Also they are too complicated for an ordinary user. A physical key is much simpler and doesn't require any setup or thinking, and can be used on multiple devices without any configuration. And doesn't require a cloud account.
cf. pass(1)[0][1]
[0] https://www.passwordstore.org/
[1] No, it's not hosted in the cloud (i.e., on someone else's servers) and that's a good thing. It's FOSS and can be compiled for Android/iOS (and has, see [2][3][4], at least for Android). The DB (just a GPG store) can also be shared across multiple devices.
[2] https://f-droid.org/packages/app.passwordstore.agrahn/
[3] https://play.google.com/store/apps/details?id=dev.msfjarvis....
[4] Not sure about iOS versions, I don't have any Apple devices.
Passwords have always been bad. The problem is that users can't remember them. So they rotate, like, 3 passwords.
Which means if fuckyou.com is breached then your bank account will be drained. Great.
On top of that, the three passwords they choose are usually super easy to guess or brute force.
With a password manager, users only need to remember one password, which means they can make said password not stupid. You can automatically log in too with your new super secure passwords you never need to see.
It's the perfect piece of software. Faster, easier, more secure, with less mental load.
I don't, but even if I do, the simple fact remains that remembering one password is easier than 300.
If you have to remember 300 passwords, you're gonna choose 'password1' - 'password300'. Because we're not living hashmaps.
But with one password, I can easily make it even 40 characters and remember it. And anybody can do that.
If you DON'T use a password manager, you don't solve the problem of "everything is lost". Because people just reuse passwords as noted above.
So Experian gets breached, which is WAYYYYY more likely than your encrypted password manager getting breached, and now your bank is also open, and your Gmail, and your IRS.gov. whoops.
> does this assume you only use one device that you will always use
No, password managers work on all your devices and auto sync. How is it done so securely and without any hiccups? Because they're super simple pieces of software.
You just take the passwords, derive a key from the master password, and encrypt all the passwords. Then dump it in whatever online storage.
I could write a password manager in a couple hours.
I think you're rejecting good solutions out of hand.
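The scheme sketched in the comment above (derive a key from the master password, encrypt the password list, dump the blob anywhere), as an added example that is not from the thread or any of the projects mentioned. It is standard-library only, so the cipher is an assumed stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) where a real manager would use AES-GCM or XChaCha20-Poly1305; the scrypt parameters and the "VLT1" format marker are likewise constructed for the demo.

```python
import hashlib, hmac, json, secrets
from typing import Dict, Optional, Tuple

MAGIC = b"VLT1"           # constructed format marker; covered by the MAC
N, R, P = 2**14, 8, 1     # scrypt cost parameters (assumed, modest for a demo)

def _keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the master password."""
    km = hashlib.scrypt(master.encode(), salt=salt, n=N, r=R, p=P, dklen=64)
    return km[:32], km[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream: block i = HMAC(key, nonce || i). XOR is its own inverse."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(master: str, entries: Dict[str, str]) -> bytes:
    """Encrypt the entries. Blob layout: MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(master, salt)
    ct = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    body = MAGIC + salt + nonce + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # authenticates every byte
    return body + tag

def open_vault(master: str, blob: bytes) -> Optional[Dict[str, str]]:
    """Decrypt; return None (never garbage) on a wrong password or a tampered blob."""
    if len(blob) < 4 + 16 + 16 + 32 or blob[:4] != MAGIC:
        return None
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[4:20], body[20:36], body[36:]
    enc_key, mac_key = _keys(master, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None      # verify before decrypting, with a constant-time compare
    return json.loads(_keystream_xor(enc_key, nonce, ct))

if __name__ == "__main__":
    blob = seal("correct horse battery staple", {"bank": "s3cr3t", "mail": "hunter2"})
    print(open_vault("correct horse battery staple", blob))   # the dict above
    print(open_vault("wrong password", blob))                 # None
```

The point of the tag is that a wrong master password or a flipped byte in the synced blob is rejected outright instead of yielding a plausible-looking but corrupted vault.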
Meanwhile...millions of users trusted LastPass. Twice.
I’m not going to rely on myself never making a mistake. I want a solution that protects me even during stressful moments where I have a lapse of judgement and forget to check.
/me wonders if this is a "recommend me a nice open source, offline password manager" question in disguise.
That was years ago, so I’m going to check it out again. Thanks for the pointer.
Update: One thing that stands out immediately is a confusing mess of three different projects, two of them unmaintained, which all call themselves KeePassX or KeePassXC, sometimes linking to each other’s documentation. How do I even tell I’m facing the correct KeePass(X(C)?)? project?
Yes, I’ll figure it out eventually but until then, it’s confusing. Also, if a password manager project needs to be forked over and over and over again (how can a holder of the keys to the kingdom possibly go MIA on three different occasions in basically the same project?), then does that tell us something about how the project is governed?