password manager vs writing it down

Morgoth

Fueled by Sapphire
Joined
Aug 4, 2007
Messages
4,253 (0.66/day)
Location
Netherlands
So I'm wondering, is it worth getting a password manager? Like ESET Password Manager? Do they also check the net for any breaches?
Or is writing it down a safer option?
I do know to use a different password for each program / website I use.
 
Joined
Feb 6, 2021
Messages
3,102 (2.02/day)
Location
Germany
I have used KeePass for ~15 years, and have an encrypted copy in my cloud, on my phone and in my backup on an external drive. I highly recommend not using browser-based ones.
Writing them down is okay as long as you have them only locally, but I would rather have my passwords encrypted.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
27,590 (3.84/day)
Location
Alabama
Bitwarden is my go-to, but the reality is there are a multitude of them.

The big ones that I see, at least working in the tech industry, are

Bitwarden
1Password
KeePass

LastPass is a trainwreck; I would stay away from it personally.

But really any of them will do, including your own browser. I self-host Bitwarden and use it for TOTP functionality (for 2FA prompts).

They help you, but for the average user with no team of people it probably won't matter much. You get the most benefit at that point from them helping you with security posture. With password auto-generation and the "ask to save" feature it removes the burden of laziness in password posture.

The truth is browsers do that too now, I think. Last time I was using Chrome on a different machine it asked me if I wanted to generate a password in a registration field.

Though browsers would be my last bastion before post-it notes. (I don't keep passwords in my browser.)

Anyway, I'm going to go to bed. No matter what you decide, it's probably just a roll of the dice of who you think is less likely to get a data breach this year.
 
Joined
Dec 18, 2022
Messages
142 (0.17/day)
I use Passwordsafe, it doesn't require any kind of account, so there's no worry about third party data breaches, and the password vault is portable between devices. I use it on my PC and sync the vault to my phone for when I'm on the go.
 

Morgoth

Fueled by Sapphire
Joined
Aug 4, 2007
Messages
4,253 (0.66/day)
Location
Netherlands
I'm kinda hoping that password managers have a fail-safe: once a certain password on a certain website or program gets leaked, it automatically changes it for you or at least warns you, before it's too late.
 
Joined
Feb 3, 2023
Messages
229 (0.28/day)
Writing your passwords on a piece of paper is fine, as long as you live in a bunker and never let anyone inside.
Personally I would never trust anything with the word "cloud" in its name or description. It's just someone else's computer and security is strictly dependent on cost so it's a "reasonable minimum" type of deal. Personally I use KeePass, no type of online sync, just manual copying of the database only to applicable devices. I also use partial databases since there is no reason to have my server/work/tax data passwords on my phone. But I tend to be on the paranoid side, I actually have a bulletproof door...

I'm kinda hoping that password managers have a fail-safe: once a certain password on a certain website or program gets leaked, it automatically changes it for you or at least warns you, before it's too late.
My friend uses Bitwarden and it has a feature which lets you check if your password is in any known data breach, although I don't think it does it automatically.
 
Joined
Aug 29, 2005
Messages
7,477 (1.04/day)
Location
Stuck somewhere in the 80's Jpop era....
LastPass is a trainwreck; I would stay away from it personally.
I will sign that. One of my friends that's a hacker/security found out, before it was discovered, that LastPass does a clear text transfer from browser plugin to website login, and when that got public a lot of people denied it and called me crazy.

Personally I use 1Password and I pay for them, and I put my trust in them because they handle everything across the platforms I use, so I am a happy paying customer each month :)

My friend uses Bitwarden and it has a feature which lets you check if your password is in any known data breach, although I don't think it does it automatically.
1Password also does this; it's really nice.
 
Joined
Feb 13, 2016
Messages
3,418 (1.02/day)
Location
Buenos Aires
I've been using Roboform for years because there are too many to keep writing down. My wife keeps hers written in a book/filofax in spite of me trying to persuade her otherwise.
 
Joined
Feb 1, 2019
Messages
3,935 (1.73/day)
Location
UK, Midlands
KeePass, master password for that is in my head, it auto backs up the db to another drive whenever it's saved so 2 copies.

I might consider mirroring its db on Google Drive/OneDrive.

I prefer to stay away from cloud based password managers.

I also use browser password managers for things like forums for convenience, but don't let them save for things like my bank accounts.

Not sure who decided it was a good idea to let browsers save credit card numbers.
 

AsRock

TPU addict
Joined
Jun 23, 2007
Messages
19,248 (2.95/day)
Location
UK\USA
Joined
Jul 25, 2006
Messages
13,942 (2.04/day)
Location
Nebraska, USA
or is writing it down a safer option?
Write it down
:( :( :(
NEVER write it down!

I was at an IT security conference 25+ years ago and there was a "reformed" bad guy giving a talk on "Physical Security" - a genuine, but often overlooked threat! He said when he broke into a home, place of work, (or hotel room), he would take about 30 seconds to sit down at his victim's desk and take a quick look around in drawers, on shelves, under keyboards - at anything within arm's length for a notebook, steno pad, index card box or just a piece of paper (even sticky notes stuck to monitors) for passwords. And very often he would find such a list. Then, instead of just grabbing and hawking the hardware with a "fence" or shady pawn shop, he would take that list too and use the passwords to see if he could access their bank accounts or obtain other personal information he could then sell/trade.

Years later when I started my own shop/consulting business, I would make occasional house calls. I started to do the same thing - sit down at their desk and take a quick look around and sure enough, I would often find them. Shockingly (to me anyway) I would discover some of my clients were using a password safe/manager only to write the master password down on a sticky note stuck to the monitor, or under the keyboard. :kookoo:

NEVER assume an unauthorized person will never "physically" sit at your desk, or rummage through your home. It doesn't have to be a burglar either. It could be someone visiting your home like a whiz kid mischievous nephew or one of your kid's nosey friends. Or even your own kid! :( For a work computer, never assume your co-workers would never stab you in the back.

The biggest advantage to using a password safe is you only have to remember one [hopefully very strong] password - the one to unlock the safe. Okay two passwords - you also need to remember the one to unlock/wake/log into your computer - which everyone uses, right? RIGHT?

I do NOT recommend using the password managers integrated with most browsers. Again, it is about "physical" security. If they are stored in your browser and someone gains physical access to your computer, they may have access to all your important sites and accounts too.

I’ve been using SplashID since my Palm Pilot days. Sadly, it is no longer free - otherwise I would heartily recommend it. Other recommended safes include the very basic, simple to use, but robust and effective Password Safe. KeePass Password Safe. Enpass and RoboForm are very popular favorites too.

I no longer recommend the very popular LastPass. Due to its popularity, it has been the target of state-sponsored Chinese (and other) hackers multiple times. While supposedly, they have not gained access to users' passwords, they have been successful hacking the site. Not worth the risk to me.

This points out another advantage to the simple and effective "Password Safe". It is totally stand-alone. It does not rely on, nor does it store anything in "the cloud".
 

AsRock

TPU addict
Joined
Jun 23, 2007
Messages
19,248 (2.95/day)
Location
UK\USA
I assumed it was 100% foolproof? Erm, no, but common sense goes a long way; nothing is foolproof, and shame on him leaving it around.
 
Joined
Dec 18, 2022
Messages
142 (0.17/day)
I assumed it was 100% foolproof? Erm, no, but common sense goes a long way; nothing is foolproof, and shame on him leaving it around.
As they say, nothing is fool-proof to a sufficiently talented fool.
 
Joined
Sep 17, 2014
Messages
23,826 (6.15/day)
Location
The Washing Machine
Writing it down, sure. But not in a text file on the PC, that would be good ;)
 
Deleted member 230939

Guest
Your brain is the best way, I just use my brain and make different variations of the same password with increased length etc.

15 digits or more is where you need to be at for no brute force method to really work.
 
Joined
Jul 25, 2006
Messages
13,942 (2.04/day)
Location
Nebraska, USA
Writing it down, sure. But not in a text file on the PC, that would be good ;)
Huh?

Writing it down? Never.

In a text file on the PC? No.

In any unencrypted file? No.

In an encrypted file? Only if you don't write down the encryption key. Or, you could keep the encryption key in your password safe! ;)
 
Deleted member 230939

Guest
This is 6 years old, I followed this and never looked back.



There are mental limits and you need to overcome them, creativity works best and not being like a dictionary.
 
Joined
Sep 17, 2014
Messages
23,826 (6.15/day)
Location
The Washing Machine
Huh?

Writing it down? Never.

In a text file on the PC? No.

In any unencrypted file? No.

In an encrypted file? Only if you don't write down the encryption key. Or, you could keep the encryption key in your password safe! ;)
:rolleyes:

Honestly, I'm not a prime example when it comes to password security. Still, haven't ever lost a dollar to anyone because of it. Then again I don't write it down either. I just have it in my head.
 
Joined
Jul 25, 2006
Messages
13,942 (2.04/day)
Location
Nebraska, USA
Then again I don't write it down either. I just have it in my head.
Nothing wrong with that - if you have the mental capacity to never forget.

I personally don't have enough of those little gray cells left to keep track in my head, the 500+ entries I have in my password manager.
 
Joined
Aug 30, 2006
Messages
7,238 (1.06/day)
Write it down.

My password at TPU is lemonadesoda.website.A1$

The lemonadesoda is what I write down. You can do letter swaps if you want. e.g. swap e for 3. Or X. Or $. Your choice. Only you know that swap and you don't write it down. So what you write down is actually a false but near password.

The .website. is the first 3 letters of the domain name of the website. Could write it backwards. It is not written anywhere. This stops brute force attack of stolen password database against other servers.

The .A1$ is never written anywhere but is common and not easily forgotten, typically dealing with the "Must have a number" "must have a capital" "must have a symbol". Choose your own 3 character combination or more.

With 2 factor authentication for important, e.g. bank websites, this is pretty secure. MORE SECURE, I believe, than a password manager. If you have THOUSANDS of logins and passwords, a password manager is probably much easier to use.

*I don't believe in local password managers* What happens when you are travelling and need to access a password? Or you have a system crash and your backups are out of date (or never been done!). AND you have no access to your passwords until you complete a successful restore. There is no way I would allow that type of risk+downtime+recovery effort.

*I don't believe in web based password managers* Unless it is YOUR OWN WEBSITE/SERVER.

I believe in real passwords = ibelieveinrealpasswords.tpu.A1$ and not password manager crap 3EeFa%6$qP@

However, do look at the video posted by @Engage above so you don't make obvious mistakes! Actually, looking at that video, I'm not so sure my passwords are secure against a good dictionary attack. :(

For unimportant websites that don't contain any personal info, I just use website.A1$
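
Added example, not part of any poster's message: a self-audit over a password list you own, showing how per-site variants built the way the post above describes reduce to one shared shape once the site-derived part and look-alike swaps are normalized. The vault entries, domains and function names are constructed for illustration, and the site token is assumed to be the domain label, its first 3 letters, or either one reversed.

```python
from collections import defaultdict

# Look-alike swaps undone before comparison ("swap e for 3" and similar).
LOOKALIKES = str.maketrans({"3": "e", "$": "s", "0": "o", "1": "i", "!": "i",
                            "@": "a", "4": "a", "5": "s", "7": "t"})


def site_tokens(domain):
    """Strings a per-site scheme could derive from the domain, longest first."""
    # Simplification: the first DNS label is treated as the site name.
    label = domain.lower().split(".")[0]   # "techpowerup.com" -> "techpowerup"
    candidates = [label, label[::-1], label[:3], label[:3][::-1]]
    return sorted((t for t in candidates if len(t) >= 3), key=len, reverse=True)


def skeleton(password, domain):
    """Reduce a password to its site-independent shape."""
    shape = password.lower().translate(LOOKALIKES)
    for token in site_tokens(domain):
        token = token.translate(LOOKALIKES)
        if token in shape:
            # Replace the site-derived part with a placeholder.
            return shape.replace(token, "{site}", 1)
    return shape


def find_pattern_reuse(vault):
    """Group domains whose passwords share a shape; return groups of 2 or more."""
    groups = defaultdict(list)
    for domain, password in vault.items():
        groups[skeleton(password, domain)].append(domain)
    return {shape: sorted(domains)
            for shape, domains in groups.items() if len(domains) > 1}


# Constructed sample vault (hypothetical entries, not real credentials).
SAMPLE_VAULT = {
    "techpowerup.com": "lemonadesoda.tec.A1$",    # base + first 3 letters + suffix
    "exampleshop.test": "l3monad3soda.exa.A1$",   # same base with e -> 3 swaps
    "bank.test": "Lemonadesoda.knab.A1$",         # site name written backwards
    "forum.test": "forum.A1$",                    # "website.A1$" for low-value sites
    "news.test": "news.A1$",
    "mail.test": "kV7#pQ2m!zR9xW4c",              # generated by a manager
}

if __name__ == "__main__":
    # Print only the domain groups, not the password shapes themselves.
    for domains in find_pattern_reuse(SAMPLE_VAULT).values():
        print("shared pattern across:", ", ".join(domains))
```

Every entry except the generated one lands in a group, which means a single leaked entry from a group describes the others in it.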
 
Joined
Feb 20, 2019
Messages
9,197 (4.08/day)
So I'm wondering, is it worth getting a password manager? Like ESET Password Manager? Do they also check the net for any breaches?
Or is writing it down a safer option?
I do know to use a different password for each program / website I use.
Use the free one in Chrome, especially if you have an Android phone because holy crap the convenience is second-to-none.

As someone experienced in countering account hijacking, 2FA enrollment, data breaches and ransomware attacks across multiple different offices (yay for consultancy/rapid-response roles) - the password manager you use doesn't matter, it's better than meatspace. For stuff you actually care about, just make sure 2FA is enabled. It protects you ten times better than any amount of password shenanigans ever will, and especially if it's biometric.
 

ir_cow

Staff member
Joined
Sep 4, 2008
Messages
5,008 (0.82/day)
Location
USA
Never save passwords on the computer you care about. Password managers seem to make the news often for being broken into. It also won't stop keyloggers. Best thing to do is use Google 2FA with whatever password you have. Phone 2FA is easily spoofed.
 
Joined
Jun 21, 2021
Messages
3,192 (2.27/day)
My password management has evolved over the thirty years I've been online.

Back in the early-mid Nineties, I remembered my logins and passwords (which were 6-8 characters and didn't have special symbols). At about 50 logins, I reached the point I had to write them down on a little piece of paper (which I kept in my wallet) because I started having more login attempt errors due to an imperfect memory.

I kept this wallet note until it reached about 150 logins, at which point using a physical piece of paper was too cumbersome, so I switched to a plain text document on my computer (I only had one at that time).

More time progressed, I had more devices: a notebook computer and a desktop computer, and finally a mobile device, an early iPod touch. With smartphones came an explosion of online services and social media networks. Password lockers were amongst the early apps, I picked 1Password (an app which I still own for my iDevices). This made password management easier to handle, Dropbox handled the initial (optional) cloud syncing. At one point, 1Password decided to move from a pay-once-and-keep-forever business model to a subscription model, so I moved to LastPass.

Over time, most of these password managers with cloud syncing abilities had data breaches, some more serious than others. Naturally you couldn't predict which ones would have problems in the future.

Today, I'm still using LastPass although I've considered going back to 1Password. My data has still remained safe throughout the years. I have a desktop Mac, a desktop PC, an iPhone, an iPad and a rarely used notebook PC. I value something that works on all and stays synchronized.

In 2023 passwords are a fact of life. I am approaching a thousand with various login accounts (not just one e-mail account). All new services get a randomly generated 16-character password with special symbols. Some services have password recovery questions, so I need to write down those answers. A handful have special password recovery keys. Sometimes I keep old passwords in the notes section. Other times, I keep a note when I abandoned the service (for example, I deleted my Facebook account in August 2010, my Instagram in December 2012).

Plus there's other data I keep: passport numbers, government IDs, loyalty club membership IDs, insurance policies, financial institution stuff, vehicle registration data, etc.

It's really up to the individual on how to manage their passwords, each person's appetite for risk tolerance, and their appreciation for convenience. I keep an online calendar because I can't keep all of my appointments memorized. Same with phone numbers and addresses. And for decades it has been the same with passwords.

Granted, I've been online since the emergence of the World Wide Web (around 1993) so I've accumulated more cruft than many others here. My preference in using the same login credentials everywhere is long gone. Newer machine learning technologies make password cracking even easier on passwords with the standard modifications (like using an exclamation point ! to replace the letter i or the number 3 to replace the letter E).

Simple password managers are typically free nowadays with paid premium services. You can always cancel a premium service if you don't like it. Today it's easier to migrate data from one password locker to another versus the early days of mobile apps where locker migration was almost impossible (or at least very messy).

Anyhow, OP has a plethora of options to handle a wide spectrum of individual users and their needs/desires. Again, there's always a scrap of paper or simple local file storage. It's up to the individual to decide which mix of convenience, security, speed, availability, etc. is most valuable.

If I had a choice, I'd keep the encrypted password locker file in Apple's iCloud rather than the password locker service's own servers because Apple's iCloud servers are generally more secure.

There is no perfect password management solution for everyone.
 
Joined
Feb 20, 2019
Messages
9,197 (4.08/day)
This is 6 years old, I followed this and never looked back.
Yeah, almost anything is crackable but unless you are a very high-value target, you won't be selected for brute-force/dictionary attacks.
I have friends in government and private pen-testing and if the passwords are anything other than completely insecure and stupid, they'll go for phishing/social engineering over brute-forcing your actual password.
 
Joined
Jul 25, 2006
Messages
13,942 (2.04/day)
Location
Nebraska, USA
*I don't believe in local password managers* What happens when you are travelling and need to access a password? Or you have a system crash and your backups are out of date (or never been done!).
That really makes no sense - unless you are careless enough to not have a 1/2 way decent backup plan in place - a plan that includes multiple backup copies, preferably with at least one stored off site.

I use a local manager and have tried and tested 5 or 6 others and each and every one lets you easily export and import the encrypted database from one machine to another. So one of my backup places is my laptop. That way, when I travel, I still have all my passwords. And if I want, I can always export a copy, then save it to cloud storage. But I don't trust the cloud, so don't.

Or if really in a jam, I can tell the site I forgot my password and reset it.

As far as swapping a 3 for an E or a $ for an S, the bad guys automatically look for elementary tricks like that. That won't fool anyone. And if you have a pattern, they will figure that out in seconds - or less.

All those substitutions do is satisfy the sites that require special characters and numerals.

Most password managers have password generators that truly are random. I recommend using them - at least for your most important accounts.

There will always be "what happens" or "what if" scenarios you can use to rationalize this or that. For example, "what happens" when you are traveling and don't have internet access? :rolleyes:
 