> Like, I really don't get it. Why not just use a password manager. I always tell these people to just sign up for a password manager and they always resist and say no. I must be missing something obvious.

Simple, I don’t trust a cloud service to keep the data secure, and I don’t trust myself to self host and keep the data safe (and not get corrupted) while simultaneously getting that data on all devices and synced. The flaw of password managers is that you don’t know the passwords you’re using for your sites. That is, if the data was lost, you’d have to do an account recovery, which for some sites is fine, for others it can be a nightmare though. Alongside this, it is a hard problem to have to simultaneously get all of these copy-pasted passwords on each device without inherently putting them on the Internet (albeit with a password in front of them). Given a threat model of password managers being inherently valuable targets, data going in and out of them is inherently vulnerable for when an exploit is inevitably found. I’m not saying any of these problems makes mental hash algorithms or rotating passwords better, but password managers do have inherent flaws that make them still an unideal tool. Also, I find it ironic in the modern day that a simple sticky note next to your computer is probably one of the better solutions to password management, if people invading your physical space isn’t part of your threat model (which is usually the case).
It's typically a 5-minute process, which I know because services regularly force password resets quite often.
> …I don’t trust a cloud service to keep the data secure.
Fair enough, there are definitely shady SaaS vendors. My password manager is a SaaS with a long history (2006), which has no access to my account passwords or Secret Keys and could not reset or recover them for me if I asked. I'm personally satisfied with that.
Have you considered the benefits? For example, I know I currently have 1,161 account logins on various sites/services, 278 of which have "fantastic" passwords, and 144 which have "fair" passwords that I should really go back and update (surely from my pre-password-manager days). I know there are 5 accounts that now support 2FA, and many more which now support passkeys. I know when I've last used each so I can easily close old accounts, which I gradually do.
That kind of awareness/security hygiene enablement would be tough (if not impossible) to replicate manually.