
My system requires me to hold exactly one key, which is my master password. I don't even know the dozens of passwords I am using. When I require one, the pwd manager enters it for me.


Most users will use the lowest energy option, which is using a reused, low-entropy password. Using a password manager is great for those that choose to do so, but the system can be designed so the lowest energy option is still secure enough. In this light: passwords are not secure enough.


A password manager solves this problem as well.

Even if the user chooses to use a low-entropy password for his locally stored safe, the actual passwords generated (which the user doesn't even need to know) for the services he accesses will be of high quality, and unique to every service.

The only point of vulnerability is then if the device gets stolen/hacked, but that's a problem that one entity has to deal with, instead of a problem that affects millions of users like a DB leak full of weak passwords.
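As an added illustration of the mechanism this comment describes (this is not code from the thread, and not any real password manager's implementation): a minimal local safe built only from the Python standard library. Per-service passwords are random draws from a 94-symbol alphabet, the master password is stretched with scrypt before it becomes the vault key, and the vault file is encrypt-then-MAC'd so a wrong master password or a tampered file is rejected before any plaintext is produced. The HMAC-in-counter-mode keystream is a stdlib stand-in for a vetted AEAD, and the scrypt parameters, service names and master password are constructed placeholders, not recommendations.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def password_entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET):
    """Per-service password: every character is an independent CSPRNG draw."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_vault_key(master_password, salt):
    """Stretch the (possibly weak) master password so each offline guess costs
    the attacker memory and time. Parameters are illustrative only."""
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for an AEAD)."""
    blocks, counter, produced = [], 0, 0
    while produced < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def _subkeys(vault_key):
    """Separate encryption and MAC keys derived from the one vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal_vault(master_password, vault):
    """Serialise the {service: password} map and encrypt-then-MAC it.
    Output layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, salt))
    plaintext = json.dumps(vault, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal_vault(master_password, blob):
    """Verify the tag before touching the ciphertext: a wrong master password
    or a tampered file fails here instead of yielding garbage."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode())


def opens_with(master_password, blob):
    """True if this master password authenticates the vault blob."""
    try:
        unseal_vault(master_password, blob)
        return True
    except ValueError:
        return False


def demo(master_password="correct horse", services=("mail.example", "bank.example", "shop.example")):
    """Build a vault with one generated password per (constructed) service, seal it, reopen it,
    and compare the entropy of a reused 8-char lowercase password with a generated one."""
    vault = {s: generate_password() for s in services}
    reopened = unseal_vault(master_password, seal_vault(master_password, vault))
    return {
        "roundtrip_ok": reopened == vault,
        "all_unique": len(set(vault.values())) == len(vault),
        "reused_8char_lowercase_bits": round(password_entropy_bits(8, 26), 1),
        "generated_20char_bits": round(password_entropy_bits(20, len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the service-facing secrets carry about 131 bits of entropy each and are unique, regardless of how weak the master password is; the master password only has to hold up against an attacker who has already taken the one device holding the sealed file, which is the single point of exposure the comment names.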


A password manager is higher energy than reusing the same low-entropy password directly. So no, it does not solve the password problem.


Using a PKI, or a hardware token, or MFA or any other method is also "higher energy" than reusing the same low-entropy password directly.


Unless, of course, passwords were no longer made an option. Pushing down the energy of alternatives that are secure enough is important work.


Passwords will be an option as long as comfort is a selling point.





