I keep seeing people highly recommend them, but I’ve always thought it wasn’t very secure.
I think they can be much more secure than:
- remembering your (probably weak) passwords
- writing passwords on paper, which is slow, you can lose the paper, break it, or someone can steal it
- storing passwords in an unencrypted text file
- reusing passwords/password!
I use KeepassXC, which is an offline, encrypted password manager. Every password is stored in one file; to access it, I must enter the one password I do remember. I recommend having backups of this file.
It has a password generator included, so all my passwords are long, strong and unique. It can also auto-fill password/login, which saves time.
To increase the security of your account even further you should also use multiple-factor authentication, for example an app which generates one-time codes on your phone offline. It will protect you even if your password gets leaked or cracked.
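The two mechanisms this reply relies on, a generator that draws from the OS random source and an offline one-time-code app, are small enough to show in full. The block below is an added example, not KeepassXC code or code from anyone in the thread: it generates a password and reports its entropy in bits, and implements RFC 4226 HOTP / RFC 6238 TOTP with nothing but HMAC and a clock, which is why an authenticator app needs no network connection. The demo secret is the RFC 6238 test-vector value, used here only so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# 94 printable ASCII characters, the usual generator default
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing work, in bits, for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = unix_time // step. Needs only a clock, no network."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time // step), digits)


def verify_totp(key, submitted, at_time=None, step=30, window=1):
    """Server-side check tolerating `window` steps of clock drift; constant-time compare."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(key, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def totp_from_base32(secret_b32, at_time=None):
    """Authenticator apps exchange the shared secret as base32 (the QR-code payload)."""
    return totp(base64.b32decode(secret_b32.upper()), at_time)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits of entropy")
    demo_key = b"12345678901234567890"  # RFC 6238 Appendix B test secret, not a real key
    print("TOTP at t=59:", totp(demo_key, at_time=59))
```

The phone and the server share only the base32 secret and the current time; no code ever travels from the server to the phone, so a leaked password alone does not get an attacker past the second factor.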
If you write it on paper, include the same short word on the end of all your passwords that you don’t write down. Password is Hunter2duck but you only write down Hunter2.
*Actually this might be a good idea for password managers too. Brb. **I wonder if hackers thought of this too. If so this could be easy to crack if they get past the password manager. Maybe inserting a letter into the password after the nth character would work better.
All I see is *******
I just see
*******duck
I write my passwords on paper in code, like my dad taught me to do.
However, just a personal anecdote, my uncle passed suddenly and he had written all his passwords (not in code) on a spreadsheet with each account, which he then printed. I promise you, this single piece of paper was one of the most helpful things I could’ve asked for in sorting out all of his assets. It was a genuine lifesaver. Now I often think that maybe I should be sharing my password with an S.O. or someone else close to me just to make their life easier if I were to die tomorrow.
See you can tell your family the “duck” part. Then anyone that steals the paper still can’t do it.
And that’s how your uncle Billy starts a new life in Mexico using your identity. A tale as old as time.
This is just a hack. If you use encryption to store passwords, that becomes just a nuisance.
Unfortunately I see headlines every now and then that whatever password manager was compromised.
I mean… Can’t happen if you keep your stuff encrypted like with KeePassXC. Even if someone gets my password database, it’s useless for them since they don’t know how to decrypt it. That’s why I don’t use some online service, though using one of the online services is certainly better than reusing a weak remembered password.
Yep. Theoretically a vulnerability could be found (or manufactured) for KeePass, but it’s much less likely than an online service, and it’s extremely common and open source, so if there are issues then there’s a fairly good chance it’ll be noticed.
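What makes a stolen database file "useless" is the combination the two replies above describe: a slow key-derivation function in front of the master password, and authenticated encryption so a wrong password or a tampered file is rejected rather than silently decrypted to garbage. The block below is an added illustration of that structure, not KeePassXC's KDBX format or code: it derives keys with scrypt and seals a JSON vault. Because the Python standard library has no AES, the cipher here is HMAC-SHA256 run in counter mode as a keystream (a sound PRF-based construction chosen only so the example runs without third-party packages); a real manager uses AES-GCM or ChaCha20-Poly1305. The file layout `salt | nonce | ciphertext | tag` is an assumption of this example.

```python
import hashlib
import hmac
import json
import os
import struct

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _derive_keys(master_password, salt):
    """scrypt makes every password guess cost CPU and memory; n=2**14 uses ~16 MiB per guess."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # independent encryption key and MAC key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for AES-GCM/ChaCha20 in this stdlib-only demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password, entries):
    """Encrypt-then-MAC the entries; fresh salt and nonce on every save."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password, blob):
    """Verify the tag before touching the ciphertext; a wrong password fails here, not later."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed sample entries; the master password is a placeholder for the demo
    blob = seal_vault("demo-master-passphrase", {"example.com": "alice"})
    print(len(blob), "bytes on disk; first 16 bytes are a public salt")
    print(open_vault("demo-master-passphrase", blob))
    try:
        open_vault("wrong-guess", blob)
    except ValueError as e:
        print("rejected:", e)
```

The scrypt step is what turns "they have my file" into "they have to guess my master password at a few guesses per second per core", which is why the replies above stress a strong, unique master password and an encrypted backup rather than the secrecy of the file itself.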
Does this make it so that you can only access all/any of your accounts from 1 computer ever?
No, I keep multiple copies of this file on different devices and I sync them using Syncthing.
However, if you want to access your password database from many devices, using an online password manager, like Bitwarden, would probably be easier.
It’s a balance of probabilities, like everything in security. Which is more likely? A. People are careful, using good, strong passwords, and maintain vigilance, but are targeted by an advanced attacker who will hack the protonpass system to get their database and the necessary keys to open it? Or B. People get lazy, use the same password for everything because remembering stuff is hard, and everything they own ends up protected by the modern equivalent of combo 1, 2, 3, 4, 5?
If you are truly capable of generating and memorizing enough good passwords to handle all of your accounts, that is technically more secure, because a password manager can create a single point of failure for all accounts. However, most people aren’t able to do that and will resort to crap passwords or using the same single crap password for every site.
Bitwarden and keepass are. Don’t use lastpass or the other bullshit youtube sponsors.
It’s more secure than not using one (if it’s open source and offline), so just do it.
Without password managers: You either have weak passwords, or you constantly forget passwords and get locked out of your accounts.
Or you can remember the password to your email, then use that to reset passwords every time and slam your head on the keyboard to generate a random password that you won’t need to remember because you’ll just reset it next time, but then it’s a hassle and you are relying on one point of failure, and you could get locked out if your email stops working.
So in conclusion: Password Managers
Risk assessment is a big part of this. The risk when reusing passwords is very high. The risk of forgetting passwords, or of using weaker/guessable passwords when they’re unique, is high. A password manager mitigates these risks. A good one will also bark at you when you try to use a password on a website that isn’t the one you saved it for (i.e. a phishing warning).
The risk of your PW manager somehow leaking passwords is worth considering. So we ask: How are the passwords stored? Where are they stored? How are they accessed? Different tools work differently; some keep the storage local but others sync in the cloud. Local storage can also mean “in my Dropbox folder”. If it’s a secure format with a strong password (or perhaps Yubikey), that’s fine, but if it’s an excel sheet, you’re leaking to Dropbox. But is that really a problem for you? Think of the steps between an adversary and your password file.
1Password has some white papers published about how they secure the data you entrust them with.
It is my strong opinion, and that of most security experts, that using a password manager to create unique, long, and secure passwords is a lot better than the alternative. It’s usually the opinion that a password notebook in a reasonably secure location (in your desk at home) is better than recycling weak passwords.
There are weaknesses and attack vectors, but they are in my opinion more secure than almost all realistic alternatives. If you think you’ve come up with a better system, by all means, implement it. I commend your skepticism of following the herd and may it serve you well. But beware of pursuing security through obscurity. People recommend password managers because they are one of the best solutions available for navigating this complex threat environment we live in and they are appropriate for most people’s situations.
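The "bark at you" behaviour mentioned above is one of the quieter security wins of a manager: autofill is keyed to the site the credential was saved for, so a look-alike domain gets no password no matter how convincing the page is. The block below is an added example of that matching logic, not code from any manager named in the thread; the vault entries are constructed placeholders. It matches on the URL's hostname only (so `example.com@evil.net` and `example.com.evil.net` are both refused), insists on a dot boundary for subdomains, and declines to fill over plain HTTP.

```python
from urllib.parse import urlsplit

# Constructed sample vault: site domain -> account name (placeholders, not real accounts)
VAULT = {
    "example.com": "alice",
    "bank.example.org": "alice-bank",
}


def _host(url):
    """Hostname only: scheme, userinfo, port, path and query play no part in matching."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(saved_domain, url):
    """True for the saved domain itself or a proper subdomain of it (dot boundary enforced)."""
    host = _host(url)
    saved = saved_domain.lower().rstrip(".")
    return host == saved or host.endswith("." + saved)


def autofill_decision(vault, url):
    """What a manager's browser extension would do when the user lands on `url`."""
    if urlsplit(url).scheme != "https":
        return "warn: not https, refusing to fill"
    for domain, account in vault.items():
        if host_matches(domain, url):
            return f"fill {account}"
    return "warn: no saved entry for this site (possible phishing)"


if __name__ == "__main__":
    # Constructed visits: a legitimate login page followed by three look-alikes
    for visit in (
        "https://accounts.example.com/login",
        "https://example.com.evil.net/login",
        "https://example.com@evil.net/login",
        "http://example.com/login",
    ):
        print(f"{visit:45} -> {autofill_decision(VAULT, visit)}")
```

A human comparing the address bar by eye is the weak link phishing relies on; a string comparison against the saved origin does not get tired or rushed, which is why a manager that refuses to fill is a signal worth taking seriously rather than overriding.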
I think your question has been answered by others pretty well but I’ll add: If you decide a password manager is overall beneficial and choose one that looks secure, don’t assume it will stay that way. LastPass taught us that a couple of decisions that are valid one day can turn into huge liabilities in a few years as threats escalate. You have to periodically check in on what secops pros are saying about your manager and make sure they haven’t been resting on their laurels. Security is a job we all have.
Remembering (and inevitably forgetting) passwords for all your different accounts is inconvenient, frustrating, and arguably less secure than a randomly generated password unique to each account.
Additionally, it can be tempting to reuse passwords for multiple accounts, which is trouble when a less-than-reputable service that you used that password on is breached, since that password wasn’t unique.
If you use an open-source, tried and true password manager (Bitwarden, Vaultwarden, KeePassXC) and keep a passphrase unique to that password manager only, you avoid the problems above, which are way more likely to occur than Bitwarden passwords getting breached in plaintext, or a security vulnerability in the KeePass database.
Plus, most password managers offer support for passkeys, which are easier to register/use than passwords. They usually only require a “verify with passkey” button on a given website.
Bottom line, password managers are probably (definitely) more secure than any other reasonable solution that anyone has come up with.
To oversimplify:
Very secure, unique passwords written on paper and stored safely > Local password manager using secure passwords > cloud/synced password manager with secure passwords > anything with insecure passwords.
The trick is, will you actually maintain these security practices or will you start getting lazy if it’s too inconvenient (such as using a long password, and having to manually type it out)?
I like to keep all my eggs in one basket, that way you can really keep an eye on them.
It means that you can use more secure passwords rather than using easy to guess passwords/one password for everything. Using cloud based ones like Bitwarden means you have to trust the company hosting your passwords to not screw up and suffer from a data leak. I think Bitwarden is pretty trustworthy, but I might be wrong on that one.
Alternatively, you could selfhost (with something like Vaultwarden) or just use something local like KeePass. For the latter, you can choose to sync with SyncThing if you want.
I personally use KeePass, but don’t use SyncThing.
The only big danger of a good password manager is the fact all your passwords are stored under one.
To mitigate the risk, follow these practices:
- Use a good trusted, much preferably open-source option (for example, Vaultwarden, KeePassXC);
- Use a strong password;
- Do not EVER use the same password you use for password manager elsewhere;
- Use 2FA on both your password manager itself and all the accounts you store passwords for;
- Back up your password database in an encrypted way.
Together, these measures should save you from any trouble.
Now, why they are good:
- They can generate and store very strong passwords you would never make up, much less remember;
- You can be sure you won’t forget your password;
- They are convenient and can auto-fill passwords for you.
Generally, using a password manager is considered a superior option in terms of security and availability compared to keeping your password elsewhere, including your head.
What makes you think they aren’t secure?
Most will tell you how the password is stored and assuming they implemented the encryption algorithm correctly it should be rather difficult to break the vault open.
Yupp, just stay away from Lastpass. 🤮