by bkishan 1079 days ago
Of course passwords are fine. What's not fine is getting billions of people to change their behavior and switch to and use a password manager (that's not chrome).

You could even argue passwords are better than passkeys for those with strong password hygiene. However, when it comes to the masses, the convenience-security tradeoff of something like passkeys is always going to be better. And for the nerds and geeks, passwords are not going to disappear anytime soon.


Why not chrome?
Not the parent but the problem is that Chrome (sub. Firefox and Safari, these are problems with pretty much all browsers) isn't a password manager, it's a password autofiller.

The result is that what should be crucial things like "how do we ensure permanency of the passwords file" are treated as very second rank - profile corruption usually is met with "remove the entire profile", which also ditches the password database. Literally every other password manager has some sort of tool available that makes it very clear where your data is stored and emergency backup options.

Chrome also doesn't like it if the login form doesn't look like most other login forms (and because this is the internet, you're gonna at some point run into weird login forms). It also can behave really funny if the site combines the user registration form with the user login form (which a lot of webshops do) by putting the autofill information in the registration form instead of the login form.

Add to that a very subpar experience in manually filling the right fields and "why not Chrome" should have a very clear answer.

It's a full-featured password manager, accessible via passwords.google.com. Also has great android app integration. I use it on Android, Linux, and Windows. The only thing it's missing is the marketing; I often wonder why they don't market it and crush 1password et al.
This isn't a great answer, but I've never liked Chrome password manager because I feel like a password manager is something I want to pay a company for, not a service I want to be given for free. Somehow, it being a free feature that's bundled with my browser makes me not trust it. (Again, not claiming this is a great reason not to use it)
Weird.

I use pass as my password manager on all my Linux boxes (with a yubikey to store GPG keys and Password Store + OpenKeychain on android).

I basically refuse to use any password manager with an implementation I can't see or audit.

I can't imagine trusting any company to handle my passwords correctly.

The only proprietary component is the yubikey which is basically incapable of misbehaving in a way which would cause me to lose control over my passwords unless I lose control over the yubikey itself.

How do you know that the product you use was built from the provided sources?
> How do you know that the product you use was built from the provided sources?

Maybe you haven't heard of pass[1], but it's an open source project, and it's easy to build from source[2].

---

1. https://www.passwordstore.org/

2. https://git.zx2c4.com/password-store/

It's 800 lines of bash. I can read it.
Did you actually look at it and audit it? >99% of people aren't going to do that. They're just assuming somebody has.
Yes, pass is 800 lines of relatively straightforward bash and I am qualified to review bash. Now, granted, it uses GnuPG and git but in those cases I think the risk of problems is minimal.

I haven't in all honesty read the Password Store android application (nor OpenKeychain) source code but I trust my phone sandbox capabilities enough for it not to do anything nefarious like send my passwords somewhere. It's also not so large that it would be hard to read it.

The point is, the operating principles behind how Pass works are simple enough that it's relatively easy to verify the core of any implementation and relatively difficult to smuggle in nefarious behavior.

> Did you actually look at it and audit it? >99% of people aren't going to do that. They're just assuming somebody has.

That's a fair point. I certainly haven't.

But the great virtue of pass is that it runs locally, which means that it's much more difficult to attack than a SaaS password manager.

I have, pass is just a bash script with <1000 loc.
Not sure if it is what the GPP is referring to, but I prefer to keep a larger gap between my browser and password manager to reduce the potential spread of difficulties if the browser falls foul of a security vulnerability. The risk of this happening is of course small, it would require significant bugs in a couple of different places, but the potential damage is high. Firefox's password manager, or those built into any other web UAs, I'd be wary of for the same reason rather than it being specifically an anti-chrome thing.

An air gap would be preferable still, as that would protect from similar issues at the OS level, but that is another step or few into less practical (well, significantly more inconvenient) territory. I at least have my master password on a USB device (and backed up by other physical means in case that dies) which is only plugged in when needed, that is effectively an air gap when I don't leave the password manager unlocked between uses.