from Hacker News

Ask HN: are pwd managers more secure?

by fakeElonMusk on 9/3/19, 9:53 AM with 8 comments

Let's say I use 1password or any other password manager. They will eventually get hacked or there will be a back door or some exploit. Right? All software has vulnerabilities, even the NSA has been hacked. So why is it more secure than me keeping passwords on paper? I would like to use 1password but I'm also ok with staying old school. Convince me!

  • by Lorenz-Kraft on 9/3/19, 10:24 AM

    Using the "paper form" has only the drawback of being available for everyone in your environment.

    If you want to keep the paper form and also have the ability to securely generate new passwords:

    Buy a cheap, widely, available book (maybe two or three of the same), start at a random page and use the first letters/sentences in this book as your new password. To make it even more secure, I would suggest you add a "standard" to every password you have created ... like "SuperSecurePa##".

    So for example: You have bought a book and like to add a new password ... you might start at page one, where the sentence would be: "Once upon a time, there were two developers ..." => this will become your password: "Ouat,twtdSuperSecurePa##"

    Even more secure password (due to the size): "Onceuponatime,thereweretwodevelopersSuperSecurePa##"

    You can level this up by: - Your chosen appendix has even more "secure" chars, like #*+?="ยง%&/() (you know what I mean) - You prepend and append your new password with your "common" pass (here "SuperSecurePa##") ... or maybe prepend with a different common pass??

  • by t0astbread on 9/3/19, 10:35 AM

    I use password managers for the following reasons:

    - Convenience: I only have to remember one password and I get the comfort of a digital database (as opposed to, paper).

    - The passwords I have on websites can have higher entropy and be longer than I could ever remember or type, making them possibly harder to decipher in case of a breach on any website.

    - Password managers are all about security while many websites are not (at least not as their primary purpose). Password managers are probably better at it.

    - If a (good) password manager is set up to sync passwords via a server or your machine somehow gets compromised, the password database should still be encrypted via a master password.

  • by antisemiotic on 9/3/19, 10:37 AM

    You can use a local password manager like pwsafe, that way someone would have to hack into your computers first, and then break pwsafe's encryption (which is of course impossible, since it was written by Bruce Schneier).

    It's more of a pain to use than web password managers, but less than a piece of paper. I'd still recommend writing down the master password, since if you lose it you're screwed.

  • by shrutipathak on 9/3/19, 10:18 AM

    You could lose the piece of paper making all your passwords vulnerable. My colleague stored all passwords on a note in the phone and lost the phone on vacation.

    I had to change all the passwords immediately because of this. Even if i have 1Password on the lost phone, i don't see how anyone could get inside of it