Hacker News

I don't know, maybe I'm old-fashioned, but I never used and never will use a password manager. I can't think of a reason to let a business know all my passwords while also making it my single point of failure.


Fwiw, most good password managers don’t necessarily let the business know your passwords; the passwords are encrypted before transport, and the business has no access to your data. All decryption can be client side only. You pay for storage and hosting of encrypted data, i.e., access from anywhere, and browser+mobile apps.

This means losing the master password is dangerous, so some people still choose to allow a host-side override where the business has some access, in order to enable account recovery in the case of a lost password.


How do you manage your credentials then? Before using a password manager, the best thing I could manage was variations on a similar password. But sites with arcane password requirements tend to break this.

I was _really_ disappointed when 1password dropped support for Dropbox sync and pushed everyone onto their storage. I'm uncomfortable, like you, with the truly single point of failure this way: I would much rather diffuse the storage and master credentials to separate parties.


I do like you said, small variations. Things get difficult once there are bizarre requirements, but then I just log in by "forgot my password". Another commenter replied (s)he has over 400 credentials; I don't think I have even 100 let alone 400 logins.


>I don't think I have even 100 let alone 400 logins.

And the real question is: how many of these logins require max level of security?


Why is that the real question? The advantage of a password manager is you can default to max security with no more effort than poor security. Many of my accounts have changed over time, it’s not uncommon to add payment to a trial account, or for personal information to accumulate. There are plenty of good reasons to always use maximum security in order to lower your risk and prevent future accidents.


What's your alternative? If it's just memorizing a huge set of passwords plus the ability to add to that set whenever you need, that's awesome.

But if you're doing what most people do instead of a password manager, which is just re-use two or three passwords for everything, then you don't just have a single point of failure. You have dozens of points of failure. You're not letting "a business" know all your passwords, you're letting many businesses know your password, singular.

Also, password managers don't only come from "businesses". I use pass[0], which just gpg encrypts passwords in a git repo. If you're willing to set up sshd, git, and gpg on your devices, you can use pass.

That said I still recommend that people coming from the "old way" use something like 1Password or LastPass if self-hosted is not for them. I share your distaste for giving the keys to the kingdom to a single business, but it's better than the alternative. I trust LastPass more than I trust the weakest member among a random set of other businesses.

0. https://www.passwordstore.org/


> let a business know all my passwords

You don't. Password managers like Bitwarden are basically cloud storage for an encrypted blob that happens to contain your passwords wrapped up with a nice UI/UX and handle all the syncing for you between your devices. They don't "know" your passwords. They sync that blob and then all encryption and decryption is done on your device.

Not to mention with Bitwarden you can run your own server if you are comfortable doing so and don't want to rely on their servers.

> making it my single point of failure

So maintain backups of your encrypted vault. Also Bitwarden (which is what I use) doesn't require an internet connection to unlock your vault so even if you're stuck somewhere with no net access you can still access all your data. Export it, etc. It is 100% offline for use, internet connection is only needed to sync the encrypted blob.

---

IMHO the benefits of a good password manager with nicely integrated password management, history, generation, MFA, etc. far outweigh the drawbacks of your account being hacked.

I have over 300 logins in my password manager.

I only have to remember a few actually important passwords in my brain which makes life exponentially easier when logging in to so many different services each day.


The reality is that it's unreasonable to expect users to maintain passwords that are both unique and memorable. My password manager tells me I have over 400 credentials saved. There's no way I can keep track of that in my head.

To solve this, you can drop either one of the "memorability" or "uniqueness" requirements. Most people naturally drop "uniqueness" and reuse the same passwords everywhere. Or you can use a password manager and drop the "memorability" requirement. It's safer and more usable to do the latter. Even writing it down in a physical notebook is an improvement over reusing the same password.
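The "drop memorability, keep uniqueness" approach above, and the "arcane password requirements" complaint earlier in the thread, come down to generating a fresh random password per site that still passes whatever composition rule the site enforces. The following is an added example, not code from any commenter or from any password manager; the policies are constructed for illustration, and the rejection-sampling generator is one reasonable design, not the one any particular product uses.

```python
import math
import secrets
import string

# Added example (not from the thread): unique random passwords that satisfy a
# site's composition policy. Policies below are constructed for the demo.

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def alphabet_for(policy):
    """Characters a password may contain under this policy."""
    chars = "".join(CLASSES[c] for c in policy.get("alphabet", CLASSES.keys()))
    chars = "".join(c for c in chars if c not in policy.get("forbid", ""))
    if not chars:
        raise ValueError("policy leaves no allowed characters")
    return chars


def satisfies(password, policy):
    """Check length bounds, forbidden characters and required classes.
    Policy keys: min_length, max_length, require, forbid, alphabet."""
    if not policy.get("min_length", 0) <= len(password) <= policy.get("max_length", 10**6):
        return False
    if any(c in policy.get("forbid", "") for c in password):
        return False
    return all(any(c in CLASSES[cls] for c in password) for cls in policy.get("require", ()))


def generate(policy, length=None, max_tries=10_000):
    """Rejection sampling with a CSPRNG: draw uniformly from the allowed alphabet
    and retry until the policy holds. Unlike 'force one character of each class
    into fixed positions', this keeps the output uniform over compliant strings."""
    alphabet = alphabet_for(policy)
    n = length if length is not None else max(policy.get("min_length", 16), 16)
    n = min(n, policy.get("max_length", n))
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(n))
        if satisfies(candidate, policy):
            return candidate
    raise RuntimeError("policy unsatisfiable: no compliant string found in %d tries" % max_tries)


def entropy_bits(policy, length):
    """Upper bound on guessing entropy: log2(|alphabet|) per position.
    Rejection lowers the true value slightly; negligible at sane lengths."""
    return length * math.log2(len(alphabet_for(policy)))


POLICIES = {
    # A sensible site: long, any printable ASCII, all four classes.
    "sane": {"min_length": 12, "require": ("lower", "upper", "digit", "symbol")},
    # An 'arcane' one: capped at 12, letters and digits only, some characters banned.
    "arcane_bank": {"min_length": 8, "max_length": 12, "require": ("upper", "digit"),
                    "alphabet": ("lower", "upper", "digit"), "forbid": "0O1lI"},
    # A numeric PIN: nothing to require, just six digits.
    "pin_only": {"min_length": 6, "max_length": 6, "alphabet": ("digit",)},
}


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        pw = generate(policy)
        print(f"{name:12s} {pw!r:24s} ~{entropy_bits(policy, len(pw)):.0f} bits")
```

The 12-character cap in the constructed "arcane_bank" policy is the real cost of such rules: with 57 allowed characters it tops out near 70 bits, which is still far beyond anything a human will memorize per site, and the point of a manager is that you never have to.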


I highly recommend keepass + syncthing. Avoid some third party having access to your password store while keeping it backed up wherever you need it to be.


I'll never use a centralized one like that. I use a password manager that keeps my vault file locally and is synchronized through any cloud storage provider of my choice. I chose OneDrive, but if I was more insistent on absolute privacy it could also synchronize to a WebDAV server I set up myself.


Interestingly, if you think about it, this is pretty much equivalent to what Bitwarden is doing. You trust the (open source) client to not leak your passwords and to encrypt them properly, and then you use an online service to sync an encrypted blob. A "custom" sync solution is less prone to a targeted attack due to the obscurity, but otherwise is largely equivalent to using Bitwarden (or any other provider with an open-source client and encrypted vault sync).


That's what I do. KeePass vault. Google Drive and OneDrive sync. Local. Works on all my devices. Simple


I feel that way about online password managers, but an offline open source password manager is a huge quality of life (not to mention security) improvement when all of your accounts have different passwords. I'd highly recommend giving it a shot.


It’s just terribly insecure. Humans are really bad at making unique passwords. I have around 500 unique passwords in my password manager. No way I could do that manually.


>while also making it my single point of failure

This is my concern as well. The whole idea of my passwords being in a black box that is tied to my hardware seems like a recipe for disaster if I am traveling and my hardware gets stolen, lost or destroyed.

(maybe there is something that I am failing to understand, but I've watched several videos that attempt to explain how a PW manager works and I've not found an answer)


In 1Password:

- the master key derives from 1. your password, and 2. a long, random key that you type manually on each new device (so you can’t brute-force the password just from the server’s data, and you can’t decrypt the data just from your hard drive without the master password),

- none of these keys ever leave your devices (encryption and decryption happen client-side),

- the key is deleted from RAM, locking the vault, if you’re inactive for too long.

That makes some attacks hard. It will be defeated if malware can get 1. your secret key and 2. your master password. But in that case, your login cookies and what you type in login forms are vulnerable too, so there isn’t much difference.
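The two-secret scheme sketched above, as an added illustration that is not 1Password's code: the exact primitives here (PBKDF2 for the password half, HKDF for the secret-key half, XOR to combine them, an HMAC check value standing in for "what the server holds") are assumptions chosen for clarity, and all salts, keys and the wordlist are constructed. What the example shows is the property the comment claims: with only the server's data an attacker cannot test password guesses, while with both the secret key (from a device) and a weak master password the vault falls quickly.

```python
import hashlib
import hmac

# Added illustration of a two-secret key derivation; not 1Password's code.
# Assumptions: PBKDF2-SHA256 on the password, HKDF-SHA256 on the secret key,
# XOR to combine, HMAC check value as the server-side artifact.

ITERATIONS = 100_000  # slow KDF only on the low-entropy, human-chosen secret


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-then-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password, secret_key, salt, iterations=ITERATIONS):
    """Vault key = slow(password) XOR fast(secret_key).

    The password half gets a deliberately slow KDF because a human chose it.
    The secret-key half is already 128 random bits, so a fast KDF suffices.
    Neither half alone reveals anything about the key: both secrets are needed.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, dklen=32)
    sk_part = hkdf_sha256(secret_key, salt, b"vault-key/secret-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def auth_record(vault_key):
    """Stand-in for what the server may hold: a check value derived from the
    key under a fixed label. The key itself never leaves the client."""
    return hmac.new(vault_key, b"vault-auth", hashlib.sha256).digest()


def offline_guess(salt, record, candidates, secret_key, iterations=ITERATIONS):
    """Attacker holding the server's data (salt + record) tries candidate
    passwords. secret_key is whatever the attacker has: the real one if it was
    stolen from a device, otherwise a guess, in which case nothing verifies."""
    for candidate in candidates:
        key = derive_vault_key(candidate, secret_key, salt, iterations)
        if hmac.compare_digest(auth_record(key), record):
            return candidate
    return None


# Constructed demo values (in practice random per account and per device).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")  # typed once per new device
WEAK_PASSWORD = "hunter2"
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def demo():
    """Returns (result of a server-only breach, result of server + device breach)."""
    record = auth_record(derive_vault_key(WEAK_PASSWORD, SECRET_KEY, SALT))
    # Server breach only: the attacker has no secret key and must guess it too
    # (here a zero guess); every password candidate fails to verify.
    without_sk = offline_guess(SALT, record, WORDLIST, secret_key=bytes(16))
    # Device compromise as well: with the secret key, a weak password falls fast.
    with_sk = offline_guess(SALT, record, WORDLIST, secret_key=SECRET_KEY)
    return without_sk, with_sk


if __name__ == "__main__":
    print(demo())
```

The last paragraph of the comment is visible in the code too: `offline_guess` with the real `SECRET_KEY` is exactly the malware-on-the-device case, and nothing in the derivation helps once both secrets are on a compromised machine.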


You don't need to let a business know anything. Run your own self-hosted instance via a dedicated server or WebDAV, or use the password database totally offline. SaaS is not the only option here (and IMO, I wouldn't even consider using a password manager unless I could do so without involving any other companies).


I'm afraid you don't understand how password managers work then. You do not reveal your passwords to LastPass, and used properly it is not a SPOF.

That said, the model is generally broken and LastPass is near the bottom of the heap.


It sounds like a cloud hosted password manager isn't a good choice for you. However not all password managers are cut from the same cloth. There are many offline/locally encrypted options.


Thank you.

If you or they are not technically inclined, write them down on a piece of paper, stored safely.

If you are, encrypt a file or volume on your computer and use that.

I've done and advised this forever and each little story like this leaves me convinced that these ways, while not perfect, definitely beat all the others.


Keepass does that, and is a password manager. Put the encrypted db in some path tracked by Dropbox or similar, and you have a fine setup.


Right, I suppose what I mean is "local software" over "centralized service."

Frankly, I'd even avoid Dropbox here. No need; and slightly reduced threat model (e.g. you happen to pick a bad encryption scheme). Syncthing, if anything.


You gotta balance. Don't use a password manager for your key accounts - use it for all the rest that you sign up for.


Use one that stores locally and never shares the data with anyone.



