saying about your manager and make sure they haven’t been resting on their laurels. Security is a job we all have.

  • LambdaRX@sh.itjust.works · 11 days ago (edited)

    I think they can be much more secure than:

    • remembering your (probably weak) passwords

    • writing passwords on paper, which is slow, you can lose paper, break it, or someone can steal it

    • storing passwords in an unencrypted text file

    • reusing passwords/password!

    I use KeepassXC, which is an offline, encrypted password manager. Every password is stored in one file, which, to access, I must enter the one password I do remember. I recommend having backups of this file.

    It has a password generator included, so all my passwords are long, strong and unique. It also can auto-fill password/login which saves time.

    To increase the security of your account even further you should also use multi-factor authentication, for example an app which generates one-time codes on your phone offline. It will protect you, even if your password gets leaked, or cracked.

    • someguy3@lemmy.world · 11 days ago (edited)

      If you write it on paper, include the same short word on the end of all your passwords that you don’t write down. Password is Hunter2duck but you only write down Hunter2.

      • garbagebagel@lemmy.world · 10 days ago

        I write my passwords on paper in code, like my dad taught me to do.

        However, just a personal anecdote, my uncle passed suddenly and he had written all his passwords (not in code) on a spreadsheet with each account, which he then printed. I promise you, this single piece of paper was one of the most helpful things I could’ve asked for in sorting out all of his assets. It was a genuine lifesaver. Now I often think that maybe I should be sharing my password with an S.O. or someone else close to me just to make their life easier if I were to die tomorrow.

        • someguy3@lemmy.world · 10 days ago

          See you can tell your family the “duck” part. Then anyone that steals the paper still can’t do it.

        • someguy3@lemmy.world · 11 days ago

          Unfortunately I see headlines every now and then that whatever password manager was compromised.

          • PlexSheep@infosec.pub · 10 days ago

            I mean… Can’t happen if you keep your stuff encrypted like with KeePassXC. Even if someone gets my password database, it’s useless for them since they don’t know how to decrypt it. That’s why I don’t use some online service, though using one of the online services is certainly better than reusing a weak remembered password.

    • Sc00ter@lemmy.zip · 10 days ago

      Does this make it so that you can only access all/any of your accounts from 1 computer ever?

      • LambdaRX@sh.itjust.works · 10 days ago

        No, I keep multiple copies of this file on different devices and I sync them using Syncthing.

        However if you want to access your password database from many devices, using an online password manager, like Bitwarden, would probably be easier.

  • muusemuuse@sh.itjust.works · 11 days ago

    It’s better than using the same few passwords everywhere. Passwords are being phased out though. The future is passkeys.

  • edupo@europe.pub · 10 days ago

    Any password manager is a good and secure alternative because they do not have any interest in knowing or exposing your password. They will run out of business very quickly if they allow it! Passwords are just a method to identify you as you on the internet so they can sell you stuff! Even Google will go to great lengths to guarantee you are you because it is its core business. For sites where you do not trust passwords you can use 2FA from a secondary provider. For sites that are really important you probably will have a dedicated app (government IDs, work…) as they do have a vested interest in nobody else knowing your password. So yes, they are as secure as technically possible.

    Special note about file-based PMs: the only person interested in that file being secret is you! So those are a great source of discomfort for me as files are heavily analyzed by systems and platforms. And any file can be brute-forced open given enough processing power or enough tech (AI, quantum computing…). So don’t lie to yourself: going lone wolf does not make it safer.

    • Zacryon@feddit.org · 10 days ago

      They will run out of business very quick if they allow it!

      I wouldn’t be so naive. Even applications advertised as “secure” may be subject to surveillance laws of various nations. Or even just plainly lying for other malicious reasons while keeping it “hidden”.

      And any file can be brute forced open given enough processing power or enough tech

      Which, depending on the encryption and password, may take more time than the age of the universe. Even with quantum computers, afaik. There are already a bunch of new encryption technologies undergoing standardization that are also not vulnerable to quantum computers.

  • vipaal@aussie.zone · 11 days ago

    With the arrival of near-infinite phonebooks, the drive and know-how to remember hundreds of phone numbers is lost to humanity.

    Passwords present added complexity to those of phone numbers. On top of a name to number (allowing a few collisions), passwords are required to be of certain length, contain an upper case letter, lower case letter, number, special character, and more importantly, a preset lifetime.

    Password managers seem to be a safer and low-stress bet for the vast majority. There will always be a few exceptions who can do it all in their head. They don’t tend to advertise their presence.

  • smiletolerantly@awful.systems · 10 days ago

    Can’t believe no one mentioned this yet:

    Any good password manager encrypts and decrypts your password file client side. The server should not even have the ability to read your passwords.

    Even in the case of a leak of all of the server’s data, as long as your password for the manager was good, you’ve got nothing to worry about.

    I’d say pick a PW manager where both client and server are open source. Pick a strong passphrase. Enjoy.
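    As an added illustration of the client-side model this comment describes (and of the earlier point that a stolen KeePassXC database is useless without its passphrase), not code from any password manager: the client stretches the passphrase with scrypt and splits the result into an encryption key it keeps and a separate authentication hash it sends; the server stores only that hash and the ciphertext. The cipher (an HMAC-SHA256 keystream plus a MAC) is a stand-in for AES-GCM so the example runs on the Python standard library alone; the user name, passphrase and vault contents are constructed sample values.

```python
import hashlib
import hmac
import os

def derive_keys(passphrase: str, salt: bytes) -> dict:
    """Client side only. Stretch with scrypt, then derive three independent
    subkeys. Only auth_hash ever leaves the device."""
    master = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    sub = lambda label: hmac.new(master, label, hashlib.sha256).digest()
    return {"enc": sub(b"enc"), "mac": sub(b"mac"), "auth_hash": sub(b"auth")}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (real code: AES-GCM).
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_vault(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the returned blob is all the server ever sees."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_vault(keys: dict, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # wrong passphrase or tampering
        raise ValueError("vault authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct))))

class VaultServer:
    """What the provider holds per user: salt, auth hash, opaque blob. No keys."""
    def __init__(self):
        self.users = {}
    def register(self, user: str, salt: bytes, auth_hash: bytes, blob: bytes):
        self.users[user] = (salt, auth_hash, blob)
    def login(self, user: str, auth_hash: bytes) -> bytes:
        salt, stored_hash, blob = self.users[user]
        if not hmac.compare_digest(stored_hash, auth_hash):
            raise PermissionError("bad credentials")
        return blob

def demo(passphrase="correct horse battery staple", secret=b"site=example.org pw=hunter2"):
    """Constructed session: returns (client can decrypt, breach exposes plaintext)."""
    server, salt = VaultServer(), os.urandom(16)
    keys = derive_keys(passphrase, salt)
    server.register("alice", salt, keys["auth_hash"], encrypt_vault(keys, secret))
    leaked_blob = server.users["alice"][2]          # everything a server breach yields
    recovered = decrypt_vault(keys, server.login("alice", keys["auth_hash"]))
    return recovered == secret, b"hunter2" in leaked_blob
```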

  • twice_hatch@midwest.social · 10 days ago

    I do SyncThing and KeePass.

    Their URLs at time of writing are https://syncthing.net/ and https://keepass.info/

    I don’t remember which KeePass UI for Android I use. I think I use Syncthing Fork on Android.

    That gives me the benefits of a cloud password manager, but the only cloud infrastructure is whatever SyncThing uses to do its peer-to-peer tricks. The password database is encrypted on disk with my root password, and then it’s encrypted end-to-end in transit because every SyncThing node knows the public keys of my other nodes.

    I almost never upgrade KeePass because I’m afraid of losing access to my passwords on my phone. SyncThing I do upgrade because that’s easier to fix.

    If you upgrade regularly, you’re vulnerable to the project being compromised. If you never upgrade, you’re vulnerable to whatever old code is vulnerable to. Personally I err on the side of not upgrading often.

    I also have my own implementation of diceware https://www.eff.org/dice
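    An added example, not the commenter’s own diceware implementation: a diceware generator that rolls five dice per word with a CSPRNG, plus the entropy arithmetic behind the earlier reply that brute-forcing a well-chosen passphrase can take longer than the age of the universe. The 7776-entry wordlist is a constructed stand-in for the EFF list linked above (only its size matters for the math), and the two attacker guess rates are assumptions, not measurements.

```python
import math
import secrets

DICE_SIDES, DICE_PER_WORD = 6, 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD        # 7776 entries, like the EFF long list

# Constructed stand-in wordlist; substitute the real EFF list for actual use.
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]

def roll_word_index() -> int:
    """Roll five dice with a CSPRNG (secrets, never random) and map to an index."""
    index = 0
    for _ in range(DICE_PER_WORD):
        index = index * DICE_SIDES + secrets.randbelow(DICE_SIDES)
    return index

def generate_passphrase(wordlist, n_words: int = 6) -> str:
    if len(wordlist) != LIST_SIZE:
        raise ValueError("diceware needs exactly 6**5 words")
    return " ".join(wordlist[roll_word_index()] for _ in range(n_words))

def passphrase_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy comes from the random choice, not the words: log2(list_size) per word."""
    return n_words * math.log2(list_size)

def full_search_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try every passphrase at a given rate (average success is half this)."""
    return 2 ** entropy_bits / guesses_per_second / (365.25 * 86400)

# Assumed attacker rates (illustrative, not measured): a fast unsalted hash lets
# a GPU rig try on the order of 1e12 guesses/s; a memory-hard KDF such as Argon2
# (which KeePassXC supports) pushes that toward 1e6 guesses/s per rig.
def report(n_words: int) -> dict:
    bits = passphrase_entropy_bits(n_words)
    return {"bits": round(bits, 1),
            "years_fast_hash": full_search_years(bits, 1e12),
            "years_slow_kdf": full_search_years(bits, 1e6)}
```

    The KDF matters as much as the passphrase: the same six words survive a few thousand years against a fast hash but billions against a slow, memory-hard one.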

    • Modern_medicine_isnt@lemmy.world · 10 days ago

      I think, based on the question asked, this is a bit more complicated than OP is interested in. Just saying. But bravo for your dedication to keeping info out of corporate hands.

  • Allero@lemmy.today · 10 days ago

    The only big danger of a good password manager is the fact all your passwords are stored under one.

    To mitigate the risk, follow these practices:

    • Use a good trusted, much preferably open-source option (for example, Vaultwarden, KeePassXC);
    • Use a strong password;
    • Do not EVER use the same password you use for password manager elsewhere;
    • Use 2FA on both your password manager itself and all the accounts you store passwords for;
    • Back up your password database in an encrypted way.

    Together, these measures should save you from any trouble.

    Now, why they are good:

    • They can generate and store very strong passwords you would never make up, much less remember;
    • You can be sure you won’t forget your password;
    • They are convenient and can auto-fill passwords for you.

    Generally, using a password manager is considered a superior option in terms of security and availability compared to keeping your password elsewhere, including your head.

  • ExtremeDullard@lemmy.sdf.org · 11 days ago (edited)

    I don’t use them. I make the effort to remember my passwords - or rather, my recipes to recreate any complex passwords.

    The only safe storage form for your passwords is your noggin’. The next best thing is probably a password manager - although that depends on how trustworthy whoever coded it is - but it certainly isn’t as secure as using your brain if your brain works properly.

    Also, something else that goes a long way towards making any password secure is 2FA. If you can, use it!

  • slazer2au@lemmy.world · 11 days ago

    What makes you think they aren’t secure?

    Most will tell you how the password is stored and, assuming they implemented the encryption algorithm correctly, it should be rather difficult to break the vault open.