How long does it take you to enter several keys of 16+ length for a few sites you might to access? A password manager can autofill, retrieve and input keys, provide an OTP in a few seconds.

Where would you store your emergency codes and other secret-like artifacts?

It just seems impractical for a person, let alone edge cases like sharing, or usability concerns like working with secrets frequently throughout the day.

>I've never been hacked, never been locked out of any accounts.

Due to the strength of your system, general digital hygiene, or simple odds? If we're getting really contrived, how do you maintain confidence your heuristic can't be guessed from X plaintexts obtained from breached sites (highly common)? That's kind of like rolling your crypto, isn't it? -- doing it correctly is beyond almost all of us.

I hate having to log into my password manager first before I can log into the service... And I don't like having to adhere to the whims of the password manager about things like changing my password every 6 months or using certain characters... It's really none of their business to determine what level of security is appropriate for me when trying to access my Instagram account which I barely care about anyway. I'm not some billionaire with teams of hackers trying to crack into my account 24/7.

I hate it when I can't use certain passwords because the password manager thinks it should contain certain characters which I simply won't remember.

I hate when trying to log into LastPass with my master password and I can't remember my password and have to try like 10 permutations to find the one in the format that it forced me to use last time that it forced me to change my password.

I hate getting locked out of LastPass and having to go through its 'Forgot my password' flow only to find out that the password for my email account which receives the email password reset link is also controlled by LastPass... And it's only by the grace of god that I had not trusted LastPass to generate my email password for me and I was able to guess it and didn't end up fully locked out of all my services which I need for my work.

That last experience was so scary, I actually wrote down my LastPass master password on a piece of paper and put it in my desk drawers so that I would not forget it. I know this is insecure but that sort of risk profile is aligned with my current non-billionaire status. Somehow, I don't think North Korea is going to send spies to my house to peak into my desk drawers to break into my work accounts...

Also how is remembering a master password any different to remembering a secret heuristic.

In other words, no matter of how well 1Password handles the storing of your master password (encrypted/decentralized or what not), the fact that it does is inherently less secure than something that doesn't store anything at all, such as the case with a secret heuristic.

> In other words, no matter of how well 1Password handles the storing of your master password (encrypted/decentralized or what not), the fact that it does is inherently less secure than something that doesn't store anything at all, such as the case with a secret heuristic.

When I say 1P stores your master password encrypted, it usually does it as an item in the vault. You can easily remove it from the vault and therefore doesn't store it anymore, and you can have the same security as your secret heuristic. Storing it in your vault is of negligible concern.

If your master password is not stored anywhere, there is no way for 1P to know what your master password is - and so no way to validate what the correct password is to access your vault. Even if 1P doesn't store the master password on local disk, their servers, on a hard device, encrypted, unencrypted, or does it completely algorithmically or whatever... it is in fact stored somewhere outside your brain, and therefore more hackable than something that isn't stored anywhere other than your brain.

Given a sample set of passwords derived from a secret heuristic, it could be reversed. The secret heuristic isn't completely safe either. Moreover because it lives in your brain the algorithm is inherently low entropy and the resulting passwords will be as well. Furthermore the old adage applies, don’t roll your own crypto.

> Given a sample set of passwords derived from a secret heuristic, it could be reversed. The secret heuristic isn't completely safe either.

Sure but this isn't the argument being made. As an analogy, not using any E2E is inherently less secure than using some E2E encryption, but using E2E encryption doesn't automatically mean you're more secure. Simply put, you had asked "What's the difference between a master password and a secret heuristic?" And that difference is a master password (or ways to generate it) must be stored outside your brain, and doing this is inherently less secure than not doing this.

To give you a concrete example, 1Password doesn't guarantee you from say, being compromised by a keylogger, and someone stealing your master password (never mind the key which is in fact stored). A secret heuristic doesn't necessarily face such risks. Sure that doesn't automatically mean a secret heuristic guarantees you better security, but that's not the argument.

But the keylogger or malware argument is a lazy one tbh, not only does it affect your secret heuristic as any input password is affected, basically no software can be guaranteed to be safe from malware or keylogger except maybe that running in something like a Secure Enclave or if your OS supports secure entry on certain fields (1P on Mac does this). If you’re in that position you got bigger things to worry about anyway.

But anyways it all depends on implementation as I said. 1P also supports passkey unlock eradicating the need for the master password (secret key stays), so you can still have the security you desire, particularly if you use a FIDO2 security key like a yubikey.