
Ask HN: are pwd managers more secure? - fakeElonMusk
Let's say I use 1password or any other password manager. They will eventually get hacked or there will be a back door or some exploit. Right? All software has vulnerabilities, even the NSA has been hacked. So why is it more secure than me keeping passwords on paper? I would like to use 1password but I'm also ok with staying old school. Convince me!
======
Lorenz-Kraft
Using the "paper form" has only the drawback of being available for everyone
in your environment.

If you want to keep the paper form and also have the ability to securely
generate new passwords:

Buy a cheap, widely available book (maybe two or three of the same), start at
a random page and use the first letters/sentences in this book as your new
password. To make it even more secure, I would suggest you add a "standard" to
every password you have created ... like "SuperSecurePa##".

So for example: You have bought a book and like to add a new password ... you
might start at page one, where the sentence would be: "Once upon a time, there
were two developers ..." => this will become your password:
"Ouat,twtdSuperSecurePa##"

Even more secure password (due to the size):
"Onceuponatime,thereweretwodevelopersSuperSecurePa##"

You can level this up by:

- Your chosen appendix has even more "secure" chars, like #*+?="§%&/() (you
know what I mean)

- You prepend and append your new password with your "common" pass (here
"SuperSecurePa##") ... or maybe prepend with a different common pass??

~~~
fakeElonMusk
I have a pwd scheme like this that I use, but not based on book pages. But
it's a cool idea...thx!

------
t0astbread
I use password managers for the following reasons:

- Convenience: I only have to remember one password and I get the comfort of
a digital database (as opposed to paper).

- The passwords I have on websites can have higher entropy and be longer than
I could ever remember or type, making them possibly harder to decipher in case
of a breach on any website.

- Password managers are all about security while many websites are not (at
least not as their primary purpose). Password managers are probably better at
it.

- If a (good) password manager is set up to sync passwords via a server or
your machine somehow gets compromised, the password database should still be
encrypted via a master password.
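
As an added example (not code from this thread or from any particular password manager), the Python below illustrates two of the points above: a per-site password drawn from a CSPRNG with its entropy computed, and a vault key stretched from the master password with scrypt so that a synced copy is only as guessable as that master password. The alphabet, the length, the scrypt parameters and the HMAC verifier (standing in for the authentication tag of the vault encryption, which is not shown) are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet: the 94 printable ASCII symbols (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=24, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def derive_vault_key(master_password, salt):
    """Stretch the master password into a 32-byte key with scrypt.

    n=2**14, r=8, p=1 are assumed demo parameters (about 16 MiB per guess).
    """
    return hashlib.scrypt(master_password.encode("utf-8"),
                          salt=salt, n=2**14, r=8, p=1, dklen=32)

def make_verifier(key):
    """Value stored next to the vault so a wrong master password is detected."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def unlock(master_password, salt, verifier):
    """Return the vault key if the password is right, otherwise None."""
    key = derive_vault_key(master_password, salt)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None

if __name__ == "__main__":
    salt = secrets.token_bytes(16)                 # stored in the clear with the vault
    master = "constructed demo master passphrase"  # constructed sample value
    verifier = make_verifier(derive_vault_key(master, salt))
    site_pw = generate_password()
    print(site_pw, f"{entropy_bits(len(site_pw), len(ALPHABET)):.1f} bits")
    print("right password unlocks:", unlock(master, salt, verifier) is not None)
    print("wrong password unlocks:", unlock("guess", salt, verifier) is not None)
```

The salt and verifier are not secret; anyone holding the synced file still has to pay the scrypt cost for every master-password guess.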

~~~
fakeElonMusk
I agree that a big pro for pwd manager is the generation of long, very secure
pwds

------
antisemiotic
You can use a local password manager like pwsafe, that way someone would have
to hack into your computers first, and then break pwsafe's encryption (which
is of course impossible, since it was written by Bruce Schneier).

It's more of a pain to use than web password managers, but less than a piece
of paper. I'd still recommend writing down the master password, since if you
lose it you're screwed.

~~~
fakeElonMusk
This is another issue I have with it - if I forget a pwd for a site (or lose
my paper) I can reset it assuming I have access to my email. If I forget a
master pwd I'm f'd.

------
shrutipathak
You could lose the piece of paper making all your passwords vulnerable. My
colleague stored all passwords on a note in the phone and lost the phone on
vacation.

I had to change all the passwords immediately because of this. Even if I have
1Password on the lost phone, I don't see how anyone could get inside of it.

~~~
Lorenz-Kraft
Quote: "I don't see how anyone could get inside of it"

OS Bug, Software Bug, OS Exploit, Software Exploit ...

