Here's the question. Disregarding ease/efficiency and focusing only on security, is one better off storing passwords on pen and paper, like I do?
Or installing a password manager?
Both seem to have inherent vulnerabilities outside of one's control. Both methods are at the mercy of the website that stores the password, correct?
But I'm starting to think this is Schrödinger's cat: 50/50. Security-wise, neither method seems better than the other.
Having never used a password manager, am I looking at this the right way?
Or is both the way to go, with the built-in redundancy?
**Variables: I create strong passwords with my brain and sometimes pwgen.
As always, I value any points of view, thank you.
question regarding password managers
is one better off storing passwords on pen and paper, like I do?
I don't expect to carry around a notebook full of my passwords with me if I need to access it from my phone or laptop. And I can actually encrypt my database; with pencil & paper I'd basically have to use a cipher.
brent Both methods are at the mercy of the website that stores the password, correct?
No? You can use KeePassX / KeePassXC (in the repo as keepassx) entirely offline; it saves as a .kdbx file that you can copy to your phone over MTP if you don't want to use a file syncing solution (I use Nextcloud), and use Keepass2Android.
Well, if you mainly care about security, I would recommend writing the passwords on a piece of paper. When I was younger I used to write my passwords into a little book and lock it in a cupboard. Nowadays I prefer using a password manager because my passwords got a lot longer and it is very useful that I don't have to enter the passwords on my own. My favourite password manager is Bitwarden because it's libre software and you can use it on almost any operating system. If you want to use auto-insertion of passwords and usernames, then you should install the browser extension. On Solus you could install Bitwarden with Snapcraft or just download the AppImage.
Essentially what Josh said. I have a bazillion different passwords that I used to store in KeePass, but I recently switched to KeePassXC because it just works better on Solus.
I always keep one copy of the database on my phone (managing it with Keepass2Android) and one on my desktop PC, but you can of course sync it with whatever service you trust.
KeePass(XC) also has an easy-to-use password-creation tool, so you don't have to rely on your brain.
I used to use KeePassXC synced over Dropbox. However, if my phone were lost I couldn't access Dropbox because of the 2-factor requirement. Backup codes were distributed at home, at work, and in my wallet.
The worst case scenario of missing phone and missing wallet while far from home or work drove me to use BitWarden. With BitWarden I can recover passwords from any browser, so long as I can remember my BitWarden password.
Pen & paper is not secure: you might put it in your wallet and get it stolen, or a thief can visit your house, and people from your close surroundings can read it while you're busy or sleeping. It's not 50/50, it's just an unsecured way to store your passwords, unless maybe you invent your own secret code to write them in and then put your paper in a good physical vault that is strongly screwed to the ground/walls.... Of course you have to make sure to return the paper to the vault immediately after you've used the password in case someone enters the room (you know smartphones have good cameras nowadays, and a sheet of paper doesn't magically hide the passwords when the timeout is reached).
And then when you need to access your password from outside your house you realize you're screwed... and you blame yourself every x months when you have to renew your passwords and write them down again...
Use a good offline password manager... many password managers offer handy functionality to store your encrypted passwords in the cloud (meaning on someone else's computer); this is convenient, but it is the worst idea ever... unless you generate long random passwords and rotate them often and put them on your own private cloud... but still... forget about this option... just don't put your passwords in the cloud at all!
Also, always prefer passphrases to passwords for the super important things you absolutely need to remember even if your computer/storage and the post-its on your screen should ever burn. Complex passwords are just hard to remember; replacing O by 0, E by 3, i by 1, etc... doesn't make them more secure. A meaningless phrase (one that only has a meaning for you, I mean) is much easier to remember and usually naturally meets the complexity criteria, so you don't have to make any specific effort on that side.
I found every reply valuable. I've read a lot about passphrases.
I would definitely keep that info offline--NO cloud--and having a portable .kdbx file is gold.
Got the KeePass(XC) stuff from the repo. Brave new world now.
Appreciate the perspectives and especially the clarity. Thanks.
Solved---(I have a plan)
Brent, the only thing about keeping it offline (which is probably better than keeping it online) is that someone tidies your desk and throws that scrap of paper away, and your mind is now lost (and all your accounts). Been there.
dbarron True that. But I was using "offline" in the same context as Josh and Kyrios: a password manager that doesn't connect to the internet or phone home or update itself. I like the digital 'offline' concept. As for the piece of paper, when I migrate to a password manager I probably would keep paper as insurance. It's morphed into a small booklet! See Staudey above.
Another poster mentioned password length as well. Can you believe back in the day I'd use the same password for multiple accounts? But now? No no no. Like you said, enough to lose your mind besides now being too cumbersome.
Chrome, save password.
The brain is the best manager: build a story around the password so you remember it. Even if I forget the password, my wife remembers it, mainly the bank-related ones.
The rest of the passwords I am not worried about; they are just stored in Gmail Keep as twisted key=value pairs so no one can decode them.
South Korean bank users use a Korean PKI memory stick to log in for the public/private handshake.
Hello, here is an internet link for a password device; maybe it will suit you:
https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/?pt=ac_prod_search
I hope this can help you.
As other people explained, a password manager is probably better (cheers to @kyrios for the example of a hacked phone taking a picture of your list). And you know why it's better for your password list not to be in the cloud (because, for example, the NSA could eventually order it to be handed over or something like that... although a good password can take years to be broken, soon governments and big companies will have quantum computers which will crush passwords in seconds).
So it's best for your password list to be in your hands...
And now the new part: you can actually use the key file option (essentially you browse and select a file, like a picture, to be your authentication; be warned that if a picture is opened, even with an image viewer, it can change its metadata, making you unable to open your .kdbx file).
So it's most secure to have a local password file with a strong master password and a key file.
Also hide your characters when entering passwords, and I think you could do something more to stop brute force attacks.
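The composite-key idea in the post above (master password plus a key file, and a key file that stops working once a single byte of it changes) can be seen in a few lines of Python. This is an added illustration, not code from the thread and not KeePass's real file format or KDF parameters: the iteration count, the hash-based counter-mode keystream and the sample "photo" bytes are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the thread or from KeePass): a toy vault whose
# unlock key is derived from BOTH a master password and the contents of a key
# file, so that a single changed byte in the key file (for example an image
# viewer rewriting a picture's metadata) makes the vault impossible to open.
# Constants and the cipher are simplified stand-ins, not KeePass's format.

PBKDF2_ITERATIONS = 100_000  # assumption: a deliberately slow password hash


def composite_key(master_password: str, key_file: bytes, salt: bytes) -> bytes:
    """Derive the 32-byte unlock key from the password AND the key file."""
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    kf_part = hashlib.sha256(key_file).digest()  # any byte change alters this
    # Mixing both parts: neither secret alone is enough to reproduce the key.
    return hashlib.sha256(pw_part + kf_part).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (real vaults use AES/ChaCha20)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def lock_vault(master_password: str, key_file: bytes, entries: bytes) -> dict:
    """Encrypt the password entries and attach an integrity tag."""
    salt = os.urandom(16)
    key = composite_key(master_password, key_file, salt)
    ciphertext = bytes(a ^ b for a, b in zip(entries, _keystream(key, len(entries))))
    # Encrypt-then-MAC: the opener can tell a wrong key/key file from a good one.
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault: dict, master_password: str, key_file: bytes) -> Optional[bytes]:
    """Return the decrypted entries, or None if the password or key file is wrong."""
    key = composite_key(master_password, key_file, vault["salt"])
    expected = hmac.new(key, vault["salt"] + vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # wrong password, or the key file bytes no longer match
    ct = vault["ciphertext"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def rewrite_metadata(key_file: bytes) -> bytes:
    """Simulate an image viewer touching one byte of the picture's header."""
    altered = bytearray(key_file)
    altered[0] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    # Constructed sample: a fake "photo" used as the key file, and two entries.
    photo = bytes(range(256)) * 4
    entries = b"forum.example.test: brent / S3cret-pass\nbank.example.test: brent / pwgen-out"
    vault = lock_vault("correct horse battery staple", photo, entries)
    print(open_vault(vault, "correct horse battery staple", photo) == entries)
    print(open_vault(vault, "correct horse battery staple", rewrite_metadata(photo)))
    print(open_vault(vault, "wrong password", photo))
```

The practical lesson is the one the post warns about: keep a byte-exact backup of the key file somewhere that nothing will "helpfully" rewrite, because after `rewrite_metadata` the correct master password alone no longer opens the vault.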
Snoober I don't subscribe to this point of view because:
- Some people think they have a strong password but actually it is not, or it can be deduced with some social engineering.
- Once your password DB is in the cloud, it can be downloaded, and then the attacker can take all the time he wants to perform his attack; it's cheap and easy to rent CPU/GPU power nowadays, or better, he can wait for a vulnerability to break or bypass the security. Changing your master password or patching your application won't save you.
Even if it takes years, once someone evil gets access to your passwords the chances are high that some passwords haven't been changed, and for the others, the attacker can see your password style, find some logic in them, see if you reuse some passwords or use very similar ones, etc.
This gives a great feeling of being safe while you may have been hacked and be vulnerable.
There is a very simple rule: consider the internet a public place. Don't put anything you don't want to share with the world on the net.
Just compare the internet to the street. You leave your bicycle on the street, anyone can take it. You attach it with a lock, even a strong one, and the chances your bicycle won't be there the next day are high.
Leave it in your garage (=offline), and the chances it gets stolen are much lower.
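Two points made in this thread, Kyrios's earlier advice to prefer passphrases over "O to 0, E to 3" substitutions, and the post above about an attacker who has downloaded the vault and can guess offline on rented hardware, come down to a small amount of entropy and throughput arithmetic. The Python below is an added example, not code from the thread: the hash rate, dictionary size, substitution-pattern count, word-list size and KDF iteration count are all illustrative assumptions, and the scenario names are made up.

```python
import math

# Added example (not from the thread): rough arithmetic behind two points in
# the discussion. Once a vault is copied from the cloud the attacker guesses
# offline at whatever rate rented hardware allows, and a passphrase or
# pwgen-style random password carries far more entropy than a "l33t"-mangled
# dictionary word. Rates, list sizes and KDF cost are illustrative assumptions.

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_random_string(charset_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string (e.g. pwgen -s output)."""
    return length * math.log2(charset_size)


def entropy_passphrase(wordlist_size: int, word_count: int) -> float:
    """Bits of entropy in a passphrase of words drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def entropy_mangled_word(dictionary_size: int, substitution_patterns: int) -> float:
    """A dictionary word with O->0, E->3 style swaps: the guesser simply
    enumerates dictionary x substitution patterns, so the swaps add only
    log2(patterns) bits on top of the word itself."""
    return math.log2(dictionary_size) + math.log2(substitution_patterns)


def offline_guess_rate(raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """A slow KDF divides the attacker's raw hash throughput by its iteration count,
    which is why a stolen vault with a weak KDF falls so much faster."""
    return raw_hashes_per_second / kdf_iterations


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the keyspace on average."""
    return (2.0 ** entropy_bits) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare_secrets(raw_hashes_per_second: float = 1e10, kdf_iterations: int = 100_000) -> dict:
    """Expected offline crack time in years for three kinds of master secret,
    under the assumed hardware rate and KDF cost."""
    rate = offline_guess_rate(raw_hashes_per_second, kdf_iterations)
    scenarios = {
        # assumed: 100k-word dictionary, 16 leetspeak patterns per word
        "mangled dictionary word (P4ssw0rd style)": entropy_mangled_word(100_000, 16),
        # assumed: 6 words from a 7776-word Diceware-style list
        "6-word passphrase": entropy_passphrase(7776, 6),
        # assumed: 12 characters from 94 printable ASCII symbols
        "12-char random password (pwgen -s style)": entropy_random_string(94, 12),
    }
    return {name: expected_crack_years(bits, rate) for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, years in compare_secrets().items():
        print(f"{name:45s} ~{years:.3g} years")
```

Even with the slow KDF, the mangled word lasts seconds against an offline guesser, while the passphrase and the random password both land in the tens of bits' worth of margin the post is asking for; the point the thread makes is that the defender does not control the guess rate once the file has left the machine, only the entropy and the KDF cost.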