Ask HN: How do password managers make things better?

18 points by deanebarker ↗ HN
If I use a password manager (1Pass, LastPass, etc.), then all my passwords are in one place. There is literally One Password To Rule Them All™.

How is this less dangerous than the alternative?

41 comments

[ 2.6 ms ] story [ 104 ms ] thread
Getting your passwords requires two things: the master password (which should be strong) and the password file. Some pw managers add further factors.

Most people use simple passwords like cat12345. Or they use more complex passwords but share them between sites. Pw manager fixes that.

It's not perfect, but for most of us it's much better than most obvious alternatives.

>the password file

I use the online version. There's a browser plugin.

So the encrypted file is perhaps located in two places: in your browser cache and server-side.
It can be a problem if something can access your password database while it is unlocked or if you have a weak db password. In addition to keeping your system and applications patched and using least privileges and all the other usual best practices you can also keep the database closed when not using it.

To venture a few theoretical mitigation turtles down, one could keep a string in their head that they type in before pasting the password from their database meaning that the database only has part of the password. Some might consider that too much friction and some might see that as a fun prank for the password database vendors that theoretically work for intelligence agencies.

Well, LastPass is zero-knowledge, even if the databases are leaked, you are safe.

Companies are using these for their convenience (AD based access to passwords, without even knowing the actual pswds). Individuals can also have great benefits as they can shuffle their pswds, get notified about weak pswds, or breaches.

>Well, LastPass is zero-knowledge

How about 1Password?

For most accounts your email password is already a single point of failure (password reset flow).

Even where that's not true, the tradeoff with a password manager is in strengthening defenses broadly in exchange for a more central point of failure, compared to weak defenses all around but no single point that gives everything away. The idea being that you can remember one, really good high entropy password, vs. having a bunch of weak passwords.

Of course, the theoretical ideal would be having lots of different strong passwords, but that's not how human memory works.

"Don't reuse email addresses" should become as common advice as "don't reuse passwords."

Buy a domain and set up a catch-all email address, use a unique one for each service. Alternative options exist as well (Apple's "Hide My Email" for ex.)

Don't do the "add a plus sign at the end of your username to create unique addresses" thing. You still have a single point of failure and it causes weird bugs in poorly designed email addresses validation.

How is setting up a catch-all more secure in terms of account takeover? All the emails still go to one mailbox.

The only benefit is that when a website decides to sell your data or leak it, you know who is to blame and you can block that one e-mail they send the spam to.

Security without convenience means users will forfeit security for convenience.

Password managers offer convenience for "don't reuse passwords". You want to "don't reuse emails" become the norm? Implement a tool that removes all the hassle.

1password now has exactly this implemented with fastmail integration. You can generate a new email just as easily as a password when you make an account
That only helps if you actually use different passwords for all those different email addresses.
The main alternative is a shared password between sites so if one of those sites gets hacked, your passwords across many sites are compromised.

The security risk in general is not that your main password is guessed or cracked. It’s that a shared password is compromised.

To get into a password manager account, you require a secret and your master password. It is a potential point of failure, but less of one than what I tended to do without a password manager: reuse the same passwords across different sites. It would be impossible for me to remember a unique password for every site I'm registered on, so 1Password is just my place to record it.

Having said that as someone else mentioned in this post, your email password reset flows become a point of failure: if someone can get into your email address, they can essentially reset your password to whatever they want. This is why I also enable 2FA on every site I can, and have recently started using unique email aliases per website.

I'm considering getting a couple of YubiKeys instead of using something like Google Authenticator, but not really sure if that would result in a more secure setup overall yet.

If you are using truly unique passwords everywhere, then your brain is just fine. Good old paper and pen is a seriously secure password manager, and is the modern recommendation.

The only security feature that password managers bring to the table is eliminating password reuse. Some will monitor for breaches, but you can also do that yourself.

There are also conveniences, which is why I use one.

Great idea until you lose the paper or something happens to it (natural disaster/burglary/accident). It's also incredibly inconvenient to record 20 character passwords by hand. This is specifically what cloud storage (LastPass/1Password) solve.
It'a aways a trade off between security and convenience.

The best way I've managed to come up with is to use a password manager but then secure the hell out of it by using hardware keys as a second factor to access it, and only allowing getting around that with a printed out backup key.

This way you have the convenience of all the passwords as you need them on verified devices, but strong security (+ inconvenience) if you want to access them on a new device.

> secure the hell out of it by using hardware keys as a second factor to access it

I did this, then my phone broke and I was the only one with access to a particular system at work. It was miserable getting back in. I think harder about how I set myself up now.

This is one of the big issues with MFA: you should ideally never create a single point of failure in the second factor, so you want two hardware tokens, a hardware token and a fallback TOTP, etc., but also ideally the ability to have fallbacks that do not rely on email or SMS.

Most websites including financial ones fail on the second point. And it worries me because SIM swapping is real and does happen to people you know.

I wasn't sure about password managers for a long time, until I read this article by Troy Hunt "Humans are Bad at URLs and Fonts Don’t Matter": https://www.troyhunt.com/humans-are-bad-at-urls-and-fonts-do... - if you give this a skim read you may think this has nothing to do with password managers, but read it to the end.

I won't spoil it, but I will say that everything suddenly clicked in. Password managers solve so many problems at once, including problems we don't intuitively understand. Contrary to other comments here, password managers aren't " a trade off between security and convenience", security is a process and not a tool, and password managers regiment a very important process of password security for regular people.

Exactly - it's not just convenience. Without a password manager how the hell can you actually keep unique passwords that are completely unrelated on all your sites? You can't.

For me password manager is all about practicality.

I only need unique passwords on a couple sites, things like gmail and icloud, and that’s easy to remember. Don’t care about random websites, they can steal my password. It doesn’t matter, I’ll just make a new account.
Encourages stronger unique passwords, and it's safer than saving passwords unencrypted on disk. That's it.
It sounds like you're worried about theft of master password or theft of password database once gathered in one place.

For the former, use auth app-based 2FA against your master password to guard against unwarranted access, preferably using a physical key.

For the latter, review the security protocols your third-party provider specifies for how they protect your data. That should give you confidence about the likelihood of database leakage. If even that doesn't give you confidence, look at keepass where you can control where and how your passwords are stored.

Remember: you always had a password database in one place (your head), you just leaked information about it everywhere because you invested in a mnemonic for easy lookup. With a password manager, you've only increased the number of database accessors by one while guaranteeing significantly less leakage of your mnemonic, which was always the most likely danger.

asking people here, related to the topic at hand, why do we not have a passwordless system built fir the web? i mean i want to sign in to github or email or whatever, i use my local private key to do it like i do ssh. today we use mobile phones or desktops/laptops and all have browser addons and phone keyboards allow "features" so why isnt this more prevalent?
Going from my experience with 1Password here.

There are a few ideas, first is as you mentioned, it’s 1 password to remember, the rest can be randomly generated and you don’t need to know them.

In the case of 1Password, data is stored at rest, if the vaults locked it can’t be read, well, not easily.

Auto fill helps detect phishing attempts, if the domain is different 1Password won’t auto fill

It also can detect breaches and store TOTP if that tickles your fancy.

Auto fill is the key point of a good password manager, it makes entering logins trivial, I use biometrics to unlock on all my devices, then it fills in my details for me and away I go.

My pitch to clients is that the Password Manager is a way to consolidate all their passwords into a safe place, which also locks them into their own devices, which also gives them the ability to use unguessable and unique passwords, 2FA in the app.. and makes it easy to use and fill in. For some folks I tell them it's kind of like a glorified bookmark app that also fills in passwords. Whatever it takes to switch you over. ;-)

In my case we use 1Password for families .. which means my SO and kids also use it. Good password management from the get go is well worth it. It works on all your devices and automatically syncs across all of them.

Because all my passwords in the vault are strong and unique. Because my master password is a massive pass phrase not subject to the vagaries of limits on passwords many sites have and I literally keep it locked in a vault. So it is exponentially better than any alternative I have found [edit] for the cost and effort.
I use Bitwarden hosted on my own server at home. The only way to access it from outside is via a VPN. If someone gets access to that, figures out the URL of my Bitwarden instance, then manages to guess my master password, I feel it's fair game to have whatever passwords they want at that point :-)

Remember the alternative for most people is using the same password on every single site. When a password (along with your email) is leaked from one website, then people can gain access to whatever other sites you use the same email/password combination on.

I use 1pass but don’t necessarily trust it to make things any more secure..

AFAIK there is no way to prove that the cloud storage only stores an encrypted version at all times. Even if i audited the source and checked the network activity a few times, all it would take is one auto update that skips encryption, uploads the unencrypted passwords to a server and then restores the original binary. The only proof would be a network request if i was even actively logging and monitoring every single outgoing packet.

Not sure how common or secure this is but even inside my password manager, only part of the password is stored there. I have a common password that I add to complete the password.

So even if someone had access to my password manager, the passwords in there are just partials.

This sounds interesting. Does anybody have comments on how helpful it is?
Few advantages:

- One password per service, so if a service leaks it it affects nothing else.

- Super strong passwords, random long passwords way beyond what I can remember making them more secure from guessing/brute forcing.

Indeed, if someone gains access to your password manager you are not going to have a good time. So you have take all necessary precautions like 2FA, and even better hardware security keys, and you have to put trust in the service you use, they should be stored encrypted etc etc.

If it's less dangerous depends on your situation and what you are defending against. For me and I think for most "normal" folks, it's much safer as most risk comes from having bad passwords, reusing passwords, and services leaking your reused passwords.

That's the big question: what is the alternative? In most cases, it's way worse.

Another mitigating factor is that for important services you should enable 2fa anyway. If you keep your 2nd factor out of the pw manager (hardware security keys!) you add another layer.

Biggest advantage is with modern managers like 1Password on Apple operating systems, at least, there is tight integration that makes their use very seamless.

I have just one ridiculous master password that I have memorized (1Password has a great blog post talking about how to use the diceware method to pick a truly random yet fairly easy to memorize master password). With just that one password there is now not a penalty to keep individual, random passwords on all my accounts.

Password managers like 1Password are also integrating google auth support for two factor authentication and again in iOS in particular it's a VERY seamless experience to authenticate with 2 factor. macOS Monterey brought some further integrations but it's still not as seamless as iOS.

And I think that's what's really key - it's not like we all don't know passwords are a pain in the ass. OS vendors need to keep stepping up and making integrations with things like password managers easier until we finally come up with something that can replace them.

One side benefit of using a password manager is that your internet usage is truly portable.

This year, I’ve had to work with different laptops (linux and Macs) and switch my browser up a few times.

I’m so glad I was already moving away from iOS’s built in password manager before my old mbp died and I had to replace it with a borrowed linux laptop which got replaced with my wife’s decade old linux laptop, which finally got replaced with an M1 air.

I can’t imagine the world of pain if only ios knew my passwords. The above hops would have been impossible!