by smaudet 1620 days ago
The problem with password managers was that they were a commercial venture - not that commercial is inherently worse in the general case, but:

1. Closed source, so you cannot audit a critical piece of security infrastructure.

2. Perverse incentives - they want to make money, so they are naturally going to encourage new versions over old and deprecate support for old programs.

2a. If your company of choice has not-great business, they have an active incentive to sell your data (including bank passwords) on the black market.

3. A need to keep "up to date", i.e. jam whatever hot takes into your app to up the selling appeal - you want your security to be very boring; having a bunch of new features mixed into every release is a recipe for insecurity and disaster.

4. Cloud access - this leads on from the last point, but as soon as you store your stuff on a third-party server, even encrypted, your potential leaks go from your computer to every device between you and the remote, and then some (all third-party integrations). Which has the side effect that said companies must start (complex) security auditing practices, with all the fun and failure points that brings...

Now, even on the open source side:

1. As soon as you have to update your password manager, you might as well throw away all passwords and start over:

a) Can you really trust that no source was breached during the update?

b) How do you know it is even a legitimate update? Better not have put your password for updating things in your password manager...

c) It's open source, great, so you can audit it but... will you?

d) Or will you just trust it, and because some guy who wasn't getting paid and is trying to get through school and hold a part-time job missed a critical bug, you end up with all your passwords compromised anyways?

2. Deserves status as its own point: open source is auditable but not necessarily trustworthy, not without a lot of active oversight.

As such, one can conclude that such programs are mostly colossal wastes of time, if not actively endangering security.

Even as a 'better than nothing', they are a bad idea; to the layfolk who don't know any better, it's just another potential bad practice getting drilled into them.

I would argue that writing down passwords on paper is usually a better practice than using a password manager, at least that can be locked up in your home (and if you can get into my home I have other bigger worries).

Instead we should focus on giving back some responsibility to the user - most sites don't need passwords, if you are using a password manager for those sites you should presume that password is low security.

It would be better if we could codify the importance of a password somehow.