by dhdgrygev 1279 days ago
The average person, when not allowed to use a convenient password manager, will either use the same password for every site or come up with a predictable pattern. Encouraging a password manager helps make sure they don't get destroyed completely when a blog they signed up on 5 years ago is hacked.

This is partly because so many things want an account now. I have over 500 passwords saved, it would be straight up impossible to remember unique strings for each site.


> This is partly because so many things want an account now. I have over 500 passwords saved, it would be straight up impossible to remember unique strings for each site.

I'd argue that it is not just about remembering passwords. A password manager also helps you remember that you even have an account. I have a similar number of passwords stored as you and there's no way I'd remember all the sites I signed up for (never mind the passwords) if not for the password manager I use.

If I was diligent I could probably track them via confirmation emails (or self-authored "confirmations" for services that don't send a confirmation email), but I can guarantee that a lot would slip through the cracks if I were to attempt that.

A password manager also gives you a convenient place to store (and share) secrets, recovery keys, SSH keys, and similar bits of security related information that you cannot memorize.

In addition, password managers are much better than the average human at avoiding phishing attacks. The chances of the password manager auto-filling your normalwebsite.com password on nomalwebsite.com or normal-website.com are infinitesimally low compared to the chances of an average user doing so.
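The phishing point above comes down to how the autofill decision is made. The following is an added example, not code from this thread or from any password manager: it contrasts a "looks about right" comparison (approximating a glance at the address bar, using a string-similarity ratio that is my own stand-in for human judgement) with the strict origin rule a manager applies before offering a saved credential. The vault contents and the hostnames normalwebsite.com, nomalwebsite.com and normal-website.com are constructed for the demonstration.

```python
import difflib
from urllib.parse import urlsplit

# Constructed vault entry: credentials saved while logged in at https://normalwebsite.com
VAULT = {"normalwebsite.com": ("alice", "correct horse battery staple")}


def host_of(url):
    """Return (scheme, hostname) of a URL, lower-cased and without a trailing dot."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower().rstrip(".")


def human_match(url, saved_host, threshold=0.8):
    """Stand-in for reading the address bar: spelling that is 'close enough' passes.
    A one-letter typo or an inserted hyphen scores well above the threshold."""
    _, host = host_of(url)
    return difflib.SequenceMatcher(None, host, saved_host).ratio() >= threshold


def manager_match(url, saved_host):
    """Strict rule a password manager applies before offering autofill:
    HTTPS only, and the page host must equal the saved host or be a subdomain of it.
    Substring or similarity matching is deliberately not used."""
    scheme, host = host_of(url)
    if scheme != "https":
        return False
    return host == saved_host or host.endswith("." + saved_host)


def autofill(url, matcher):
    """Return the credential the given matcher would fill on this page, or None."""
    for saved_host, cred in VAULT.items():
        if matcher(url, saved_host):
            return cred
    return None


if __name__ == "__main__":
    pages = [
        "https://normalwebsite.com/login",          # genuine
        "https://login.normalwebsite.com/",          # genuine subdomain
        "https://nomalwebsite.com/login",            # typo-squat
        "https://normal-website.com/login",          # hyphen lookalike
        "https://normalwebsite.com.evil.example/",   # saved host as a prefix only
        "http://normalwebsite.com/login",            # right host, plaintext transport
    ]
    for page in pages:
        print(f"{page:45} human={autofill(page, human_match) is not None!s:5} "
              f"manager={autofill(page, manager_match) is not None}")
```

The `endswith("." + saved_host)` check is what keeps `normalwebsite.com.evil.example` out: the saved host appears in that name, but not as its registrable suffix. A manager that also pins the scheme refuses to hand an HTTPS-saved credential to a plain-HTTP page, which is the same discipline applied to the transport instead of the name.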
I use BitWarden, but I'm thinking of self-hosting BitWarden. BitWarden's commercial offering might be tempting to crack from a hacker's perspective, but I don't think they would go after a specific user's instance.
There's a non-zero risk of hosting it yourself and not keeping up with the maintenance/security updates of whatever server you host it on. Gotta weigh that in the calculus. It might not be likely that they target you specifically, but there could be a drive-by bot that slurps up your password vault.
Most people seem to think it needs to be accessible online. Remote access =/= Internet access. Self-hosting an external vault, using VPNs, and requiring MFA access make the vault tricky to get to in the first place. Your machine would need to be compromised first for an attacker to even connect to it, and at that point you're compromised (and probably keylogged).

If you're actively under attack, no password manager, mental algorithm/password pattern, Yubikey, or MFA will prevent someone from just using your authenticated session(s).

Does that mean we shouldn't use these mechanisms? Of course not. When the risk is only realized with full compromise, saying XYZ could pose a threat is moot from a security perspective.

> Self hosting an external vault, using VPNs, and requiring MFA access make the vault tricky to get to in the first place.

OK, but that also is prone to a weakness in any part of that chain, assuming you even set it up properly in the first place. Each piece is another layer that can be hacked or improperly set up.

> This is partly because so many things want an account now. I have over 500 passwords saved, it would be straight up impossible to remember unique strings for each site.

How many of those accounts are essential?

I create throw-away accounts on the regular.

There are many accounts, but few that really matter. For the ones that matter I take care to make sure I have the passwords. For the rest, who cares :)

I use the same password for every account that doesn't have any private/payment info of mine. Don't really care if they get hacked.
What are some good methods to not create patterns, while allowing yourself to have an easier time remembering more complicated passwords?
If you go for the shared strong secret part "uniquefied" by an added per-site trivial part (not saying that you should), you increase risk the longer the trivial part gets: if an attacker somehow determines that your password here is 123hacker456news789, they will easily guess that they can get into your Facebook using 123face456book789. Less easy if it's 123h456n789 (because you don't really use the Spaceballs password, in reality h and n don't stand out half as much). If it's 123c456w789, guessing Facebook's 123c456o789 from that would be quite close to brute forcing unless they get their hands on dozens of that kind.
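To make the "one leak gives the attacker the rest" argument concrete, here is an added example (mine, not the commenter's, and not a recommendation of any particular scheme). The first function builds the 123h456n789 style of password from a site's initials, and the second shows how little work an attacker needs once one such password has leaked: swap the letters for the target site's initials and the digits carry over. For contrast, the third derives a per-site password from a master secret with PBKDF2-HMAC-SHA256, so the leaked value for one site exposes no per-site structure. The site names and the master secret are constructed for the demonstration; the 64-character output alphabet and 20-character length are my choices.

```python
import hashlib
import string

# 64 symbols so that (byte & 63) picks a character without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def pattern_password(site):
    """The weak scheme from the comment: fixed digits, per-site initials in between.
    'hacker news' -> '123h456n789', 'face book' -> '123f456b789'."""
    initials = [word[0].lower() for word in site.split()]
    return "123" + initials[0] + "456" + initials[1] + "789"


def guess_from_leak(leaked, target_site):
    """What an attacker does with one leaked pattern password: keep every digit and
    symbol, replace the letters in order with the target site's initials.
    Against a genuinely random password this just mangles a few characters."""
    initials = iter(word[0].lower() for word in target_site.split())
    out = []
    for ch in leaked:
        out.append(next(initials, ch) if ch.isalpha() else ch)
    return "".join(out)


def derived_password(master, site, length=20, iterations=200_000):
    """Deterministic per-site password: PBKDF2-HMAC-SHA256 keyed by the master secret,
    salted with the site name. Different sites share no visible structure.
    Caveat: a leaked output plus a known site name lets an attacker brute-force the
    master offline, so the master must be long and random, not a memorable phrase;
    the iteration count only slows that search, it does not remove it."""
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), iterations)
    return "".join(ALPHABET[b & 63] for b in digest[:length])


if __name__ == "__main__":
    leaked = pattern_password("hacker news")
    print("leaked pattern password :", leaked)
    print("attacker's Facebook guess:", guess_from_leak(leaked, "face book"))
    print("actual Facebook pattern  :", pattern_password("face book"))

    master = "constructed-example-master-secret"  # constructed; use a random one in practice
    hn = derived_password(master, "news.ycombinator.com")
    fb = derived_password(master, "facebook.com")
    print("derived for HN           :", hn)
    print("derived for Facebook     :", fb)
    print("guess from derived leak  :", guess_from_leak(hn, "face book"), "(wrong)")
```

The point of the contrast is not that a derived scheme is safer than a password manager (the comment is explicit that it is not recommending the pattern at all); it is that the strength of a per-site scheme is bounded by how much of one password carries over to the next, and for the initials pattern that is everything except one or two letters.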
Honestly, a somewhat sophisticated pattern that you write down somewhere is probably pretty secure, outside of a very targeted attack.
But it's safer to write it down on paper (at home, not work). A centrally managed service is for convenience.