Password managers vs. Manual password management

I've been thinking about the use of password managers lately and wondering whether it's worth exploring an alternative.

The problem, as I see it, is with having one master password - I know this is supposed to be kept securely by the developers, but I've heard of several security scares in the last few years. Of course, this is much more secure than simply using the same password everywhere, but if hackers were able to gain access to people's master passwords, surely it would be a goldmine for them and disatrous for everyone else! Even if the master passwords are well protected, this is possible, right?

Back to the alternative... what do you think about the possibility of devising a new unique password each time, writing it down, and physically guarding it. However, this would just be for the accounts you deem most vital, so a password manager could still be used for less important accounts. I know it sounds inconvenient, and I suppose it would only work if you're not prone to losing things, but could be a viable option?

Exactly, it's always a little disconcerting to have the key to so much sensitive information in one place. I was reading this earlier, mainly to get an idea of what each password manager offers, but then I noticed right the "Residual Risk" heading...:
"Further challenges include a certain dependency on already-prepared data bases as well as the fact that local installations only allow password managers to be used on private computers. Options involving cloud functions are also associated with higher risk."

Seems like a pretty big deal really. Either you go with a locally installed password manager, which sounds far less convenient, or you go for the cloud and risk being the target of a hack. Not ideal! Can someone tell me if I'm missing something here?

I'm with fireberd on this..been doing it that way forever!

I personally use Excel, but there are numerous other options.

Lee

Layback Bear said:

I personally have never had a pencil or paper hacked. When I upgraded to pen; still no hacks.
Maybe I'm just lucky.

Paper works for many people. It would not work for me (and many others). In this old post, I mention that I had just under 400 accounts/passwords to keep up with. I checked before making this post and I'm now closer to 300 accounts/passwords.

The KeePass database is electronically searchable - which is the only way that I can find some accounts. A lot of those passwords are related to those that I support. e.g. I use KeePass to generate a unique/long password for TeamViewer access.

One man that I support uses pen/paper to track account credentials.
His list has never been hacked
His home office burned to the ground :-(
His list was in a "fireproof" safe
His list burned up anyway :-(

A woman that I support was near Katrina. She moved far from there and decided to keep important stuff in a small fire/water resistant safe. That is where her paper password list was when a tornado took the roof off of her 3rd story apartment. She never found that safe. If someone else found it (and got it open), they had lots of important info. We tried to change the passwords on her accounts, but she could never be sure that she remembered every account on that list.

While a fire/tornado event is rare, losing the paper list is not that rare among the elderly that I support. Also, my "clients" have told me that they changed the password on an account and failed to write it down or wrote it down wrong or could not read what they wrote. Whatever happened, they could not get in to a particular account. Systems like KeePass create/save the new password and make a backup of the old password. Sometimes, a password change does not go thru and you need to know/try the old password.

The KeePass encrypted database is a local file, but I back it up to an encrypted online storage provider. Yes, an employee of the online storage provider could get to my KeePass file - then spend years attempting to get into the file.

Back doors into apps are hard to keep secret when there are millions of users of that app. People sell such valuable secrets and buyers greedily use the "secret" over and over and over. Once that happens, the secret is out.

WindowRobin said:

The problem, as I see it, is with having one master password - I know this is supposed to be kept securely by the developers, but I've heard...

There is no master password like that to KeePass (unless there is a secret back door). You pick your own master password to unlock your KeePass database*. Yes, a lot is riding on that password - but consider this: most online account passwords can be reset via e-mail. The password to your e-mail account becomes a master password for all of your other accounts. [Which is why I have lots of different/active e-mail accounts.]

*You can have multiple KeePass databases with different master passwords (e.g. not all of your eggs in one basket). Have the name of the shortcut to each database include a tiny (one character) password hint and maybe a hint as to its contents. For example: P9 could be the shortcut name to the KeePass database that holds credit card account info. The P is for plastic. Plastic being slang for credit cards. 9 might not be enough to help you with a master password, but it works for me.

I, too, have been using KeePass. The UI could stand some improvement, but it otherwise works well.