Ask HN: What password manager do you use? - heckubadu
======
Nadya
Password managers are flawed by design. A master password grants access to all
other passwords and creates a single point of failure. I also advise using
separate email addresses to avoid having an additional single point of
failure.

Have one email primarily for social interaction and create new emails when
creating new accounts on new websites with new passwords.

I'll stick with using my own head. Even if that means I'm sending a password
recovery request at least once a month from forgetting my passwords and then
playing "Guess the Email that was just sent to" for the next 15 minutes.

Chances are if I forget my login, the site wasn't very important to me anyway
and it's one less place I'll visit.

~~~
snowwrestler
You're worried about the password for a website, so you create a new email
account to handle its password recoveries. Now you have 2 passwords to worry
about.

In cryptography, a single point of failure is what you want, because you can
concentrate entropy at that point. Take 5 of the best passwords you can
remember; concatenate them and use that as your master password. A 40+
character password from the full set of symbols will not be guessed anytime
soon, even for astronomical values of "soon."

This is a net win because with a password manager, ALL your passwords can be
40+ characters if you want; you only have to remember one of those. Plus you
can reduce the chance of needing to use email reset (which is itself
incredibly insecure) to near zero.
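An added example, not written by any commenter in this thread: a small Python calculation of how entropy adds when independently chosen random passwords are concatenated, as the comment above suggests, and how that compares with a diceware-style word passphrase. The alphabet size of 95 (printable ASCII), the word-list size and the guess rate are assumptions, and the figures are upper bounds that hold only if each part really was chosen uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def concatenated_entropy(parts) -> float:
    """Entropy of concatenating independently chosen random passwords.
    `parts` is a list of (alphabet_size, length) tuples; entropies add."""
    return sum(entropy_bits(alphabet, length) for alphabet, length in parts)

def passphrase_entropy(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words picked uniformly from a list of
    `wordlist_size` words (e.g. 7776 for a standard diceware list)."""
    return words * math.log2(wordlist_size)

def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search, which on average succeeds
    after half the keyspace has been tried."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Assumed: five independent 8-character printable-ASCII passwords,
    # concatenated into one 40-character master password.
    master = concatenated_entropy([(95, 8)] * 5)
    # Assumed: a six-word diceware passphrase from a 7776-word list.
    phrase = passphrase_entropy(7776, 6)
    rate = 1e12  # assumed offline guess rate, guesses per second
    print(f"40-char master password: {master:.1f} bits, "
          f"~{expected_years_to_guess(master, rate):.2e} years at {rate:.0e}/s")
    print(f"6-word diceware phrase:  {phrase:.1f} bits, "
          f"~{expected_years_to_guess(phrase, rate):.2e} years at {rate:.0e}/s")
```

The point the numbers make is the one in the comment: the entropy of the concatenation is the sum of its parts, so one long master password chosen this way is far beyond exhaustive search, whereas the same strength is never reached by a password that has to be recalled unaided for every site.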

~~~
Nadya
A single point of failure means if they gain access to one account they have
access to ALL of your accounts. For example, if someone breaks into your email
and you use that email for all of your accounts (banking, amazon, facebook,
etc.) they can use email recovery to gain access to ALL of your accounts.

If someone gains access to one of my accounts, every single other account is
still secure because it uses an entirely different email & password that has
no relation to any other email or password.

~~~
snowwrestler
> If someone gains access to one of my accounts, every single other account is
> still secure

All of your accounts are insecure from the start because a) you use passwords
easy enough for you to remember, and b) you rely on email reset, which travels
the public Internet in plain text.

~~~
Nadya
Try checking your RCPT header next time. Create a throwaway Yahoo account and
change the password. You'll find it's sent with 128 bit encryption over TLS.
If using a Gmail account to recover, Gmail defaults to HTTPS. You'll find
you're secure every step of the way. To call email insecure is to be rather
outdated with advances in the past 4-5 years.

Furthermore, nice assumption under 'a'. Mnemonics are a powerful learning
device for memorization, I advise you look into them. The human memory is a
powerful thing and committing several randomly generated passwords consisting
of 20-50 characters is not "impossible".

[https://en.wikipedia.org/wiki/Grand_Master_of_Memory](https://en.wikipedia.org/wiki/Grand_Master_of_Memory)

I do not remember my passwords. I remember mnemonics which help me remember my
passwords. It's not entirely foolproof but it is far more secure than a
single-failure-point system.

~~~
snowwrestler
Your password reset email might or might not travel over SMTPS. As an end user
you have no way of knowing in advance or forcing its use, so it's not very
trustworthy.

I have no doubt you can memorize several very strong passwords, but there is a
limit to how much randomness anyone can memorize. I've got over 100 passwords
in my manager, counting both personal and professional accounts I need to keep
track of.

------
kseistrup
Pass — the standard unix password manager ⌘
[http://www.passwordstore.org/](http://www.passwordstore.org/)

------
vortico
I use a plaintext file on a LUKS partition.

------
andygambles
1password

------
kolev
1Password

~~~
kolev
I hate the fact that it pollutes my Dropbox history though.

