
What do security minded people do about passwords? It seems like you either use the same password for everything, or you need some kind of password manager, but then I'm always worried about having all my passwords in one place meaning they all get compromised instead of just one.

It also feels like there's a convenience tradeoff with a lot of solutions. I could keep a physical binder full of passwords in my home office but that would be a pain to look up and enter things every time (and a big risk for anyone with physical access to my place).



Bitwarden for usability. Vaultwarden if you can and prefer to self host. Being on the internet you'll have to trust someone at some point. Can reduce risk by combining strong 2FA (not SMS/Email) alongside backing up your vault.

Ensure all your passwords get reset at some point after vaulting, long randomly generated from Bitwarden extension/app is easy enough. Ensure you enable strong 2FA at each service you have an account at too.

https://bitwarden.com/help/setup-two-step-login/

https://bitwarden.com/resources/guide-how-to-create-and-stor...


Passkeys tied to actual hardware, like the TPM-based solution in Windows Hello, whenever possible, Keepass where not.

Keepass DB cloud synced, but the passkey file I use in conjunction with a p/w to open it never leaves the machine(s) it's on. Also, key file needs Admin rights to read, so KP is run privileged, which also protects its process memory space from user-land snooping.


Even better than the TPM in Windows is a hardware FIDO2 or OTP key, I'd imagine. Those cannot be compromised by a virus on your PC in the same way, assuming you don't leave the key in at all times and you only tap the button when explicitly logging into something that would require it.


The TPM is resistant to attacks as well. It requires presence by entering the PIN.


I use a simple algorithm. So you don't actually remember the password; you use the algorithm to produce the password for the site or service. Not perfect, but each password turns out to be unique (mostly). I don't know what experts think about that, but it has worked fine for me.


The problems with this method are numerous:

* If 1 to N password(s) leak the pattern may be obvious leading to your other accounts being compromised

* Not all sites have the same password “rules” so there is no algorithm that works for all passwords without you being aware of the rules of the given site. Rules that only you (may) have access to at signup time.

* Typing passwords out manually sucks (slow and error prone)


Numerous is greatly overstated.

1) only matters if you're a very high value target who is being manually targeted. Doesn't apply to 99.999% of people, who only need to worry about credential stuffing and brute force.

2) Similarly, it's not hard to come up with an algorithm that satisfies 99.9% of websites.

3) To a lot of people, managing a password manager sucks.

I personally do use a password manager and automatically generated passwords, but also understand that for many people it's the better option.


Yes! I'm totally aware, but, for the first point, attacks are generally automated. If someone tries to find the pattern, you are being personally targeted and you have bigger problems. As per number 2, it is true and it sucks big time. As per number 3, I don't really mind much. You don't generally have to use your password every time.
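An added illustration (editor's example, not code from any commenter) of what the "simple algorithm" approach looks like when the algorithm is a keyed hash rather than a memorable transformation: each site password is HMAC-SHA256 of the site name under a master secret, mapped onto a character set. This generalizes the idea in the thread: leaking one site's password no longer exposes the pattern, because the pattern is the master secret, not the output. The names `derive_password`, `meets_site_rules`, `new_master_secret`, the symbol set and the "one of each class" rule are all assumptions made for the example; real site rules vary, which is the second objection above.

```python
import hashlib
import hmac
import secrets
import string

# Character classes most site rules draw from. The symbol set is a constructed
# assumption; real sites differ, which is exactly the objection raised in the thread.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def new_master_secret() -> bytes:
    """A 256-bit master secret from the OS CSPRNG. This is the one value to protect."""
    return secrets.token_bytes(32)


def meets_site_rules(password: str) -> bool:
    """Assumed rule set: at least one character from each of the four classes."""
    return (
        any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def _keyed_stream(master_secret: bytes, label: bytes):
    """Endless deterministic byte stream: HMAC-SHA256(master, label || block index)."""
    block = 0
    while True:
        mac = hmac.new(master_secret, label + block.to_bytes(4, "big"), hashlib.sha256)
        yield from mac.digest()  # iterating bytes yields ints 0..255
        block += 1


def derive_password(master_secret: bytes, site: str, counter: int = 0, length: int = 20) -> str:
    """Derive a per-site password from the master secret.

    The derivation is keyed, so an attacker who sees one site's password learns
    nothing about the master secret or about other sites' passwords. The counter
    lets one site's password be rotated without changing the master secret.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy the assumed rules")
    # Normalise the site name so "Example.com" and "example.com" agree; the
    # counter is bound into the label so each rotation is an independent output.
    label = f"{site.strip().lower()}\x00{counter}".encode()
    stream = _keyed_stream(master_secret, label)
    bound = 256 - (256 % len(ALPHABET))  # reject bytes >= bound to avoid modulo bias
    while True:
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < bound:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        # Deterministic rejection sampling: keep consuming the stream until the
        # candidate satisfies the (assumed) character-class rules.
        if meets_site_rules(candidate):
            return candidate


if __name__ == "__main__":
    master = new_master_secret()
    for site in ("example.com", "bank.example", "Example.com"):
        print(site, derive_password(master, site))
    # Rotating one site's password without touching the others:
    print("example.com (rotated)", derive_password(master, "example.com", counter=1))
```

Two caveats follow directly from the code: whoever obtains the master secret obtains every password at once, exactly the "all in one place" worry from the original question, and the scheme has no memory, so any per-site exception (a shorter maximum length, a banned symbol, a rotation counter) has to be written down somewhere. Once that metadata needs storing, you are most of the way to a password manager.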


I agree that especially with modern LLMs, I would avoid following patterns like this.

Dedicated 2FA on a hardware device seems pretty resilient, I hope more banks incorporate it instead of SMS 2FA. Hosting vaultwarden also seems pretty good because it’s unlikely for you to be targeted, but requires selfhost maintenance.


But where do you store emergency codes? Or secret metadata for things? I think these are common artifacts to accumulate.

A password manager is ideal for these when security is far more than passwords at this point.


> But where do you store emergency codes?

On paper.


Self hosting a password manager is not trivial but definitely doable


They use 1password.



