
Yea, it does look legit after reading the articles you posted. I am not a hacker per se, but I guess uncovering what a gov hacker did in your account is highly difficult. In terms of safety, use a password manager that creates and stores hard-to-crack passwords for you. I am pretty happy with Dashlane, 1password has a good reputation, too.



What! Don’t use a password manager, and turn on 2-factor authentication.


Absolutely use a password manager, and a strong passphrase for the master password [1]

Why would you say not?

I'm not trying to be rude or anything. Let's have a discussion, and if I can convince you to use one, I'd have made one more person safer.

[1] I made this for a dead simple way to make passphrases: https://amingilani.github.io/password-maker/


Not OP but open for a chance. Last time I checked the popular password managers saved the passwords in one way or another. Which personally simply sounds like a bad idea to begin with.

Even if in theory they are safe, even the slight chance that a single failure could lead to all my passwords getting into the wrong hands at once is just too scary.


How do you propose one memorizes a properly random/secure/long password, let alone multiple ones, without trusting 'something' with it, whether a password manager of good repute, a hand-rolled version with potentially bigger security issues, or a piece of paper somewhere?


I've memorized multiple long passwords, and routinely memorize new ones. Also phone numbers, poems, mailing addresses, digits of pi, etc. It's not really that challenging. Especially if you do it often.


Your password doesn’t need to be a long random string, just a long unguessable one that is safe from dictionary attacks. Ilikeapples! is fine. But you know, I’m not a security researcher.


They do, but that's not such a bad idea. For an exhaustive read, I wrote this[1] a while back, but I'll try to make the point here too:

1. Are all your passwords unique?

2. If I discovered some of your passwords, will the rest of your passwords stay secure?

3. Were all your passwords created using at least 32 bits of entropy?

4. Are your passwords stored only in encrypted form?

5. Do you perfectly remember every single password you’ve used when signing up?

6. Do you turn up positive for a password leak at this website?

If you answer "no" to any of these questions, you'll benefit from a password manager.

About storing passwords, I use LastPass and they use client-side encryption[1], which means even they don't have the decryption key to read my passwords. So, you'll be fine as long as you have a secure passphrase and 2FA :)

https://lastpass.com/support.php?cmd=showfaq&id=6926

[1]: Please skip to "Strategy No. 1: Proper Password Management" @ https://www.toptal.com/remote/best-security-practices-for-re...


So, you'll be fine as long as you have a secure passphrase and 2FA :)

And nobody hacks into your machine...


Of course, but at that point it doesn't matter what method of password management you're using. It's too late.


Password managers use client side encryption. They are not stored unencrypted on the manager's servers.


I must admit, I use Apple’s Keychain, I wouldn’t trust a third party app.


Do you have citations for this? AFAIK state of the art is to put the password through some password stretching algorithm (like PBKDF) and to encrypt the database with that. No need to store the password. I think NaCl offers out-of-the-box support for this.

EDITED to add: I am using Password Safe which is recommended by Bruce Schneier. What you describe would be an absolute noob mistake. He would be pretty embarrassed if you were right.
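The two technical points in this thread, the "at least 32 bits of entropy" question in the checklist above and the key-stretching design described in the previous comment (derive a vault key from the master passphrase with a PBKDF and never store the passphrase itself), can both be shown in a few lines. The following is an added illustration written for this thread, not code from any password manager mentioned here. The word list is a constructed 16-word sample (a real Diceware list has 7776 words, which is the size used in the `words_needed` check), the iteration count is an assumed parameter, and the HMAC "verifier" is one simple way to let a vault confirm the master passphrase without storing it; actual products differ in their details.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample word list (16 words = 4 bits of entropy per word).
# A real Diceware-style list has 7776 words, about 12.9 bits per word.
WORDLIST = [
    "apple", "river", "stone", "cloud", "maple", "tiger", "lemon", "piano",
    "coral", "ember", "frost", "olive", "quartz", "violet", "wheat", "zebra",
]
DICEWARE_SIZE = 7776

# Assumed PBKDF2-HMAC-SHA256 iteration count; higher is slower for an attacker.
ITERATIONS = 600_000


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of n_words chosen uniformly at random."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches the entropy target."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def make_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Pick words with the CSPRNG-backed secrets module, never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def derive_vault_key(master: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key stretching: a 256-bit vault key derived from the master passphrase."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def create_vault_header(master: str) -> dict:
    """What a vault needs to persist: salt, iteration count and a key verifier.

    The master passphrase itself is not stored anywhere in the header.
    """
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master, salt)
    verifier = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(header: dict, master: str):
    """Re-derive the key and compare the verifier in constant time.

    Returns the vault key on success, None on a wrong passphrase.
    """
    key = derive_vault_key(master, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    if hmac.compare_digest(check, header["verifier"]):
        return key
    return None


if __name__ == "__main__":
    n = words_needed(32, len(WORDLIST))
    phrase = make_passphrase(n)
    print(f"{n} words from a {len(WORDLIST)}-word list: {phrase!r}")
    print(f"entropy: {passphrase_entropy_bits(n, len(WORDLIST)):.1f} bits")
    header = create_vault_header(phrase)
    print("unlock with right passphrase:", unlock(header, phrase) is not None)
    print("unlock with wrong passphrase:", unlock(header, "wrong") is not None)
```

The point of the header is that losing it gives an attacker only the salt, the iteration count and a keyed hash; recovering the vault key still means guessing the passphrase and paying the full PBKDF2 cost per guess, which is why the entropy of the passphrase (not its look) is what matters.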


I think herbst is saying that password managers store the passwords being managed, not the master password used to encrypt the DB.


Not parent but I'm guessing the rationale is that a password manager could undermine the concept of 2fa.

Some believe that the "something you know" should be stored inside your head. I personally use a password manager, but can understand the viewpoint.

Password managers lie somewhere between 2 different factors, "have" (the password DB) and "know" (only your master password). For those who use a laptop as their 2nd factor (yubikey plugged into a USB port, a token on the system itself) and get their laptop stolen, a compromise of the password safe could result in both factors being breached.


Because the security of your passwords depends on the security of the password manager and the security of their infrastructure... the big password managers have had issues, in code, design, and even LastPass was attacked by hackers.

Trusting your bank / email and other important passwords is an unneeded risk.

Your turn: why should I rely on someone and their servers to save my passwords when a good password and 2FA will protect my account?



