[TZubiri]

Using a password manager has 2 main tradeoffs and mistakes:

1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.

2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.

At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.

So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).

Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.

[amenghra]

Password managers (whether it's Lastpass or your browser's built-in password store) also protect against phishing since they tie passwords to domain names.

I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.

[al_borland]

When they work… I finally gave up on 1Password as it has been getting worse and worse about actually autofilling for a few years. After all the Avengers turned into investors and the price increase was announced, I jumped ship. It felt like they were more worried about their ROI than the product. After 18 years of use, this was pretty disappointing.

[amenghra]

For personal use, Bitwarden + a Raspberry PI should work perfectly fine. Your devices will sync when you are home. If they get out of sync, your fallback is to password reset. Or use your browser's built-in password manager which also syncs in most cases. I prefer to be browser-agnostic since it gives an easy solution to handle non-web passwords.

[zarzavat]

"Password manager" used to mean a program that runs locally on your computer. At some point people started making it into a SaaS, because that's more profitable.

I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.

[pdimitar]

You can and should have the best of both worlds. Using Enpass, the program _is_ local, it just backs up the entire database (encrypted SQLite3) to a cloud.

But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.

[NoMoreNicksLeft]

>At some point people started making it into a SaaS, because

Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?

[Biganon]

Are you sarcastic, or do you not realize your vault is encrypted with your master password and never readable to the service?

[mkayokay]

heavy mouth-breathing

[panick21_]

It became SaaS because its more practical when you have many devices or many users.

[acheron]

The article is about a marketing data breach, not passwords.

[al_borland]

From a marketing perspective, a data breach of any kind looks horrible for a company whose entire job is keeping secrets safe.

[TZubiri]

I understand, just making a general comment.

And it's not unheard of that infections metastize, whether into developer accounts, product code... Probabilistically, this was a shot on goal.

I apologize for the mixed metaphors.

[rpdillon]

> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

[kijin]

It's not just about long vs. short passwords. IMO the greatest benefit of having a password manager -- whether it's a bloated Electron app or just a text file on your computer -- is that it enables you to juggle hundreds of different passwords, randomly generated for each site. It's the best way we know of to limit the blast radius when (not if!) some of those sites inevitably get hacked.

[dist-epoch]

We need a bitcoin hardware wallet kind of password manager, where the actual passwords are stored on a hardware security key. When you click on the computer on the password you want to use, the hardware security key shows it's name on it's screen, and asks you to press a button on it to confirm that you want to use it.

For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)