by BearGoesChirp 3095 days ago
Electronic password managers never made sense to me. While you can do more to secure a single target, it is a more valuable target and one mistake costs you all your passwords. For me a physical password journal is best. While it does make you vulnerable to physical attackers, the cost to invest in targeting someone physically is so much higher that if I have to deal with that threat level I'm already a goner. Just have to hide it from the kids.
3 comments

My approach for anything remotely sensitive, or that could be used to gain access to other accounts, is to generate a LastPass password and to memorize a handful of short "salts" that I add to each sensitive password manually, and to use 2FA wherever it's available.

Obviously there's no 100% secure approach, but at least this makes me sleep better knowing that if LastPass were compromised, my stored gmail, bank, paypal, work, etc. passwords wouldn't work.

Thanks for that tip. I was always worried a lost vault could leak all my accounts in one go but with this trick I think I'm confident enough to start using a password manager.
The only drawback to that is the difficulty of logging in while out of the house (I understand making priority accounts “on site access only” but what about others?) and the fact that you’re disincentivized from making more secure passwords because (even if only subconsciously) you’re going to have to type in all those characters and symbols each time you want to log in.

I think the biggest security failure is session cookies that expire too quickly or too eagerly. Having people need to enter their password so often is more dangerous than keeping them logged in (from the same IP) for a longer period of time.

If my bank would keep me authorized for basic access (review transactions, pay bills, transfer money between own accounts) without logging in each time, but required a password to add a payee or make changes to the account, I’d keep the password in a journal in a safe.
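
The tiered policy sketched in the comment above (long-lived session for low-risk actions, a fresh password only for high-risk ones) is usually called step-up authentication. The following is an added example written for this page, not code from the thread or from any bank; the action catalogue, the 30-day session lifetime, the 5-minute step-up window and the IP-binding rule are all assumptions chosen to illustrate the idea.

```python
"""Step-up authentication policy (added example, not from the original thread).

Low-risk actions run on a long-lived session; high-risk actions additionally
require a password re-entry within a short window. All timeouts, action names
and the IP-binding rule below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Risk(Enum):
    LOW = "low"    # review transactions, pay existing bills, internal transfers
    HIGH = "high"  # add payee, change account details


# Hypothetical action catalogue for a banking front end.
ACTIONS = {
    "view_transactions": Risk.LOW,
    "pay_existing_bill": Risk.LOW,
    "transfer_between_own_accounts": Risk.LOW,
    "add_payee": Risk.HIGH,
    "change_contact_details": Risk.HIGH,
}

SESSION_MAX_AGE = 30 * 24 * 3600  # seconds a basic session may live (assumed)
STEP_UP_WINDOW = 5 * 60           # seconds a password re-entry stays valid (assumed)


@dataclass
class Session:
    user: str
    ip: str                                 # client IP the session was issued to
    created_at: float                       # unix time the session was issued
    last_step_up_at: Optional[float] = None  # last successful password re-entry


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, action: str, now: float, client_ip: str) -> Decision:
    """Decide whether `action` may proceed in `session` at time `now`.

    Checks are ordered so that the cheapest, most general refusals come first:
    unknown action, IP mismatch, expired session, then the step-up requirement
    that applies only to high-risk actions.
    """
    if action not in ACTIONS:
        return Decision(False, "unknown action")
    if client_ip != session.ip:
        return Decision(False, "session bound to a different IP")
    if now - session.created_at > SESSION_MAX_AGE:
        return Decision(False, "session expired; full login required")
    if ACTIONS[action] is Risk.LOW:
        return Decision(True, "low-risk action allowed on long-lived session")
    # High-risk action: require a recent password re-entry (step-up).
    if session.last_step_up_at is None or now - session.last_step_up_at > STEP_UP_WINDOW:
        return Decision(False, "step-up required: re-enter password")
    return Decision(True, "high-risk action allowed within step-up window")


def step_up(session: Session, password_ok: bool, now: float) -> Session:
    """Record a password re-entry. `password_ok` stands in for the real
    password verification, which is outside the scope of this example."""
    if password_ok:
        session.last_step_up_at = now
    return session


if __name__ == "__main__":
    # Constructed walk-through: one session, a few actions over time.
    s = Session(user="alice", ip="203.0.113.5", created_at=0.0)
    for action, t in [("view_transactions", 3600.0), ("add_payee", 3600.0)]:
        print(action, authorize(s, action, now=t, client_ip=s.ip))
    step_up(s, password_ok=True, now=3600.0)
    print("add_payee after step-up", authorize(s, "add_payee", now=3660.0, client_ip=s.ip))
    print("add_payee 10 min later", authorize(s, "add_payee", now=4200.0, client_ip=s.ip))
```

Binding the session to the issuing IP, as the comment suggests, is the weakest part of this design in practice: mobile clients change address constantly, so most deployments bind to a device-held secret (the cookie itself, or a device key) rather than to the network address. The step-up window is what actually limits the damage from a stolen or forgotten-open session, because the attacker still cannot add a payee without the password.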

Does make it more vulnerable to things like keylogging - electronic managers skip typing completely. Also it makes people create simpler passwords than they would if it were electronic and becomes pretty unmanageable with a large number of passwords.

I'm not saying it's the wrong way to go but if electronic password managers "never made sense" then I feel like you don't have the entire picture.

I think the threat from keyloggers is not as severe as the threat from clipboard scrapers. Apple and Google absolutely need to make a secure password transport mechanism to allow one app to fill a field in a web browser or field in another app that does not rely on the clipboard because even just expiring it after n seconds is not secure enough.