

Ask HN: If you're not using a password manager tool, what's stopping you? - tim_nuwin


======
AznHisoka
I wish they would just work. Example: I use LastPass, and every time I log
in to Twitter, it asks me if I wanna save my password even though I've logged in
100 times before and saved it previously. It always does this.

Lastly, it's too time-consuming sometimes when I need to log in to a critical
service on a PC in a public place. I need to install LastPass (and hope I can
install it), then log in. If I remembered my password I could just log in
without LastPass. Those precious few minutes are critical if I need to log in to
my host provider when my site goes down, for example.

------
Stoo
I don't use a password manager tool because I don't feel I need to. I take a
kind of algorithmic approach to generating unique passwords for each site I
use. I have a root password which contains the usually required alphanumeric
with an upper case letter and some special characters. The rest of the
password is based on the site or service I'm logging into.

A really simple example would be:

cabbage123!face <- Facebook
cabbage123!goog <- Google
cabbage123!twit <- Twitter

I only have two things to remember - the root part of the password and the way
to generate the last part. Obviously, just using the first four characters
isn't the best idea, but you can change that part to whatever you want to -
it's kind of your own secret key.
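
The scheme above, with a keyed variant beside it, as an added example that is not part of the original thread (the root value is the post's own constructed one). `naive_site_password` reproduces the root + four-letter-suffix rule; `keyed_site_password` is an assumed alternative in which the site-specific part is HMAC-SHA256 of the site name under the root, so that two derived passwords no longer share a recognisable prefix. `compare_schemes` measures the longest prefix two site passwords have in common, which is the practical difference between the two rules if one password is ever exposed:

```python
import base64
import hashlib
import hmac

# Constructed example values for illustration only, not anyone's real root password.
ROOT = "cabbage123!"


def naive_site_password(root: str, site: str) -> str:
    """The scheme from the post: the secret root followed by the first four
    letters of the site name. Every password carries the root as a literal prefix."""
    return root + site.lower()[:4]


def keyed_site_password(root: str, site: str, length: int = 16) -> str:
    """Assumed variant: the site-specific part is HMAC-SHA256(root, site).

    The site name is public and the root stays secret, but the output reveals
    neither: without the root the tag cannot be recomputed or inverted, so two
    derived passwords share nothing recognisable. base64 output covers upper and
    lower case, digits and '+' '/', but a site that insists on a particular
    character mix may still need a site-specific adjustment.
    """
    tag = hmac.new(root.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:length]


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common prefix of two strings: a cheap measure of how much
    one password tells you about another generated by the same rule."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def compare_schemes(root: str = ROOT, sites=("Facebook", "Google", "Twitter")) -> dict:
    """Return, per scheme, the longest prefix shared by any two site passwords."""
    result = {}
    for name, fn in (("naive", naive_site_password), ("keyed", keyed_site_password)):
        pws = [fn(root, s) for s in sites]
        result[name] = max(
            shared_prefix_len(pws[i], pws[j])
            for i in range(len(pws))
            for j in range(i + 1, len(pws))
        )
    return result


if __name__ == "__main__":
    # naive shares the whole 11-character root; keyed shares far less than that
    print(compare_schemes())
```

The keyed form keeps the two things the post wants to remember (a root and a rule) while removing the property that makes the naive form risky: knowing one password gives away the root and the rule for all the others.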

~~~
Gustomaximus
2 problems:

1) Some sites place rules on the password. A bank I used limited passwords to
6 characters! Can't believe someone thought that was a good idea.

2) If you use this on random sites someone might pick up the format quite
easily if they are targeting you. I'd suggest using layers of 'root' so random
sites you sign-up use one root (e.g. HN), mid-security sites use another root
(e.g. FB), and high need for security sites use a third root (Financial). I do
something like this to limit risk and it's not too hard to remember.

Regarding the single point of failure which I believed previously was a
problem with password managers, Voxic11 explained otherwise a couple months
back in a previous thread:

"LastPass and other password services don't actually store your information in
any way they can read them. What they do is store the password information as
an encrypted blob and the public key derived from your password. When you "log
in" you actually are running the key derivation function on your password
locally then signing a message with your private key and sending that to
Lastpass. When they receive the signed message they check it against your
public key and if it passes they send you your password information. Which you
then decrypt clientside. So anyone who compromises lastpass gets nothing
except a bunch of encrypted blobs and public keys. The only way to get at your
lastpass information is to retrieve the unencrypted copy off your computer's
memory, but if a hacker can do that they can just steal your passwords as you
type them in anyways."
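
A minimal model of the design the quoted comment describes, as an added example that is not part of the original thread and not LastPass's actual protocol: the client stretches the master password locally, splits the result into an encryption key that never leaves the device and an authentication key that proves knowledge of the password, and uploads only an encrypted blob. The server stores the salt, a hash of the authentication key, and the blob, so a full dump of its store yields neither plaintext nor a usable login credential. `VaultServer`, `client_enrol`, `client_login`, the HMAC-based stand-in cipher and the sample credentials are all assumptions made for the example:

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 200_000  # illustrative; tune to the slowest client you support


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password with PBKDF2-HMAC-SHA256, then split the result
    into three independent keys by label:
      enc_key  - encrypts the vault, never leaves the client
      mac_key  - authenticates the ciphertext, never leaves the client
      auth_key - proves knowledge of the master password to the server
    The split is one-way, so the server's copy of auth_key (hashed) cannot be
    turned back into enc_key."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"auth", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher;
    # a production vault would use AES-GCM or XChaCha20-Poly1305 from a vetted library.
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """What the service holds per user: a salt, a verifier, and an opaque blob."""

    def __init__(self):
        self.users = {}

    def enrol(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        # Hash auth_key on receipt: the stored verifier is not itself a login credential.
        self.users[user] = {"salt": salt,
                            "verifier": hashlib.sha256(auth_key).digest(),
                            "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self.users[user]["salt"]

    def login(self, user: str, auth_key: bytes) -> bytes:
        rec = self.users[user]
        if not hmac.compare_digest(rec["verifier"], hashlib.sha256(auth_key).digest()):
            raise PermissionError("master password rejected")
        return rec["blob"]


def client_enrol(server: VaultServer, user: str, master_password: str, secrets: dict) -> None:
    """Client side: derive keys locally, encrypt locally, upload blob + auth_key once."""
    salt = os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    server.enrol(user, salt, auth_key, seal(enc_key, mac_key, json.dumps(secrets).encode()))


def client_login(server: VaultServer, user: str, master_password: str) -> dict:
    """Client side: re-derive keys from the salt, authenticate, decrypt the returned blob."""
    enc_key, mac_key, auth_key = derive_keys(master_password, server.salt_for(user))
    return json.loads(unseal(enc_key, mac_key, server.login(user, auth_key)).decode())


if __name__ == "__main__":
    srv = VaultServer()
    # constructed sample credentials
    client_enrol(srv, "alice", "correct horse battery staple", {"twitter": "hunter2"})
    print(client_login(srv, "alice", "correct horse battery staple"))
```

Two properties are worth checking against the server's store after enrolment: the blob contains none of the secrets in the clear, and a wrong master password fails at the verifier step before any blob is handed out. The tag check in `unseal` additionally rejects a blob that has been altered in storage or in transit, which is the part of the design the quote leaves implicit.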

~~~
Stoo
> 1) Some sites place rules on the password. A bank I used limited passwords
> to 6 characters! Can't believe someone thought that was a good idea.

That's true, but I haven't recently come across a service that I want to use on a
regular basis which has that restriction. If I do need to sign up to a site
which has a similar restriction it's normally something I'm going to use
once, so I use a garbage password and rely on their password reset mechanism
if I need to use the service again.

2 is a good idea and I'll start doing that. It still keeps what you need to
remember to a minimum while adding greater uniqueness to passwords.

------
HorizonXP
I _am_ using a password tool, and I wish it provided the following:

1) Seamless sync between my devices. I want to be able to access my accounts
on any laptop or mobile device. I use a BlackBerry, so good luck with that! (I
can sideload the Android app, if that helps. :P)

2) Automatic encrypted backups. Sure, I can throw the database into Dropbox or
something, heck I can set it up to sync back to my tarsnap account. But if you
do this for me, I'll pay you.

3) Shared accounts. This is useful in two scenarios:

a) Accounts & passwords for use within teams/companies/etc.

b) Sharing accounts with my wife.

Right now, she doesn't have full access to my financial accounts. I really
want to change that. Make it easy for me to do that.

4) Dead Man's Switch. IMO, the value of a centralized password manager is this
last feature. Heaven forbid that I'm no longer around, I'd like my family to
have access to my complete online & offline life to take care of things as
needed.

~~~
Immortalin
I am using Mitro, it has all of the features you wanted except the Dead Man's
switch, but you could probably overcome that with shared accounts.

[https://www.mitro.co](https://www.mitro.co)

~~~
modzilla
I also use Mitro. It is free, has strong crypto, allows shareable secrets, and
works cross-platform.

I wish there was an API. I would use it for storing integration test accounts.

------
sjs382
Convenience.

Trust.

Fear that the tool (or database) will become corrupted and lose all of the
passwords that are stored in it.

------
MalcolmDiggs
I don't, because I don't feel comfortable with the idea of a single point of
failure for all my passwords. I'd rather keep them distributed across a
variety of storage mechanisms than in any one tool.

------
ceeK
I like the concept, I've just never had the patience to go through the entire
on-boarding procedure for any of them.

------
DanBC
A combination of:

i) I want it to sync across all my devices but

ii) I don't trust cloud providers. I especially do not trust the cryptography
people use.

Also, I am poor / mean and the price I am prepared to pay is below what
people are prepared to charge.

------
ark15
I use Keepass + $cloudsyncprovider so that my KDB file is available wherever
I need it.

------
davismwfl
I use different passwords for almost every site and so if one is compromised
my risk is fairly limited. If the password manager was compromised in some way
it would raise my exposure significantly.

~~~
tim_nuwin
Do you remember all your passwords in your head?

~~~
davismwfl
Not all; the rarely used (but needed) ones are stored, and I am old school:
they are printed and stored in a safe. But the ones I use every week, yeah, I
remember them. Part of my ability to do that is that I also shut down accounts if I
am not actively using them, to keep it a manageable number. Mostly because
there is no way I could remember too many at once and not screw up by having
some easily guessable pattern.

------
J_Darnley
It doesn't stop me from using one but I am frequently forced to use the
clipboard to get the password into the software I want. So integration is a
big pain point.

------
hariharan_uno
1. Disbelief in encryption tech used for the tool.

2. No guarantees that it won't be vulnerable at some point.

~~~
tim_nuwin
Would you be more apt to use a password management tool if you hosted the
service yourself?

~~~
logn
I would use any tool I can compile myself and run on my local computer.

------
manuw
I use a gnupg file.

------
jpetersonmn
Don't trust a 3rd party with my passwords.

~~~
tim_nuwin
How about if you hosted the service on your own server?

~~~
jpetersonmn
Setting up and securing a server would be a lot of extra work, and then also
wouldn't trust the 3rd party software that would need to run. Not trying to be
a negative nelly, just giving honest feedback.

