Is a password manager essential?
I feel like it's impossible to remember passwords that are long, random, and unique for every service. I have too many accounts.
On the other hand, I don't like the idea of giving up control of my passwords to a password manager and using the ones it generates and stores. It feels weird that I wouldn't "know" my passwords.
Is this a hangup I should just get past? What do I do if I need to login somewhere but cannot access my password manager?
I really like the analogy, and I hadn't thought of it like this before, but it does highlight one key difference: I mostly trust banks because they're insured and regulated. Even if they fuck up, someone's on the hook to make it right, which is why I'll happily leave significant money in the bank but won't leave a penny in my PayPal balance, even though I'm equally confident in the technical security of both.
All that said, I do still use a password manager and I'm confident it's the best option. I certainly don't have even a hypothetical solution to the problem of responsibility, whether commercial or self-hosted, but I am acutely aware of how much my life (and that of most people, I think) is dependent on those credentials. While I can do a lot to try and keep them secure, there's not a lot of recourse in the unlikely event that something serious does go wrong, and that worries me.
This was very helpful, actually! It gave me the mental nudge I needed. Thank you for framing it like this.
Yes, it is.
Better than having a common password pwned and giving up control of your accounts.
Store it on the cloud and have the cloud password be one of the few manual passwords you use, then any time you would need to access it you can.
Presumably most people have their phones with them at all times and most password managers have phone apps as well, even KeePass (see: Contributed/Unofficial KeePass Ports), so you don't even need to store your password vault in the cloud if you're wary of such things. It can be a bit of a PITA to manually type your password into another device while reading it off your phone, but that's a small price to pay for the added security a strong, non-repeated password gives you.
p.s. IMO, two-factor authentication is "essential" nowadays too.
You can also use Syncthing (it's on F-Droid, too) to have your passwords db sync directly across your own devices, without storing them on a third party server. It's what I do.
You just have to pay some attention when your passwords database is open and gets modified on more than one device, but you won't lose your passwords - you'll just have to merge them by hand.
You can also use diceware passwords to make typing them easier.
This recent, albeit poorly-titled, thread goes into a lot of detail about passwords and why a password manager is a very good idea. It's very little inconvenience for a lot of benefit. Pay special attention to the comments in the thread pointing out that one weak account makes everyone's life worse. You may not care about your account, but that doesn't mean someone malicious doesn't. You may not think your account can be useful if compromised, but that doesn't mean someone malicious doesn't.
This is a great point that I hadn't considered: account takeovers enable bad actors. I had only focused on the issue from my own perspective and not that of a community. Thanks for pointing this out.
I recommend KeePass (specifically KeePassXC, an active fork of KeePassX) specifically because it's open-source and completely local, no need to give control of your passwords up to any company.
It can feel weird at first, but it becomes very natural, and the added security is worth it.
I keep my database on my computer and phone, using Syncthing to automatically sync them (all over my local home network and end-to-end encrypted, no cloud services). I also keep an encrypted backup on my Google Drive just in case.
In the past, I've also carried a USB with a portable KeePass exe and my database on it so that I could access my database on other computers, but this is quite insecure (what if you lose your USB, what if the computer is untrustworthy, etc.).
Honestly, I disagree with many people here. They seem to present the argument with 2 main options:
But there is a third option, and that's to use long, secure, different passwords for each site without a password manager. This isn't as hard as it may seem. I'm sure most people have heard of the "battery horse staple" XKCD. My recommendation is to make a password like that, and then vary it a bit based on the name of the site/service you're using, in some formulaic way that allows you to easily know what your password should be for each site/service. With that, you'll be protected from automated attacks that just reuse leaked passwords, and you'll have a long, uncommon password, and you'll be able to easily recall it without needing to install a password manager.
The only way that you would be vulnerable is if you have multiple passwords leaked, and then someone purposefully reconstructs the pattern you've created, and in that case a password manager would be better.
What do you do when you need to change a password (many websites don't allow you to use last N passwords for an arbitrary value of N when you're resetting passwords, and you can't always avoid such websites)?
Fortunately I've never really encountered anything like that, but I think the easiest thing to do would be to just append a character to the end of the password, such as an exclamation point, and make a note somewhere. If you frequently have to deal with changing passwords (for example in a business setting) a password manager would definitely be more convenient.
Definitely! I even self-host Bitwarden so I get sync capability without giving control of my passwords to some company.
I’m in the boat of yes and no.
Yes:
If you’d like a quick and painless solution and don’t care about what your password is, looks like, or where it’s stored, it’s a good option. I do personally advise against cloud based password managers, as data breaches can and will continue to happen no matter what security measures are in place. If you need your passwords available on multiple devices, I recommend Enpass which is free on everything but iOS (I think it’s a $10 OTP) and isn’t cloud based. Then you can keep a full backup on a flash drive; easy and doesn’t rely on a cloud based service. If you’re not a fan of Enpass, I’ve heard KeePass is also good.
No:
A good, memorable password doesn’t need to be filled with random characters, numbers, etc. It needs to be personal to you and hard for a computer to calculate “blind.” Sure “Dogname123” is personal, but a brute force password cracker looks for things exactly like this (unless it’s salts and rainbow tables and stuff like that, but that’s not my point), and your goal is not to make a password look “strong,” but to make the cracking tool take as long as possible to crack your password whether it be via a hash, salted hash, or just brute forcing it. The style I like (but change slightly from time to time) is to pick 3-5 things that are specific to you, your life, your interests, and combine them:
You then take all of these values, separate them with a special character (optional), add capital letters where you see fit (but not lIkEThIS), and then you have a personalized password that’s easy to remember since it’s similar to—if not the same as—a mnemonic and doesn’t use multiple, different special characters or rely on numbers. For each new site, you can then change the format slightly depending on the site itself (maybe for tildes I use ~ as my special character, etc). If you have a really bad memory or are afraid of forgetting your passwords, you can also go the old school route and write them down on paper and store them somewhere safe (like crypto wallet recovery keys).
In closing:
Password managers are good if you choose the “right one.” I personally can’t justify a monthly payment for “oooh salted hashes and wow aes-256 ‘government style’ encrypted databases that are owned by someone else” but that’s just me. I understand why you would want that though, as it can definitely suck sometimes managing your own passwords (as someone who just reset one of theirs today; 16-year-old me had great password security...).
Sorry if this was too long or boring to read, but hopefully it cleared up some things for you. Cheers!
I see them less as "things I know" and more as "things I own". Would you be able to reproduce the keys to your house from memory? Does it matter if you do?
And yes. I consider them essential, and this hang-up something you should get past. Most password managers these days can be accessed from multiple different platforms - hell, even pass has an Android app nowadays - but if you are really worried about losing access, stash a copy of your passwords db (possibly with links to the app & co) on a few key accounts, and memorize Diceware passphrases for those. That way, even if you lose all your devices, you'll just need an Internet connection to retrieve your store, and you'll minimize the number of passwords you need to memorize (password store, email account, secondary email).
Like others, I use KeePass. I auto-sync my DB across devices using Dropbox.
Around your password issue, I like to use pass phrases for sites. For instance, my password for tildes might be something like promoting_civil_discourse_among_netizens. The longer the better. If I use a site often, it’s easy to remember the pass phrase. If not, it’s in my password manager.
Is there a password manager that will do this automatically for me? I've trialed Bitwarden and KeePassDX, but both of those only create untypable random sequences. I'd love one that would autogenerate and store diceware-style ones.
Bitwarden can do passphrases. Under Generate -- change it from 'password' to 'passphrase' --
cubical-outthink-canon-food
It's not true diceware, but it's much easier for manually entering passwords.
Ah, thanks. It's strangely not an option on the mobile app, but I was able to access it on desktop. This is exactly what I'm looking for. Thanks!
Hey yeah, it's weird it's not in the mobile app. I'm in the middle of changing a bunch of passwords and had just discovered the passphrases in the desktop apps moments before reading your comment.
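To show what a diceware-style generator like the one discussed above does under the hood, here is an added example (not Bitwarden's code and not from anyone in the thread). It draws words with the OS CSPRNG from a constructed 32-word list and computes entropy against a real-size 7776-word Diceware list; the wordlist, the 94-character printable alphabet and the guessing rate are assumptions for illustration.

```python
import math
import secrets

# Constructed mini wordlist for this example. A real Diceware list has 7776 words
# (6**5, one word per five dice rolls) and gives ~12.9 bits per word; this 32-word
# list gives only 5 bits per word, so use the entropy functions with the real size
# when reasoning about strength.
WORDLIST = [
    "cubical", "outthink", "canon", "food", "harbor", "velvet", "lantern", "orbit",
    "maple", "quartz", "ripple", "saddle", "tundra", "walnut", "zephyr", "glacier",
    "pencil", "marble", "falcon", "ember", "cobalt", "meadow", "anchor", "bishop",
    "cactus", "dagger", "ferry", "goblet", "hammock", "igloo", "jigsaw", "kettle",
]
DICEWARE_SIZE = 7776

_rng = secrets.SystemRandom()   # OS CSPRNG; never random.choice for credentials


def passphrase(n_words: int, sep: str = "-", wordlist=WORDLIST) -> str:
    """Draw n words uniformly and independently (with replacement) and join them."""
    return sep.join(_rng.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words: int, wordlist_size: int = DICEWARE_SIZE) -> float:
    """Entropy of n uniformly chosen words. The separator and word order add
    nothing against an attacker who already knows the scheme."""
    return n_words * math.log2(wordlist_size)


def random_string_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random string over an alphabet (94 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(passphrase(4))
    for n in (4, 5, 6):
        print(f"{n} Diceware words: {passphrase_bits(n):.1f} bits")
    print(f"8 random printable chars: {random_string_bits(8):.1f} bits")
    # Assumed rate for illustration: 1e10 guesses/s against a fast unsalted hash.
    print(f"5 words at 1e10 guesses/s: {years_to_exhaust(passphrase_bits(5), 1e10):.1f} years")
```

Four words from a real Diceware list carry about the same entropy as eight fully random printable characters, and each extra word adds almost 13 bits, which is why a six-word phrase that is easy to type off a phone screen is still a good trade.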
I love Bitwarden. I've spent a good deal of time with each major client / platform, and of all of them, Bitwarden is the only one that just works right away without having to subscribe to anything. I was first part of the LastPass exodus when they were acquired by LogMeIn, then went to 1pass, but dropped that since there was no Linux support at the time. KeePass is ok, but the sync wasn't perfect on one system.
Anyway, I love bitwarden.
I feel that password managers are 100% needed nowadays. I managed to convince my mom to let me set her up with Bitwarden, because her Gmail was broken into (not fully though, thankfully).
However I'm not 100% on board with trusting some random company with my data (LastPass, 1Password, etc), so what I'm doing is I'm hosting my own BitWarden server. So the passwords never leave my server.
Do you have all of your friend's phone numbers memorized? I bet you did ten years ago, but probably not today.
You store passwords in a manager just like numbers in an address book. It's only weird because you're not doing it already.
The only passwords I remember are my master password, and my email. Everything else is stored securely in KeePass.
With KeePass you can have a copy of the database on your phone and your computer, etc.
When are you ever without your phone? With KeePass you can also generate your own entropy for each password, but you won't ever 'know' it like you said. It still works extremely well and I suggest it over having weak passwords like you most likely do now.
https://keepassxc.org/
Essential? No.
I have few accounts and I have 4 passwords. The longest and most elaborate is for banks, the second most elaborate is for email, the third is for social media and the least elaborate is for superfluous things. And I have a master password for an encrypted txt file with these four passwords.
But almost all of them are hard because they are long phrases with numbers and special characters.
I never used a password manager and I don't fear my accounts being taken, I just fear I could forget my passwords. I just need to make sure I don't forget the password for the encrypted file, and for that I grabbed a page of a book I like which has a passage that mentions in a simple way a word that is in my master password.
The real risk with this approach is that a single database breach can risk all accounts that use that same password. While many sites hash+salt passwords, many others do not. It's putting a lot of faith in others to do their jobs correctly.
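The comment above turns on how the breached site stored its passwords. The block below is an added example, not the commenter's code: it contrasts an unsalted fast hash with a per-user-salted iterated KDF on a constructed user table (two users sharing a password) and a constructed attacker dictionary, and counts the attacker's work in each case. The iteration count is deliberately tiny so the example runs instantly; it is an assumption, not a recommendation.

```python
import hashlib
import os

# Constructed sample data for this example (not a real leak): a site's user table
# before storage, plus the small dictionary an attacker tries first.
# alice and carol reuse the same password.
USERS = {"alice": "correct horse", "bob": "Tr0ub4dor&3", "carol": "correct horse"}
ATTACKER_DICT = ["password", "123456", "letmein", "correct horse"]

# Deliberately low so the example runs in well under a second. Real deployments
# use hundreds of thousands of PBKDF2 iterations or a memory-hard KDF.
DEMO_ITERATIONS = 1_000


def hash_unsalted(password: str) -> str:
    """What a careless site stores: one fast hash, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> str:
    """Per-user random salt plus an iterated KDF, stored as salt$hash so it can be verified."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${dk.hex()}"


def build_dump(salted: bool) -> dict:
    """Simulate the credential table that leaks in a breach."""
    if salted:
        return {u: hash_salted(p, os.urandom(16)) for u, p in USERS.items()}
    return {u: hash_unsalted(p) for u, p in USERS.items()}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """One hash per dictionary word; the table is reusable against every user and
    every other unsalted dump, which is what a rainbow table exploits."""
    table = {hash_unsalted(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(wordlist)          # work: len(wordlist) hash calls in total


def crack_salted(dump: dict, wordlist: list, iterations: int = DEMO_ITERATIONS) -> tuple:
    """Salts force the attacker to redo the whole dictionary per user, and every
    guess costs `iterations` HMAC evaluations instead of one hash."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        salt = bytes.fromhex(stored.split("$")[0])
        for w in wordlist:
            work += iterations
            if hash_salted(w, salt, iterations) == stored:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    weak = build_dump(salted=False)
    print("alice == carol under unsalted SHA-1:", weak["alice"] == weak["carol"])
    print("unsalted:", crack_unsalted(weak, ATTACKER_DICT))
    strong = build_dump(salted=True)
    print("salted:  ", crack_salted(strong, ATTACKER_DICT))
```

Both paths still crack "correct horse" because it is in the dictionary; what changes is the price. With the unsalted dump, equal hashes reveal the reuse before a single guess is made, and four hash calls cover every user and every other site that stored the same way. With salts and iterations the attacker pays the full dictionary times the iteration count for each user separately, and nothing learned transfers to the next breach. A unique password per site is the only part of this the user controls.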
It is a risk, but not so much. I said it wrong when I said that there's one password only for banks. All my bank accounts and main e-mail have different passwords, so I have 3 bank accounts with different passwords and my personal e-mail. So, if somebody gets one of them, it will not work with others. These are the most important things.
The websites that use the weaker and same passwords are tildes, gmail (e-mail account for buying things and dealing with spam), facebook and virtual stores.
I'm the same as you. I have long, complex, unique passwords for the few things that really matter - banking, email, paypal, etsy and so on (most of which use 2FA as well) - but I have one password I use for things like tildes, shop accounts, etc. etc.
What I vary isn't the password, it's the email associated. I have a catchall on my domain so every login is [sitedomain]@mydomain.com/standardpassword. So you might get my password but that's all you're getting. I mean I suppose it's a fairly easy system to guess but then also I don't really care if someone compromises my reddit account or breaks in to my crazy-factory.co.uk account. I never store my payment details anywhere and even if I did, I have fraud protection on my bank accounts anyway.
Bonus - I can log in to any of my accounts from anywhere, because I know the passwords. I don't know how that works with password managers, although I'm sure there is some way around it.
Essential? No. Immensely helpful? Yes.
I made the switch to LastPass last year and have virtually no regrets. For me LastPass hits a balance of convenience, ease of setup, and security. It lacks the open source nature of alternatives like KeePass (highly recommended here) or Bitwarden but it is okay with me. The apps/website/chrome extension are great.
The trigger that got me onto a password manager was checking my email on: https://haveibeenpwned.com/ and running into the hassle of trying to find and change all the passwords to keep up with it.
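The same site also publishes its Pwned Passwords corpus through a range endpoint (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1), so a password can be checked without sending it anywhere. The block below is an added example, not code from the thread or from the service: it implements that k-anonymity lookup and runs offline against a constructed response body whose format matches the real one; the suffixes other than the one for "password" and all counts are made up.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"   # real endpoint; takes 5 SHA-1 hex chars


def sha1_parts(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) -> response body; injected so the check can run offline."""
    prefix, suffix = sha1_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Only the 5-char prefix is sent; the service returns every
    suffix sharing it, and the match is done locally."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwcheck-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline fixture (not real API data) ---------------------------
# Mimics the body returned for the prefix of "password". The other two suffixes
# are made up and the count is illustrative; only the format matches the service.
_PW_PREFIX, _PW_SUFFIX = sha1_parts("password")
SAMPLE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PW_SUFFIX}:3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that only knows the fixture prefix."""
    return SAMPLE_BODY if prefix == _PW_PREFIX else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", pwned_count(pw, fetch_range_offline), "times")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the password itself and 35 of its 40 digest characters stay local either way, which is the property that makes it acceptable to run this check against a password you intend to keep.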
Absolutely.
In this day and age with constant data leaks, reusing the same password at multiple places is risky.
Use a password manager, make long and unique passwords, use full disk encryption, strong security backed by two-factor verification and biometric authentication....
It’s too dangerous otherwise :/
I definitely think so. Having a password manager makes things so much easier and more secure. You can have nice, crazy long secure passwords for all your accounts and you only have to remember your one master password. Like others here have mentioned, KeePass or LastPass are both good.
I wouldn't say it's essential, but it sure helps!
In the last couple of months I started using KeePass on Windows computers and KeePassDX on my Android phone more and more. I synchronise the database between these computers using Syncthing (which isn't available on iOS, but is on macOS, for Apple users among us) with versioning.
To open the database I use the key file and password. The key file is moved out of shared folders once a new computer that needs it has received it. The passwords I have to remember are lines from lyrics or nonsensical sentences I can remember.
How do you like KeePassDX? Have you used Keepass2Android? I'm thinking of switching to DX since it's on F-Droid.
Sorry, I have no experience with KeePass2Android (or any other Android KeePass app). It's not as quick as KeePass on a desktop/laptop, but that's mostly because of the way android is supposed to be operated.
F-Droid has other KeePass compatible password managers as well.
Okay, thanks anyway! I remember I tried DX in the past, but there was some reason I didn't switch to it. Sounds like it's time to try it again.
I use LastPass and couldn't recommend it more.
I used LastPass up until about a week ago when it was pointed out how many times they've had security breaches or bugs. Sure, they fix them pretty quickly and no software is without bugs, but they seem to have more issues than other free and easy to use password managers like Bitwarden.
Nah. I personally don't see the need for it at all. Seems like too much of a hassle for not that much reward. Bruteforcing takes a very long time, it's hardly a concern. If a site you're registered on gets pwned, just change your important passwords. Takes 15 minutes at most, depending on how many you have to change.
I have something like 300 passwords saved in my password manager. It would take a lot longer than that to change all of those.
Having a unique password for all of those sites and being able to remember them would be basically impossible for most people.
I use a single 'good' password with a site-specific cipher. Is that a reasonable third option?
I think the main issue with that is if someone cracks your password on one, or a few, sites, and can figure out the pattern, they'll have access to all your passwords automatically.
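Both the earlier "third option" post (a memorable base password varied per site in some formulaic way) and this last exchange turn on the same condition: the scheme holds until two or more of the derived passwords leak and someone reconstructs the rule. The block below is an added example, not from anyone in the thread, that performs that reconstruction. The two leaked passwords, the site names and the list of candidate site-to-token rules are all constructed assumptions; a real attacker would carry a much longer rule list.

```python
import os

# Constructed sample, not real breach data: two passwords belonging to one person,
# recovered from breaches of two different sites. They follow the scheme described
# in the thread: a fixed core, a site-derived token, and a fixed tail.
SAMPLE_LEAKS = {"tildes": "BatteryHorse!sed42", "github": "BatteryHorse!buh42"}

# Candidate site-to-token rules an attacker would try. "none" covers plain reuse.
TRANSFORMS = {
    "none": lambda s: "",
    "site": lambda s: s,
    "site_capitalized": lambda s: s.capitalize(),
    "first3": lambda s: s[:3],
    "last3": lambda s: s[-3:],
    "reversed": lambda s: s[::-1],
    "last3_reversed": lambda s: s[-3:][::-1],
    "initial": lambda s: s[0],
    "length": lambda s: str(len(s)),
}


def common_affixes(passwords):
    """Longest shared prefix, then longest shared suffix of what remains after it."""
    prefix = os.path.commonprefix(passwords)
    rest = [p[len(prefix):] for p in passwords]
    suffix = os.path.commonprefix([r[::-1] for r in rest])[::-1]
    return prefix, suffix


def infer_pattern(leaks):
    """Find (prefix, rule, suffix) such that prefix + rule(site) + suffix reproduces
    every leaked password. Shorter affixes are tried too, because a character the
    tokens happen to share at an edge would otherwise be swallowed by the affix."""
    passwords = list(leaks.values())
    max_prefix, max_suffix = common_affixes(passwords)
    for plen in range(len(max_prefix), -1, -1):
        for slen in range(len(max_suffix), -1, -1):
            prefix = max_prefix[:plen]
            suffix = max_suffix[len(max_suffix) - slen:]
            for name, rule in TRANSFORMS.items():
                if all(pw[plen:len(pw) - slen] == rule(site) for site, pw in leaks.items()):
                    return {"prefix": prefix, "transform": name, "suffix": suffix}
    return None


def predict(pattern, site):
    """Password the recovered pattern implies for a site that has not leaked."""
    return pattern["prefix"] + TRANSFORMS[pattern["transform"]](site) + pattern["suffix"]


if __name__ == "__main__":
    pattern = infer_pattern(SAMPLE_LEAKS)
    print("recovered rule:", pattern)
    for site in ("reddit", "amazon"):
        print(f"{site}: {predict(pattern, site)}")
```

Two leaks are enough here because the rule list is short and the core is fixed. The scheme does defeat automated credential stuffing, since no site's leaked password works unchanged anywhere else, which is the benefit its proponents in the thread claim; what it does not survive is one person with two of the passwords and a few minutes, which is the case its critics point to. A manager's random per-site passwords leave nothing for this function to find.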