by commandersaki 1271 days ago
Before I used password managers I would just keep a monolithic text file with all the relevant information for sites and passwords and also keep notes. I was using vim encryption at the time. This was a bad idea because the vim encryption doesn't really follow cryptography best practices; for example, the encryption isn't authenticated.

The first password manager I started with is LastPass, in 2014, when it was recommended to me by a password security expert in academia. I used a memorable, human-generated passphrase with enough twists to get about 80 bits of entropy, so if my old encrypted data is in the wild (doubtful), I'm not really concerned about the recent breach.

I've since been all in on 1Password since 2017, after LastPass was getting progressively worse and I sought out a new password manager. I've examined the security design whitepaper, and most of the choices when it comes to cryptographic protocol design are pretty good, no real homebrew, and should stand the test of time, but there are still better choices that can be made about protocols, such as PAKE, that'd be better in 2023. Anyways, the 1Password UI is pretty good.

I also make backups of 1Password using the command line interface in case they decide to kick me off their systems or something happens where I can't make payments for years. The backups are then encrypted using the scrypt tool.

If I were to get off password managers completely, I wouldn't bother with password management tools like KeePass etc., as they constrain you to their UIs and don't do an adequate job of things like browser autofill. I'd rather just go back to a plaintext file and encrypt/decrypt with scrypt or age.