After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
27 votes -
Passkey vs smart use of passwords
I went down the path of thinking about switching to Passkeys but it seems like more hassle than it is worth, so I hoped this community could tell me if I am crazy.
I use Bitwarden to generate and save passwords for anything important and always use an authentication app when the option is present. I never use the same password. Sadly, most Canadian banks are awful and only allow SMS 2FA if anything at all. That said, of the two banks I primarily use, one does allow an authentication app and the other uses its own app to send authentication codes.
I always read that Passkeys are better for people who are lazy/bad with their passwords. For someone like me, is the security practically the same or is there still some benefit to switching everything I can to Passkeys?
31 votes -
Cybernews research team has uncovered over sixteen billion leaked records since the start of 2025
37 votes -
So how do I know my passwords are safe?
11 votes -
What's the deal with sites that ask if you want to sign in with your password or an emailed code and then after you use your password, they still email you a code?
I'm all for two-factor authentication, but what's the point of asking?
20 votes -
Why does searching "zldksnflqmtm" bring up Keanu Reeves?
17 votes -
Bitwarden switches password manager and SDK to GPL3 after FOSS-iness drama
54 votes -
Passwords have problems, but passkeys have more
35 votes -
Over fifteen million passwords were temporarily inaccessible in Chrome's password manager
42 votes -
Maximum-severity Cisco vulnerability allows attackers to change admin passwords
26 votes -
Bitwarden transitions from Manifest V2 to V3
25 votes -
Help me ditch Chrome's password manager!
I've been trying to reduce my reliance on all things Google, and one of the big ones is password management. I've tried several times to make the jump, but every time I start researching options I'm overwhelmed by the selection. There are a lot of popular options out there, and I really don't have the time/energy to endure a misstep. So without a clear idea of which manager will check all of my boxes, I end up bailing on the process and keep using Chrome's built-in option.
So to start, here's what I like about Chrome:
- Automatically offers to store passwords without extra clicks
- Autofills automatically where it can, and gives me an easy choice when it can't
- Works everywhere I need passwords. (basically everywhere I browse the internet since Chrome works everywhere)
- Minimal overhead. This is hard to beat since Chrome just includes it, so I'm fine with a little extra setup if necessary.
I used to use KeePass Portable on a thumb drive (I want to say circa ~2009ish), but it became really inconvenient as my usage shifted more to mobile devices.
I see this as a first step to also reducing my reliance on Chrome so I can start to consider other browsers. Right now I feel locked in to Google's ecosystem, but I know I can break it up if I don't get too bogged down by choice. Much appreciate any help. :)
34 votes -
The decline of username and password on the same page
Web devs: what's up with this trend? For enterprise apps, I get it…single sign-on needs to detect what your email domain is to send you to your identity provider. For consumers, I feel like it's gotta be one of these reasons:
- Users don't know about the tab key being able to move to other fields on a page
- Mobile users don't really have a tab key, despite there being "previous/next field" arrows on the stock iOS keyboard since its inception (Android users, help me out please)
- Users tend to hit Enter after typing in their username, leading to a form submission with a blank password
- Security, maybe? In the past I have sent a link and a password in separate emails or separate communication methods entirely. Are you hashing/salting these separately for better MITM mitigation?
Did your UX team make a decision? Are my password managers forever doomed to need a "keyboard combo" value for every entry from now on?
Non-devs: do you prefer one method over the other? If so, why?
Tildes maintainers: selfishly, thanks for keeping these together :)
71 votes -
ChatGPT is leaking passwords from private conversations of its users, Ars reader says
17 votes -
Experts link LastPass security breach to a string of crypto heists
48 votes -
What password management solution do you use and why?
For a long time now, I have been using KeePassXC for desktops and KeePassDX for Android. I keep everything synchronized neatly with Syncthing, which can be configured to operate over your WiFi or the internet through their gateways. This allows me to share a single KeePass file with another individual, provided I tell them the password.
I have a co-worker who is loving 1Password and while it looks great, something irks me about paying monthly for a password manager. I looked into Bitwarden for a "local cloud" and have seen very mixed results as well as not being sure if I could trust my own security configurations to do so.
I am primarily wondering what everyone else is using in search of something a bit more convenient (I'm not opposed to using the cloud) that has an app like KeePass that I can use for desktop apps, and not just in the browser (though I don't use that function often, truthfully).
Edit: Passkey support was mentioned in this comment and made me realize how important such support will be in the coming years. For those of you with password management solutions supporting it, how has it been?
107 votes -
Proton Pass, open-source and encrypted password manager
17 votes -
Phasing out passwords: Apple to automatically assign each user a Passkey
57 votes -
Security expert defeats Lenovo laptop BIOS password with a screwdriver
13 votes -
KeePass 2.54 is out
8 votes -
1Password releases Passkeys in public beta channels
12 votes -
Generate a secure password using lyrics from Kenny Loggins. It's funny and useful!
4 votes -
Google's adoption of passkeys (security blog article)
11 votes -
LastPass recent security incident
7 votes -
Firefox for families: The TechTalk - Making awkward tech conversations with kids slightly less awkward
5 votes -
Bitwarden raises $100 million from PSG Equity
12 votes -
Plex breach exposes usernames, emails, and encrypted passwords
12 votes -
I've locked myself out of my digital life
16 votes -
If you could rebuild user authentication on the web from the ground up, what would you do?
lou's post here resonated with me and my attempts to get my family to use better security practices (i.e. 2FA, password managers). They're very difficult to wrap your brain around to the average user, and they have the ability to create catastrophic failstates if used incorrectly. Furthermore, even when they work well, they can still be kind of clunky (different sites use different methods; writing down/printing recovery codes feels like a dated solution alongside other tech-forward things).
Also, outside of this, password requirements are their own bugbear, with nearly every site having different criteria. Even as someone who uses a password generator and manager on the regular, I still have to adjust the password creation criteria to do things like fit character limits or specific requirements (and don't get me started on forced resets!). I totally get why so many people reuse passwords, or have a default one that they sort of modify as needed to fit a given site's needs.
From my (admittedly super limited) perspective of a lay user: usernames, passwords, 2FA and the whole stack seems like something that's suffering under the technical debt of decades' worth of web development and networking. It seems like things have inched forward and many new layers have been added to address emergent problems, but the whole system gives a sort of barely-held-together-by-tape feel.
What if we could use what we know now and redesign things from the ground up? If we could start fresh, today, what might username authentication look like beyond the usual username/password combos that we're so used to?
I'm interested in any ideas -- not necessarily just feasible ones.
Also, despite me being the one prompting this thread, don't feel the need to simplify technical explanations or anything. I'm mostly interested in lurking and seeing what all you very smart techy people have to say about the topic. :)
12 votes -
Analysis of PINs
12 votes -
LastPass is going to become an independent company
16 votes -
The persistent gravity of cross platform
7 votes -
1Password 8: The story so far
10 votes -
The Netflix password-sharing crackdown has begun
18 votes -
I'm thinking of getting a password manager. How does it work and any advice on transitioning to one?
The reason why is to make more accounts for Reddit, YouTube (one for entertainment and Portuguese content each), news sites where signing up is an alternative to pass a paywall, and other sites with comment sections.
Bad euphemism bro. Also some sense of "praxis" in order to gain privacy. Edit: And also getting anxious at the idea of remembering all my passwords, and putting them in a note in my old phone, which I am not bringing into my new phone and want to use this to delete.
According to these two articles, I can save my old passwords I had before and maybe even still make new ones after, and put them in a folder behind one true (master) password, which is the one you will truly care about, and they will be saved in a way in which the managing company won't know your password?
There's also figuring out which provider to use (and probably a similar post for alt-mail providers.) This is overwhelmingly for mobile (Android). No real space constraints for apps, only price, because I'm not working age.
27 votes -
Dutch researcher claims that he accessed US President Donald Trump's Twitter account by guessing password
21 votes -
Gopass - The team password manager
7 votes -
Jam lets you safely share streaming app passwords
9 votes -
Generated passwords, UX and security absolutism
17 votes -
It’s time to plan for a future beyond passwords
11 votes -
1Password has raised $200 million from Accel
16 votes -
What password manager, if any, would you recommend?
After being skeptical of password managers for a long time, I've decided to take the plunge and get one installed. The burden of remembering dozens of passwords is simply getting a bit too much. So, I was wondering if anyone here has any recommendations of password managers? Maybe one you or a trusted friend use? Or maybe you think password managers are rubbish, and want to share your opinion?
Any suggestions are welcome, in the interest of fostering discussion/having the thread be useful to other people too. But in my specific use case, I want to be able to sync between devices. I'd prefer something open source, but it's not a requirement.
25 votes -
Interview with Google's login chief about passwords vs. single sign-on
8 votes -
Samsung spilled SmartThings app source code and secret keys
5 votes -
Facebook stored hundreds of millions of user passwords in plain text for years
27 votes -
What would be a good security setup for me?
So:
- I keep all my passwords in my password manager (Bitwarden)
- All my 2FA codes are generated by AndOTP on my phone.
- My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
- I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
- Is there anything I'm forgetting here?
8 votes -
Why 'ji32k7au4a83' is a remarkably common password
57 votes -
Android is helping kill passwords on billions of devices
11 votes -
Is a password manager essential?
I feel like it's impossible to remember passwords that are long, random, and unique for every service. I have too many accounts.
On the other hand, I don't like the idea of giving up control of my passwords to a password manager and using the ones it generates and stores. It feels weird that I wouldn't "know" my passwords.
Is this a hangup I should just get past? What do I do if I need to log in somewhere but cannot access my password manager?
30 votes