by AlbertCory 1094 days ago
I don't use a password manager. You shouldn't, either, probably, unless you want to share passwords with a group or something.

I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.

You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.

Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.

All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.

5 comments

Counterpoint: Use a password manager and unique passwords for every site, and be mad about the terrible authentication UX, just like the vast majority of experts in the field recommend.
> You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect everything you do.

But it does mean that if one of those passwords gets leaked and the service that leaked it takes a while to notice, you now have X other services that are compromised and you don't even know it.

There are breaches on haveibeenpwned for my email that I was never notified of. If I were reusing passwords, each of those would represent a possible security breach in unrelated accounts.

I'm not going to give examples here, but: there are tons of sites that no one is ever going to bother impersonating you on. They can't use them to buy, sell, move money, or ruin your reputation.

Maybe they're like diseases you have that aren't any threat to your health.

If some site is really important, then yes: you do need a unique password for it.

> I don't use a password manager.

Seems like you do, in the form of a hints file. You even protect it with a password. You’re using a bespoke solution, sure, but you’re still using something to manage your passwords. You could do all that trickery with an off-the-shelf password manager.

No, I couldn't. With an off-the-shelf password manager, one failure and the bad guys are in. Or I'm locked out, which seems to be what happened here.
> one failure and the bad guys are in.

You don't have to store passwords in an off-the-shelf password manager; you can store secure notes and files. In other words, you could continue to use your current method of hints but with more organisation.

Point being that what you’re doing is not meaningfully different from using a password manager, you just manage your passwords in an uncommon manner.

It IS meaningfully different: almost everyone expects the password manager to fill in the actual password on the form, not a hint about it.

As far as I know. Maybe someone does do that?

Anyhow, password managers cost money. This doesn't.

It is not mandatory for password managers to fill in passwords. Turning that on is often an extra step because you need to install their browser extension. Everyone is free to not do so.

And there are plenty of free (and open-source) password managers.

https://en.wikipedia.org/wiki/List_of_password_managers

It’s fine that you don’t want to use an off-the-shelf password manager, but if you’re not familiar with how they work in practice, perhaps you should not advise people to not use them. Your system is a way to manage passwords and from your description seems to be more complicated than most people (especially non-technical users) would bear.

"More complicated"? On the contrary. It's a homebrew system like people have used since before computers. And since it's a one-off, it's not worth cracking.

Edit: what do you consider "complicated"? Compared to all the inevitable complications of a PW manager and browser extensions? Not to mention screwups like the LastPass one.

Did you try KeePassXC?
No, why would I? And would one of these "unsophisticated users" even know about it?
This is not the way. So much churn for less effect.
"Churn"? What are you talking about?

or is that a hint that's only meaningful to you? /s

More vulnerable to phishing: a good password manager checks the URL programmatically and won't fill a different domain. Human validation of domains is weak; we forget and can be tricked.
These are all weak. "Phishing protection" consists of not clicking on URLs someone sends you, particularly the "is this you in the photo?" messages on Facebook.

"Human validation of domains": not sure what you mean here, but I think it's a theoretical problem, not a real one.

If you're afraid of misspelling your bank's name and landing on some malware, you can enter the bank name in your search engine.

> "human validation of domains" : not sure what you mean here but I think it's a theoretical problem, not a real one.

It’s a very real and not theoretical problem. For example, someone sends you a link to a Google Doc. You open it and the page looks exactly like the real deal, but the domain is `signin.googledocs.com` or `login.googgle.com`. Even a technical user could not be paying attention and be fooled by that, manually entering their email and password. Because a password manager would only auto-fill your password on the correct domain, you have an extra reason to be suspicious and note something is amiss.

You missed the part where I said not to click on URLs people send.
But you do realise non-technical people (i.e. most of the world) will click those links, don’t you? Password managers have a convenient and secure solution to the problem and you’re offering an alternative which requires teaching and convincing everyone to act differently in a very specific situation to prevent a situation that rarely happens but is potentially catastrophic when it does.
Everyone in the world is not reading Hacker News.
So some news site you read gets hacked and they install malware such that when you move to another tab, it changes the tab to look like a login screen for, say, Google, and when you go back, you log in. This has been seen in the wild, and it is very hard for a human to catch; we assume we had a tab open and log in. A password manager will refuse to do it because it isn't the right domain.

Yes, of course all of these kind of attacks can be avoided by "just don't do anything dangerous", but in the real world we are all flawed and mess up. No human can be perfect, and relying on never making a mistake makes you vulnerable. Anyone serious about security makes it hard to do the wrong thing.

Hardware security keys are an even better solution, but not every site supports them. Using both is by far the best option.
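The domain check that several commenters above rely on (the `login.googgle.com` / `signin.googledocs.com` lookalikes, and the hijacked-tab login page on an unrelated site) is worth seeing concretely. The following is an added illustration, not code from any commenter or from any real password manager: a minimal autofill decision that compares the *origin* (scheme, host and port) where a credential was saved against the origin of the page asking for it. The vault contents and hostnames are constructed for the example; `origin_of`, `should_autofill` and `matching_entries` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed vault for the example. Each entry records the origin of the page
# the credential was saved on; real managers store this alongside the secret.
VAULT = [
    {"site": "Google", "origin": "https://accounts.google.com/", "username": "alice@example.com"},
    {"site": "Bank",   "origin": "https://online.bank.example/", "username": "alice"},
]


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it is unusable.

    Anything that is not a plain http(s) URL with a hostname (javascript:, data:,
    file:, a malformed port) yields None and therefore never matches.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")  # case and trailing dot are not significant
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port in the URL
        return None
    return (parts.scheme, host, port)


def should_autofill(entry, current_url):
    """Fill only when the current page's origin equals the saved origin exactly.

    Exact equality is what defeats the lookalikes discussed in the thread:
    a typo-squat, an unrelated domain that merely contains the brand name,
    or a hostname that has the real one as a prefix all compare unequal.
    Filling over plain http is refused as well, since the page could have
    been rewritten in transit.
    """
    saved = origin_of(entry["origin"])
    current = origin_of(current_url)
    if saved is None or current is None:
        return False
    if current[0] != "https":
        return False
    return saved == current


def matching_entries(vault, current_url):
    """Entries a manager would offer on this page; an empty list is the warning sign."""
    return [e for e in vault if should_autofill(e, current_url)]


if __name__ == "__main__":
    # Constructed pages: the genuine sign-in page, the two lookalikes named in the
    # thread, a prefix trick, a downgrade to http, and a login form injected into
    # an unrelated news site's tab.
    pages = [
        "https://accounts.google.com/signin?continue=%2Fdocs",
        "https://login.googgle.com/",
        "https://signin.googledocs.com/",
        "https://accounts.google.com.evil.example/",
        "http://accounts.google.com/",
        "https://news.example/login",
    ]
    for url in pages:
        offered = [e["site"] for e in matching_entries(VAULT, url)]
        print(f"{url:55} -> {offered or 'nothing offered'}")
```

Note that the check is deliberately stricter than "same registrable domain": a manager that matched on `google.com` as a suffix would still refuse `googledocs.com` and `googgle.com`, but the exact-origin rule also keeps a credential saved on one subdomain from being offered on another, which is the safer default when you cannot see who operates that other host.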