Are there any reasonable arguments against password managers and, if so, what are the proposed alternatives?

There are arguments against online password managers like LastPass and such, but I haven't read a single good counterpoint against local ones like KeePass. It's open source + has alternatives on iOS/Android, not that I'd ever store such sensitive information on my phone.

Been using KeePass for 5 years now without an issue. Probably have 200+ unique passwords stored in it.

>but isn't that a single point of failure
backups/encrypted online backups.

If it's not open source it's more than likely a botnet.
Don't trust anything that claims interoperability with YubiKey or 2FA.

The biggest argument against password managers is that they are totally unnecessary.
You could be using a plain text file encrypted in a small container with your encryption algorithm of choice; you can make your own random password with one line of bash.
Installing additional software is just asking for a vulnerability, and you have to doubt their business models as well.

>giving another person/company all of your passwords
Nope. Can't. Think. Of. A. Single. Thing.

>not writing a 5 line script that decrypts and parses a text file as your password manager

What about autofill?

Same here, I started out using KeePass, now running KeePassXC.

>KeePass
>free software
>local database
>giving to a company
wow, thanks for the insight retard, you can go back now

Firefox does that. You just log in once and save, and if you use the sync meme thing it'll autofill on all your devices.

Yeah, it's a single point of failure, all an attacker needs is your password manager password to get access to all of your accounts. It also shows you exactly where all your passwords lead, like your PayPal, bank, email etc. Basically it's an intruder's wet dream.

If you alternatively use no password manager and a set of passwords you remember, a massive security vulnerability is removed.

Or you could just use pass, so you don't have to hack together your own, you know?

r8 my password

>all an attacker needs is your password manager password to get access to all of your accounts
All they need is your password manager password and access to your local machine. If they have access to your local machine, you're likely to be fucked no matter how you handle passwords.

>if you alternatively use no password manager and a set of passwords you remember, a massive security vulnerability is removed.
And a massive security vulnerability is being added. Namely that, since you're memorizing your passwords, your passwords will be significantly weaker.

Enjoy a dictionary attack that turns your password basically into 9 chars

From what I understand, even if they knew I was using a dictionary of common English words, it would still take 30 million years at 1 trillion guesses per second.

Maybe I'm misunderstanding something.

>And a massive security vulnerability is being added. Namely that, since you're memorizing your passwords, your passwords will be significantly weaker.
Not really, you can make easily memorizable passwords that would still take until the heat death to force.

>all they need is your password manager password and access to your local machine. If they have access to your local machine, you're likely to be fucked no matter how you handle passwords.

That is assuming you don't back up your key file anywhere (which means all of your passwords are lost in case of a failure). Suppose that you have a keylogger on your computer which also copies your password manager files; the attacker would have instant access to all of your accounts as soon as you type the manager password once. If you did not use a manager it could take months (or years; sites like Gmail only have you typing in your password once per install) before enough important passwords are collected for a proper attack.

Well, there are a couple of words in the English vocabulary, and the number of guesses needed would basically be all the words to the power of 9, which is a fuckton of possibilities. And that can all be made even more complex by replacing letters with numbers or capitalising each word.

try using the same password for everything
it saves a lot of time

This

Password1 is more than enough
>OH NO THEY HACKED MY MAL ACCOUNT

lmao, 9 chars, except each char could be any word. Even if you only use English words in the Oxford English Dictionary that's 250000^9 combinations or 3.8*10^38 attempts. Even with the fastest supercomputer it would take many sextillions of years.

This. I still use a leaked password publicly connected to my mail for all the accounts I don't care about. Anything important uses 2FA and/or unique passwords.

Most dictionary attacks would probably be fine using the top 1000 words. Even then, you're still going to take at least a couple million years on a botnet.

And if you deliberately misspell one of the words or use capitalization it's suddenly many orders of magnitude harder.
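The numbers thrown around in the last few posts (9 words from a 250000-word dictionary, 9 words from a top-1000 list, "basically 9 chars", 1 trillion guesses per second) can be put side by side. The script below is an added example, not something posted in the thread: it computes keyspace, bits of entropy and expected search time for each scheme, and generates both a random character password and a random word passphrase with Python's `secrets` module (the "one line of bash" job done properly). The word list and the guess rate are constructed for the demo; the attacker model is the standard worst case, which is an assumption: the attacker knows the scheme and the word list, so only the symbol choices are secret.

```python
# Added example (not from the thread): keyspace, entropy and expected search time for
# the password schemes argued about above, plus generation of both kinds with `secrets`.
# Attacker model (assumption, standard worst case): the attacker knows the scheme and
# the word list, so the alphabet size is the word count, not 26 or 95.
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALNUM = string.ascii_letters + string.digits

# Constructed word list for the generator only; a real diceware list has 7776 entries.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "pancakes", "coffee", "memes",
              "morning", "kernel", "packet", "lattice", "anvil"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates: `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace, i.e. strength in bits."""
    return length * math.log2(alphabet_size)


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes(guesses_per_second: float = 1e12) -> dict:
    """The figures from the thread, side by side at one guess rate (default 1e12/s)."""
    schemes = {
        "9 words, 250000-word dictionary": (250_000, 9),
        "9 words, top-1000 list": (1_000, 9),
        "9 printable ASCII chars": (95, 9),
        "16 alphanumeric chars (manager-generated)": (62, 16),
    }
    return {
        name: {"bits": round(entropy_bits(a, n), 1),
               "expected_years": expected_years(a, n, guesses_per_second)}
        for name, (a, n) in schemes.items()
    }


def random_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """Uniform random characters from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 6, words=DEMO_WORDS, sep: str = " ") -> str:
    """Uniform random words; strength is n_words * log2(len(words)), not the character count."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:45s} {r['bits']:6.1f} bits  ~{r['expected_years']:.3g} years at 1e12/s")
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
```

At 10^12 guesses per second the top-1000 list with 9 words is about 90 bits and still tens of millions of years, while 9 printable ASCII characters (about 59 bits) fall in a matter of days. The guess rate itself is only realistic for fast unsalted hashes; against bcrypt, scrypt or Argon2 it drops by several orders of magnitude, and against an online login it is whatever the rate limiter allows.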

>Namely that, since you're memorizing your passwords, your passwords will be significantly weaker.
>he fell for the leetspeak password meme.

>Ilikepancakes,memes,fefsandhecksinthemorningWITHmycoffeeat9am.
Already more secure than any dumbshit password from meme-managers.
No, dictionary attacks aren't going to do fucking shit against that password. It is way too complex to assume anything, so they need to try everything. It has non-standard English words at that, meaning it is already breaking most generic shit dictionaries.
Brute-forcing that with a dictionary will take longer than known time even with supercomputers.

You seriously underestimate how long it takes to go through every single possible iteration with every other iteration multiple layers deep.
Every new instance of a character adds insane time to the brute-force.

Nice m8.
Replace sentence with bungtence and you'll break all dictionary attacks too.

Yep, this. Deliberate misspellings of words break things hard.
A password cracker cannot assume a single thing about your password. It has to try every single iteration.

The thing you really need to worry about more than secure passwords is whether the dumb-fuck admins on the service you are using even encrypt their back-end, their client-end and their rear-end when they get hacked and raped by their boss.

Easy to remember long passwords are a meme. There's no way you are going to remember them once you have more than a few of them, especially the ones you don't have to type often. What seems impossible to forget today may be lost forever one or two months from now, especially with unusual capitalization and intentional misspellings on top of it. Even if you remember them there's the practicality of having to type 60 character long strings each time. Just typing one of those as a master password a couple of times a day is a pain in the ass.
If you are so paranoid that having your keepass database stolen (along with the key file and the master password) is a real source of fear, I don't think you are ever going to feel safe no matter what you do. There's always the option of using a manager for most passwords and keeping a select few of them in your head, but insisting on memorizing everything is absurd. Even with the centralization of services nowadays it's really not hard at all for someone to accumulate over 50 passwords for their online presence.

Pointlessly overcomplicated. I don't understand what these shits offer over a text file encrypted with GPG.

The best password manager is that all fucking websites should use Google or Facebook accounts to log you in.

Password managers are designed for managing passwords, so they are better at it. They are better at organizing them, they don't display your passwords on the screen, and they don't ever write them to the disk unencrypted (unless you have some swapping going on, but even that can be countered by setting up your swap partition to be "decrypted" with a new key from /dev/random on boot using dm-crypt, effectively making all old data unrecoverable). If you use an encrypted plain text file, you have to make sure you don't ever decrypt it to the disk, and whatever text editor you're using doesn't make a temporary copy of it (e.g. vim's .swp files, though they wouldn't pose a problem if you were using a ramdisk).
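The random-key swap setup described in the post above, as an added example that was not part of the thread. It is the standard dm-crypt "plain" mode configuration: on every boot the partition is mapped with a fresh key read from /dev/urandom, then mkswap'd by the `swap` option, so nothing written to swap in a previous session can be recovered. The device path is a placeholder and must be replaced with your own partition's stable identifier.

```text
# /etc/crypttab  (added example; the partuuid is a placeholder)
# name       device                                  keyfile       options
cryptswap    /dev/disk/by-partuuid/XXXXXXXX-XXXX     /dev/urandom  swap,cipher=aes-xts-plain64,size=256

# /etc/fstab
/dev/mapper/cryptswap   none   swap   sw   0   0
```

Two caveats a practitioner will want: reference the partition by a stable path (by-partuuid or by-id), never a bare /dev/sdX, because this line reformats whatever it points at on every boot and disk enumeration order can change; and hibernation (resume from disk) cannot work with this setup, since the key that encrypted the swap image is gone by the time the machine boots again.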