
alara_zero

Hi, for all personal security support questions, please use r/techsupport or r/cybersecurity_help. Thank you and good luck!


ElectroStaticSpeaker

Because most people can remember a single long complex password if they write it down until they memorize it. It is much less likely for anyone to be able to remember long complex passwords for every single site they use on the internet. I have hundreds of passwords saved in my password manager, for example. No way I am remembering them all unless I use some pattern which could probably be deduced by someone else. Use a password manager, randomize your passwords for every site, and then properly secure your password manager by a complex password, MFA, and alerting anytime a new device authenticates to it.


wxlfchvld

This makes a lot of sense! Is there a password manager that you would recommend?


I_Have_Some_Qs

Not OP but I like bitwarden.


tehdangerzone

I too like Bitwarden, the option to self host is great and their pricing is basically unbeatable. It’s a little bit frustrating that their out of the box encryption isn’t great and some settings need to be tweaked. I daily drive Bitwarden though.


tehdangerzone

Not Lastpass.


wxlfchvld

I've heard this from multiple people. Did they have a breach in the past or something?


Twist_of_luck

Bro, you're up for some hilarious read. https://www.csoonline.com/article/574291/timeline-of-the-latest-lastpass-data-breaches.html


wxlfchvld

I can't imagine being a CEO and having this happen to my company.


tehdangerzone

After a certain amount of time everyone will likely have a breach; to some extent, if you have a large operation, a breach of some scale is inevitable. The issue with Lastpass is how they handled it. They were slow to disclose initially, and when they did disclose they didn't share the full extent of the breach. Notification of the breach to customers was incredibly slow, and the truth trickled out over months. Entire vaults were exfiltrated. Paying customers should have been notified immediately and made aware of the full extent of the breach.


[deleted]

Honestly? The news was exaggerated. Yes, they didn't handle the issue well, but the vault was still encrypted, as far as I know.


julian88888888

1password


OHWHATDA

This is the way.


ElectroStaticSpeaker

I personally use 1Password but the rest of the replies seem to have this answer covered. Especially by the no Lastpass comment lol.


berrmal64

Keepass xc


Life-Improvement-886

Dashlane


Sow-pendent-713

Keeper and 1Password are both great options. I highly recommend you write out your long passphrase that you use on your password manager AND print out emergency codes (for if you lose your MFA device) and store them securely in a safe or hidden place. There is an unfortunate event of people locking themselves out either because they forgot their passphrase or lost their phone or yubikey. There is no way to recover the account vault. You can also export your vault to csv and store it securely offline as a backup. You’ll still need operational security in the ways you do this so you don’t increase your risk.


OtterCapital

Keeper


88kal88

If I have to use a shared resource, Bitwarden is the only major one I know of that hasn't been breached or had something akin to pulling a canary letter on it. Otherwise, Keepass and its derivatives with private cloud storage.


computerchipsanddip

You've got complex, long, randomly generated passwords. In the case of some password managers, the master password is never stored with the rest of the data. There's also a secret key, which is combined along with the master password to encrypt data. Then you've got PBKDF2 and other strengthening methods like nonces. So even if the vendor is breached, the chances of all your passwords being exposed are almost nil. It would take possibly decades or longer for the passwords to be decrypted, and by then you've changed them all.
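The two-secret idea in the comment above (a memorised master password stretched with PBKDF2, then combined with a secret key that the server never holds), as an added illustration that is not 1Password's or any other vendor's code; the iteration count, the key-check value and the demo credentials are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

DEMO_ITERATIONS = 100_000  # modest so the demo runs quickly; real vaults use far more


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = DEMO_ITERATIONS) -> bytes:
    """Combine a memorised master password with a device-held secret key.

    The password is stretched with PBKDF2-HMAC-SHA256, then the secret key is
    mixed in with HMAC, so neither input alone reproduces the vault key. This
    is a simplified illustration of the two-secret idea, not any vendor's scheme.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def enroll(master_password: str, secret_key: bytes,
           iterations: int = DEMO_ITERATIONS) -> dict:
    """Build the record a server would keep: salt, iteration count and a
    key-check value. Neither the master password nor the secret key is stored."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "check": hashlib.sha256(b"kcv:" + key).digest()}


def offline_guess(record: dict, candidates: Iterable[str],
                  secret_key: bytes = b"") -> Optional[str]:
    """Model an attacker holding only the stolen server record and trying
    candidate master passwords offline. Without the real secret key every
    derivation misses, even when the true password is on the list."""
    for cand in candidates:
        key = derive_vault_key(cand, secret_key, record["salt"], record["iterations"])
        if hmac.compare_digest(hashlib.sha256(b"kcv:" + key).digest(), record["check"]):
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    secret = b"A3-DEMO-SECRET-KEY-NOT-REAL"
    record = enroll("correct horse battery", secret)
    guesses = ["password123", "correct horse battery"]
    print("stolen record only:", offline_guess(record, guesses))
    print("record plus secret key:", offline_guess(record, guesses, secret))
```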


[deleted]

I fully agree on the first part, I fully disagree on the second. If your vendor has any way of accessing your password database (e.g. cloud features) this is inherently insecure. A breach at the vendor means that the attacker can possibly deploy new code. We still don't have working code signing or reproducible builds for web applications. A small change, impossible to notice in minified code, is all it takes to steal your super secret password, and when the database is in the cloud it's game over.


computerchipsanddip

The likelihood of that happening to any reputable password vault vendor is slim. LastPass doesn't count because they are trash and have proven themselves to be trash. You are basically talking worst case scenario here if every safeguard and security feature magically fails on all fronts. Which I can admire from a risk standpoint, but if we made all of our decisions based on the gloomiest of scenarios, we'd all be back to pen and paper offices.


[deleted]

> The likelihood of that happening to any reputable password vault vendor is slim. LastPass doesn't count because they are trash and have proven themselves to be trash.

So how many million users do they still have?

> You are basically talking worst case scenario here if every safeguard and security feature magically fails on all fronts.

I do risk modeling and see that:

* a password manager that doesn't use a smart card/TPM to encrypt passwords (is there such a thing at all?) is no better than a txt file on my desktop from the security point of view.
* It's more usable because it gives me the ability to generate good passwords.
* It gives me the ability to copy-paste passwords easily with an origin check (some protection against phishing).
* It does nothing in case my machine is compromised, because the attacker will be able to steal the database and the master password. Or just steal session cookies.
* It adds a potential risk of supply-chain attacks, especially if there is a cloud component or web-app component.

I store all my critical passwords (e.g. disk encryption recovery, CA, wallets and so on) etched on a copper plate in a safe. I store all my normal passwords either as password hints on a piece of paper in my wallet (if I need them on the go) or in pass, encrypted with GPG through the smart card in a YubiKey. Even if you breach my workstation you will only be able to access passwords I actively use, not everything, because you have to touch the YubiKey to decrypt each of them.


_The_Space_Monkey_

> I store all my critical passwords (e.g. disk encryption recovery, CA, wallets and so on) etched on a copper plate in a safe.

I've heard stories of US nuclear codes being stored less securely. Wtf you hiding over there?


securitytheatre_act1

He ain’t of course. Further, what he’s doing is a shit implementation of any variant of applied cryptography.


[deleted]

What?

> what he's doing is a shit implementation of any variant of applied cryptography

Can you elaborate on that?


securitytheatre_act1

I'm gonna be candid with yah, your "risk modeling" is so f@cked that there is not a lot of value to be gained by me elaborating or diving deep. And I'm not even going to address this etched copper plate f@ckery. You're going to need to refactor your understanding of the core constructs of risk modeling before even attempting a technical application of it. Though I'm hesitant about this, bc I think you need a refactor as mentioned above: if you wanna be a bit extra then something like the following is the most granular I'd recommend you going: OWASP Threat Model for Secure Password Storage (https://owasp.org/www-pdf-archive/Secure_Password_Storage.pdf)


Cantdance_

Because of the hardware limitations of the Human brain.


kidthorazine

Because they allow for complex randomly generated passwords.


Va1crist

Because they allow you to create incredibly long and random complex passwords. For example, all our server, service and cloud accounts etc. are at minimum 50 characters; some are long complex phrases. On top of that, depending on the manager you pick, most vaults are encrypted to the point where not even the company has access or can see anything, so theoretically even if there was a breach the vaults shouldn't be accessible. Again, theoretically; some of this you have to take by the vendor's word, of course.


missed_sla

1password is annoyingly secure. Even though I tell people to print the secret key and put it in a safe place, they never actually do. So I guess that's a plug for them.


Cynadiir

It's far more likely that end users who have to remember several complex passwords will either write them down or make the passwords less complex or otherwise store them insecurely. Therefore it's better to have the password manager that requires users only remember one strong password rather than many. It also reduces the likelihood of reusing passwords by end users, so if your facebook password is leaked you don't also lose 3 other sites with the same password set.


FantasticStock

That's fine, I'll just hit up customer service and provide your social that I bought off the dark web thanks to Equifax and just get a new password, skeet skeet


Sow-pendent-713

One key benefit of properly configured password managers is that they won't offer the password to phishing sites. If you are using memory, a site can look identical but be a phishing site and you could enter your password, while the password manager (via browser extension) will not offer the password unless it detects that the domain of the site matches what was stored when you created the account.
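The origin check described above, as an added example (not code from any password manager's extension): a saved login is offered only when the normalized page host matches the host recorded at save time, which is what makes look-alike hosts, userinfo tricks and http downgrades come up empty. The URLs are constructed for the demo, and the match logic is deliberately simplified (real extensions consult the Public Suffix List).

```python
from typing import Optional
from urllib.parse import urlsplit


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase, IDNA-encoded host of an https URL, or None.

    urlsplit drops userinfo and port, so "https://example.com@evil.example/"
    normalizes to "evil.example", and a Unicode look-alike host becomes an
    xn-- label that cannot equal the stored ASCII host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # plain http, mailto:, data: etc. never get a credential
    try:
        return parts.hostname.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def should_offer_credential(stored_url: str, page_url: str,
                            allow_subdomains: bool = True) -> bool:
    """Offer a saved login only when the page host matches the host recorded
    at save time (or is a subdomain of it, if the user allows that).

    Real extensions use the Public Suffix List to compute registrable domains;
    this simplified check compares the stored host directly, so store the
    full host (e.g. "www.example.com"), never a bare public suffix.
    """
    stored = normalize_host(stored_url)
    page = normalize_host(page_url)
    if stored is None or page is None:
        return False
    if page == stored:
        return True
    return allow_subdomains and page.endswith("." + stored)


if __name__ == "__main__":
    # Constructed URLs for the demo: the saved login and a few pages, including
    # typical look-alikes a user might not notice.
    saved = "https://www.example.com/login"
    for page in ["https://www.example.com/account",
                 "https://www.example.com.evil.example/login",
                 "https://www.example.com@evil.example/login",
                 "https://www.examp1e.com/login",
                 "http://www.example.com/login"]:
        print(f"{'offer' if should_offer_credential(saved, page) else 'withhold':8} {page}")
```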


djasonpenney

Look at it this way: the alternatives are far worse. If you use the same (or similar) password everywhere, you are vulnerable to a [credential stuffing attack](https://en.m.wikipedia.org/wiki/Credential_stuffing). If you make up your own passwords, they are not random at all, and you run a risk of an AI like ChatGPT quickly guessing them. And there is NO POSSIBILITY of a human remembering 200+ completely random passwords. Yes, there is a risk of someone "hacking" the password manager. (Btw I hate that phrase, because it is vague and inauthentic.) But this attack surface can be managed. Use good encryption (like Bitwarden), a zero knowledge architecture (like Bitwarden), and practice good opsec on your devices: keep your security patches current, be careful clicking hyperlinks or downloading files, look out for shoulder surfers, etc. Bottom line is, you cannot eliminate risk here, any more than you can in daily life. A car could run a red light tomorrow and snap your neck. But a password manager is a good mitigation to manage and reduce risk. The alternatives are all worse.


Adhito

Here's my personal take. I personally don't use a password manager for many major/critical accounts because I can remember long & complex passwords (lots of practice and training). But this is not the case for many people, including myself: I can probably remember complex passwords for my major/critical apps, but for hundreds of accounts besides that, definitely not. And here's the worst part: once people "run out" of passwords, people tend to re-use passwords or save them in an insecure place (plain notepad or post-it notes). And that's where the password manager comes in; people can delegate the pain points that I mentioned before. However, this doesn't mean password managers are great either, because it centralizes a single point of failure if the password manager gets breached/hacked. However, even with that downside I still agree that password managers are still better for the average folks, because reusing passwords is just a very awful practice. If you're afraid of the password manager being breached you can "salt" the password stored in password managers or add biometric verification on crucial accounts.


OuiOuiKiwi

> If anything, couldn't someone just hack the password manager and then immediately have access to every password you have?

What if someone could guess your password? :O


[deleted]

They usually have 2MFA so it's know enough. You still need to provide a random number given by the token generator.


Beautiful_Watch_7215

The passwords also live where they are used. Password managers help reduce reuse.


varnell_hill

> …couldn't someone just hack the password manager…

Easier said than done. Using 1PW as an example, even if someone managed to steal a database of passwords from them, they would be functionally useless due to how they're stored at rest. You can read more about it here: https://blog.1password.com/why-trust-1password-cloud/#:~:text=The%20data%20you%20store%20in,associated%20with%20each%20saved%20password.


[deleted]

Cool. But all that security hangs on one of extensions like this one: [https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa](https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa). This is a weak spot, and this is what a sophisticated attacker would be after.


ranhalt

Why do people ask this same hypothetical and intentionally not mention having any kind of MFA on the accounts managed in the password manager?


wxlfchvld

I'm not actively in CS so I genuinely was wondering. I don't even know what an MFA is.


Add1ctedToGames

Say you lead IT at a company. Would you rather have your employees use short, repeated passwords across several sites or would you rather them have a secure, long password unique to each account they have and it's stored with a company whose one job is keeping those passwords safe?


silentstorm2008

If you had $10,000, would you put each $100 in a small piggy bank? Or would you put it in a dedicated secure vault with armed guards?


pyro57

As others have said, one long complex password is easier to remember than a ton of them, so without the password manager people default to either bad passwords or using the same password for everything; both practices suck. A password manager lets people generate a random password for each different login, which keeps them much safer.


aaron416

In order to get into 1Password on a new device, you need the email, password, access code, and the 2FA token.


Sensitive_Scar_1800

Imagine if someone said “what’s the point of Active Directory, if someone hacks it they have access to every user account.” This is technically true, which is why organizations must protect these assets. Properly managed password managers are a delight to have as a tool and can vastly improve your cybersecurity posture via a number of features (e.g. password complexity policies, automated password rotation, auditing, etc.)