[SPBS]

Wow, that's awful. So they abuse "forgot your password" as a login method, with the added obstacle of having to come up with a random password every time. And they don't see any problem with it. My hunch is that all these people are very non-technical users.

[EnigmaFlare]

I do that for some sites. It's the initial effort required to set everything up that's the obstacle. This kind of behavior is taking the easiest route at every step instead of investing time into making the future easier. I stopped using a password manager after it got hacked and haven't bothered setting up a new one.

The most annoying sites require you to confirm your throwaway password or log in again using it, and can't copy from the password field, so you can't just spam the keyboard and have to type it into notepad then copy and paste a few times before discarding it. This is stupidly inconvenient to do all the time but the alternative is more inconvenient to do once - researching which password manager is currently safe, finding it, installing it, writing down your master password somewhere really safe, etc. Then keeping on top of the news for the rest of your life to see if your password manager is going down the gurgler or been hacked. Also, will my passwords be available when I travel to a country with restricted internet? Who knows. Can I export my passwords to any other password manager or a text file if I need migrate? That's part of the research needed to even get started using a password manager.

[roryokane]

I can save you some of that research. The KeePass family of password managers are open source and based around a shared file format. They save your passwords in an encrypted file on your computer or phone’s local drive. An ecosystem of apps by different people can parse that file format (after you enter your master password), and at least one app can export as CSV or HTML, so migration is not a problem.

Since your passwords are in a local file, there is no online password manager that can be hacked. If you worry that your local password manager software will have malicious updates posted, you only have to read news at the time you download an update, which can be as infrequent as you like.

If you need to share passwords among your devices, you can store the encrypted file in a generic file syncing service such as Google Drive or Dropbox. Those services are less of a target for hackers than dedicated password managers, and even if someone obtains that file, your passwords will be safe as long as your master password is strong.

Specific KeePass clients I recommend: https://keepassxc.org/ on desktop, https://github.com/PhilippC/keepass2android on Android.

[conradklnspl]

> Then keeping on top of the news for the rest of your life to see if your password manager is going down the gurgler or been hacked. Also, will my passwords be available when I travel to a country with restricted internet? Who knows. Can I export my passwords to any other password manager or a text file if I need migrate? That's part of the research needed to even get started using a password manager.

These are pretty much the exact reasons I created https://github.com/conradkleinespel/rooster. It's a simple password manager for the command line. It's offline. It's open source. It's stable. It can export passwords to plain text in different formats.

And its feature-set is intentionally limited, so I can maintain it with little work, to avoid it going down the gurgler. It's been available and maintained since 2015.