by 29athrowaway 2069 days ago
Unpopular opinion: using a password manager as a service is as bad as password reuse: all your passwords behind a single password.
7 comments

Honestly, I think your opinion is unpopular because it demonstrates a serious lack of understanding or thought.

If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised. In the case of a password manager, the manager itself is the one that needs to be compromised, and you have more reason to trust them to avoid being compromised than some other random site. Some random sketchy website being hacked doesn't need to affect the rest of your network of logins if you use a manager.

Most password managers (such as 1password) won't let anyone from any machine access your stored passwords over the web by just supplying your single password. They require multiple extra steps that are quite limiting, so for the most part they first need access to a computer that you've already installed your password manager on.

Furthermore, if your password manager is compromised, you have a very clear path to your password on that manager, and then a list of all the websites, usernames and passwords that you need to change in order to regain security. By contrast, I'm still rediscovering old websites I used 10 years ago that used my old omni-password which was compromised.

> If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised.

And speaking as someone that operates a website accepting passwords, this happens more than you'd think. There are hackers that actively try leaked lists of username / passwords against websites using botnets. If your password is leaked by one website, people will attempt to reuse it on other websites.

Your mistake is assuming I had not thought of that. I have, and my position remains the same.

Then you should explain why you think what you think instead of just throwing around self-proclaimed "unpopular opinions" without any explanation.

With the information you've provided (i.e. none), it really just looks like an uninformed opinion.

Why do you think the points I listed above don't make password managers more secure than password reuse?

Do you have a counterpoint, or do you have this opinion solely for the sake of having a contentious opinion?

Using a password manager is a good idea.

Using a password manager as a service is my point of contention.

You still haven't substantiated your opinion in any way.

What if the service goes away?

Even if a stand-alone app vendor goes away, the app still works. There are things that I see as okay as a monthly service, like Netflix or other content providers where the content is literally changing month to month.

Stand-alone software that rarely changes, like 1Pass, does not warrant a monthly service fee from me. I am self-hosting the content, so I don't need their cloud services.

Because it's a service many things can happen.

Hacking aside... there are many ways in which it can go wrong:

- There can be an outage and you get locked out of your keys. You can have a connectivity issue to the service.

- The service can be discontinued or they could randomly terminate your account based on some automated system decision by mistake, sometimes with no right to appeal...

- They can change leadership and start mismanaging the service, or start selling your data like the services you use and such.

- They can start cutting corners and rushing unsafe things live.

- They can offshore all their development and reboot the team somewhere cheaper, at the expense of introducing defects during the transition.

- They can be ordered by a government to have a backdoor.

- There can be disgruntled employees, infiltrators, bad hires, malicious employees, etc...

And finally, they're a famous service that is known to have the keys to many other systems. This makes it very lucrative for a black hat to attempt to hack them. Even smart, dedicated people are not safe from 0day vulnerabilities that nobody knows exist.

Many things can go wrong. And what happens when they do? You can get locked out of essential services you need, or someone can ruin your life, force you to pay a ransom or even make you homeless if they wanted to.

Then, there are other aspects I don't like much. You can set a secure password, but then your browser will ask you to remember it. Some services allow you to skip MFA on a trusted computer... so then all your stuff is simply behind physical access to one of the trusted devices.

I don't know, it just doesn't feel right to me.

And by the way: I started by saying it's an opinion. It's an unpopular, provocative opinion, but I was honest enough to communicate it was indeed an opinion. I did not say it was a fact. Opinions are subjective, facts are not.

Even though you thought of ways in which A is more secure than B, your position that B is just as secure as A remains?

Also: What is, in that case, the proper solution ordinary people should follow?

In order to log in, you need a (really long) secret key + a strong password, that should not be used anywhere else. That is pretty secure.

The secret key can be kept safe, because it is only required once for each device, when you log in the first time.

You're totally right. As long as you have a different, secure password for every site and service, and you keep a careful list of all of them, and make sure to keep this list backed up, and encrypted, and sync this list across your devices so you have access to it when and where needed, then you totally don't need a password manager.

...oh wait, that's literally a password manager. Sometimes opinions are unpopular for good reasons.

...no, it's not at all the same thing

So then what would you suggest?

Presumably the alternative to 'a password manager as a service' is 'a local password database and password manager which is not a service'.

This can be something like password store, or keepass, where the attacker needs both your password database unlock key / gpg passphrase, but also needs access to the database / gpg keys, which means either physical access, or at least access to your local files.

I think there is some merit to pointing this out. If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.

I use password-store, and I could tell you my gpg passphrase right now, but you still couldn't access any of my passwords. You'd need to get access to my yubikey and my password repository before you could do anything with that passphrase at all.

I think it's true that a setup like mine, which requires a physical hardware token to decrypt my passwords, is more secure than a password service, however I also think the parent comment is totally wrong. 1password without a hw token isn't the most secure option, but it's way better than password reuse on random sites.

I've never used 1Password, but both LastPass and Bitwarden support hardware tokens like Yubikey for two-factor authentication. Keeping the encrypted store locally might give you some edge, but I personally need to be able to access secrets from more than one device, and once you allow external access then the advantage of your solution compared to hosted services disappears.

I don't think the advantage completely disappears.

Let's look at one possible attack: the attacker knows all my passwords, and they manage to steal my laptop from my car. What can they do in each scenario?

In the case of lastpass, bitwarden, or keepass, the attacker now has all my passwords. The 2fa token was used once in the past, so all the passwords are stored on the device, protected only by a password at most.

In the case of password-store with my gpg-private-key on the yubikey, the attacker still can't decrypt anything unless they also stole my yubikey, which I never leave unattended.

The fact that my private key on my yubikey isn't just required to sync or login (like it is for the 2fa case), but is rather where the actual decryption is done every single time I access a password, does have a difference.

I don't think the difference is very large though, no.

> If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.

They would need to guess both your master password and your 128-bit secret key.

https://support.1password.com/secret-key-security/

I can agree that a 'password manager' as a service is less secure than a 'local password database that's not a service', but that's not the comparison the OP made.

They compared passwords as a service to reusing a single password and said it was the same, which IMO is foolish.
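The two mechanisms argued over above, the "master password plus a 128-bit secret key" login and the stolen-laptop comparison between a device that cached the secret after first login and one where the decryption key only exists on a hardware token, can be modelled in a few lines. The following is an added illustration written for this thread, not code from 1Password, password-store or any commenter; the KDF construction, iteration count, function names and the sample password are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration; real products choose their own KDF and tuning.
PBKDF2_ITERATIONS = 50_000
SECRET_KEY_BYTES = 16   # a 128-bit secret, the size mentioned in the thread
SALT_BYTES = 16


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a memorised password with a high-entropy secret key.

    The password is stretched with a slow KDF (PBKDF2-HMAC-SHA256); the secret key is
    then mixed in as an HMAC key, so neither half alone yields the vault key. This is an
    illustrative two-secret construction, not any vendor's actual scheme.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """Key-check value stored next to the encrypted vault (or on the service's server)."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def unlock(master_password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """True only when both the password and the secret key are the enrolled ones."""
    candidate = derive_vault_key(master_password, secret_key, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


def enroll(master_password: str):
    """Account setup. Returns (what the vault/server stores, the secret key the user keeps)."""
    salt = secrets.token_bytes(SALT_BYTES)
    secret_key = secrets.token_bytes(SECRET_KEY_BYTES)
    verifier = make_verifier(derive_vault_key(master_password, secret_key, salt))
    return {"salt": salt, "verifier": verifier}, secret_key


def stolen_laptop(master_password: str, stored: dict, secret_key: bytes,
                  secret_cached_on_device: bool, token_in_attackers_hands: bool) -> bool:
    """The thread's scenario: the attacker knows the password and has the laptop.

    With a "trusted device" that cached the secret after the first login, the attacker
    already holds everything. If the secret lives only on a hardware token, they need
    the token too.
    """
    attacker_has_secret = secret_cached_on_device or token_in_attackers_hands
    if not attacker_has_secret:
        # Without the 128-bit secret there is nothing to derive the vault key from, and
        # guessing it is infeasible, so the password alone gets the attacker nowhere.
        return False
    return unlock(master_password, secret_key, stored["salt"], stored["verifier"])


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    stored, secret_key = enroll(pw)
    print("owner unlocks:", unlock(pw, secret_key, **stored))
    print("right password, wrong secret:", unlock(pw, bytes(SECRET_KEY_BYTES), **stored))
    print("trusted device stolen:", stolen_laptop(pw, stored, secret_key, True, False))
    print("token-only, token kept safe:", stolen_laptop(pw, stored, secret_key, False, False))
```

The verifier is what a breached server or a stolen vault file would expose. Because the secret key is an HMAC key in the derivation, a correct password tested against a verifier with the wrong secret fails, which is why the "bored teenager with a botnet" cannot make progress by guessing passwords alone. The `stolen_laptop` function is the only place the two local setups differ: caching the secret on a trusted device collapses the design back to "password only", while keeping the key on a token does not.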

Have you heard of 2fa?

Master password alone won't unlock the rest of passwords.

I have MFA. Have fun

As if SMS was secure.

Your phone company will believe any random person to be you.

Not all factors are secure.

I don't think my yubikey receives SMS

Yubikeys are secure, but the most popular second factor is SMS, followed by authenticators, which are better than SMS in my opinion.

MFA does not imply bulletproof security.

Well since this discussion is in a thread about 1password I think it's worth pointing out that 1password doesn't even support SMS as an MFA option [1].

[1]: https://support.1password.com/two-factor-authentication/

1Password does not use SMS for 2FA.