Aren't password managers a massive opsec risk? - Or do I not get it?

kiwifarms.net
To me, it feels really stupid to concentrate everything in one place, yet password managers keep getting recommended to me, as if it was no concern at all and actually safer.

I am thinking mostly about YouTubers, but even professional insurance is recommending it. And I don't get it.

To me this looks like a huge vulnerability issue. It's only as good as the security of the password manager you're using. I don't see how it would be any comfort to offload this to a third party.
 
  • Agree
Reactions: Daddy's Angry Juice
Don't worry, these people have your best interest in mind; those Indians working at Microsoft and Apple are totally not gonna go through all of your photos.
 
I don't think it's a massive risk; it is, however, inherently a risk.

Maybe you'd be better off writing them down in a couple of physical notepads that you keep at home (if you want, with the letters encrypted to some degree), so that even if a thief steals one, they won't know what it is, and you'll probably still have the other notepad safe/not-stolen with your passwords, so you can change them after you learn that you were robbed (and for some reason they took one of your notebooks).

If the problem is that you want good passwords without the need to memorize them, try to understand password entropy. You can have it as a sentence you know you will remember, with a scheme you know you won't forget, like "after whatever letters, I'll have these other characters".

Use every pool of characters (uppercase, lowercase, digits, symbols), and make it long (like by having it as a sentence only you know); that way its entropy will be as high as you can get it.

By the way, Kiwifarms has a character limit for passwords, which I believe is around 72 or so (maybe a bit less), but it won't tell you; any further characters won't be taken as part of it. So you can have an 80-character password, but only those first 72 or so slots/characters will be needed to log in.

Learn what the limit is for whatever website you're on, then design a good one if you're paranoid about that. Chances are, your account won't be cracked due to a crap password if you do this; if anything, it will be cracked through a data breach of the website itself, or because you do something extremely stupid.
 
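As an added example (not from the poster), here is a small Python script that puts numbers on the advice in the post above: an entropy estimate from the character pools a password actually uses and its length, a passphrase estimate for the "sentence you will remember" approach, and a model of a site whose hashing backend silently ignores everything past a byte limit. The 72-byte default is the cap that bcrypt imposes on its input; the post's figure for Kiwifarms is the poster's estimate, so the limit is a parameter here rather than a claim about any particular site. The sample passwords are constructed for the demo.

```python
import math
import string

# Character pools from the post: uppercase, lowercase, digits, symbols.
POOLS = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}


def pool_size(password: str) -> int:
    """Alphabet size an attacker must search: the union of every pool the
    password actually draws from (all four together give 94)."""
    used = set(password)
    return sum(len(pool) for pool in POOLS.values() if used & pool)


def brute_force_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was chosen uniformly
    from pool_size(password). Real sentences and patterns score lower."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of word_count words drawn at random
    from a list of wordlist_size words (the sentence-style approach)."""
    return word_count * math.log2(wordlist_size)


def bytes_seen_by_hasher(password: str, limit_bytes: int = 72) -> bytes:
    """Model of a backend that only consumes the first limit_bytes bytes.
    72 is the cap bcrypt applies; the actual limit of a given site is an input."""
    return password.encode("utf-8")[:limit_bytes]


def same_login(a: str, b: str, limit_bytes: int = 72) -> bool:
    """True when two different passwords are indistinguishable to such a backend."""
    return bytes_seen_by_hasher(a, limit_bytes) == bytes_seen_by_hasher(b, limit_bytes)


def effective_bits(password: str, limit_bytes: int = 72) -> float:
    """Entropy that survives truncation: characters past the limit add nothing."""
    kept = bytes_seen_by_hasher(password, limit_bytes).decode("utf-8", errors="ignore")
    return brute_force_bits(kept)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["hunter2", "Tr0ub4dor&3", "Kettle-Walks-9-Violins!"]:
        print(f"{pw!r}: pool={pool_size(pw)} bits={brute_force_bits(pw):.1f}")
    print("6 words from a 7776-word list:", round(passphrase_bits(6, 7776), 1), "bits")
    long_pw = "x" * 80
    print("80 chars at a 72-byte limit, effective bits:", round(effective_bits(long_pw), 1))
    print("differ only after byte 72, same login?",
          same_login("x" * 72 + "A", "x" * 72 + "B"))
```

The truncation model is why the post's advice to learn a site's limit matters: two passwords that differ only after the limit log in to the same account, and the extra characters add nothing to what an attacker has to search.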
Maybe you'd be better off by writing them down in a couple of physical notepads that you save at home (if you want, with the letters encrypted to some degree), so that way even if a thief steals it, they won't know what is, and you'll probably have the other notepad safe/not-stolen with your passwords so you can change them after you learn that you were robbed (and for some reason they took one of your notebooks).
No one breaks into your home to rifle through scraps of paper.
 
No one breaks into your home to rifle through scraps of paper.
I didn't say they would, I said if they happen to take that notepad, and only if OP wants to have that peace of mind.

That's because if it happens and OP doesn't remember the passwords or have a 2FA, they'll most likely lose the account.
 
It's your fault for buying into anything that big-name YouTubers are shilling. Those will inherently be designed so that you rely on a third party; the reason they pay for those ad spots is that they earn money off of you using the service in one way or another.

Wanna know a cool password manager that isn't advertised anywhere? KeePass. At its core it's just a FOSS file format for an encrypted password database, and you can use any client. The popular ones are KeePassXC for Windows/Linux and KeePassDX for Android. You set a master password for your database, which encrypts its contents. You can set how strong the encryption should be, whether or not it should require 2FA to unlock, and so on.

With KeePass, you have a local file in which all of your passwords are stored. Like a text file, but better. Synchronization and backups? Syncthing for syncing between devices and Unison for syncing between drives. Someone stealing your file? First of all, if you've set a good master password and strong encryption, they won't be able to do shit, as no amount of brute forcing will allow them to access the database. Second, for a malicious actor to obtain this file, they'd essentially need to get remote access to your machines, by which point you have much bigger issues than how to manage your passwords safely. You forgetting the password/losing the file? Well, if you're retarded then that's a you issue; my current database dates back to 2012 when I first started using KeePass, and I never lost it, nor did I forget the password.

This is a common mistake people make when it comes to security. They go full schizo without understanding the technology or making a realistic risk assessment. With KeePass, your chances of getting hacked are one in a trillion. Are you so important that someone would go through all the effort to obtain access to one of your devices, then to the database, and somehow manage to decrypt it? No, and in all likelihood it'd go something like xkcd 538.
With LastPass, it was begging to get hacked. A gigantic central server full of people's personal passwords. It's like comparing crashing a plane into the WTC and blind-headshotting someone through multiple walls on the first try.

By the way, what all kinds of cyber criminals really love are database leaks. Your password manager has an extremely low likelihood of getting hacked, but the sites you register on will have a data breach sooner or later. By then, your login and password will be available online, and if you believed that using multiple passwords was too much of a chore, guess what happens. With a password manager you avoid that situation, since a leaked password becomes useless on any of your other accounts tied to the same e-mail.
 
  • Like
Reactions: i440BX
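The post above says you can set how strong the encryption is and that brute forcing a well-chosen master password is hopeless. As an added example (not from the poster or from the KeePass project), this Python script models the two levers behind that claim using only the standard library: a tunable key-derivation work factor, with PBKDF2-HMAC-SHA256 standing in for the AES-KDF or Argon2 that KeePass actually uses, and the expected time to crack a master password of a given entropy once every guess has to pay that work factor. The master passwords, salt, entropy figures and guesser counts are constructed for illustration.

```python
import hashlib
import hmac
import math
import os
import time

# Constructed master passwords for the demo; not real credentials.
WEAK_MASTER = "password1"
STRONG_MASTER = "copper kettle stumbles over nine ochre violins"

YEAR_SECONDS = 365.25 * 24 * 3600


def derive_vault_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key. The shape is the same
    as a KeePass unlock (password + salt + tunable work factor -> key); the
    KDF here is PBKDF2 from hashlib, not KeePass's own AES-KDF/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def unlock(stored_key: bytes, master_attempt: str, salt: bytes, iterations: int) -> bool:
    """One unlock attempt: re-derive and compare in constant time."""
    return hmac.compare_digest(derive_vault_key(master_attempt, salt, iterations), stored_key)


def seconds_per_guess(iterations: int, salt: bytes = b"\x00" * 16) -> float:
    """Measure what a single guess costs at this work factor on this machine."""
    start = time.perf_counter()
    derive_vault_key("timing probe", salt, iterations)
    return time.perf_counter() - start


def expected_crack_years(entropy_bits: float, sec_per_guess: float,
                         parallel_guessers: int = 1) -> float:
    """Expected time to hit the master: half the keyspace on average, spread
    over parallel_guessers machines each paying sec_per_guess per attempt."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * sec_per_guess / parallel_guessers / YEAR_SECONDS


if __name__ == "__main__":
    salt = os.urandom(16)
    # Illustrative entropy figures: a 9-char lowercase+digit password vs a
    # 6-word passphrase from a 7776-word list (assumed, for the comparison).
    weak_bits = 9 * math.log2(36)
    strong_bits = 6 * math.log2(7776)
    for iterations in (10_000, 600_000):
        cost = seconds_per_guess(iterations)
        print(f"iterations={iterations}: {cost * 1000:.1f} ms per guess")
        for label, bits in (("weak", weak_bits), ("strong", strong_bits)):
            alone = expected_crack_years(bits, cost)
            farm = expected_crack_years(bits, cost, parallel_guessers=1_000_000)
            print(f"  {label} ({bits:.0f} bits): {alone:.3g} years on one machine, "
                  f"{farm:.3g} years on a million")
    key = derive_vault_key(STRONG_MASTER, salt, 600_000)
    print("right master unlocks:", unlock(key, STRONG_MASTER, salt, 600_000))
    print("wrong master unlocks:", unlock(key, WEAK_MASTER, salt, 600_000))
```

The point the numbers make is that the work factor multiplies the attacker's cost per guess, but only the master password's entropy decides how many guesses there are; a weak master stays cheap to crack even at a high iteration count, and a strong one stays out of reach of a large guessing farm.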
It's your fault for buying into anything that big name YouTubers are shilling.
That's just to say I am surprised I don't see anyone bringing up how dangerous it is. Like Muta will shill it, and I don't understand how you could in good conscience.

The thing that brings this question is my insurance now thinks I should pay for this service. Which is ridiculous to me.

There are many other ways to protect your business from intrusion that don't rely on handing everything to a single company. This seems completely insane to me, and a massive risk too.

I am legit wondering if I am missing something. Because it sounds fucking stupid to me. I am pretty sure Null shilled password managers too.
 
  • Like
Reactions: i440BX
Like Muta will shill it, and I don't understand how you could in good conscience.
You really are a special one, aren't you. Yes, Muta will shill anything because he is a spineless faggot just like every other YouTuber. I'd suggest you install SponsorBlock, but I feel like you're the type of tech illiterate retard that hasn't even heard of uBlock Origin.
There are many other ways to protect your business from intrusion that don't rely on handing everything to a single company. This seems completely insane to me, and a massive risk too.
In business, you always want to rely on a third-party company so that when SHTF you can actually sue someone. It's just the way shit's stacked. They won't recommend KeePass because they can't sue Dominik Reichl personally, since the GNU GPL explicitly states the software has no warranty, and corpos need someone to blame if something goes wrong.
I am legit wondering if I am missing something
From what I can see, a lot of fundamental knowledge about tech, the Internet, and life in general.
 
Just save a long string of random gibberish to autofill and then add your actual password to the end of it manually. That way you only know half and your devices only know the other half. It's high-entropy; each password is unique per site so breaches don't matter, but you only have to remember one short password for everything; breaches of the device or password manager don't matter because the passwords are incomplete; and it can't be beaten out of you with a $5 wrench.
 
  • Thunk-Provoking
Reactions: Oh Sugar
I use Mozilla's password manager. 2fa and basic Internet safety prevents most attackers and if you were targeted by an advanced threat your password manager or lack thereof is probably of little concern.
 
  • Like
Reactions: i440BX
In business, you always want to rely on a third-party company so that when SHTF you can actually sue someone. It's just the way shit's stacked.

You really are a special one aren't you.
These two quotes next to one another are quite something.

While you may be right that there is value in offsetting risk to third parties, you're completely missing the point in this case.

It's not like I am deciding to go with a big three rather than a smaller structure where I know I get paid up no matter what.

If I am fucked, everyone is fucked. This is the only value proposition, and the same for everyone. How far along the list do you think I will be to get my money back?

From what I can see, a lot of fundamental knowledge about tech, the Internet, and life in general.

Yeah, by not buying this shit and actually asking if I am wrong in thinking it's bullshit I don't need, I am definitely demonstrating how stupid I am at life. You seem great at it, wish I could be you.
 