I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don’t like that idea. I can exercise my brain.
I encourage you to think critically about this and re-evaluate your decision. I would say that for at least 99.99% of people a password manager is significantly more secure overall.
Browser-integrated password managers will avoid filling your password into the wrong site. This is a great barrier to phishing.
Allows a unique password per-site which greatly mitigates the problem of password leaks which are fairly common.
Allows you to use much stronger passwords than you can memorize.
It’s quite convenient to just click “login”.
For most people phishing is a far bigger risk than some malware stealing their local password databases. To make database theft even less of a concern most password managers have the option to encrypt the local database file. This means that to steal your passwords the malware will need to extract the encryption key from the password manager process which can often be configured to forget the key quickly after the last use.
Also consider that if you have malware that can steal your password database and the encryption key it can probably just keylog all your passwords or steal your browser’s cookie jar. So the extra barrier here is minimal.
I think you are right to be suspicious of having a vault of passwords “ready to steal” but in practice the upsides far outweigh the downsides, especially if you make a security-focused choice of password manager.
I’ve been using keepassxc for a while now and it’s better than most other options, everything is stored locally and encrypted behind a master password.
All you micht want to do is make a backup of your vault onto an external drive (best practice would be encrypted via the options you have, I use luks because I’m a Linux nerd).
I’m in the same boat at this point, partly just because I’m not sure how I want to partition things and if the software will work together the way I want.
I assume password managers themselves store things encrypted until you unlock them with whatever master password.
If your computer is compromised to the extent that bad guys can read memory allocated to your password manager in order to discover the key to your password database, then they can also read memory allocated to your browser, which temporarily stores your passwords when you type them into websites, and steal the passwords from there.
Even storing passwords in unencrypted text files only reveals them to bad guys if they have compromised your computer to the extent that they can read arbitrary files, in which case the bad guys can also read all the other sensitive information stored on your computer. Depending on what you do for a living, your porn preferences, etc, that may be even worse than your passwords being stolen.
And that sort of security breach isn’t terribly common anyway. As long as you don’t run any shady software on your computer, it will most likely never happen. Using weak passwords, on the other hand, will result in the compromise of whatever they protect, because cybercriminals are constantly, relentlessly trying to guess people’s passwords.
I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don’t like that idea. I can exercise my brain.
I have 350 items in my BW vault. I am not memorizing that many passwords, I’d rather use my brain for something else.
I encourage you to think critically about this and re-evaluate your decision. I would say that for at least 99.99% of people a password manager is significantly more secure overall.
For most people phishing is a far bigger risk than some malware stealing their local password databases. To make database theft even less of a concern most password managers have the option to encrypt the local database file. This means that to steal your passwords the malware will need to extract the encryption key from the password manager process which can often be configured to forget the key quickly after the last use.
Also consider that if you have malware that can steal your password database and the encryption key it can probably just keylog all your passwords or steal your browser’s cookie jar. So the extra barrier here is minimal.
I think you are right to be suspicious of having a vault of passwords “ready to steal” but in practice the upsides far outweigh the downsides, especially if you make a security-focused choice of password manager.
I’ve been using keepassxc for a while now and it’s better than most other options, everything is stored locally and encrypted behind a master password.
All you micht want to do is make a backup of your vault onto an external drive (best practice would be encrypted via the options you have, I use luks because I’m a Linux nerd).
Agreed. Have my password database backed up over multiple places, GPG encrypted of-coarse, you can never be too safe.
I’ve got 1601 logins and 86 secure notes in my Bitwarden vault… no way I’m memorizing all of that lol
I’m in the same boat at this point, partly just because I’m not sure how I want to partition things and if the software will work together the way I want.
I assume password managers themselves store things encrypted until you unlock them with whatever master password.
If your computer is compromised to the extent that bad guys can read memory allocated to your password manager in order to discover the key to your password database, then they can also read memory allocated to your browser, which temporarily stores your passwords when you type them into websites, and steal the passwords from there.
Even storing passwords in unencrypted text files only reveals them to bad guys if they have compromised your computer to the extent that they can read arbitrary files, in which case the bad guys can also read all the other sensitive information stored on your computer. Depending on what you do for a living, your porn preferences, etc, that may be even worse than your passwords being stolen.
And that sort of security breach isn’t terribly common anyway. As long as you don’t run any shady software on your computer, it will most likely never happen. Using weak passwords, on the other hand, will result in the compromise of whatever they protect, because cybercriminals are constantly, relentlessly trying to guess people’s passwords.