Hacker News new | ask | show | jobs
Ask HN: are pwd managers more secure?
1 points by fakeElonMusk 2480 days ago
Let's say I use 1password or any other password manager. They will eventually get hacked or there will be a back door or some exploit. Right? All software has vulnerabilities, even the NSA has been hacked. So why is it more secure than me keeping passwords on paper? I would like to use 1password but I'm also ok with staying old school. Convince me!
4 comments
Lorenz-Kraft 2480 days ago
Using the "paper form" has only the drawback of being available for everyone in your environment.

If you want to keep the paper form and also have the ability to securely generate new passwords:

Buy a cheap, widely, available book (maybe two or three of the same), start at a random page and use the first letters/sentences in this book as your new password. To make it even more secure, I would suggest you add a "standard" to every password you have created ... like "SuperSecurePa##".

So for example: You have bought a book and like to add a new password ... you might start at page one, where the sentence would be: "Once upon a time, there were two developers ..." => this will become your password: "Ouat,twtdSuperSecurePa##"

Even more secure password (due to the size): "Onceuponatime,thereweretwodevelopersSuperSecurePa##"

You can level this up by: - Your chosen appendix has even more "secure" chars, like #*+?="ยง%&/() (you know what I mean) - You prepend and append your new password with your "common" pass (here "SuperSecurePa##") ... or maybe prepend with a different common pass??

link
fakeElonMusk 2480 days ago
I have a pwd scheme like this that I use, but not based on book pages. But it's a cool idea...thx!
link
t0astbread 2480 days ago
I use password managers for the following reasons:

- Convenience: I only have to remember one password and I get the comfort of a digital database (as opposed to, paper).

- The passwords I have on websites can have higher entropy and be longer than I could ever remember or type, making them possibly harder to decipher in case of a breach on any website.

- Password managers are all about security while many websites are not (at least not as their primary purpose). Password managers are probably better at it.

- If a (good) password manager is set up to sync passwords via a server or your machine somehow gets compromised, the password database should still be encrypted via a master password.

link
fakeElonMusk 2480 days ago
I agree that a big pro for pwd manager is the generation of long, very secure pwds
link
antisemiotic 2480 days ago
You can use a local password manager like pwsafe, that way someone would have to hack into your computers first, and then break pwsafe's encryption (which is of course impossible, since it was written by Bruce Schneier).

It's more of a pain to use than web password managers, but less than a piece of paper. I'd still recommend writing down the master password, since if you lose it you're screwed.

link
fakeElonMusk 2480 days ago
This is another issue I have with it - if I forget a pwd for a site (or lose my paper) I can reset it assuming I have access to my email. If I forget a master pwd I'm f'd.
link
shrutipathak 2480 days ago
You could lose the piece of paper making all your passwords vulnerable. My colleague stored all passwords on a note in the phone and lost the phone on vacation.

I had to change all the passwords immediately because of this. Even if i have 1Password on the lost phone, i don't see how anyone could get inside of it

link
Lorenz-Kraft 2480 days ago
Quote:"i don't see how anyone could get inside of it"

OS Bug, Software Bug, OS Exploit, Software Exploit ...

link