by martinced 4855 days ago
None. Zero. Zilch. Nada.

Will people never learn? Do you realize what happens when your password manager itself gets compromised?

Using a password manager is trading security for convenience. This is simply not acceptable.

I fully expect all the people using insecure security practices and all the people selling snake oil to downvote this.

The problem, however, is that you can't argue with facts. And the fact is that trading security for convenience is a very stupid thing to do.

3 comments

Using a password manager allows me to assign a different random password to every site I use. This means that, if a site that uses weak hashing gets hacked (a relatively common occurrence), none of my other accounts are compromised. Do you have another practical way to achieve this level of security?

Also, note that if my password manager is compromised, it means that the attacker has some level of access to my machine, since that is where my passwords are stored. In that case it is reasonably likely the attacker can also install a keylogger. This will reveal my often-used passwords even if I do not use a password manager.

What would you recommend instead? If you insist people remember all of their passwords in their head, you'll end up with them using the same password for everything.

I think the most common is you have a single password, but you hash it with the name of the service you're logging into.

For example, if your password is "puppy" and you're signing up for HN, your password would be:

pHuApCpKy

And, if you wanted to make it stronger, salt it with some special characters.

p~Hu!Ap@Cp#Ky$

... which is just the shift-characters on a number row in order.

This way, you only have to remember one password, and it is service specific, and pretty strong. No password manager needed.

Of course, I don't do this. I use 1Password and KeePassX.

I like the idea of hashing off a root word + site. I'd rather have the browser do it for me though, and I don't think there's anything on the page itself that I could depend on to hash with. Maybe the domain?

To be honest, Firefox has an encrypted database of site-passwords. What's wrong with that?

I have a system like that, that takes a master and the domain. The advantages over the Firefox password manager are availability and not having to worry about backups. Since I know the algorithm, I can recreate any password using widely available tools.
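The interleaving scheme from the "puppy"/"pHuApCpKy" post above, next to a master-plus-domain derivation like the one this reply mentions, as an added Python example that is not code from any commenter. The site token "HACK" is inferred from the thread's example output, and the PBKDF2 variant is an assumed design, not the system any commenter actually uses.

```python
import base64
import hashlib

# Shift characters on a US number row, in order (the thread's "salt").
SHIFT_ROW = "~!@#$%^&*()_+"


def interleave_password(master: str, site: str, salt: str = "") -> str:
    """Interleave master, salt and site characters, as described in the thread.

    "puppy" + "HACK" -> "pHuApCpKy"; with salt "~!@#$" -> "p~Hu!Ap@Cp#Ky$".
    Every master character is copied verbatim into a predictable position,
    so a single leaked site password exposes the master for every other site.
    """
    out = []
    for i, ch in enumerate(master):
        out.append(ch)
        if i < len(salt):
            out.append(salt[i])
        if i < len(site):
            out.append(site[i])
    return "".join(out)


def kdf_site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a site password from master + domain with PBKDF2-HMAC-SHA256.

    Assumed design (not any commenter's real system): the domain is the salt,
    so each site gets an unrelated password, and the iteration count slows
    offline guessing of the master from one leaked site password.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), 200_000)
    return base64.b64encode(key).decode()[:length]


def is_subsequence(needle: str, haystack: str) -> bool:
    """True if every character of needle appears in haystack, in order."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


if __name__ == "__main__":
    plain = interleave_password("puppy", "HACK")
    salted = interleave_password("puppy", "HACK", SHIFT_ROW[:5])
    print(plain, salted)
    # The master is readable straight out of the interleaved result.
    print("master visible:", is_subsequence("puppy", salted))
    print(kdf_site_password("puppy", "news.ycombinator.com"))
```

Changing either the master or the domain changes the PBKDF2 output completely, which is the property the interleaving scheme lacks.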
Feel like providing a workable alternative, or are you just content to stay in your cloud of idealism with other thoughts like "everyone should change passwords for everything every 90 days"?