by bigiain 1620 days ago
> Because choosing good passwords is about memorableness as well as sheer strength

That's not been true ever since the development of good password managers. There are fewer than 10 passwords I remember. One of them is my password manager's master passphrase (5 misspelled-and-with-random-punctuation words). The others include stuff like my work and home laptop/disk passwords, which I can't autofill, my 3 important banking passwords which I do not even entrust to my password manager, and my AppleID password because iOS is annoying enough at asking for that that I'm using one I can remember.

The other ~600 entries in my password manager are 25 random characters (or whatever the upper limit of password length is for sites/services that are 'doin it wrong').


One could argue that you still need to remember your master password, and since it gives access to all your other passwords, it's all the more important to make it extremely strong. Therefore the randomness/memorability trade-off is still very important.
Yes, but it’s not too hard to make one ridiculously long/complicated master password that is also memorable. It might take you a while to remember it — just keep it written down on paper somewhere private & safe and refer to it as needed. If you’re not being targeted then you’ll probably be fine.
It doesn't need to be complicated. Just long.

ie

theuniverseis99%emptyspaceatleastthatswhatiwastaughtbymr.cattoningrade6

easy to remember without paper and uncrackable. Pair it with a YubiKey and that's your Bitwarden master

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa is an equally long password, but much less safe than your example password because my password has far less entropy.
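A small calculator, added here as an illustration and not part of the original thread, that puts numbers on the entropy comparison above (25 random characters vs. 5 Diceware words vs. a self-chosen sentence vs. one character repeated) and on the "100 accounts, 5000 bits" total raised further down the thread. The attacker guess rates and the 1.3 bits-per-character figure for running English text are assumptions chosen for illustration, not figures from the thread.

```python
import math
import string

# Attacker models. These rates are assumptions chosen for illustration, not figures from the thread.
GUESSES_PER_SEC_FAST_HASH = 1e11  # GPU rig against a leaked fast, unsalted hash
GUESSES_PER_SEC_SLOW_KDF = 1e3    # Argon2 tuned to ~1 s/guess on a laptop; attacker assumed 1000x faster

PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols
DICEWARE_LIST = 7776          # 6**5 entries in the standard Diceware list
ENGLISH_BITS_PER_CHAR = 1.3   # rough figure for running English text (assumption, see lead-in)


def random_chars_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a password of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def diceware_bits(word_count, list_size=DICEWARE_LIST):
    """Entropy of `word_count` words drawn uniformly (with dice) from a word list."""
    return word_count * math.log2(list_size)


def english_sentence_bits(sentence, bits_per_char=ENGLISH_BITS_PER_CHAR):
    """Crude estimate for a self-chosen English sentence: length times the per-character
    rate of English. The attacker gets no credit for the sentence being a known quote,
    so this is an optimistic upper bound, not a guarantee."""
    return len(sentence) * bits_per_char


def repeated_char_bits(alphabet_size=PRINTABLE_ASCII, max_length=128):
    """Entropy of 'one symbol repeated n times' against an attacker who tries that
    pattern: choose the symbol, choose the length. Note it does not grow with the
    password's actual length, which is why 71 'a's is not a 71-character password."""
    return math.log2(alphabet_size) + math.log2(max_length)


def expected_crack_seconds(bits, guesses_per_sec):
    """Expected time to hit the password: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def total_bits_to_memorise(accounts, bits_per_account):
    """Bits a person would have to hold in memory for independent random passwords."""
    return accounts * bits_per_account


def compare():
    """Rows of (scheme, bits, years at fast hash, years at slow KDF) for the schemes in the thread."""
    year = 365.25 * 24 * 3600
    sentence = "theuniverseis99%emptyspaceatleastthatswhatiwastaughtbymr.cattoningrade6"
    schemes = {
        "25 random printable chars": random_chars_bits(25),
        "5 random Diceware words": diceware_bits(5),
        f"self-chosen {len(sentence)}-char sentence": english_sentence_bits(sentence),
        "one char repeated": repeated_char_bits(),
    }
    return [
        (name, round(bits, 1),
         expected_crack_seconds(bits, GUESSES_PER_SEC_FAST_HASH) / year,
         expected_crack_seconds(bits, GUESSES_PER_SEC_SLOW_KDF) / year)
        for name, bits in schemes.items()
    ]


if __name__ == "__main__":
    for name, bits, fast_years, slow_years in compare():
        print(f"{name:30s} {bits:6.1f} bits  fast hash: {fast_years:.3g} y  slow KDF: {slow_years:.3g} y")
    print("100 accounts x 50 bits =", total_bits_to_memorise(100, 50), "bits to hold in memory")
```

The point the numbers make: a repeated character is worth about 13 bits however long it is, five Diceware words are about 65 bits, and the sentence model only wins if the attacker really has to guess it character by character. Dividing by a slow KDF buys eight orders of magnitude, which is the argument made later in the thread for not worrying much about a stolen KeePass file.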
> That's not been true ever since the development of good password managers.

A lot of people do not trust password managers, case in point the recent LastPass scare.

You want passwords to your key accounts to be 1) memorable 2) strong 3) only in your head. For these, I think the article is fairly relevant.

> A lot of people do not trust password managers, case in point the recent LastPass scare.

That's no excuse. KeePass allows having the database file locally, where it's your duty to manage it.

It might be less convenient, maybe. But I don't see valid excuses for people to not start using a password manager, even less so for the less tech-savvy people.

It’s completely valid to distrust password managers. No software is free from bugs, or accidentally exposing your passwords. It might take a lot of work, but it’s certainly possible.

There’s also the possibility of mismanaging your password database and losing all of your data.

> It’s completely valid to distrust password managers.

Is it, really? And at the same time to trust one's memory? For memorizing hundreds of long passwords? Don't think so...

Distrusting password managers does not implicitly trust your own memory.

There are alternatives to programmatic password managers or human memory, e.g. a paper notebook and a safe. That's not an approach I would personally take, but I imagine it's a reasonable option for someone who sees the potential danger of trusting any program for sensitive data.

> There’s also the possibility of mismanaging your password database and losing all of your data.

The alternatives are the same password everywhere or keeping a paper around with the passwords written in plain text. Both are equally disastrous (unless you work at home and don't ever get robbed).

I would say having it written is more secure. If you hide it in a good spot no robber is going to find it, and even if they do you will almost certainly know you’ve been robbed so you can change the passwords. Not only that, but I bet 99% of robbers wouldn’t have an effective plan to sell or use the passwords. Digital, on the other hand, has a significant chance to go undetected for a while, and the thief will certainly know exactly what to do with them.
Or finding a good mix between entropy and memorability so you can keep lots of strong passwords in your head, like the featured article discusses.
This doesn't work. If you have 100 different accounts, there is no way you can memorize around 5000 bits of entropy in a reasonable amount of time.
Keeping a local database file secret is a pretty difficult task. You introduce a wider attack surface vs. a memory-based password.
Keeping it secret isn't as critical as you make it sound.

KeePass is open source. You can review the crypto, or pay somebody competent to review the crypto, or trust that the project or some 3rd party has done so.

I wouldn't go out of my way to publish my KeePass file publicly, but any attacker who can break the 256-bit AES encryption, or brute-force/dictionary-attack its key (derived with an Argon2 KDF with enough rounds to take 1 second per key transform on my laptop), is well into the "I stand no chance against state level actors specifically targeting me" category, and I'll just assume I've lost to them already. In the immortal words of James Mickens: "If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT." If ASIO/CSIS/GCHQ/GCSB/NSA want access to my accounts, it's unlikely having passwords that are only in my memory is going to make much difference to my personal outcome. If a drive-by teenaged script kiddie hits a zero day on one of my devices and pops my KeePass file, I'm not even sure I'd bother changing the passwords.

I'm happy enough storing the KeePass file on my (encrypted) laptop hard drives. I'm OK with using iCloud to sync it to my phone. I'm fine with it being part of my regular TimeMachine backups to a pair of external usb (encrypted) drives, and for a copy of that usb drive backup to be synced to an encrypted S3 bucket.

The problem with password managers was that they were a commercial venture. Not that commercial is inherently worse in the general case, but:

1. Closed source, so you cannot audit a critical piece of security infrastructure.

2. Perverse incentives: they want to make money, so they are naturally going to encourage new versions over old and deprecate support for old programs.

2a. If your company of choice has not-great business they have an active incentive to sell your data (including bank passwords) on the black market.

3. A need to keep "up to date", i.e. jam whatever hot takes into your app to up the selling appeal. You want your security to be very boring; having a bunch of new features mixed into every release is a recipe for insecurity and disaster.

4. Cloud access. This leads on from the last point, but as soon as you store your stuff on a third party server, even encrypted, your potential leaks go from your computer, to every device between you and the remote, and then some (all third party integrations). Which has the side effect that said companies must start (complex) security auditing practices with all the fun and failure points that brings...

Now, even on the open source side:

1. As soon as you have to update your password manager, you might as well throw away all passwords and start over:

a) Can you really trust that no source was breached during the update?

b) How do you know it is even a legitimate update? Better not have put your password for updating things in your password manager...

c) It's open source, great, so you can audit it but... will you?

d) Or will you just trust it, and because some guy who wasn't getting paid and is trying to get through school and hold a part time job missed a critical bug, you end up with all your passwords compromised anyway.

2. Deserves status as its own point: open source is auditable but not necessarily trustworthy, not without a lot of active oversight.

As such, one can conclude that such programs are mostly colossal wastes of time, if not actively endangering security.

Even as a 'better than nothing', they are a bad idea; to the layfolk who don't know any better it's just another potential bad practice they are getting drilled into them.

I would argue that writing down passwords on paper is usually a better practice than using a password manager, at least that can be locked up in your home (and if you can get into my home I have other bigger worries).

Instead we should focus on giving back some responsibility to the user - most sites don't need passwords, if you are using a password manager for those sites you should presume that password is low security.

It would be better if we could codify the importance of a password somehow.

I mostly agree, but I do find myself choosing a new FDE and login passphrases about once a year, and I wish that I could choose these using something like Diceware, but memorable enough that I wouldn't need to write them down at all. Thinking about how I might do that is what ultimately led to this post.
Login, like for your local computer? Why rotate those?
More often for e.g. work computers.
I'm curious if you have a rotation/audit practice for those? With 600-odd passwords, I'm not even sure how I would keep track of access to the items being protected.
Rotating/expiring random 25 char passwords is unnecessary.

One big advantage of a password manager is you _can_ audit accounts/passwords. I do a once a year sweep of my personal ones in KeePass, and use it as an opportunity to close accounts on services I no longer use. (Not that I believe any 3rd party service can be trusted to actually delete your data when you close your account, but spending 5 minutes updating your profile with junk data before deleting it improves your chances of not ending up on spam lists or automated credential stuffing attacks when that service gets popped.)

For the work shared passwords we use 1Password, which, while I prefer their old standalone app over their new cloud thing, does two very useful things: 1) it integrates with HIBP's password checking service so it warns you when you have a password that's been published in a dump, and 2) it provides an audit trail of which credentials each team member has ever accessed, so you can revoke only what's needed instead of rolling all shared passwords every time a staff member leaves.

That is auditing your access to a password. It is not auditing the use of said password at the service. Consider: social hacking to reset one of your passwords cannot be determined by inspecting your manager.

And rotation is still needed. Less likely that your password is busted, I agree. But you still need to rotate, if only to make sure it was never intercepted.

> 5 misspelled-and-with-random-punctuation words

Why misspell and add random punctuation?

So that they can't be found in a dictionary

Granted, 5 words chosen truly randomly from an English dictionary is already insanely strong, but why not make it slightly stronger?

Most likely to make dictionary attacks against the password(s) ineffective.
Also makes them more resistant to people looking over your shoulder.
I recommend changing the keyboard layout silently when someone is looking over your shoulder.