
password manager vs writing it down

:rolleyes:

Honestly, I'm not a prime example when it comes to password security. Still, haven't ever lost a dollar to anyone because of it. Then again I don't write it down either. I just have it in my head.

Most likely I'm even worse in that regard, I have no backups of anything cause I have no real important stuff on my PC and I have my passes written down in a random text file. :laugh: 'got too many by now to remember + got older too'
Never had an issue cause of this, the only time I had one of my emails breached is cause it was linked to my NEXUS account 'the mod site' and their database got hacked one time and bunch of user data got out including mine.
That caused a bit of a headache but nothing was lost, got back all of my game accounts in a week or so.

I've added an authenticator to my Blizzard account and changed all of my passes and that's it, nothing happened ever since and this was like 6+ years ago.
Nobody touches my PC physically other than me so that's a non issue either, not even my family.

Tbh I'm more paranoid about taking the local bus or any public transport than about my tech security.:oops:
 
passkeys are the future imo, currently switching over to this myself. about halfway done.
I am sitting on the sidelines to see how passkeys evolve.

Most likely my 2+ year old iPhone won't work with whatever Apple adopts. With nearly a thousand logins, password management is a drag for me.

While I understand its theoretical increased security, I can't stand two-factor authentication (2FA). Those methods are even more inconvenient and awkward. I've stayed away from 2FA as much as possible until something better replaces it.

I've also refused to buy security fobs, etc.

Not all of life online is particularly enjoyable. Online security is a real drag these days.

In 2023 I am balking more frequently at signing up for an online service due to account creation procedures. Credit cards, addresses, mobile numbers, date of birth have all halted me at one point or another in online account creation. I have to weigh the pros and cons of giving that information up to access the services from that provider. "What do I get from these people that my current providers don't offer?" More frequently these days, the answer is coming back as "no, I am not filling out that form."
 
Most likely I'm even worse in that regard, I have no backups of anything cause I have no real important stuff on my PC and I have my passes written down in a random text file. :laugh: 'got too many by now to remember + got older too'
Never had an issue cause of this, the only time I had one of my emails breached is cause it was linked to my NEXUS account 'the mod site' and their database got hacked one time and bunch of user data got out including mine.
That caused a bit of a headache but nothing was lost, got back all of my game accounts in a week or so.

I've added an authenticator to my Blizzard account and changed all of my passes and that's it, nothing happened ever since and this was like 6+ years ago.
Nobody touches my PC physically other than me so that's a non issue either, not even my family.

Tbh I'm more paranoid about taking the local bus or any public transport than about my tech security.:oops:
The headache you experienced was because you shared credentials between different sites.
Even if you use a shit, free, password manager - you at least get unique credentials per site.
 
The headache you experienced was because you shared credentials between different sites.
Even if you use a shit, free, password manager - you at least get unique credentials per site.

Even just using a free password manager solely for the password generation tool is worth it. Passwords of variable length with or without special characters.

Note that the login credentials consist of a user name (typically an e-mail address these days) and a password. Most people use a limited number of e-mail accounts for their online activities, that part is easy enough to guess.

So for Joe Consumer their only real line of security is to change up their password. On more sensitive accounts (including your e-mail accounts), this should be done regularly. No one wants to go through the hassle of changing their e-mail account's password every week/month but realistically that would be a great starting point.

These days I'm storing more passwords in Apple's Keychain. I trust Apple more than I trust Google that's for sure.
 
Let's say my password is Fanatic.

I work in a place where I need to remember the passcode to enter doors, so I will then add the passcode of the doors from work to my password.

It is now Fanatic190903

Most websites remind us to use special characters.

My password is now !@Fanatic190@903!

We can now recognize a pattern with how I have created the memory which helps form the memory of the password itself.

Next time we simply change it all around.

Website two's password is 190@Fanatic!!@903


There are limitations, finite creativity.

So you then make a new word.

Yeast, I found a number I remember and use daily, add numbers.. use different characters.
 
The headache you experienced was because you shared credentials between different sites.
Even if you use a shit, free, password manager - you at least get unique credentials per site.

Well I don't do that anymore, I've made sure to have a different pass combination everywhere or at least for the more important ones.
I've changed every pass I had and trashed that crappy email acc I had registered from a provider in my country. 'pretty much only using Gmail now'

For me that's enough to sleep comfortably at night and not care further about this, not that I suggest being this careless but it's just my nature I guess. :oops:
 
I'm just sceptical that what if that service gets hacked? I just keep my passwords in my head, with little variations on different sites/services. And I can always recover those via email if I forgot those passwords.

"but what if your email gets hacked", meh. It has a strong password yet still easy to remember.
 
It pays to exercise your brain and password creativity lends a hand to helping your brain become creative, so it has its upsides.
 
Let's say my password is Fanatic.

I work in a place where I need to remember the passcode to enter doors, so I will then add the passcode of the doors from work to my password.

It is now Fanatic190903

Most websites remind us to use special characters.

My password is now !@Fanatic190@903!

We can now recognize a pattern with how I have created the memory which helps form the memory of the password itself.

Next time we simply change it all around.

Website two's password is 190@Fanatic!!@903


There are limitations, finite creativity.

So you then make a new word.

Yeast, I found a number I remember and use daily, add numbers.. use different characters.

That scales poorly. I did stuff like that twenty years ago. I had way fewer logins in those days and the passwords weren't as long.

At some point, you'll start confusing variants. "Was it @903 or 903@ ? Or maybe I switched the 3 to an E so @90E? Or maybe I flipped the number order to 309? Or maybe it was the middle numbers 9090?"
 
That scales poorly. I did stuff like that twenty years ago. I had way fewer logins in those days and the passwords weren't as long.

At some point, you'll start confusing variants. "Was it @903 or 903@ ? Or maybe I switched the 3 to an E so @90E? Or maybe I flipped the number order to 309? Or maybe it was the middle numbers 9090?"
Maybe for you, but I don't have more than 10 accounts to anything, I recall all variations, if I accidentally input the wrong one I cycle through all possible variants until it is the right one, has never gone wrong in 15 years.

Perhaps make yourself a password variant reminder with just the special characters?
 
Maybe for you, but I don't have more than 10 accounts to anything, I recall all variations, if I accidentally input the wrong one I cycle through all possible variants until it is the right one, has never gone wrong in 15 years.

Perhaps make yourself a password variant reminder with just the special characters?

Using completely different passwords of randomly generated characters and symbols is far more secure than variants of a common password. That's just elementary statistics.

In any case your memory is likely much better than mine.

If it works for you and you are comfortable with the security level, I don't see why anyone's comments here would persuade you to behave differently.
 
I don't disagree with what you are saying, other than for 99% of password needs, where there is no personal data held, then keep the burden low, keep it simple, because even if your password was hacked, you don't lose anything important.

I fully agree that in situations where a login reveals ID, money, etc., then you need to up the level of security and be diligent.
 
Your memory is likely much better than mine.

If it works for you and you are comfortable with the security level, I don't see why anyone's comments here would persuade you to behave differently.

In any case, completely different passwords of randomly generated characters and symbols are far more secure than variants of a common password. That's just statistics.
Agreed but I am human and if you ever stop using those pass managers which is also usually under a normal password and email anyway, you lose access to everything saved in it.

And then there is trusting a 3rd party which is similar to writing it down.

The mind may be limited but used correctly it can truly help, one must overcome the limitations of their own mind, until death. Thankfully though that's applicable to daily life too.
 
I don't disagree with what you are saying, other than for 99% of password needs, where there is no personal data held, then keep the burden low, keep it simple, because even if your password was hacked, you don't lose anything important.

I fully agree that in situations where a login reveals ID, money, etc., then you need to up the level of security and be diligent.

Actually, even if there is no risk of financial loss, there is a certain amount of unease or discomfort when private space is violated.

Let's say you drive to the shopping mall and when you return to your car, you find all the doors open but nothing taken. How would you feel?

Agreed but I am human and if you ever stop using those pass managers which is also usually under a normal password and email anyway, you lose access to everything saved in it.

And then there is trusting a 3rd party which is similar to writing it down.

The mind may be limited but used correctly it can truly help, one must overcome the limitations of their own mind, until death. Thankfully though that's applicable to daily life too.
Your knowledge of password managers is very outdated. Password managers have evolved and will continue to do so. They aren't like the way they were in 2010.

I won't go into all of the inaccuracies you posted here. The companies that make these applications explain it. There are plenty of online tutorials about the topic as well that cover this stuff ad nauseam.

I will reiterate that using a password manager solely for random password generation is still way better than creating variants of a common password.

It's amazing yet unsurprising how little some people on TPU understand about basic online security. Sad really. It's like talking to a brick wall which is increasingly common online. TPU has historically been very PC hardware centric in its coverage and is not a particularly good place to learn about online security fundamentals and ongoing changes.

I'll discontinue commenting about this subject, there's plenty of information online that addresses this topic which continues to evolve with each passing month. Those writers are better than me at explaining this and many of them use diagrams and illustrations to help communicate these concepts. Besides, we have many TPU community members who aren't native English speakers, they should refer to security tutorials in their native tongues.

Best of luck to the OP and others here.
 
Using completely different passwords of randomly generated characters and symbols is far more secure than variants of a common password. That's just elementary statistics.

In any case your memory is likely much better than mine.

If it works for you and you are comfortable with the security level, I don't see why anyone's comments here would persuade you to behave differently.
One thing which seems to be somewhat secure is to have a password with your own language if you're not a native English speaker
 
I just use a password gen and keep them in a massive text file
 
Thx everyone, I had a good read and I like the feedback I got from you guys :lovetpu:
 
Based on what everyone has said, perhaps I will implement the following:

Use a very simple password, write it down.
Use https://codebeautify.org/hmac-generator or self hosted hash generator.
Type your simple password in, Copy paste the result as your online password.
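
The scheme in the post above, as an added example that is not part of the thread: it assumes the simple password is the HMAC key and the site name is the message (the post does not say which goes where), and uses a constructed five-word candidate list. It shows that the long hex output is only as hard to guess as the simple password that feeds it, compared with a randomly generated password.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import List, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_site_password(simple_password: str, site: str) -> str:
    """HMAC-SHA256 keyed with the simple password over the site name (assumed layout)."""
    mac = hmac.new(simple_password.encode(), site.encode(), hashlib.sha256)
    return mac.hexdigest()


def random_password(length: int = 20) -> str:
    """What a password manager's generator does: independent random symbols."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits(guess_space: int) -> float:
    """Strength in bits of a secret drawn uniformly from guess_space options."""
    return math.log2(guess_space)


def master_from_leak(leaked: str, site: str, candidates: List[str]) -> Optional[str]:
    """Given one leaked derived password, check whether a candidate list explains it."""
    for word in candidates:
        if hmac.compare_digest(derive_site_password(word, site), leaked):
            return word
    return None


# Constructed sample data: a tiny stand-in for a list of simple passwords.
SIMPLE_CANDIDATES = ["password", "letmein", "Fanatic", "qwerty", "dragon"]

if __name__ == "__main__":
    forum_pw = derive_site_password("Fanatic", "forum.example")
    bank_pw = derive_site_password("Fanatic", "bank.example")
    print("per-site outputs differ:", forum_pw != bank_pw)
    print("hex output looks like:", bits(16 ** len(forum_pw)), "bits")
    print("but is at most:", round(bits(len(SIMPLE_CANDIDATES)), 1), "bits")
    print("random 20 symbols:", round(bits(len(ALPHABET) ** 20), 1), "bits")
    found = master_from_leak(forum_pw, "forum.example", SIMPLE_CANDIDATES)
    print("simple password explained by one leak:", found)
```

Because every site's password is derived from the same written-down secret, one leaked output that a candidate list explains exposes the derived password for every other site as well.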
 
Bitwarden is the best.
 
Password Safe !!!!

I've been using it since it was first released.

Pros = stand alone, not web based, not cloud based, free, you can have two located on two different pc's and you can merge them if one gets out of sync with the other.

I have about 3-350 p/w's (Company + personal) stored in it and it lets you create a top level folder then sub folders with different entries with different p/w's.

And the best part is = you only have to remember one p/w to access the safe !!!
 
These days I'm storing more passwords in Apple's Keychain. I trust Apple more than I trust Google that's for sure.
I don't think it matters who you trust - like you said, the best benefit is having unique passwords auto-suggested for each website, not how secure or trustworthy the password manager's developer is.

As for Apple vs Google, they're both too big to fail. If news of a vulnerability in their password managers got out, they would spend multi-million dollars on a huge damage control campaign and ensure the improvements to security/privacy were published in as much mainstream media as possible to try and put a positive spin on the situation.

You don't have to trust them, you just need to trust that they're looking out for their own bottom line, which (by coincidence) is good for our own security.
 
Yeah, almost anything is crackable but unless you are a very high-value target, you won't be selected for brute-force/dictionary attacks.
Or part of a forum password dump. Yeah, it's more likely than you may think.

There's some superbad advice in this thread. I don't think I can fix this one.
 
I have used KeePass for ~15 years, have an encrypted copy in my cloud, on my phone and in my backup on an external drive. I highly recommend not using browser-based ones.
Writing them down is okay as long as you have them only locally but I'd rather have my passwords encrypted.

Just had a discussion about this app in particular. There's a known vulnerability (CVE-2023-32784) with a publicly available script to crack your dump file/vault.

TLDR password managers are and will always be a vulnerability.
 