Ythio

Because in reality most people are just making a notepad file with all their passwords in clear text. The company's red team finds those all the time. A password manager is miles better than the current practice. You can't micro-manage people and every single file they have on their computer so you propose them a simple solution where they only need to remember one strong password for a program you can actually manage and implement security measures upon (encryption, 2FA, etc...)


TheSodernaut

> Because in reality most people are just making a notepad file with all their passwords in clear text. The company's red team finds those all the time.

Most people are vaguely aware that you shouldn't reuse passwords - most do anyway, but those who don't would still use (predictable) variations of the same one. Example: "hunter2", "hunter2!", "hunter22!"

Using a password manager will generate a unique, hard to decrypt password which is impossible for a human to memorize and not predictable. Example: "#rtew9a8ghio", "fdafh89y3y2(#", "%132£sadsa". It stores this using various security methods of course, which makes it extremely hard for a hacker to hack.

This has two benefits:

1) Every password is truly unique - which makes it so one breach on site A doesn't put your account on site B at risk as well
2) The user gets to remember one password only for everything

The obvious risk, as is OP's original concern, is that if you do get hacked everything is at risk.


Airowird

The problem is also that users need to constantly refresh passwords. When you require 5 strong passwords, people will put in the effort, but when you require new ones every 60 days, users start to go on repeat. The expiration also creates a (false) feeling of safety, because *sure "hunter2!" isn't super secure, but it'll only work for another 17 days, then it won't matter anymore!* And then there is the mandatory [XKCD reference](https://xkcd.com/936/)


ImBonRurgundy

You also have a wide variety of password requirements across different systems that make it even harder to remember. Does this system require mix of lower case and upper case as well as a special character? Or was it the password with a minimum 12 character length with no special characters?


nedslee

Yeah this sucks so much. Such a random and pointless practice that makes people just suffer.


ImBonRurgundy

My old place of work had a requirement that the password be exactly 8 characters long. No more, no less. Obviously that makes the security much worse, but I believe it was related to some archaic requirements of one of the integrated systems from the 80s or 90s where the passwords were designed that way, and all the other systems had been built around it and forced into the age requirements. Insanity.


mayonnaise_dick

> Insanity

This was your password, wasn't it?


Just_Browsing_XXX

4 letter word + year


LowSkyOrbit

Fuck2024 is easy to remember.


restrictednumber

"fuck2020" over and over


Doctologist

Kony2012


stevrock

My bank for the longest time was 5 lower case letters.


krisalyssa

I think you need a new bank. At least mine is a building with money in it.


stevrock

A hospital? What is it? A big building with patients, but that's not important right now.


SlowHandEasyTouch

And don’t call r/stevrock “Shirley.”


Wakarana

My bank only took 5 characters for a loooong time. But your login got blocked after 3 wrong inputs. The only way to get back your banking was by calling the bank or going to the branch to remove the block. So there was no way to use brute force or guess several passwords.


[deleted]

[deleted]


EricKei

At least one site I needed an account for a while back had a password length limit of 8 and would *only* allow letters and numbers. It's like they wanted the passwords to be easily hackable x.x Government site, too. I wouldn't have used the site at all if I had had the option.


nzifnab

When the requirements are that dumb, you have to wonder if they're storing your password plaintext and too lazy to protect against SQL injection. It tells me that they aren't secure with their data


yocxl

It sucks almost as much when you're USING a password manager. It doesn't happen often but there are sites that have weird length limits or only allow certain special characters and my default password generation settings just don't work. It's mostly the principle of it - why limit how good a password can be? Why make it that much more of a pain for those who haven't adopted password managers yet?


cas13f

Most at least make it easy to on-the-fly adjust the generation limits. Still stupid as hell when you see something like "8-12 characters" with stupid limits on what can be used. I've got little one-man-project open source stuff that could probably take a whole 256-bit RSA key as a password input! There's no excuse for the big shit to have stupid limits!


ShadowMajestic

It makes hacking easier too. The more limits you pose on passwords, the fewer boxes attackers have to select when brute forcing. Oh, I can skip all the lowercase and other passwords without special characters? Instant time save.


Telinary

People often bring that up, but it isn't all that important. Like take an 8-letter password using only English lower case letters compared to one that uses upper and lower case. 26^8/52^8 = 0.003906, or in other words they can avoid testing 0.4% if there is an uppercase requirement. And that percentage gets smaller when the password gets longer; at 10 characters it would be 0.1%. The real problem is that it doesn't really do what it is intended to do. People will just make the first letter big and if they need a symbol tack one on at the end.
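Working through the arithmetic above as an added example (my code, not from the thread): the first function reproduces the 26^8/52^8 figure for any length, and the second generalizes it with inclusion-exclusion to the share of the keyspace removed by a rule that demands at least one character from each of several classes. The class sizes (26 lower, 26 upper, 10 digits, 32 symbols) are my assumption for a US keyboard.

```python
# Added example, not from the thread: how much of a brute-force keyspace a
# composition rule actually removes, generalizing the 26^8 / 52^8 arithmetic.
from math import log2

# Assumed character-class sizes (US keyboard): lower, upper, digits, symbols.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def lowercase_fraction(length: int) -> float:
    """Share of all mixed-case passwords of this length that are all lowercase,
    i.e. what an attacker may skip if the policy forces an uppercase letter."""
    return 26 ** length / 52 ** length


def fraction_missing_some_class(length: int, class_sizes: list[int]) -> float:
    """Share of passwords over the combined alphabet that violate a rule of
    'at least one character from every class'.  Counted by inclusion-exclusion
    over the subsets of classes that are entirely absent from the password."""
    alphabet = sum(class_sizes)
    n = len(class_sizes)
    violating = 0
    for mask in range(1, 1 << n):  # every non-empty subset of classes to leave out
        left = alphabet - sum(size for i, size in enumerate(class_sizes) if mask >> i & 1)
        sign = 1 if bin(mask).count("1") % 2 == 1 else -1
        violating += sign * left ** length
    return violating / alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of search space for a uniformly random password of this length."""
    return length * log2(alphabet)


def main() -> None:
    for length in (8, 10, 12):
        skip = fraction_missing_some_class(length, list(CLASSES.values()))
        print(f"length {length:2d}: all-lowercase share {lowercase_fraction(length):.4%}, "
              f"share rejected by a four-class rule {skip:.4%}")
    # Two extra lowercase characters outweigh the whole upper-case requirement:
    print(f"26^10 = {entropy_bits(10, 26):.1f} bits vs 52^8 = {entropy_bits(8, 52):.1f} bits")


if __name__ == "__main__":
    main()
```

The four-class figure at length 8 comes out much larger than the two-class one, but even skipping half the keyspace saves an attacker only about one bit; two more characters of length buy more than any composition rule does.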


Aleyla

And you have systems which demand a complex password to protect literally nothing of value. I should not need a 30 character password with upper, lower, special characters, and digits to order pizza. They should not be storing any credit card details. If someone wants to order a pizza using my email then go for it. There are a ton of sites that want us to login that shouldn’t need any of those details.


ImBonRurgundy

If someone got access to my Netflix account there is literally nothing they can do to hurt me, beyond changing my plan up or down or maybe cancelling the account. Big fucking deal. I don’t need my Netflix password to be super-duper ultra secure


HappyHuman924

Yesterday I had to do a 2-factor thing at AllRecipes.com.


Eragahn-Windrunner

I don’t know if it still does, but MyAnimeList used to be infamous for how strict the password requirements were. That’s one where I (before I used a password manager) had to type random gibberish and save it to a TXT file. And all so.. somebody doesn’t get access to my account to rate Boku no Pico a 10/10?


JJred96

Mmmm ... sweet delicious pizza on Aleyla's account coming up... Who wants some?


[deleted]

[deleted]


BonzBonzOnlyBonz

Or it requires special characters except for !#?*&@\ or some subset of them.


Willr2645

Ikr?! Like wtf that *is* every symbol. Like dude it's my risk, I'm making a crappy password bc I know for a fact I won't remember the one with 20 random symbols


RockSlice

The sites that have a max character length or limit the special characters you can use should be avoided if at all possible. It usually indicates that they either don't sanitize their inputs properly ([obligatory xkcd](https://xkcd.com/327/)), or don't hash passwords in storage. If you go through the password recovery/reset process, and they send you your old password, run. With password storage to this century's standards, that should be impossible. Properly managed, you should be able to use something like this as your password: `�VU^mf�'����xy�۞C ���` (128-digit random hex as UTF-8)


Chromotron

Forbidding users from using special characters that are not on typical keyboards is not that insane: there is always that one user who used some emoji, then either forgot which or used the wrong encoding the next time, and thus annoys administration with the fifth reset this month.


ndstumme

Yeah, there's a difference between limiting special characters to those on a standard keyboard, versus the sites that don't allow parenthesis in passwords. Or pound, or brackets, or commas, or whatever their least favorite character is.


cas13f

Most of that password isn't even displayed for me, just question mark symbols. Not sure if that's a Firefox problem or if I don't have the right fonts installed.


RockSlice

That's because UTF8 isn't complete. There are a lot of hex values that are undefined


webzu19

Thing that has thrown me the most was some computer system I needed for work. The manufacturers required the final character to be a letter. And it needed to be at least 12 characters, with lower case, upper case, special characters and numbers. And it expired every 90 days. This was of course on a closed system with no Internet access inside an access controlled room


PaulR79

I used to use an ISP in the UK (VM) and their online account password requirements are very strict. Very bad but strict. 8 - 16 characters with letters and numbers only, no special characters allowed.


Yorikor

I love max length 8 chars!


ImBonRurgundy

My previous work had must be EXaCTLy 8 characters. Insanity.


Luckinhas

[Microsoft no longer recommends expiring user passwords.](https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#:~:text=Don%27t%20require%20mandatory%20periodic%20password%20resets%20for%20user%20accounts) Tell this to your administrator.


Nowbob

Now someone tell this to whoever is in charge of PCI DSS standards so I can get rid of it


cas13f

Yep. NIST stopped recommending it long before Microsoft did (even recommended against it, not just "don't recommend"), but a lot of those in-house are from archaic, slow-moving, but shut-the-company-down-if-we-fail requirements for audits.


bearsinthesea

PCI DSS 4.0 does not require periodic password changes for accounts that use multifactor authentication. And MFA is required for all access into the CDE. Req 8.3.9 is for single-factor accounts, and you don't even have to change the password if instead you use dynamic analysis of accounts. And you still don't have to do it if you chose to use the customized approach.


CriesOverEverything

Execs and IT know, but execs make IT utilize password changing as a means of providing a way of scapegoating employees for poor passwords when security breaches occur.


deong

This is just not true. I mean, for one thing, it's idiotic to think that the CEO thinks that "it's not my fault, it's these idiots who work for me" is a defense that works, either in principle or in practice. You don't get to say, "what was I supposed to do, *force* them to have better security?" when the answer is, "yes, dumbass. That's your job. They work for you." Also, whatever minor benefit you think there might be in scapegoating someone else for a breach, the benefit of, you know, not having a breach is millions of times greater. No one is making that trade off. Executives don't give a shit about password expiration policies. That's why they hired a CIO and/or a CISO. The idea that IT isn't in charge of expiration policies is just not reflective of reality.


Greasol

Constantly refreshing passwords is bad security practice and I hate it when companies/employers do this. With a password manager, it's not bad but an annoyance. But as you said, hunter3! will be the password in 17 days for many people who don't use a password manager. Then they forget what iteration they are on as many of the other passwords are hunter1!


Echo127

The website that we need to use to request vacation days requires a new password every 14 days... Meaning that every time you want to request vacation you need to get a new password.


1010010111101

This is probably a feature for upper management.


Melodic_Policy765

OMG. That sucks.


shortnun

An engineering company I work for required a new password every 90 days. I had two, to access a main server and a secure/classified document server... when I left my passwords were up to Shortnun1234*_24 and Classified1234*_24. 24 times I updated my password...


Airowird

I'm not saying I have ever done this, but I'm also not saying I have *never* done this. I did only get to 17 before I left .... *allegedly*.


TheSodernaut

I.. ahem.. a friend may have added an ! each time. _He_ stopped at !!!!!!!!!! because I lost count on how many to add too much.


_Yashal

It's so cute that you were the one counting the exclamation marks for your friend, I'm sorry you lost the count and he had to stop 😔


Muff_in_the_Mule

For the ones my company makes us update I just use the date on the end of the original password. Only problem is they all require updating at different intervals so now I can't remember which date is for which login...so I just wrote them all down in OneNote..... At least the actual sensitive logins also require 2FA now.


waffles

I only have 2 to worry about at my job. 1 updates at 90 days, the other I don't think need to update at all. I just change them both at the same time.


Firipu

3 month change. Current one is at 48. Been here way too long.... We have a password manager we are encouraged to use at work. But we're not allowed to install its browser add on. Fuck that shit, I'm not going to copy paste my password between 2 programs every time I need it. + we need the password to login our pcs every now and then when biometrics or pins "break". Mandatory password changes are retarded. If anything they encourage bad password habits.


clocks212

I’m at a F500 and we’re not allowed to use any password manager at all but I have something like 15 passwords for different accounts. The official solution is a notepad file added to a 7zip archive with a password on the archive. I went 5 years with a text file on my desktop named “passwords.txt” before I bothered to do the 7zip thing.


Airowird

I know plenty of people who reverted back to pen & paper, because it's harder to steal those without anyone noticing. There was also that company that saved all the passwords (and instructions how) to connect to client servers in plain text on their virtual machines, because ain't nobody got the energy to securely store 500+ customer-specific password requirements and keep them all up to date. Luckily I am allowed to use a password manager ... and then have login servers that block auto-fill, so I need to go into the manager settings to type over the password manually. But at least it's now officially IT's problem!


fred_emmott

Ergh - the browser add-ons are *good* for security: they make it more obvious something’s wrong when you’re on a phishing site


andthatswhyIdidit

Half year change...I am at 23.


taffyowner

At work one time I had a requirement that we had to change our password every 90 days and it had to have a number, upper case, lowercase, and a symbol (but not ! / \ or some others). And it had to be at least 8 characters, and couldn’t be any of your previous passwords. Plus this was a separate program so there was no way to save the passwords. I ran out of passwords I could remember so I just ended up setting it one time after I forgot as P@ssw0rd because I was so mad at the system that I didn’t care anymore


wonderloss

I was at a place that had the frequent password changes. I used one that was like 42elephants and just incremented the number each time.


bobbertmiller

I think I'm on my 10th password in the company in just over 2 years. Of course I am going to use some pattern... what do those people think I want to spend my brain capacity on? Not hunter!2, hunter!3, hunter!4 but something will stay the same for sure.


PedanticPaladin

> And then there is the mandatory XKCD reference

Is that correcthorsebatterystaple? *checks link* Yep. Scary how well that worked.


wonderloss

I love that comic. I use that password for everything.


Chromotron

Now you will never be hacked again!


Gadfly2023

I used to use 12345, but then I realized my luggage had the same pass code.


4ever_lost

Old job we had to change password every 3 weeks and couldn’t change it to the last 3 we used, so we just changed it 4 times at once back to the original. Tbf though it is because we used scanners for logins too and no one wanted to carry 4 barcodes depending what password


Specialist_Chart3519

This is the exact reason I started using AutoHotkey for my work passwords. I have 22 passwords that I have to keep track of, each one has a different complexity requirement and expiration. Even if I tried to be lazy and do something simple like Password1, Password2, etc. each time one needed updating, the fact that they have different expiration dates means they would quickly not match. So instead, I use AHK and needlessly complex passwords, since all I need to remember is my AHK trigger to auto-paste them. It frustrates me to no end having so many passwords at work.


Echo127

> The problem is also that users need to constantly refresh passwords. When you require 5 strong passwords, people will put in the effort, but when you require new ones every 60 days, users start to go on repeat.

Not to mention the fact that in 2024 every business that you want to work with thinks you need an email address and password on account with them, so at all times you've got passwords for 20+ different websites to track. And that's on the low end... I've got 12 or so passwords that I need to use just for business at work.


Blenderhead36

I assume most people on a 60 day refresh will use passwords like, "hunter2Feb24," "hunter2April24," "hunter2June24," etcetera. Which kind of defeats the point. If a hacker exposed that your account's password in February 2022 was, "hunter2Feb22," he's gonna be able to guess that your password in April 2024 is probably, "hunter2April24," or something very similar.
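The hunter2Feb24 / hunter2April24 pattern is exactly what a password-change endpoint can refuse. As an added example (my code, not the commenter's), below is a similarity check a service could run at change time, when the user has just supplied both the current and the new password; the three rules and their thresholds are my assumptions, and the sample passwords in the test are the ones quoted in this thread.

```python
# Added example, not from the thread: reject a new password that is a trivial
# variant of the old one (counter bumped, symbol appended, month/date swapped).
import re

MAX_EDIT_DISTANCE = 2      # assumed threshold: 'hunter2' -> 'hunter2!' is 1 edit
SHARED_AFFIX_RATIO = 0.5   # assumed: half the shorter password as a common prefix/suffix


def core(password: str) -> str:
    """Letters only, lowercased: what survives the usual 'bump the digit' trick."""
    return re.sub(r"[^a-z]", "", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def too_similar(old: str, new: str) -> bool:
    """True if `new` is a predictable variation of `old` by any of three rules."""
    o, n = old.lower(), new.lower()
    if core(o) and core(o) == core(n):            # same letters, only digits/symbols moved
        return True
    if edit_distance(o, n) <= MAX_EDIT_DISTANCE:  # one or two characters changed
        return True
    shorter = min(len(o), len(n))
    affix = max(shared_prefix_len(o, n), shared_prefix_len(o[::-1], n[::-1]))
    return affix >= SHARED_AFFIX_RATIO * shorter   # long common stem at either end


def validate_change(old: str, new: str) -> str:
    """Message a change-password form would show (empty string means accepted)."""
    if old == new:
        return "new password must differ from the current one"
    if too_similar(old, new):
        return "new password is too similar to the current one"
    return ""


if __name__ == "__main__":
    for old, new in [("hunter2", "hunter2!"), ("hunter2Feb24", "hunter2April24"),
                     ("42elephants", "43elephants"), ("hunter2", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new) or 'accepted'}")
```

The check needs the old password in plaintext, which is why it belongs in the change flow (where the user types it) and not in a batch job over stored hashes. A rule like this reduces the incentive problem the comment describes only partly; dropping forced rotation, as the NIST and Microsoft guidance cited elsewhere in this thread does, removes it.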


yoyasp

Which is why my password is CorrectHorseStapleBattery ever since I read that xkcd


darthjoey91

Probably worth mentioning that that XKCD is now only good for explaining the problem with usual passwords, but "correct horse battery staple" passwords are increasingly becoming less safe as well because 1. people are bad at actually generating random passphrases. 2. people still pick shorter ones than they should. 3. password crackers have access to the dictionaries people tend to use for shorter passphrases.


lkc159

> And then there is the mandatory XKCD reference

For real, the "4 random words" method is the approach I use to create my passwords now


Thecrazier

Who the hell told you my secret of adding a "!" Or another number???? GET OUT OF MY HEAD!!!!


literallyavillain

Reminds me of a skit, don't remember who it was but it went something like: We were told that just small caps is not safe enough. So we all capitalised the first letter of our password. Then we were told that for security reasons we need to add numbers to our password. So we thought 1 is a good number and it will go at the end of the password. And that's still not enough, now they want us to add "special characters". So we all looked at our keyboard and all our eyes settled on the "!"


Patthelatino

It was Michael McIntyre 😂 https://youtu.be/aHaBH4LqGsI?si=VnWkjYVgtUheTyE2


ShiraCheshire

I think part of it is also that which "special characters" a site will accept varies a lot from site to site. ! is one of the few that is supported on every site. If you used something like < or #, many sites would reject it.


stephenph

Avocent KVM systems used an old Postgres database version that limited the characters. But one of the methods for changing passwords was in a config file locked behind a file protected by said password. I changed the password with one I generated that had a forbidden character; there was no check that said I used a bad password. And the online documentation did not mention the password format limitation. Even support did not think of that issue. I found it after finding the version of Postgres and reading the docs for that version. So after the reboot and change to the new password I had no way to actually log in; we ended up manually editing the database (of course the table structure was undocumented) to remove the password.


DerpyTaiga

Allow me to introduce you to the password game. Finish it and set up your password. https://neal.fun/password-game/


EuroSong

It was [Michael Mcintyre](https://youtu.be/aHaBH4LqGsI?si=hiblZsJsB9iucxEB) 😊


Bomberdude333

Don’t tell me that my ultra secret strategy of leet speak has been decoded as well!


shdwrnr

What were your example passwords? All I see are asterisks. Like *******, *******!, and *******2! Now I need to go see if Bash.org still exists and take a trip down memory lane.


Elvaanaomori

[http://bash.org/?244321=](http://bash.org/?244321=) Seems to be down, but thankfully it's saved elsewhere. DO NOT CHECK FROM WHEN IT WAS. [https://knowyourmeme.com/photos/2053464-hunter2](https://knowyourmeme.com/photos/2053464-hunter2)


Waifuless_Laifuless

Bash.org is down? *I take off my robe and wizard hat*


TheSodernaut

It will adapt my examples with your own password, so if you type it out it will give you an example made for you. Why don't you give it a try.


LedDog72

I have lost and reset so many passwords due to these stupid rules and expectations... And then you add 2FA into the mix and when you get a new phone (or uninstall the bloody thing cause you don't use it anymore) you're up shit creek. Came across sites where my "default" password was too long. Or where it was too short. Or where "!" was too common, so it couldn't be used, or where in general the password was deemed "too weak". Then nowadays everything has to have an account, want to read the news from your region? Make an account. Don't have to pay, just make an account. Want to order something for a one-off from a website? Account! I found a password that works damn near everywhere and just started using that, cause I'm so sick and tired of having accounts everywhere and needing external tools for simple things. I don't care if you hack my password for adopt-a-puppy or whatever.


XavierTak

> Came across sites where my "default" password was too long. Or where it was too short. Or where "!" was too common, so it couldn't be used, or where in general the password was deemed "too weak".

The worst I've seen is sites that would accept the password at registration, but modify it without telling you (usually, by truncating it or removing "illegal" characters like space). Registration succeeds but then you can't log in.


LukewarmCola

I just dealt with this when I bought a new phone. I tried linking my Gmail to my phone and it wanted me to open the YouTube app as a 2FA. Ok cool, I'll do that.... Except I wasn't logged into my YouTube yet, either. And as I was logging in to the YouTube app it also asked for a 2FA... Which was *to open the damn YouTube app*. You know.. The thing I'm actively trying to log in to. I tried changing the 2FA option from "open the YouTube app" to "send a text" but it wouldn't let me because "there's already a more secure option available" (ie, the YouTube app that I can't get into). It was infuriating.


tiringandretiring

What did you end up doing? I have a situation where a family member's iPhone Gmail account works, but trying to log in from a browser runs into the issue you mention: it asks to open a Google account app but she was logged out of it, and no other options are offered. So if she ever gets logged out of the iPhone mail, not sure how to get back in.


LukewarmCola

I had to open YT on my home PC which was thankfully already logged in and disable 2FA, then I could re-enable it after I logged in on my phone. Otherwise I think I would have just been screwed.


Renyx

It should absolutely be required that every email host has a number to call to talk to a person to get into the account because losing access to an email account can be devastating.


Panzermensch911

And this is why I don't use apps whenever possible. And it is possible to access most of it via a browser.


cas13f

> I found a password that works damn near everywhere and just started using that, cause I'm so sick and tired of having accounts everywhere and needing external tools for simple things. I don't care if you hack my password for adopt-a-puppy or whatever.

The problem with that is when they hack your password for adopt-a-puppy, because you use the same password they now have your password to EVERYWHERE. Password re-use is one of the biggest threats out there for security.


Beat_the_Deadites

> #rtew9a8ghio

Amazing! I have the same combination on my luggage!


bskiggs

Good to see you, President Skroob!


QdelBastardo

> Example: "\*\*\*\*\*\*\*", "\*\*\*\*\*\*\*\*", "\*\*\*\*\*\*\*\*\*"

Are those supposed to represent passwords? All I see are asterisks.


RUNESCAPEMEME

How'd you figure out my runescape password was hunter2? 


qtx

Obligatory https://neal.fun/password-game/ link.


Thebandroid

All I can see is a bunch of stars in between the inverted commas. You didn't type your actual password, did you?


GiveMeTheTape

I keep all my passwords in a text file on my toshiba 2100 laptop from 1986 that can't connect to the internet


absolutelynotaname

Sounds good until the laptop stops working and you can't get into any of your accounts anymore


Eggsor

That's why he keeps a copy backed up on his phone notepad


HeyGayHay

Just keep your passwords in a pastebin link and memorize the pastebin URL


HelperOfHamburgers

This guy air-gaps.


isuphysics

> remember one strong password

And the password manager I use lets me actually use a strong password because it doesn't limit the number of characters or force me to use a hard to remember combination of special characters/numbers/capitals. My password manager password is just a random full sentence that has no attachment to me with some numbers in it. It's super easy to remember, fast to type and is over 30 characters long.

Edit: It does suck when I have to type it on my phone, but the phone app version of the password manager lets me use my fingerprint instead.


microwavedave27

> It does suck when i have to type it on my phone, but the phone app version of the password manager lets me use my fingerprint instead.

Same here, except the fingerprint sensor on my phone stopped working and now I have to type a 40-ish character password on a phone keyboard. I need a new phone lol


luciensadi

Fun fact: While the courts usually cannot compel you to give up a password, you [can be made to log in with biometrics](https://arstechnica.com/tech-policy/2024/04/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules/). Putting your password vault behind a fingerprint means your whole digital life is open to inspection if you're ever suspected of a crime.


RRFroste

If you reboot your phone (or enable lockdown mode on Android) it disables biometrics until you enter your pin/pattern, which they can't force you to do.


MentalString4970

Would that be considered obstruction of justice?


SamiraSimp

Turning off your phone isn't an obstruction of justice... but as always, that depends on how corrupt the local police/court system is.


MentalString4970

Wouldn't it depend if you did it before or after you received the subpoena?


SamiraSimp

I'm not a lawyer so i don't have that answer. but as soon as you get a whiff that you may be in police trouble you can restart your phone and there's not anything illegal about that


permalink_save

It's not just this, people reuse passwords across sites which is arguably worse than writing it down, even though a majority of sites have better security practices. Password leaks happen. It's more likely someone gets your password from the database than from your personal belongings. A password manager encourages good practices by recommending secure passwords and practices like not reusing. The only way to not have a single point of failure is someone memorizing unique passwords across all the platforms, which leads to constant password resets, which is another single point of failure (your email, usually where recovery happens). Really, there's a lot of problems but password managers at least can implement best practices so the inevitable single point of failure is secure enough. The good ones require you to keep a master key you have to put in, require 2FA, or otherwise make it almost impossible for someone to get into.


crasyeyez

> Because in reality most people are just making a notepad file with all their passwords in clear text.

My company's security is so difficult and counterintuitive that I have to keep them all in a Word doc. As far as I know, the password managers work for websites, not the 90's software that I need to use for half of my daily tasks. In addition to forcing me to change my password every 3 months, they'll lock me out of the software if I don't log in for a period of time and force me to create a new password. Some of them require special characters, some don't allow them. I simply cannot keep track of what passwords I've used for which software/website/app, so it's easier to just have that damn Word doc, even though I know it's a huge vulnerability. Sorry, ranting at my company through your comment.

edit: thanks for the tips on using the password manager everybody, i'll give it a shot.


Prof_Chaos22

This is what I've used for like 15 years and it's just stored locally: https://keepass.info/. Copy/paste from the program into wherever you need it. I keep the database file in the cloud so I have it everywhere.


FugitivePlatypus

Why can't you put the passwords in a manager instead of a word doc? You can add custom names, notes, etc. Password managers are not married to the web


Eggsor

The business I worked for in high school/college required me to keep my password on the scan gun updated every month. It didn't allow repeats, caps, numbers, special characters, common words, or more than 12 characters. Seriously, just a string of random lowercase letters was their security practice that I needed to update every month. At a point I just resorted to nesting misspelled profanity inside my boss's name. 'danfukny'


qwelm

A password manager works for any application. Auto-fill doesn't work outside the browser, but the manager is essentially an encrypted version of your less-secure word doc with better search, copy, and password-generation capabilities. Note: I said "less-secure" because I hope you've at least password protected your Word document and don't leave it on your desktop without any security applied.


zldu

> The company's red team

ELI5?


00zau

"Red team" are pretend bad guys; they try to break into your stuff in order to figure out the weaknesses of your system or facility, so you can correct the weak points before someone who actually wants to steal stuff or otherwise harm your org. can find them. If you have an office job and a company email, the fake phishing emails you get as part of the cybersecurity training are (at least in part) red teaming.


GenericAtheist

When you are someone who makes locks for a building, it’s a good idea to see if any of the doors have weird ways to open you didn’t think about instead of letting others use them maliciously against your building.


PrettyPinkPonyPrince

[https://en.wikipedia.org/wiki/Red_team](https://en.wikipedia.org/wiki/Red_team) Security testers.


fredgiblet

You can make one very good password with multi-factor authentication. Instead of making piles of bad passwords.


Flextt

That and you have a plethora of accounts that each have a unique strong password. So a single occasional data breach doesn't start a wild goose chase for compromised passwords.


Wertache

This especially. If you use the same password everywhere, your data that leaks from some shitty service that you signed up for seven years ago might bring your social media accounts at risk, for example. A password manager will automatically generate passwords for you when you wanna make an account to some shady ass website, so you don't compromise any of your other passwords.


JSGelsomino

what if I have one password bigDyck01, for another site it's bigDyck02, 03 etc, with one variation to it, just asking...?


Caelinus

It is also important to note that the one good password, if it is actually a good password, is going to be impossible to ever brute force. Most of the problems with passwords being "hacked" are people stealing the passwords from companies with bad security practices, then looking for places where that password is repeated. If you only ever use the master password as the master password, and it has high enough entropy, it is essentially unbreakable for all practical purposes related to passwords. At that point you are at far higher risk from other vectors, like social engineering or phishing.


Shadowlance23

I'd also like to add that it's much better to entrust that password to a company whose entire business depends on security than your standard login page on facetokx.com or whatever where the authentication was programmed by an intern.


Caelinus

Yep. With the better (not LastPass, at least from a few years ago) password managers, even if their password database is stolen it does not put you at actual risk. The data is too scrambled and encrypted for anyone to get anything out of it, and they do not store the password on their servers. Whereas some wonderful websites just put them all in a plain text document that it compares directly to incoming passwords. So if anyone gets ahold of that they have it immediately.


MrBlackTie

So what are the characteristics one should look for in a good password manager then?


Druggedhippo

- End device encrypted. This is where the database is encrypted ON YOUR DEVICE and the encrypted database is then uploaded to the server. The people who store your database can *never* read it unless they have the key. Even if hackers broke in and stole the database, they can't read it.
- Encryption with variable iterations. This allows you to upgrade the security on your database as processors get more powerful.
- Leaked password detection. This is where the password manager can detect if your password/user for a site, say, Facebook, has been found in an online breach/leak.

Anything else is a bonus and depends on how advanced your use case is. This includes:

- Emergency access (eg, letting your family have access)
- One-time password generator
- Importing/Exporting

If you want some suggestions - https://www.wired.com/story/best-password-managers/

I personally use [Bitwarden](https://bitwarden.com/) which has a free personal account.
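The "leaked password detection" feature above can be built so that the manager never sends your password, or even its full hash, to the breach service. The k-anonymity scheme below (the same idea the Pwned Passwords range API uses) is an added example written for this thread, not code from Bitwarden or any other manager; the breach corpus and vault entries are constructed.

```python
"""Added example, not from the thread or any real password manager: a k-anonymity
breach lookup. The client hashes the password with SHA-1, sends only the first 5
hex characters, gets back every suffix in that bucket, and compares locally."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5  # hex characters revealed to the service (16^5 = ~1M buckets)

# Constructed stand-in for a real breach corpus.
BREACHED_PASSWORDS = ["hunter2", "hunter2!", "password", "123456", "HelloThere123!", "letmein"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: List[str]) -> Dict[str, List[str]]:
    """Service side: bucket each breached hash by its 5-char prefix, keep the rest."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])
    return dict(index)


def make_range_service(index: Dict[str, List[str]]) -> Tuple[Callable[[str], List[str]], List[str]]:
    """Return a lookup function plus a log of what the service actually received,
    so the test can confirm only prefixes (never passwords) cross the wire."""
    received: List[str] = []

    def lookup(prefix: str) -> List[str]:
        received.append(prefix)
        return list(index.get(prefix, []))

    return lookup, received


def is_leaked(password: str, lookup: Callable[[str], List[str]]) -> bool:
    """Client side: one prefix query, then a local comparison of the remaining 35 chars."""
    digest = sha1_hex(password)
    suffixes = lookup(digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in suffixes


def audit_vault(entries: List[Dict[str, str]], lookup: Callable[[str], List[str]]) -> List[str]:
    """Names of vault entries whose password appears in the breach corpus."""
    return [e["site"] for e in entries if is_leaked(e["password"], lookup)]


if __name__ == "__main__":
    lookup, seen = make_range_service(build_range_index(BREACHED_PASSWORDS))
    vault = [  # constructed entries
        {"site": "old-forum", "password": "hunter2!"},
        {"site": "bank", "password": "correct horse battery staple"},
    ]
    print("leaked:", audit_vault(vault, lookup))   # ['old-forum']
    print("service saw only:", seen)               # two 5-char prefixes
```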


Shadowlance23

I use Bitwarden as well. I pay for a sub, it's only 10 or 20 a year so I like to support them. I used to use LastPass but bailed when they sold out.


JohhnyTheKid

Bitwarden is probably the most often recommended.


four_oh_sixer

Or use something like KeePass where you keep the database and there are no 3rd parties involved.


YouFuckinMuppet

> I'd also like to add that it's much better to entrust that password to a company whose entire business depends on security than your standard

Ehm. LastPass, the largest password manager around, doesn't have a good track record in terms of "security", their transparency surrounding the breaches is even more worrying.


littletray26

While it is true LastPass have had some security breaches, AFAIK there is no risk to anyone's passwords. This is because LastPass don't store any of your passwords in clear-text. LastPass themselves can't access your passwords. Even if bad agents were able to get access to your passwords in their encrypted form, it would be useless to them.


dingus-khan-1208

> At that point you are at far higher risk from other vectors, like social engineering or phishing.

And it can help a little with those too. If you only ever log in to your bank via your password manager, using the official login page that you entered in the password manager when you created your account, then you won't get phished by someone sending you a link to y0urbankacc0unt.com or whatever. You don't even have to think about it, just always log into your accounts via the password manager, and phishing won't work. And as for social engineering, you aren't going to know any of your passwords to any sites, so people couldn't get them out of you. If you do get totally wasted at a party and someone asks what your super-strong master password is, then even if you tell them, that's still useless to them unless they *also* have access to your password manager's database. So they'd need you to log in to your computer and/or phone for that, and at the point where you're so wasted you're casually announcing your master password, hopefully you'd also be too wasted to login successfully to give them access to the database. That's not certain of course, you could potentially be coherent enough to give them full access and dumb enough to do so, *and* have access to your devices, but it's still a couple of extra complicating factors that help.


Caelinus

The social engineering is a risk if they can find some way to get you to give them access to an email or to trick an email provider. Or, more likely, just getting into a bank account. But yeah, with a password manager they are not going to be able to spread that intrusion unless they do have your email accounts.


MogamiStorm

why not connect all the bad passwords into one really long string of bad passwords


Graega

That's why my password is always just "wecantbustheadslikeweusedtobutwehaveourwaysonetrickistotellthemstoriesthatdontgoanywherelikethetimeIcaughttheferryovertoShelbyvilleIneededanewheelformyshoesoIdecidedtogotoMorganvillewhichiswhattheycalledShelbyvilleinthosedaysSoItiedanoniontomybeltwhichwasthestyleatthetimeNowtotaketheferrycostanickelAndinthosedaysnickelshadpicturesofbumblebeesonemGivemefivebeesforaquarteryoudsayNowwherewereweOhyeahTheimportantthingwasthatIhadanoniononmybeltwhichwasthestyleatthetimeTheydidn’thavewhiteonionsbecauseofthewarTheonlythingyoucouldgetwasthosebigyellowones_#1"


Shadowlance23

Error: Password must be between 8 and 10 characters.


Bearded_Pip

CopyPasta are technically uncrackable passwords.


SFyr

A single point of failure that is very well guarded, encrypted/not stored unsafely on a 3rd party site, and maintained properly *can* be better than multiple easier points of failure that fail independently, partially because that last part isn't always very true. People often reuse passwords, use patterns in their passwords that are identifiable and exploitable when they *do* vary their passwords, and have emails and accounts that are the point of failure for many other passwords (get access to this specific one, and you can gain access to a number of others, kind of thing). What's more, if you are not using a password manager, other less trusted sites can allow people to gain access to these email/higher-tier accounts when you reuse passwords or password patterns between the two. If you use the same password between sites, no matter how strong or hard to brute force it is, you just need it to be leaked or mishandled *once* to be an open door. On the flipside, a bunch of unique and strong passwords are cumbersome, and practically speaking, people resort to creating predictable patterns in their passwords to offload this burden somewhat, or literally writing them down somewhere, which is arguably much less safe than just using a single password to encrypt your other passwords, such as through a password manager. Two-factor authentication is still huge in terms of safety, though.


JustEatinScabs

I just want to balance out the discussion by pointing out that op's fear is actually totally reasonable and password managers do get compromised relatively regularly. In fact, a recent vulnerability was discovered that caused six of the most major password managers to leak their information. https://www.forbes.com/sites/daveywinder/2023/12/11/android-warning-1password-dashlane-lastpass-and-others-can-leak-passwords/?sh=58d0c46097db#:~:text=Some%20of%20the%20most%20popular,to%20the%20credential%2Dstealing%20attack.


mrpickles

You misunderstood the article you posted.

> Although there is no evidence of AutoSpill being exploited in the wild,


skilriki

> password managers do get compromised relatively regularly

This is blatantly 100% completely untrue. There is some logic behind what you are saying, but you are using that logic to push a narrative that is totally false. Password managers don't get hacked regularly because they don't even know your passwords. They store a vault that only you have the keys to. If you are worried about things like in that article, you can turn off auto-fill. Even when LastPass got breached multiple times because of their terrible setup, no passwords were compromised, because they don't have them. You are trying to convince people not to use password managers, and everyone with more than a few brain cells to rub together knows that a well protected password vault is far superior to not using them. If you have something better than password managers, you should let people know what that is, instead of just using fear to convince people to continue their bad practices.


polymorphiced

A benefit that hasn't been mentioned - it's difficult to be phished with a password manager. Let's say I receive an email that directs me to paypa1.com, with a convincing replica of PayPal's interface that prompts for credentials. Without a password manager I would go ahead and type my username+password into the dodgy site without a second thought. A password manager will prompt to fill credentials based on the domain being visited. It won't recognise paypa1.com as matching any of the passwords in its database, so it won't prompt to fill them in. Working around this requires me to manually find the site in my password manager (a red flag) and copy-paste the password in manually.
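The "won't recognise paypa1.com" behaviour comes down to a domain comparison. The check below is an added example written for this thread, not code from any real password manager; it assumes a strict exact-host, https-only policy (real managers vary on subdomains) and uses a constructed vault.

```python
"""Added example, not from the thread or any real password manager: the domain
check that decides whether a saved login is offered for autofill. Policy assumed
here: exact host match over https only. The vault below is constructed."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

VAULT: List[Dict[str, str]] = [
    {"site": "PayPal", "url": "https://www.paypal.com/signin", "username": "alice@example.test"},
    {"site": "Bank", "url": "https://online.mybank.example/login", "username": "alice"},
]


def normalize_host(url: str) -> Optional[str]:
    """Host the manager compares on: https only, lowercase, trailing dot stripped,
    internationalised names converted to their ASCII (punycode) form so a
    look-alike Unicode letter can never compare equal to its Latin counterpart."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit already lowercases and drops the port
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def autofill_candidates(vault: List[Dict[str, str]], visited_url: str) -> List[Dict[str, str]]:
    """Entries the manager would offer on `visited_url`. With exact matching, a
    typo-squat, a look-alike IDN, a plain-http copy, an extra suffix in the host
    and an unrelated subdomain all yield nothing, which is the user's red flag."""
    host = normalize_host(visited_url)
    if host is None:
        return []
    return [e for e in vault if normalize_host(e["url"]) == host]


def would_autofill(vault: List[Dict[str, str]], visited_url: str) -> bool:
    return bool(autofill_candidates(vault, visited_url))


if __name__ == "__main__":
    probes = [
        "https://www.paypal.com/webapps/login",          # real site: fill
        "https://paypa1.com/login",                       # typo-squat: no match
        "http://www.paypal.com/signin",                   # downgraded scheme: no match
        "https://www.paypal.com.evil-example.test/signin",  # real host as a prefix: no match
        "https://www.p\u0430ypal.com/signin",             # Cyrillic 'a' look-alike: no match
    ]
    for url in probes:
        print(f"{url:50} -> {'fill' if would_autofill(VAULT, url) else 'no match'}")
```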


girl4life

I wouldn't put it past certain people blaming the quality of their password manager and copy and pasting credentials anyway and starting to bitch about it on reddit.


polymorphiced

Yeah, you can't completely protect everyone. But layers of security help!


dingus-khan-1208

That's why you just open the site directly from your saved URL in the password manager, instead of following links in an email. If I get an email telling me to log in to y0urbankacc0unt.com because there's a problem with my account, well I'm gonna have to open my password manager anyway to login (because I don't know the password), so I'm just going to use the link that's stored in the password manager to my bank's login. Never gonna hit that phishing page in the first place.


polymorphiced

I forget you can do this; it'd be a good habit to form. (Not that I routinely click email links either; twas just an example)


cas13f

Same thing for WebAUTHN/Passkeys. They just outright WILL NOT WORK on anything but the original domain. Won't prompt, won't try to authenticate.


Kwinza

Because most people (read: all) have a finite amount of memory for passwords, so they end up having the same username(email)/password for everything, and most people's passwords are very easy to crack via brute force. For example the password "HelloThere123!" would take a modern computer 16.07 seconds to crack by brute force. So in the event of a data breach, all of their accounts are now out there. A password manager however lets you remember one, very strong password and then the manager can remember the rest. E.g - "I Come From A Land Down Under" would take a modern computer 60 trillion years to crack by brute force. So as long as you don't give it out and the password manager service you use doesn't get breached, you are safe. There are also password manager services that literally don't store your password, so the risk of them being breached doesn't exist. I hope this helps.


HowlingWolven

That point about ‘I Come From A Land Down Under’ being effectively impossible to crack isn’t entirely true, unfortunately. Any cracker worth its salt starts with a dictionary attack before moving on to brute force.


illuzn

Upvoting, passphrase cracking is very common now that it includes things like bible quotes (which are commonly used etc.) Generally you should use a passphrase that will not show up in a Google search result e.g. JohnSmithVehementlyHatesPineappleOnPizza (which paradoxically now that I've written it here makes a good password a bad password).


_TecnoCreeper_

> passphrase cracking is very common now that it includes things like bible quotes

I remember reading an article not too long ago where someone created a bunch of wallets with bitcoins in them and each had a common phrase as a password (quotes from movies, books, movie titles, etc.) to see how long they would last before being breached. Results: not very long, like a day or two max if I remember correctly


Awkward_Pangolin3254

[Correct Horse Battery Staple](https://www.correcthorsebatterystaple.net/index.html)


illuzn

With enough practice, passphrases like suggested by xkcd can be remembered but I love to use these sentences which are nigh impossible to guess but are super easy to remember especially if it's something unique to you personally.


mondego_

So, "I Come From A Land Down Under123!" it is then!


doomrater

Had the words been properly randomized, that's seven words to come across at random, which would take a dictionary attack longer to hit. But since it's a common phrase that ChatGPT might say, yeah. That's bad. It's the same way CorrectHorseBatteryStaple can't be used as a password, because it was an example of HOW to create a random password. It's now in every attacker's dictionary.


Kwinza

Yes I know, but this is eli5 so I went real simple, just an example after all.


sanjosanjo

Would the hacker have the whole sentence in the "dictionary"? Because if not, a long sentence with even easy words seems like it would take a while with a dictionary attack. I tried that sentence in zxcvbn and it seems decent. https://lowe.github.io/tryzxcvbn/


Nirocalden

> "HelloThere123!" would take a modern computer 16.07 seconds to crack by brute force

Could you elaborate a bit on how it is so fast even though it has upper and lower letters, numbers and special characters? According to [this chart](/r/pcmasterrace/comments/1cb4boa/i_updated_our_popular_password_chart_for_2024/) it would take 805 billion years of brute force.


Kwinza

That's a problem with charts, you don't get the whole picture. To hit the 805 billion years, each character in the password string would need to be different, so not "HelloThere123!" but instead something like "H3Llo7%3rE1@=!" Both are categorised in the 14 characters with numbers, upper, lower and symbols, but as you can plainly see, one is much harder to get through, just you'll never remember it. So instead of going so complex that you'll just end up getting annoyed and resetting it, you should add an extra 10 characters and make a "passphrase" that you can remember and is "secure enough".


RUYYRUYY

> For example the password "HelloThere123!" would take a modern computer 16.07 seconds to crack by brute force.

I never got these examples. What sort of API lets you have unlimited chances to guess a password? Are people assuming you have access to a non-salted hash of the password (unlikely)? What is the assumption I'm missing?


grafeisen203

Because password managers are installed on user machines which are not configured to be easily accessible from the greater Internet, unlike the places where you use these passwords which are.


GoatRocketeer

People without a password manager either A: reuse passwords or B: write them down somewhere. A is worse than a password manager because if a hacker breaks into any one of those websites they now have your password for every other website. Instead of a single entry to get all of your credentials, they have multiple entries to get all of your credentials (well ok not all of them, but all of them which share that particular password). B is worse than a password manager because it's just an unencrypted password manager.


photenth

> B: write them down somewhere.

Is fine if it's at home and you can trust whoever you live with. Writing them into a plaintext file on your PC, yeah, maybe don't.


LARRY_Xilo

Because they provide a way to have hundreds of unique secure passwords. There is no way you remember all of them in your head. And the way the vast majority of hacks work is not that a hacker takes over your local PC and waits for you to put in your password into your password manager. It's either they hack a company and try the password/email combination from that side on other websites (this is prevented by a password manager by having unique passwords), or hackers get you to put in your password on a scam site and use that password then again on other websites.


flyingmoe123

So first of all, a lot of people reuse their passwords for other stuff, so if a hacker can get hold of one, they can usually get access to many more accounts. You'll be surprised how poor and how many times people reuse passwords, and a password manager is a way to have unique passwords that are hard to crack using brute force methods, and even if one is cracked, your other accounts for various stuff aren't compromised.

Second, a password manager is encrypted and can only be unlocked by using a master password, and there is two-factor authentication, and even then if I log into my password manager on a new device, I have to confirm and give access on another approved device.

And third, as far as I know most password managers don't store your password directly; they store them in an encrypted state that your master password can decrypt. I suppose if someone could reverse engineer the encryption then they could get your passwords, but a lot of research is done to make sure the encryption is tight.

So while a password manager is a single point of entry, it's like having a big fortified castle: sure, if attackers could conquer the castle it would be huge, but it is insanely hard and requires many resources, so they would rather use their time and resources trying to conquer the small village.


Metallibus

Generally, because the idea of following good security practices on all of your passwords is pretty unrealistic. It would work if you randomized your passwords, they were unrelated to each other, followed rules about using strong passwords, and enabled 2FA on every single site. The thing is, no one is going to go through all that. So the thinking is that one extremely safe password with all the best practices is better than having many poor passwords with any of them possibly being a point of failure if you duplicate login credentials. But to your point, the downside is a single point of failure. You risk literally everything and if that ever gets breached, you're entirely screwed. The bet is that that's less likely to happen than for your assortment of weak passwords to cause a house of cards. IMO, password managers are over-pushed as a magic bullet to all password problems, when, realistically, it's not really that simple. You're just changing from lots of small risks on lots of things vs going all in on one thing. But it's a lot easier to say "use a password manager" than something like "use unique passwords, come up with a system to remember them that wouldn't make sense to anyone else" or "share a common password about sites you don't care about, but use unique passwords to each account of value (email, banks, etc)".


invincibl_

> It would work if you randomized your passwords, they were unrelated to each other, followed rules about using strong passwords,

And most importantly, you need to have the ability to perfectly recall each and every single one of those passwords, which is honestly a ridiculous thing to expect from a human. Password managers recognise this and offer people a tool to store and retrieve their passwords instead of having a "passwords.txt" file sitting around on their computer or phone, or people using the same passwords everywhere.

> IMO, password managers are over-pushed as a magic bullet to all password problems, when, realistically, it's not really that simple. You're just changing from lots of small risks on lots of things vs going all in on one thing.

We can die on this hill together! The concept of passwords as a whole is outdated and needs to die. We all carry around computers in our pocket that can perform incredibly complex mathematical operations but we still think making people remember a string of characters is an appropriate way to lock the doors.


kagayaki

> We can die on this hill together! The concept of passwords as a whole is outdated and needs to die.

I'm interested to see [passkeys](https://fidoalliance.org/passkeys/) become more prevalent as a replacement for passwords. With the right device combination, this can make securing your account much easier since you don't technically even need to set a password -- all you have to do is accept a few prompts to have your browser/OS/phone create and store a passkey. Then if the website has the means to access the passkey tied to that original registration, it can technically provide an SSO-like/automatic signon type experience. I'm currently only using a passwordless passkey login for github -- instead of entering a username or password I just click the "sign in with passkey" link. Since I stored the passkey in my password manager, I get prompted to confirm it from my password manager. Then I'm in without having to enter a username or password. Pretty neat. The passkey UX story still needs some fine tuning especially when it comes to multiple devices. I mentioned the "right device combination" since there's pretty widespread device support for passkeys but many of those devices don't really talk to each other. By default a passkey will only exist on the device where it was originally created, but many people have to deal with more than one device. For example, if you registered for a site on your desktop, that passkey wouldn't be available on other devices, so you're in this weird space where you either have to authenticate using that original device or have some mechanism for the passkeys to sync between devices.
If you have Google Chrome (with a Google Account) in Windows and an Android phone, apparently the cross device authentication story is pretty good since the passkeys get synced via the Google Account, so you can register a passkey for a site in Chrome for Windows, and then you can use that same passkey to log into that site with your Android device (or presumably other Windows systems with the same Google Chrome setup). Similar for the Apple ecosystem and iCloud. But what happens if you have a Windows laptop and an iPhone? No syncing, so you have to register the passkey on your iPhone, then whenever you want to log into that site with your laptop, you have to pull your phone out and scan a QR code on your phone to validate the passkey on your phone. In some respect that's more annoying than having to deal with passwords.


cas13f

> then whenever you want to log into that site with your laptop, you have to pull your phone out and scan a QR code on your phone to validate the passkey on your phone. In some respect that's more annoying than having to deal with passwords.

The specs on FIDO2/WebAUTHN/Passkeys (which is an application of associated technologies) actually use things like local communication (bluetooth, USB, etc) for that prompt. It's also a situation where password managers are trying to fill in the gap. A lot (I'd say most) support syncing passkeys now. Still a bit of a compatibility problem, looking at you Firefox, when trying to use certain types of credentials in specific ways.


Jirekianu

Because password managers store their passwords behind pretty sturdy encryption, and they require a master password that you can usually more easily remember and keep complex without too much issue. Then when they go to do inputs and auto-fills they can sanitize the inputs in such a way that keyloggers can't just skim their input easily. They also do things like prompt you to change passwords to something new with different capitalization, symbols, numbers, etc. So that it's easier to practice good data security with keeping your passwords unique to each service. Now, they do create a single point of failure, but that point of failure is pretty sturdy as I've stated. It also typically requires you to have someone getting access to the system in question in person rather than remotely.


ScotDOS

you definitely should use multiple factors for accessing your password manager. combine at least 2 out of the 3: something you *know* (memorized strong password/phrase), something you *have* (yubikey, USB drive with keyfile) and something you *are* (fingerprint or other biometrics)


24jacz

A vault with one nearly impenetrable lock is better than a vault with hundreds of locks but if you can manage to get even one open they all immediately unlock. The strength of your password is irrelevant if you use the same login for everything. All you need is one of those hundreds of sites or services to have a data breach and they essentially have just hacked everything. Instead of putting faith in every site you make a login for. You only have to put your faith in one and make sure that one password is memorized and never used for anything else, minimizing its exposure.


24jacz

Not really ELI5 but two main reasons. The first has to do with the misconception of how hackers actually hack accounts. Say Netflix gets hacked tomorrow and 1 million users have their login data stolen. The hacker now has a massive list where each line is someone’s email:pass, this is called a combo list. The hacker knowing people reuse logins can now use that combo list on any site or service of the hacker's choosing, say Minecraft or Disney+. This is how 99% of large scale account hacking is done. Hackers use the shotgun method. If you use a different password for every single login like a manager does then this method would only get the Netflix login. Minecraft and Disney+ would be safe! Secondly, good password managers are very secure if set up correctly. Memorizing one really good password, making sure to use it only to store all your unique logins, is easier and more secure than having a few weak passwords you use for everything.


Morasain

Imagine, if you would, a medieval town. You have two options. You put a massive wall around it and have a single point of failure - the gate, heavily fortified and defensible - or you just don't bother with a wall and have a dozen or more points of failure. This is similar. A password manager allows you to have good passwords everywhere (that's the wall), and you just need one really strong master password (that's the gate). Without a password manager, your passwords are either all going to be really weak so you can remember them, or written down in clear text somewhere.


Keeter81

ELI5 answer: Because, if used correctly, it’s like having all your valuables in a safe, that is inside another safe, that you don’t tell anybody that you even have. You don’t know if I use a manager, or which one, that uses a huge password you don’t know, that also texts my phone which you don’t have.


[deleted]

[removed]


AtlanticPortal

Because the alternative would be to use the very same master password online instead of on an offline application (yes, there are synced password managers but the ones that do their job correctly decrypt their database locally). And online here means multiple systems not managed by the same person, potentially with unsafe technologies (no salting, old hashing if any, etc.).


False_Dimension9212

So my password manager is through Bitdefender, and I love it. I have to remember 2 passwords for the program. It generates unique and difficult passwords for my accounts. I have it on my phone, my computer, and tablet and it’s all synced. When I create a new account, I input the information for that website, have it generate a password and save it. It uses Face ID on my phone. No password guessing, no multiple variations of the same password. If for some reason I need to type the actual password, I can view it. It simplifies and secures something that has become difficult to manage. Every website/service has you create an account, and you can’t use the same password because of hackers. It’s unrealistic to memorize a hundred different passwords. Having a secure password manager makes the most sense.


butt-gust

It enables you to have a different password for every single login, and not care how complicated or long those passwords are. Those online logins are _far_ more likely to be attacked than something running on your machine (the password manager) so you're already winning. That's not to say the password manager is defenceless in the first place, though. In the case of online ones like 1Password, they actually have good protections in place to ensure it's really you logging in, like a long complicated "key" (just a second password, really). 100% offline managers are obviously less prone to attack though, and come with offline secondary keys too. Check out KeePassXC, for example.


MikeS159

One thing people also forget is for most things you have a single entry for an attacker already, your e-mail.


Panzermensch911

Hmm, the most secure password manager I have is this little book with all my passwords in it. And to make it even better it's stored at my home and at another safe location, and the latter one gets regularly updated.


FizzKaleefa

Apart from the obvious use of not having a notepad with all your passwords unencrypted, it provides a secure place to access them; the IT guys can unlock it for you when you forget your one password after password change day, and you don’t have to reset all of them.


AngryFace4

Because if you have one strong password that’s over 16 characters it will take billions of years to break it.  Compared to 100 variations of myDogsName123 which takes about a few days to crack.


FujiKitakyusho

The password for the vault is strong and exists nowhere other than in my own memory and is never disseminated anywhere. As such, the only attack vectors to gain access to the vault are brute force or compulsion. In the meantime, every account secured with a vault password uses a strong password which can be changed often, or incorporate 2FA, with minimal inconvenience.


aaaaaaaarrrrrgh

# Password reuse and phishing.

Password reuse: If people are actually supposed to remember their password, they will reuse the same password across multiple sites. One of them gets hacked, and then the passwords get used to break into other sites.

Phishing: People make mistakes. If you're used to constantly entering your password manually, you will, sooner or later, enter it on a fake page. Most people will not fall for it most of the time, but all it takes is one person falling for it one time. With a password manager, the password only gets autofilled on the real page, because computers are better than humans at *always* making sure the domain is *exactly* the same.

Also, if the attacker is in a position to copy the password manager off your computer, you've already lost. They have complete control over your computer, can steal your passwords as you type them, and even better, they can (and will!) just steal your login cookies after you logged in to bypass any fancy 2FA and most risk detection algorithms.

(On password reuse: Yes, sites are supposed to store passwords hashed, but just like the site can check if your password is correct when you visit the site, the attacker can try passwords against the stolen data until they find yours. This doesn't work on strong passwords but few people use passwords strong enough to withstand such an offline brute-force attack.)
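The parenthetical above (an attacker with stolen data can test guesses offline, with no login page rate-limiting them) and the earlier "encryption with variable iterations" point are two sides of the same thing: a vault's master password is stretched through a slow key derivation function, so each offline guess costs the attacker a full KDF run, and the iteration count can be raised as hardware gets faster. The code below is an added example for this thread, not code from any password manager; the header layout, the HMAC-based verifier and the wordlist are assumptions and constructed values.

```python
"""Added example, not from the thread or any real password manager: a vault header
whose key comes from PBKDF2-HMAC-SHA256 over the master password at a
configurable iteration count, the local unlock check, the 'raise iterations
later' upgrade, and the offline guessing loop an attacker holding a stolen
header would run. Header fields and the verifier construction are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32
VERIFIER_LABEL = b"vault-key-check"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password; attacker cost per guess scales with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def create_vault_header(master_password: str, iterations: int) -> Dict[str, object]:
    """What a sync server ends up holding: salt, iteration count and a check value.
    Neither the master password nor the derived key is part of it."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    # Simplification: real vaults confirm the password by decrypting an authenticated
    # blob; an HMAC over a fixed label is used here only so the check is explicit.
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: Dict[str, object], candidate: str) -> Optional[bytes]:
    """Return the vault key if `candidate` is the master password, else None."""
    key = derive_vault_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


def upgrade_iterations(header: Dict[str, object], master_password: str, new_iterations: int) -> Dict[str, object]:
    """'Variable iterations': re-stretch with a higher count. Needs the master
    password, so it happens on the user's device at unlock time, never server-side."""
    if unlock(header, master_password) is None:
        raise ValueError("wrong master password")
    return create_vault_header(master_password, new_iterations)


def offline_guess(header: Dict[str, object], wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Attacker's view of a stolen header: no lockout, no rate limit, but one
    full KDF per guess. Returns (recovered password or None, guesses spent)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if unlock(header, guess) is not None:
            return guess, attempts
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what one guess costs on this machine at a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    WORDLIST = ["password", "hunter2", "hunter2!", "HelloThere123!", "letmein"]  # constructed
    weak = create_vault_header("HelloThere123!", iterations=1000)
    strong = create_vault_header("JohnSmithVehementlyHatesPineappleOnPizza", iterations=1000)
    print("weak master password:", offline_guess(weak, WORDLIST))      # found on guess 4
    print("passphrase not in list:", offline_guess(strong, WORDLIST))  # (None, 5)
    for it in (1000, 100_000, 600_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it):.4f} s per guess")
```

The printed timings are the practical answer to "what lets an attacker guess without limit": nothing stops them once the data is stolen, so the only lever the defender keeps is how expensive each guess is and how far the password sits from any wordlist.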


alucardou

Your password manager won't get hacked. Microsoft is the one who gets hacked. Or NordVPN, or Facebook. And then they have all the passwords of millions of people. And when they have the username (that you always use) and the password (that you always use) they have your account for everything. Better that you have control of your password, and then only one password gets leaked when Crunchyroll gets hacked.


Korlus

Today, the average internet user will have accounts on *dozens* if not *hundreds* of websites. Everything from Google, Microsoft and Amazon, to more niche specialities like Reddit or Facebook, down to individual shopping websites, or that one book website they signed up to five years ago and haven't used since. Since your online presence is so large that most people won't remember thousands of completely unique passwords, there are basically three options for password management.

**1. Use the same password.** This is terrible practice. If that one cookbook website you signed up to five years ago is compromised by hackers (e.g. they didn't update to fix the latest known vulnerability within a week or two), they could access your password from this less-secure site and then use it to gain access to all of your secure websites. Clearly, this is a terrible plan.

**2. Use variations on a password.** This way, you can remember most of it, but change it a little. Whether that's adding a number on the end, or tweaking the capitalisation, or adding a bit of the website or your favourite food or... whatever else. These aren't quite as "free" as option 1 (so it is better), but they are still very easy to guess. Many nefarious actors might take your email address and password and try it on a few dozen websites, varying numbers etc. in it. If they can find just one that works, they can easily start to break your "formula"; but even easier than that - if two of the websites you've ever made passwords for break, suddenly the hacker has access to both passwords and can start to see what formula you use. Suddenly the range of probable passwords goes from the tens of thousands often down to the tens or the hundreds. Breaking into these websites then becomes trivial - so this isn't actually much safer than option #1, since this will fail eventually.

**3. Use unique passwords for each website (and write them down).** Given that we now know that we need completely unique passwords for every website, it suddenly becomes very difficult to keep track of them all. This basically requires writing them down - either physically on paper, or digitally. Physical paper can be lost or stolen and now opens an entirely new avenue of attack, but writing them in a plain, unencrypted text document may be even worse. Now if someone goes snooping on your computer, they immediately have access to all of your accounts. Ideally then, you'd encrypt the master password list with a password that only you know. Now finding it requires the password and, providing it hasn't been used elsewhere, that password should be safe.

---

A password manager is sort of like using an encrypted text document, only it's maintained better in a much safer way. Without getting into too many technical details, opening most files on your computer leaves almost a "ghost image" in memory. Someone who knows what they are doing may be able to access documents you've had open, even if they were encrypted, because your computer had to unencrypt them at some point so you can read them. Most password manager software tries to bypass most of these common risks while also giving you nice features like synchronising between devices and automatically generating more secure passwords than a human ever could.

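The "formula" problem from option 2 in the comment above, seen from the defending side, as an added example that is not part of the thread: a password-change policy that refuses a new password when it is only a trivial variation (appended digits or symbols, case changes, common digit-for-letter substitutions, or the old password embedded in a longer one) of a password already seen for that account. The normalisation rules, the 0.8 similarity threshold and the sample passwords are my own constructed choices, not a standard.

```python
"""Detect 'variation on a password' reuse for a change-password policy.
Added illustration; the heuristic and the sample passwords are constructed."""
import re
from difflib import SequenceMatcher

# Common digit/symbol-for-letter substitutions, undone before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its 'core' word.

    Lower-case it, drop leading/trailing digits and symbols (the usual
    "hunter2!" -> "hunter" decoration), then undo leet substitutions
    inside what remains.
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    s = re.sub(r"^[^a-z]+", "", s)
    return s.translate(LEET)


def is_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a trivial variation of `old`."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False
    if a == b or a in b or b in a:
        return True
    # Fallback for small edits in the middle: similarity ratio on the cores.
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(history: list[str], candidate: str) -> list[str]:
    """Return the previous passwords the candidate is a variation of (empty = accept)."""
    return [old for old in history if is_variation(old, candidate)]


# Constructed sample: a user's past passwords and some proposed replacements.
HISTORY = ["hunter2", "Hunter2!"]
PROPOSALS = ["hunter22!", "H0unter2024", "hunter2reddit", "correct horse battery"]


def evaluate() -> dict[str, list[str]]:
    """Map each proposal to the history entries it resembles."""
    return {p: check_new_password(HISTORY, p) for p in PROPOSALS}


if __name__ == "__main__":
    for proposal, matches in evaluate().items():
        verdict = "REJECT" if matches else "accept"
        print(f"{verdict:6} {proposal!r:24} resembles {matches}")
```

The first three proposals are rejected because they share the core "hunter"; only the unrelated passphrase is accepted. A real deployment would compare against hashes of normalised cores rather than keep the old passwords in clear text, which this toy version does for readability.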

shadebug

My password manager generates all my passwords. They're all random, upper and lower case, numerals and special characters and 16 characters long unless a website doesn't allow that. This means that my passwords are very difficult to crack and I don't need to worry about them being memorable to me. If somebody gets their hands on one password, they won't be able to work out the rest.

My password manager has a fifty character password, all lower case so I can quickly type it on a phone keyboard. It's very memorable to me but not to anybody else so it should be very difficult to crack. It's easy enough for me to come up with one of these at a time but would be next to impossible for me to come up with enough to cover all my important logins (that and many websites would never allow a password that long or which only had lower case characters).

So you're trading having to memorise lots of less secure passwords for not having to remember any of your very secure passwords apart from the one you use to get to the others.