question regarding password managers

brent

Here's the question. Disregarding ease/efficiency and focusing only on security, is one better off storing passwords on pen and paper, like I do?
Or installing a password manager?
Both seem to have inherent vulnerabilities outside of one's control. Both methods are at the mercy of the website that stores the password, correct?
But I'm starting to think this is Schrodinger's cat: 50/50. Security-wise, neither method seems better than the other.
Having never used a password manager, am I looking at this the right way?
Or is both the way to go, with the built-in redundancy?
**Variables: I create strong passwords with my brain and sometimes pwgen.
As always, I value any points of view, thank you.

JoshStrobl

is one better off storing passwords on pen and paper, like I do?

I don't expect to carry around a notebook full of my passwords with me if I need to access it from my phone or laptop 😛 And I can actual encrypt my database, I'd have to basically use a cipher w/ pencil & paper.

brent Both methods are at the mercy of the website that stores the password, correct?

No? You can use KeepassX / KeepassXC (in the repo as keepassx) entirely offline, it saves as a kbdx file that you can copy to your phone over MTP if you don't want to use a file syncing solution (I use Nextcloud) and use Keepass2Android.

[deleted]

Well, if you mainly care about security I would recommend writing the passwords on a piece of paper. When I was younger I used to write my passwords into a little book and lock it into a cupboard. Nowadays I prefer using a password manager because my passwords got a lot longer and it is very useful that I don't have to enter the passwords on my own. My favourite password manager is Bitwarden because it's libre software and you can use it on almost any operating system. If you want to use auto insertion of passwords and usernames then you should install the browser extension. On Solus you could install Bitwarden with Snapcraft or just download the AppImage.

Nacho_Trebuchet

[deleted]
The browser extension allows full control of the manager for those who prefer not installing Snaps, Flatpaks, or AppImages.

Staudey

Essentially what Josh said. I have a bazillion different passwords, that I used to store in KeePass, but I recently switched to KeePassXC because it just works better in Solus.
I always keep one copy of the database on my phone (managing it with Keepass2Android), and one on my desktop PC; but you can of course sync it with whatever service you trust.
KeePass(XC) also has an easy to use password-creation tool, so you don't have to rely on your brain 😉

davidjharder

I used to use KeePassXC synced over Dropbox. However, if my phone was lost then I can't access dropbox because of the 2-factor requirement. Backup codes were distributed at home, work, and in my wallet.

The worst case scenario of missing phone and missing wallet while far from home or work drove me to use BitWarden. With BitWarden I can recover passwords from any browser, so long as I can remember my BitWarden password.

kyrios

The pen & paper is not secure you might put it in your wallet and get it stolen, or a thief can visit your house, people from your close surrounding can read it while you're busy or sleeping. It's not a 50/50 it's just an unsecured way to store your password unless maybe you invent your own secret code to write it then put your paper in a good physical vault than it strongly screwed on ground/walls.... Of course you have to make sure to return the paper into the vault immediately after you used the password in case someone enters the room (you know smartphones have good cameras nowadays and the sheet of paper doesn't magically hides the passwords when the timeout is reached).

And then when you need to access your password from outside your house you realize you're screwed... and you blame yourself every x months when you have to renew your passwords and write them down again...

Use a good offline password manager... many passwords managers offers handy functionalities to store your encrypted password in the cloud (meaning on someone else computer), this is convenient, but it is the worst idea ever... unless you generate long random passwords and rotate them often and put them on your own private cloud... but still... forget about this option... just don't put your passwords in the cloud at all !

Also always prefer passphrases to passwords for your super important things you absolutely need to remember even if your computer/storage and post-its on your screen should ever burn. Complex passwords are just hard to remember, replacing O by 0, E by 3, i by 1, etc... don't make them more secure a meaningless phrase (which only has a meaning for you I mean), is much easier to remember and usually naturally meet the complexity criteria so you don't have any specific efforts on that side.

brent

I found every reply valuable. I've read a lot about passphrases.
I would definitely keep that info offline--NO cloud--and having a potable .kbdx file is gold.
Got the keep(XC) stuff from repo. Brave new world now
Appreciate the perspectives and especially the clarity. Thanks.
Solved---(I have a plan🙂)

dbarron

Brent, the only thing about keeping it offline (which is probably better than keeping it online), is that someone tidies your desk and throws that scrap of paper away and your mind is now lost (and all your accounts). Been there.

brent

dbarron True that. But I was using "offline" in the same context as Josh and Kyrios: a password manager that doesn't connect to the internet or phone home or update itself. I like the digital 'offline' concept. As for the piece of paper, when I migrate to a password manager I probably would keep paper as an insurance. It's morphed into a small booklet! See Staudey above.
Another poster mentioned password length as well. Can you believe back in the day I'd use the same password for multiple accounts? But now? No no no. Like you said, enough to lose your mind besides now being too cumbersome.

Snoober

brent if you use a strong master password then you can keep the password database on the cloud

Justin

Chrome, save password.

brent

Justin I'm going to have to dust off my tinfoil hat for that level of trust! 🙂

viyoriya

Brain is the best manager build a story around the password so you remember it even i forget the password my wife remembers it mainly bank related 😀
rest of the passwords I am not worried about it just stored in Gmail Keep with twisted key=value so no one can decode.
South Korean bank users use korean PKI memory stick to login for public/private handshake .

pascal-c

Hello I put you an internet link for a device for passwords maybe it will suit you :
https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/?pt=ac_prod_search
I hope this can help you

Emperor

As other people explained why password manager is probably better( cheers to @kyrios for the example of phone taking picture of your list, if hacked). And you know why it's better for your password list to not be on the cloud( because for example NSA eventually could order it to be given to them or something like that...although a good password can take years to be broken, soon governments and big companies will have quantum computers which will crush passwords for seconds).
So it's best for your password list to be in your hands...
And now the new part- you can actually use the option for key file(essentially you must browse and select a file like a picture to be your authentication- you should be warned that if a picture is opened even with image viewer it can change it's metadata and thus making you incapable to open your kbdx file).
So it's most secure to have local passwords file with strong master password and a key file 😃
Also hide your characters when entering passwords and I think you could do something more to stop Brute force attacks.

Justin

Emperor If the NSA is going to ask for your data they won't bother asking for the password, they'll just go to the company holding your data and ask for it, no need for passwords. 😁

v3l0ct

Justin Well there goes the thread, you have to bring truth into it 🤣

Emperor

Justin That's right 🙂
But passwords are also used to read encrypted files/documents- so in that regard it can be useful.
Thus you can give someone else the password to decrypt files you send to him via the internet.

kyrios

Snoober I don't subscribe to this point of view because

Some people think they have a strong password but actually it is not or it can be deducted with some social engineering
Once your password DB is in the cloud, it can be downloaded and then the attacker can take all the time he wants to perform his attack and it's cheap and easy to rent CPU/GPU power nowadays or better he can wait for a vulnerability to break or bypass the security. Changing your master password or patching your application won't save you.

Even if it takes years, once someone evil gets access to your passwords the chance are high that some passwords haven't been changed and for the others, the attacker can see your password style, find some logic in them, see if you reuse some password or use very similar ones, etc.

This gives a great feeling of being safe while you may have been hacked and be vulnerable.

There is a very simple rule, consider internet as a public place. Don't put anything you don't want to share with the world on the net.
Just compare internet to the street. You leave your bicycle on the street, anyone can take it. You attach it with a locker, even a strong one, the chances your bicycle won't be there the next day is high.
Leave it in your garage (=offline), the chances it get stolen are much lower.

kyrios

Emperor Thus you can give someone else the password to decrypt files you send to him via the internet.

Heurm.. Public/private keys are a thing... 😉

Emperor

Staudey The most general rule for privacy and security after Don't put anything you don't want to share with the world on the net(kyrios)...is probably Don't put all of your eggs in one basket
Also you should prefer to generate passwords locally instead from a website + KeePassXC gives you the choice to use ExtendedASCII- making a far more complicated password.

Emperor

kyrios For me not xD
Just that was the first thing that come to my mind for my defence.
But I will still admit that Justin nailed it- it looks like against NSA it's useful only if you have something offline- not in the logs of corporations...making it pretty limited.
Still tough for everyday security it makes a lot of sense to keep everything you don't want to share locally.
But I am still almost wrong about governments/NSA as they really have other ways of accessing your information.
So against them can local storage help? If used to store password for Riot for chatting(have no idea if that makes any sense, but I will still throw it here) or something else?

brent

I got the joke when I clicked the link🙂
I have a booklet of good passwords. Eventually I will delegate them into an offline password manager with a traveling kbdx file if necessary.
My passwords will never be online. And never be in the cloud on purpose.
This sounds like a plan to me.
The nsa bothers me not--I am boring all around.***Online trackers building personality/financial profiles of me and you bother me a lot more. Firefox Pocket suggestions and Youtube suggestions terrify me. At least I could diable pocket.
kyrios --I love when you chime in with the common sense to remind us all of online decorum/protocol.
Thank you all for the fantastic perspectives. I got what I needed: SOLVED.

edit: added a bit