by l33r 1635 days ago
My girlfriend once asked me why I don't use a password manager like LastPass. A week later she got locked out of her LastPass account because she was inadvertently using an enterprise account that one of her clients forced her to use while on a project. And even though she was paying for her own premium LastPass subscription, the support experience she had was terrible. The issue was resolved when the client was able to unlock the account for her, but it was a pain because it was during the holidays. I would avoid password management software because of her experience.
6 comments

Your friend used a commercial service under contract for someone else for private purposes, and you conclude that therefore all password management software must be bad? This is definitely not what I have in mind when I recommend that people use a password manager.

And regardless, people should finally take this to heart:

If something is important to you, back it up in a format that you can read with offline software. I don't care if you store it on punch cards under your pillow or in The Cloud, so long as it's independent of the primary copy (such that you can access it regardless of access to the primary copy, and such that you don't need the original service to load the data in order to read it). It doesn't sound like that was the case for your friend.

This is like saying that you should never store anything on a computer because you know someone who got locked out of their work laptop with important documents on it after they were let go.

The real lesson here is to never put anything sensitive or personal on corporate devices/services.

What can we learn from this apart from not saving private data into someone else's corporate account?

I don't think it's the password manager's fault; mistakes like that can happen if you don't double-check whose account it is.

So what do you do to remember passwords? Do you write them down on paper, or maybe save them in the browser? I'm curious, I've pondered writing down my pivotal passwords on paper and hiding them in a book or something.

Personally I combine a hash of something site-specific, e.g. name, purpose etc., and a base alphanumeric string. This allows each account to have its own specific credentials while not being overly burdensome to remember.

What do you do for sites with strange password requirements, like a 12 character max or requiring you to use a very specific set of special characters?

I used to do what you described but my base password was rejected by far too many sites because of absurd (and insecure) requirements.

> requiring you to use a very specific set of special characters?

Stupid requirements don't matter. If you have a secure password, e.g. a passphrase consisting of 7 random words (diceware) and the service complains that you're missing digits, uppercase, and symbols, then adding A0! to the passphrase does not make it less secure. Appending anything never makes it less secure. You can also write down in plain text and store on pastebin what you added per site because it's not part of the secret anyway. (Okay okay, might as well keep it private rather than pastebin; it's about the general point.)

> like 12 character max

This is not that common anymore, most services have reasonable limits. If you do run into one and it's too important not to use, then you don't have a choice anyway: you'll have to make an exception to the scheme and memorize or store an actual password for once. Doesn't mean you have to design all your other passwords for one exceptional case.
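The site-specific hash scheme and the "append A0! and write it down" advice from the comments above, carried through as an added example (my code, not any commenter's): a stretched master passphrase keys an HMAC over the site name, the digest is mapped to alphanumerics and cut to the site's length cap, and the non-secret suffix is appended only to satisfy character-class rules. The site names, the written-down policy table and the rotation counter are assumptions not taken from the thread.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols: letters + digits
MAX_DERIVED = 80  # 62**80 < 2**512, so one HMAC-SHA512 digest covers this many symbols

# Constructed, NON-secret per-site policy record. Like the "A0!" note above,
# this can be written down: it records each site's rules, not the secret.
SITE_POLICY = {
    "example-bank.invalid": {"max_len": 12, "suffix": "A0!", "counter": 1},
    "example-mail.invalid": {"max_len": 64, "suffix": "", "counter": 2},
}


def master_key(master: str) -> bytes:
    """Stretch the master passphrase with PBKDF2 before use.

    The salt is a fixed domain tag: a deterministic scheme cannot carry a
    random per-user salt, so the passphrase's own entropy is all that protects
    the master if one derived password ever leaks.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-pw-v1", 100_000)


def derive_password(master: str, site: str, max_len: int = 32,
                    suffix: str = "", counter: int = 1) -> str:
    """Per-site password: HMAC-SHA512(key, site || counter) -> base-62 text.

    The derived part is cut to the site's length cap minus the suffix, then the
    suffix is appended. Bumping `counter` rotates one site's password without
    touching the master passphrase (the exception case discussed above).
    """
    want = max_len - len(suffix)
    if not 1 <= want <= MAX_DERIVED:
        raise ValueError("length cap must leave 1..80 derived characters")
    msg = f"{site}\x00{counter}".encode()
    digest = hmac.new(master_key(master), msg, hashlib.sha512).digest()
    # Treat the digest as one big integer and peel off base-62 digits; this
    # avoids the modulo bias of mapping each byte to 62 symbols on its own.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(want):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars) + suffix


def password_for(master: str, site: str) -> str:
    """Look up the site's recorded rules and derive its password."""
    return derive_password(master, site, **SITE_POLICY[site])
```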

Ah, must've missed that you have an alphanumeric string. Mine had a couple symbols in it. I personally really like diceware passwords but the guesswork of "oh does this system have a 24 char max, does this one require special chars, etc" just got to be too much effort.

And while the 12 char max is (mostly) a thing of the past, I run into max char issues (usually around 24) far more than I should in 2021.

Great, unless you get hit on the head.

At least consider an offline manager, one where you control updates and backups. Either way, even using a dodgy solution (like LastPass) is probably statistically better than not using a manager at all…

I completely agree; sticky notes have a much superior support experience.