
Even a fairly middling password manager implementation is better than just about any other strategy that anyone is likely to use.

Especially because for the vast majority, the other strategy is going to be reusing the same password ~everywhere and if you're lucky they might use a special password for their bank or something.



I guess for most people online, writing all their passwords down in a notebook is more secure than using a password manager. It’s just less convenient.


A notebook is better in some ways, but worse in important ones. It can't save you from phishing, and your password strength is going to be relatively poor (since a notebook can't generate them for you, and if they get long it'll be annoying to type). Also, a notebook is easier to copy, steal, or lose (though this is a fairly minor consideration for most people).

I would say a notebook is worse than a password manager. It's not strictly worse in every way, but on the balance it's not a hard choice.

A notebook is better than most other not-a-password-manager solutions though. So it has that going for it.


And less resilient.

If your notebook is destroyed (e.g. dog eats it, fire, water damage, et al) then all your passwords are gone. With most good password managers you can actually backup and store a copy of your vault data locally.


I installed BackBlaze years ago for my 88-year-old mother-in-law. She has a binder beside her computer with a sheet for each account, some with 7 or 8 passwords scratched out and replaced.

I really should have her write out a few key passwords and put them in an envelope for me to keep.


The only one you usually really need is your email password. You can typically reset everything else from that if you really had to.


The notebook is still less secure because of phishing.


My biggest complaint is that password managers treat passwords as something precious. They're the opposite of that, in most cases they don't even have to be remembered at all, because there are easy password reset flows and long session times. Just get a new password if you need to log in from a new device or the session ended.

Sure, you need to know how to log into your email, but that isn't any more passwords to remember than the password manager master password.

I don't rely on just that, but between the reset flows and the browser's built-in password store, I don't really see what I gain by adding an external point of failure.


> I don't rely on just that, but between the reset flows and the browser's built-in password store, I don't really see what I gain by adding an external point of failure.

I mean, a browser "password store" _is_ a password manager. It's just usually not a very featureful one.
