Most people don’t use many services where security is important. It’s not uncommon to have several hundred accounts with passwords, but I have maybe 10 that I really worry about being hacked/lost. For all the crap sites I can just use $singlepassword+$servicename as password. For the few sensitive ones I use strong passwords and 2FA. I do use a manager to keep those strong passwords - but even though I have it, I can’t be bothered to use strong passwords for all those forums, web shops etc.
Is my solution secure? No. Using a bad password for hundreds of sites is definitely not secure - but the quality of a password only needs to be proportional to the sensitivity of what it protects.
When I started using a password manager I did something similar, but I told myself every site which used the "insecure" password was linked. So I'd ask myself "If someone hacked the least consequential site I've used this password on, they'd also have hacked this site, do I care?"
It was very rare that the extra 30 seconds to add a new entry to the password manager wasn't justified after asking myself that question.
I think it all comes down to ease. Yes, some secure passwords are better than none, but it's just soooo easy I'd just say go with the PM.
You're right, but that doesn't mean he's better off with a password manager. No method of storage is perfectly secure. Password managers have their attack vectors, your brain has others.
'U2F + password' is very secure and can't be phished if implemented fully. However, even Google doesn't do U2F correctly :( U2F authentication needs to happen _every_ time a new TLS session is established in order to be 100% phish proof
I use abbreviations of several different long sentences with random characters added in random positions.
To me this is far more secure than trusting a single authoritative source with 10 different random character strings that I have no real ownership of, and can all easily be stolen (or lost) at once.
I have at least 50 different passwords in my 1Password account
And 1Password supports syncing via services other than their own and each device acts as its own backup too, so you’re really only relying on their service to shuttle around an encrypted keystore to your new devices.
Ok, but the core of the argument to me is "Is having a bunch of passwords that you don't actually know all in one place more secure than having a smaller bunch of passwords that you do actually know that, still, can at most be leaked one at a time?"
For me the answer is no. I would rather have fewer technically less secure passwords than have technically more secure passwords that all live in one place. My passwords live "nowhere". There is no database breach, or peek over the shoulder that could ever compromise my entire wellbeing.
>Is having a bunch of passwords that you don't actually know all in one place more secure than having a smaller bunch of passwords that you do actually know that, still, can at most be leaked one at a time?
It’s been repeatedly demonstrated that yes, it is.
Meaning you have consulted a sea of research that has compared the risk posed by password managers to keeping a mental catalogue of long, not-random-but-pretty-good character strings, using 2fa, and exercising proper security habits?
I don't think you could ever come to an objective conclusion, since the 99%-user doesn't have a near-autistic obsession with security like most of us.
I don’t have an obsession with security, it’s just so easy and cheap that I don’t get why you wouldn’t do it (the people with an obsession with security probably don’t even trust 1Password to sync that encrypted file anyways)
My mom, who is as far removed from tech as you can get, understands why not sharing passwords might be a good idea when one can get hacked and set off a domino effect.
And your comparison is a straw man, the real comparison is trying to remember 50 random passwords to using a password manager because there is a sea of research showing that good passwords should be truly high entropy and random.
Using a password manager doesn’t stop you from using 2fa like your comparison is worded to imply.
The answer is yes. For the large majority of users, the only thing that matters is that you never reuse your passwords. Since human beings cannot feasibly remember unique passwords for each service, password managers win.
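The thread keeps circling three concrete claims: the $singlepassword+$servicename scheme from the first comment, the "if the least consequential site leaks, what else falls" question, and the point that good passwords are high-entropy and random. The script below is an added example (not code from any commenter or from 1Password) that makes those claims checkable. It assumes a vault export in the shape of a site-to-password dict, and it treats passwords sharing a common prefix of 8 or more characters as linked, a threshold chosen here for illustration. The sample vault is constructed, not real credentials.

```python
import math
import secrets
import string
from itertools import combinations
from os.path import commonprefix

# Full printable ASCII minus whitespace: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from a CSPRNG; this is what a manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def linked_groups(vault: dict, min_shared_prefix: int = 8) -> list:
    """Group entries whose passwords are identical or share a long prefix.

    A $singlepassword+$servicename scheme shows up as one big group, because
    every entry starts with the same secret.  Threshold is an assumption."""
    parent = {site: site for site in vault}

    def find(s):
        # Union-find root lookup with path halving.
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for a, b in combinations(vault, 2):
        if len(commonprefix([vault[a], vault[b]])) >= min_shared_prefix:
            parent[find(a)] = find(b)

    groups = {}
    for site in vault:
        groups.setdefault(find(site), []).append(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def blast_radius(vault: dict, leaked_site: str, min_shared_prefix: int = 8) -> set:
    """Sites whose passwords are effectively exposed once leaked_site's password
    is known: the linked group containing it, or just the site itself."""
    for group in linked_groups(vault, min_shared_prefix):
        if leaked_site in group:
            return set(group)
    return {leaked_site}


# Constructed sample vault (not real credentials): three entries follow the
# $singlepassword+$servicename pattern, one is manager-generated.
SAMPLE_VAULT = {
    "forum.example": "Tr0ub4dor!forum",
    "shop.example": "Tr0ub4dor!shop",
    "mail.example": "Tr0ub4dor!mail",
    "bank.example": "x7#Qp2!mZ9vL@4rN",
}

if __name__ == "__main__":
    print("linked groups:", linked_groups(SAMPLE_VAULT))
    print("if forum.example leaks:", blast_radius(SAMPLE_VAULT, "forum.example"))
    print("if bank.example leaks:", blast_radius(SAMPLE_VAULT, "bank.example"))
    pw = generate_password()
    print(f"generated {pw!r}: {entropy_bits(len(pw)):.1f} bits")
```

Running it on the sample shows the forum, shop and mail entries collapsing into one group, so a breach of any of them has a blast radius of three sites, while the generated bank password stands alone. The entropy figure is the honest comparison behind the "high entropy and random" claim: 20 uniformly random symbols from a 94-character alphabet is about 131 bits, whereas a human-chosen secret with a public service name appended adds no per-site entropy at all.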