Are password managers actually as secure as some people make them sound...

Are password managers actually as secure as some people make them sound? Isn't keeping all your passwords in one place kinda dangerous?

And if they aren't just a meme, which one would you recommend for a tinfoil user??

They are more secure as long as you're careful with your master password. Most services encrypt your data and use 2FA to make sure your info stays secure.

Bitwarden is the best option if you're a fucking paranoid. It's open source (bitches like you love that shit) and you can even self host the software on your private server.

Switched the fuck to Bitwarden. Not as nice as LastPass - it doesn't offer saving my passwords but less annoying than LastPass. Works with newer Firefox. I am fucking glad.

>Isn't keeping all your passwords in one place kinda dangerous
If it's protected by during encryption then it's not the slightest bit dangerous

i have no idea how people actively forget their passwords.
i just combine 3-4 words in no particular order, three numbers and 2-3 symbols. it's probably not the most secure in the world but it's far more secure than the vast majority of people.

meanwhile my co-worker writes down her (only) two passwords on a post-it note at work and stuck it to her computer monitor and still manages to randomly have to do password resets.

I think KeePass also supports 2FA, not sure how to enable it though.

The android client I use mentions it and the desktop application boasts a plugin system.

just use excel and encrypt with a password

I tried to switch to Bitwarden too but I find the Android experience a bit lacking. Also no offline mode puts me off.

LastPass is bulky but at least it works and has the features I need. Also I got like 2 years of premium with Humble Bundle, which was a bit cheap.

The point is to use a different password for every account. If you use the same password everywhere then when one account gets hacked they all get hacked.

>Bitches like you love that shit
Any sane person wouldn't use a proprietary password manager. An open source password manager is the only acceptable solution.

>They are more secure
than what

Keepass only

This.
I only remember the password to my main gmail account and banking account.

Everything else uses a random generated high entropy password. The best part is I never have to copy/paste anything. It automatically gets typed in.

if you are able to memorize tens or hundreds of unique passwords, each with their own rules about "minimum standards" then a password manager is not necessary.

what i want is a kill switch so my family can get the master password if I die. I got 4 bitcoins sitting around!

No. No one makes them sound safe.
Whoever says that is crazy.

Pencil and paper.
I will take a bitcoin as a thanks for this useful tip :3

Keepass is open source.
In fact I've developed plugins for it that specifically cater to my needs.

Good stuff.

>password managers secure?
Let's put it this way, to be truly secure, every account of any importance should have a different password which should be randomly generated and of sufficient length that it cannot be bruteforced. Unless you have a photographic memory, the only reasonable way to keep track of them all is with a password manager.

>Isn't keeping all your passwords in one place kinda dangerous?
Maybe if you are a retard and store your master password on paper or in plain text in a place where it can conceivably be accessed by others. If you are smart you will have one very secure password that you memorize and don't store anywhere other than your brain to be used as a master password for your password database.

>which one would you recommend for a tinfoil user??
KeePassXC for PC and KeePassDroid for phone. I usually sync the password between devices with my self hosted cloud server (ie. NextCloud).

I know. It's my preferred password manager as well.

>I only use securely generated passwords for unimportant things, but I don't use securely generated passwords for my email and bank account
wtf kind of backwards retard are you?

>what i want is a kill switch so my family can get the master password if I die. I got 4 bitcoins sitting around!
Put the master password in your will and seal it in a security envelope. It's not complicated.

Not him but it's so you can access those when you don't have access to keepass

Local password storage is as secure as any other encryption. Which happens to be extremely secure, so long as your password is good.

Use a keyfile as well to counter keyloggers and you're pretty much set. Even if someone gets your database file, they can't get into it- especially if you set an expiry on your passwords (which could be once a year, just have them expire after some time) so that someone can't spend years grinding into it.

As for shit like lastpass and other 'cloud password storage', they're about as secure as any other cloud storage- as in NOT IN THE FUCKING SLIGHTEST.
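The keyfile point above (a keylogged master password alone does not open the database), as an added example that is not part of the thread and not KeePass's own code. It is a simplified model: the function names, the `db-header` label and the round count are assumptions, and PBKDF2 stands in for whatever KDF the real database format uses.

```python
import hashlib
import hmac
import os
from typing import Optional

KDF_ROUNDS = 200_000  # constructed value for the demo


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Hash each factor on its own, then hash the concatenation."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile is not None:
        parts.append(hashlib.sha256(keyfile).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key so each guess costs KDF_ROUNDS hashes."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile),
                               salt, KDF_ROUNDS)


def header_tag(key: bytes) -> bytes:
    """Tag stored with the database so a candidate key can be checked."""
    return hmac.new(key, b"db-header", hashlib.sha256).digest()


def create_header(password: str, keyfile: Optional[bytes]):
    salt = os.urandom(16)
    return salt, header_tag(derive_key(password, keyfile, salt))


def can_unlock(header, password: str, keyfile: Optional[bytes]) -> bool:
    salt, tag = header
    candidate = header_tag(derive_key(password, keyfile, salt))
    return hmac.compare_digest(candidate, tag)


def demo() -> dict:
    keyfile = os.urandom(32)                  # constructed keyfile contents
    password = "constructed sample master password"
    header = create_header(password, keyfile)  # what sits in the database file
    return {
        "password_and_keyfile": can_unlock(header, password, keyfile),
        "keylogged_password_only": can_unlock(header, password, None),
        "password_and_wrong_keyfile": can_unlock(header, password, os.urandom(32)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'unlocked' if ok else 'rejected'}")
```

The keyfile only helps while it is stored somewhere the database copy is not; synced next to the database, both factors leak together.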

I have literally hundreds of passwords

>Not him but it's so you can access those when you don't have access to keepass
That's a dumb reason. Why would you ever need to access your bank account or gmail on a device you don't have the ability to install keepass on?

Keeping your email password out of keepass is a good idea since 'password reset' schemes require access to your email, so it's actually a second master password.

It's so I can access them in an emergency on any device if needed.

If they were randomly generated I'd be fucked without KP

>Keeping your email password out of keepass is a good idea
No it isn't you fucking retard.

>since 'password reset' schemes require access to your email
And this somehow prevents you from pasting a password from keepass? Are you brain damaged?

I use it too. What did you develop?

Just stop you fucking idiot

>in an emergency on any device if needed
Well you are retarded if you access either of those things on a device you don't own. You can have keepass on your phone and personal computers. If you are accessing your email or bank account from someone else's device you are literally retarded.

Keeping your email password out of keepass is so if your keepass gets compromised, you don't lose all your accounts. You can reset your password on all of them.
But if your email password is in the database that was broken, you lose everything.
I'm not sure what part of this you think is retarded.

>password managers
whatever happened to just not having anything worth stealing? And avoiding interacting with toxic people who would try to cyberstalk and phish your passwords?

>if your keepass gets compromised, you don't lose all your accounts
You would have to be pretty fucking retarded to allow your keepass database to become compromised. You would either have to be using an insecure password or storing your password insecurely (ie. you didn't memorize it)

Keyword 'emergency'

This or Master Password or pass inside a shell.

There is no emergency great enough to warrant using someone else's computer to access your bank account or email. That's how you have your identity and/or money stolen, you fucking retard.

pass a best

What can go wrong will go wrong, and defense in depth is the best strategy.

Personally I use 2FA with a keyfile, to reduce the odds of my database being compromised. There's also data loss to worry about, sometimes shit just breaks. While you'd have to be retarded to not have your keepass database in at least 3 places at any one time (preferably in different buildings!) sometimes there's a fire or some shit.

You're right that you'd have to be retarded to have your keepass compromised, but it can happen if you're targeted. Unless of course you're not worth enough money to be targeted.

>hurrr... but the keepass could be compromised
>everyone knows this can only happen to keepass and not to the email account itself

How do you keep your password file synched between devices though?

>What can go wrong will go wrong
It can't go wrong unless you are a fucking dumbass. Stop being a dumbass. Memorize a secure master password and don't ever write it down or store it in digital form. Don't ever use KeePass from a device that could plausibly have a keylogger. Use full disk encryption on your personal computer and keep your phone on your person at all times to ensure nobody fucks with it.

syncthing

If the email gets compromised you pretty much lose everything, which is why services like gmail offer phone recovery, suspicious login prevention, etc etc. While the email my ISP provides is pop3 plaintext credentials. I really hate that.

Stop using insecure android devices. Which is all of them. If you use an android device to do anything important you need to stop right now.

Using NextPass

Sorry, I meant to say NextCloud, not NextPass. I don't think that's a thing.

It's just one more password to memorise to protect yourself against more things that could go wrong.
Who knows what zerodays are out there.

In what bubble are you living?
I had to access both of those things countless times on machines that don't belong to me when I was traveling or where there's no open wifi hotspot.

>Isn't keeping all your passwords in one place kinda dangerous?
Yes. Even if you can trust the people running the password keeping service not to just outright snoop on them, everything of yours becomes accessible via a single password or a single security slip up from the service.

>accessing your bank account and email on devices you don't own
It's like you literally want to have your money and identity stolen from you. Are you seriously brain damaged?

It doesn't increase your security in any way. You are just shifting the risk from one place to another. I don't understand why you can't comprehend this fact. If it's in your keepass database and someone gains unauthorized access to it, your email is compromised. Well guess what? There is an equal chance of your email being compromised directly. You only shifted the risk from one place to another. The downside is that you can't memorize a password as secure as one you could generate from keepass and even if you did, you sure as hell wouldn't be able to routinely change the password in a secure fashion the way you could with keepass. It is objectively less secure to do it the way you are describing.

Third party password hosting is retarded. Full stop.
You're not reliant on one technology, but an entire stack of technology.

For keepass only two things have to be reliable; your OS, and keepass itself. For something like lastpass the stack is like this:
Your os
your browser
The code that the browser runs from the server
HTTPS
WPA2 (if you're on wireless)
Your network in general
Every node between you and the server
The server's hosting software
The server's backend software
The entire company's networked systems and all their services and software
And the people running the third party service need to be secure too. Stacy from HR at lastpass can forward an 'employee survey' from an attacker to the IT department and have the network compromised.

I wonder which one is more secure.

>tfw your bank "password" is 4 digits because that's what they have decided is good enough

>It doesn't increase your security in any way
I disagree and I'll leave it at that. I prefer segmentation of security.

>I disagree and I'll leave it at that.
Well you are objectively wrong, but go ahead and keep being a retard.

>they're also still running Windows Server 2003 and run your credit card transactions over telnet internally

t. A bank I'm under contract not to name

you're user, c'mon tell us

>Third party password hosting is retarded. Full stop.
Basically what I'm getting at, yeah.

[spoiler]the worst part about the shitty passwords is that I've written part of the login code for them.[/spoiler]

Those 4 bitcoin are worth over 22k by now, I'd say those are worth protecting

can you sync with keepass?
like on your phone?

It's not a silver bullet for security, but any security risks it does have are shared by the inevitable password reuse that comes without a password manager.

If someone gets access to your computer and steals your password database, keylogs your master password or steals passwords from your clipboard/memory, they could have just keylogged your password when you typed it anyway.

A password manager protects all your other accounts if one of your passwords gets stolen from a company you use though.

Because I want to have a very complex and unique password for every important site I go to. The sites I don't really care about I just use the password I've been using since I was a kid.

Just use the same password for everything you mongaloid