Why should I trust password managers?

I don’t trust or use SAAS password managers. They are massive honeypots just waiting to be pwned and everyones’ passwords to all their websites stolen. They have above average security, but unlike a typical website they can’t just store a one-way hash of passwords that remains secure even when stolen, they have to store the actual password.

I imagine nation state-supported malicious hackers are targeting them. Everything else is getting breached and leaked these days, there’s a non-trivial possibility these will too.

I just use KeePassXC instead, and periodically ‘sync’ the database across my workstations and laptop. And by ‘sync’, I mean manually export the database and rsync it around to my workstations and laptop and re-import it on each. But given how infrequently I create new web accounts, this isn’t a major hassle. It works fine, I don’t need some centralized service for this.

Something I've not seen come up yet: a password manager that's integrated with your browser is a good defence against phishing.

Because it'll only offer passwords for sites that match the entry, defaulting (most often) to being the same domain, if you come across a phish then it won't offer the site at all. This is fairly similar to the "trust on first use" that SSH gives you, which some folk were wishing might have existed for SSL certificates the other day.

Unfortunately some sites require you to "log in with your ... credentials" rather than doing SSO. But you TOFU those, too, once you've verified they're legit.

Happy Bitwarden user here: the software is all Free, but I trust the company to run their servers securely more than I trust myself to, so I pay them to do so. Extra benefit: if I lose all my infrastructure, I haven't lost my passwords.

I'm surprised by so many of the comments here out-of-hand dismissing or denigrating any password manager that stores data in the cloud. There are ways to store data securely, one of the simplest methods is to do zero-knowledge encryption of that data by way of key-generation from a password only the user knows at the time of decryption. This is essentially how the vault functionality of most password managers work, whether that vault is stored locally or not. They used something like PBKDF2 to generate the key used for encryption from your password.

There's no such thing as perfect security, but as a security-minded person I see nothing there to concern me simply because the data is stored in a company's S3 environment vs on Dropbox vs on my local disk. Presuming that the software itself has not been maliciously modified to leak the key, then regardless of where the data is stored it either requires breaking the encryption or finding the password that generated the key in order to access the data. My local disk is no more secure in that aspect, except that I may have the illusion of control. Availability is also an aspect of data security (in the CIA triangle) and a cloud provider that properly replicates and manages backups of data is more reliable than my local disk in this aspect and a fair trade-off for data I likely want to synchronize across systems and devices (phone and laptop, at minimum).

Why should you trust a password manager?

For me, it's pretty simple. I don't use social login, and I use unique usernames (most of the time) and passwords (every time) for hundreds of sites I've created accounts on over the years. This is because breaches /will/ happen, and password re-use is probably the single largest issue for user security, including for "power users" like myself. A password manager of /some kind/ is basically required to have unique passwords across hundreds to thousands of sites. Certainly, there's more to it, and you need to figure out your own threat model and trust constraints, and I can't solve that for you. But as far as I am concerned, if I have a reasonable assurance that the right algorithms are used and those algorithms are correctly implemented by the password manager software, I see no reason to distrust it.

https://www.passwordstore.org/

gpg "make-key"

mkdir -p ~/.passwordstore/foo/bar

echo "hunter2\nusername: hunter@hunter.com\n" \ | gpg "sign" > ~/.passwordstore/foo/bar/entry.gpg

gpg "decrypt" ~/.passwordstore/foo/bar/entry.gpg

tree ~/.passwordstore/

--

Basically, "passwordstore" is pretty trustworthy, open source, reasonably inspectable, and kindof automates the above steps in a decent CLI (and has a nice git integration for syncing).

There's another plugin: "password-tomb" which basically adds in a "zip -r tomb.zip ~/.passwordstore && unzip tomb.zip" with some extra encryption blobbing around things.

I'm nudging towards wanting all that "junk" stored on a mostly-offline (or read-only USB, or doing something with fetching encrypted secrets over the network), and trying to figure out in a temporary ram-disk to try and reduce exposure-time.

The reason it feels pretty good for me is that it degrades gracefully and can be used with standard tooling. It's totally possible to have a script which does: "foreach password => unlock && dump && append-to-pdf && qr-code => print.pdf" and print that out at intervals, so it's got great survivability characteristics. It allows me to self-host even completely offline using git. If I have the GPG key, I can recover the passwords w/o any tooling. Really it's kindof my ideal situation for trustworthiness.

Bruce Schneier has written extensively on the subject (and has written a password manager so he knows what he's talking about):

https://www.schneier.com/blog/archives/2019/02/on_the_securi...

https://www.schneier.com/blog/archives/2019/06/risks_of_pass...

I will tell you a good reason to trust password managers. I know a lawyer who does estate planning. When you start talking about "what happens when I die", passwords are a class of problem that has only gotten worse in the last 2 decades. There are legal ways for estate executors to request passwords, but it is a pain, and can be time consuming. She tends to recommend password managers because they tend to be more consistent than written down passwords in a safe. Further, having a password manager, where someone can be designated as a trustee makes executing a will considerably easier.

Now, none of the above necessarily makes password managers safe. The increasing legal scrutiny that password manager providers face, means that they will tend to be relatively safe, but they're still a single point of failure. At some point you need to decide what trust level you want though, security is a lot about tradeoffs, and ease of access is always at odds with keeping things safe.

I use a password manager for the hundreds of accounts I have where security is not super important. Mostly as way to not have to reuse passwords (credential stuffing now makes up a significant amount of attack traffic), nor fight the varying password requirements ("shoot, did this website require a special character?"). Tbh, it's nice to have one less thing to worry about. For the increasing number of sites which require 2fa, it also let's me keep a totp token accessible from all my devices.

My most secure accounts use their own individual, memorable, secure password.

I do fear that even if my self-hosted password manager is secure today, there's nothing stopping a malicious update to that software which could exfiltrate all of my passwords.

It sounds like to me that there are three types of people:

* Layman who reuses passwords unless a techie friend convinces them to use a PW manager.

* HN user who either uses a SAAS password manager or sets up their own system to solve the issue of syncing a password store across devices.

* Those who actually have state level secrets or living under an oppressive regime and thereby don't trust even the networks they connect to.

Just an observation; not making any statements. But if I were to make one, it's to know your own threat level and find the security vs convenience compromise that works for you, and educate your friends & family.

Because if you don't use one, you'll almost certainly instead either reuse passwords across sites, store passwords insecurely, or choose weak passwords.

Why are people talking like the choice is between cloud password managers (potentially insecure) and no password manager (impractical unless you reuse passwords)? There's a third option - a local password manager like the one built into your browser. Its one disadvantage versus the cloud is that you have to reenter your password on each of your devices. For normal people who have maybe 2 or 3 devices and don't change their passwords very often, this is a trivial obstacle.

At the bare minimum, you should trust the password manager that comes with your web browser. After all, you trust your browser enough to type your passwords into it.

I personally just use the Safari browser together with Apple's Keychain.

IMO it's strange that people use cloud-based password managers. Companies like 1Password have all your passwords in their cloud. So they are an enormous target.

I use enpass, and am in charge of my own syncing and storing in the datastore of my choice. I personally prefer this model.

The reason password managers help your opsec is not because they can store passwords..but because they can randomize passwords, too, and per website.

If one of those web services is compromised, the other accounts and credentials stay unaffected.

And humans on the other hand have maybe 2 or 3 passwords based on some imaginitive sense of "how secure and trustworthy" the website is...only to realize later that their paypal password ain't that secure, and that now all other "secured" accounts are compromised, too.

I mean, BreachCompilation and Collection No1-6 have shown us not only the passwords to accounts, but the patterns specific people use once their passwords have been compromised and what they add to their patterns when they are forced to change their passwords after a breach.

And let's just leave it with humans are not good at remembering special characters, and they do like counting a lot.

I use pass[1], which is a command line tool to store gpg encrypted passwords in a local git repo.

I share the git repos between different machines using my own servers. All remote mirrors are synced over SSH using git-remote-crypt[2], which additionally encrypts all remotely stored files - including the metadata (e.g. paths and file names of the files) of the remote git repo itself.

On mobile I like to torture myself and enter the passwords manually.

I definitely wouldn't trust any SaaS password manager.

[1] https://www.passwordstore.org/ [2] https://spwhitton.name/tech/code/git-remote-gcrypt/

It depends on what you mean by password managers and trust.

If you have an application that you trust (be it track record, inspection or known-good controls), and that application happens to also be a password manager, then the trust in the manager itself should be fine. If, however, you use a third party service, i.e. something managed by a company that holds your data, that is a different topic because you're talking about trusting a company.

A password manager can be KeePass on your local FDE storage medium. A password manager can also be a web app hosted elsewhere. It can also be both. You can even mix it up and have the storage medium be remote storage in stead of local storage.

If you currently have a file called "passwords.txt" stored in a public S3 bucket, that would be your 'own method' but would that really be good? Or perhaps you have an RSA-wrapped AES-encrypted spreadsheet you store locally with no back-ups, also possible. Too many unknown parameters.

At the end of the day the solution that gets you strong unique passwords per entity in a way that you don't lose access to personally but also don't give unwanted access to towards third parties is better than not having a solution at all. (this includes physical paper password books, those are 'unhackable' after all)

I once got an account hacked because I reused a password. Since then I only generate passwords and use a SaaS password manager. I got informed about leaked passwords multiple times by the service which saved me time and maybe even money.

Managing them in the cloud is the easiest way to keep the passwords with me. I trust those services because I am lazy, my own solution would just be obscure and self-managed solutions would probably give me headaches in multi-device or multi-user scenarios (I share many passwords with my wife).

With a payed subscription SaaS solution I can expect that the provider has a huge interest in keeping my data safe from criminals. It's their biggest selling point.

Like most of the posters here, I trust my local password manager (keepass) for the most part (well, if my personal machine is compromised to the point where I don't trust programs running on it, I guess I'm truly boned).

I have recently started putting some low-value (social media) passwords in the firefox password store, just for autofill convenience. Does anyone know if there are some massive landmines to this sort of thing?

You don't "send" your password to the manager, you enter it locally. Ideally, it never leaves your computer, so it is far less likely to 'leak'

The database is encrypted, so if someone were to hack them, they would at least have some (hopefully major) issues decrypting it all.

I'm very low tech : I use a small paper notebook (see link below, I don't know the proper term in English). It's absolutely unhackable unless someone breaks in my house which I'm not too much concerned for (my security profile is "random Joe").

I would not trust something in the cloud.

But at one point you have to trust something, learn to let go or do without.

I'm too lazy to work on the "memory palace" thing, but it might be the best solution: portable, secure, free.

https://media.cultura.com/media/catalog/product/cache/1/imag...

Because my passwords are stored in the cloud but they are only decrypted on my PC. If a nation state or another attacker gets into the password manager I use, they have my encrypted passwords just the same as if they rooted some Linux box I have an account on. The stakes are roughly the same.

A passsword manager (PM) makes random passwords easier. A PM keeps me from re-using passwords. A PM gives me a relatively secure place to store vital information, and it also lets me use it on multiple computers and stays in sync.

Do I trust them implicitly with everything? No. That would be foolish. It's a calculated risk, and the benefits outweigh the risks.

If you don't trust password managers you're trusting something else. You have to take that into consideration and weight in versus your threat model.

And you probably don't even need to trust a password manager with every password you have, you can keep just the random 200+ logins you probably have for weird websites. And keep banking, emailing and the other important stuff away from it. Also, you don't even need to have your password manager store the actual passwords there, you could "pepper" what is stored so you transform it after you paste it to the website.

https://www.passwordstore.org/

I trust a local password manager, namely KeepassX running on my linux laptop. It's an open source dedicated piece of tech running on the local box, so I figure my trust model extends at least this far.

Otherwise, no, I wouldn't trust a commercial password manager with automatic sync on to someone else's servers. I also don't trust the browser enough to put an extension in it that has the keys to my password database.

It's a tradeoff. I get a nice level of security, but it's not 100% seamless. Without autofill, I often need to start up the password manager, search for a site, copy and paste password into the browser. (I just had to do this to log into HN.)

For some sites, I let the browser also save the password, which I treat as just a cache of low-value passwords. And the encrypted password manager database gets occasionally synched into gdrive, so I can also access it from my smartphone using the appropriate app.

Been doing this for 5+ years at this point, and it works for me... can't even remember what on earth I did before. Probably passwords in tiny plain text files.

Everything is a risk reward calculation.

Convenience vs security.

The balance i struck with a self hosted instance of bitwarden has been good for me.

I run it.

It’s open source

It’s third party audited

Company has a good history generating trust

Did I mention I host it?

"Should" is an impractical word. "Would" is better.

One would trust a password manager as a result of their obvious social media login getting all their friends spammed.

One would trust a password manager as a result of someone finding the post it documenting their bank credentials.

One would trust a password manager as a result of missing out on an opportunity for forgetting a login and having to wait an ungodly number of hours due to an inconveniently timed DNS upgrade leading to a long delay in the password rest email's arrival.

Nobody trusts password managers because of something essential to the password manager or the concept thereof, we trust password managers because we have experience or can imagine experiencing the fallout of our own credential mismanagement in the face of increasingly complex security demands resulting not always directly from increasingly sophisticated attacks. It reduces our cognitive load slightly and focuses otherwise diffuse anxieties.

I trust password managers more than my ability to remember a strong, unique password for each of the 200 sites in my password manager, and more than my ability to identify URL phishing attempts 100% of the time. I use Firefox' built-in password manager because it's hard to write a secure content script in an add-on password manager[1], and because Firefox Sync encrypts passwords before uploading them to the web[2]. I also know that, if my password manager is ever breached, my most important accounts are also protected by 2FA.

[1]: https://lock.cmpxchg8b.com/passmgrs.html [2]: https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

This question is incomplete without expanding on your "methods for safe handling of passwords on the web." Tell us what those methods are, and you'll get some thoughts on whether you should or shouldn't trust them.

Password manager anxiety is a thing. Maybe you're worried that you'll lose the vault, or that it will be hacked. I didn't like the idea that I couldn't log into something without it. The problem is, without a password manager, my passwords sucked. I had a core secret that I sort of salted for each site.

So my reason for using a password manager (KeePassXC with SyncThing, if you're interested) is that it's better than the alternative.

Honest question: Why browser's integrated password managers (such as chrome's) are not considered an option for most companies which ask you to use 1password, etc?

Taking out of the equation that maybe google can read your passwords... from the endpoint/laptop point of view itself, is it any less secure than those 3rd party password managers? My understanding is that, for example on OSX, they store them in the OS keychain anyway, right? What's so wrong with that?

I don’t trust password managers — I use them to store only half of each password. I have a changing algorithm to derive the other half from the site’s name in my head.

This allows me to securely copy paste the first part, then securely type the second part. Also, even if someone has my password database and a full password or two, they still wouldn’t trivially have all the other ones.

I might be minority here, but I prefer Bitwarden because of it's seamless ability to sync passwords with my wife. There's no way she's going to use something complicated or non-intuitive and she mostly uses iOS. We have nothing to hide from each other so all of our passwords are in the same vault. We also use the secure notes functionality to lookup important family info.

It's a convenience vs. security tradeoff. The fact is, most people can afford to adopt a flawed security model to give themselves greater convenience, because most people aren't being specifically targeted and attacked. I doubt many people realize that they are making such a tradeoff, but that's more about dishonest advertising...

I trust my password manager (keepassxc) because

(1) I believe in the fundamental goodness of humans.

(2) I believe that keepassxc being a Free Software, was made with honest intentions by competent people.

(3) That human society should be organized on the principle of mutual aid, and that involves trusting (initially at least) those who say they intend to aid you.

I use KeepassXC. It's free and open source, and local-only: my password file never touches the cloud even in encrypted form. It has hundreds of account credentials in it, along with other notes like security questions and which email I used for signup. The random password generation feature is a godsend: we all hate those security policies that ask for "at least one lowercase, at least one uppercase, at least one number, at least one special character, between 8 and 20 characters long" or some such outdated nonsense. I can tell it to generate a random password meeting those requirements, saving me the hassle of doing it myself. Or I can ask it for a 6 word long diceware phrase, for sites enlightened enough to support that. It makes my online life massively more convenient and secure.

Your decision here is based on balancing security and convenience. It's a tradeoff that you have to decide on based on your situation.

Most average users are willing to trade the upside of the SaaS apps (sync is easy and pretty secure) for the downside (have to trust a third party like 1Password, that they won't send you a malicious client that slurps your master password).

We're technical, so we can use Password Store[0] and avoid the downside of the SaaS programs (have to trust a third party) while still having sync. If you're pissing off entities who might conceivably blackmail or hack 1Password, Password Store is the bare minimum.

[0] I'm not addressing that Password Store doesn't encrypt the sites it has logins for, just the fact that it doesn't require entering your master password in a web page.

I don't trust them and use an offline virtual machine on Qubes OS to store my passwords instead.

If you are concerned about using unfamiliar and complex cloud software:

A very reasonable option is ccrypt, which gives you dirt-simple command-line password-based encryption for text files (or any other files). It's available for most linux distros, cygwin, homebrew, etc.

Personally I use my own homemade text editor with built-in AES-256 password-based encryption. It's about as trustworthy as I am, and a tad more friendly than ccrypt.

In either case cloud storage is easy; for example a github repo is nice (preferably a private one) because you have backups automatically in case you mess up, which I have done. I don't use my phone for critical work in the first place (can't trust 'em) so I'm not worried about integrating that.

I run a self-hosted instance of a Bitwarden compatible server. It’s only available locally on my local network. So, when out and about, I VPN back home.

Not sure it’s the best way to do it, security wise, but it’s what I found works for me in a security/convenience trade-off

What other option is there? When you've got over a hundred different random passwords, at some point you've got to manage those, so you use a manager.

Though I would never recommend a service-based one, just use something like KeePass and sync that file.

Because others do. Or maybe they make themselves feel like they trust because of the convenience of password managers. After all, we have to draw a line somewhere or just quit using Internet.

IMO if we're talking about security you should ask other questions. How much can you trust a device after Jonathan Brossard's Rakshasa paper? What about evidence-based trust and bunnie's Precursor? Would having a password manager app on Precursor be actually more secure taking into account that your stuff is going to be decrypted on a less protected device?

There are offline capable ones that basically protect your passwords via an encrypted file you know the password for, I've seen this for Android and Desktop, not sure about iOS but I would be surprised if there wasn't. There's open source ones like BitWarden as well which I use. You can quite literally fully manage your password manager yourself. Then you have Firefox's rolled out instance, where if you forget your password, the moment you reset it, you lose all the saved passwords. They can't recover it because it is encrypted with your password.

I trust the one I wrote for myself. I would have a hard time trusting a 3rd party tool without a lot of insight and feedback as to its design and implementation, and credible assessments of its trustworthiness.

You don't need to trust all of them. You might have been wrong to trust lastpass a few years ago as they got hacked, however something fully open source like bitwarden builds trust through sheer code. It is truly end-end transparency. You're welcome to look at it if you'd like.

I count on their cloud to host my data but might as well switch to the hosted version. If you have multiple devices with the app installed you should be able to have at least one device that still holds all your data should bitwarden ever go down.

You should not trust password managers with critical stuff.

Even if the product is secure. Even if it actually does end-to-end encryption. Even if it is open-source and you can audit code.

Even if all of the above are met, somebody still can upload a malicious package or commit malicious change that gets propagated to you.

It is probably fine to use password managers for stuff where damage would be limited (accounts to low value things).

But for stuff that matters I know of no better system than a piece of paper, a tamper evident envelope and a logbook.

A Password manager that only has a local "vault" and simply syncs an encrypted file a much safer security wise way to operate. The BIG question is whether the remote server does any processing of the websites (for spam, malware etc) in which case it decrypts the website name. That becomes a big temptation to log and on sell. Not the logon password just the address. Having an emergency access code or method is just another security hole.

I have the exact same question for these ad blocker browser plugins. You go to install one of these things and get a warning that the plugin will:

    Access your data for all websites
    Read and modify privacy settings
    Access browser tabs
    Access browser activity

No thanks, I just use a pi-hole, something that I own and control.

I am less concerned with the password managers, as I actually pay for those.

Remember if it’s free, you are the product.

I don't trust password managers at all. I ended up creating a trust-less password manager for myself (which generates passwords based on a master password and a service name one-way hashed). You can check it out here (but probably don't use it, I don't want to be responsible for your password security): https://horuspass.com

Why do you trust that your car wont explode when you turn it on in the morning? Or, that you food is not actually poisoned? Same reasons apply.

I self-host Vaultwarden[1] on a $6/mo DigitalOcean droplet. It took awhile to set up, but I know that I control the data, the backups, and the security. I made this decision after trying LastPass, which turned out to be a buggy piece of shit.

[1] https://github.com/dani-garcia/vaultwarden

You don't need to trust them. I use "pass" (https://www.passwordstore.org), a simple CLI password manager that operates using a GPG key you control (which I have on a Yubikey). Then, you can upload the GPG-encrypted password store wherever your want in order to sync-up your passwords.

Well, if one's using a Mac and iCloud one already trusts Apple. so no additional trust needed to use iCloud Keychain I guess.

Password managers that respect their users, will encrypt their data on their device and prove they do so by being open source.

I personally wrote my own https://almondpass.com/

I have implemented a syncing solution but registrations are not public yet.

I just checked my Keepass database and it has 192 entries. 192 unique, actually secure passwords. Without a password manager it would be a necessity to reuse passwords or have otherwise insecure passwords in some form.

That's why I use a password manager. The small annoyance it is to keep the db file synced is well worth it.

Personally, I use pwd managers as a convenience thing. My main accounts (bank, email, git, domain, or any other admin lvl thing) I either memorize or write down irl and use 2fa. Other than that yea I use password managers with the acknowledgement that it may get hacked but so would I at any point too.

Never do any kind of clever scheme with passwords, the other side might be storing in plaintext, have misconfigured logging etc.

My isp does store them in plaintext :), the support person read my password to me while fixing an issue with the account(you can guess which language their webpage is in).

You could do that salt and pepper thing found here: https://passwordbits.com/salting-passwords/

This way you don't store your full password in your password manager.

My biggest fear with a local password manager is a keylogger stealing the master password. I wished local password managers had a way that they would only disclose a single password when using a yubikey rather than opening/decrypting the whole vault.

I use 1password for the convenience they offer.

However for important accounts, I use 2FA with yubikeys or codes that are not stored on 1password. Just in case.

Especially for non-tech family members and friends. Its either an easy password manager or using the same password everywhere.

This is why people design password managers with "Zero Trust Architecture" and it is open source and auditable. Now what have you to lose?

The comment section is full of false dichotomy of no PM vs vulnerable ones like SaaS based ones.

You need a unique, strong password for every service. Humans are bad at creating unique passwords and bad at memorizing hundreds of unique passwords. Machines are good at both of these. So why would you trust your methods?

Because I too had "my own methods for safe handling of passwords on the web", but eventually realized that's a fallacy. Unless you're some memory palace super champion, you're probably using an underlying pattern to remember all your various passwords, perhaps without even realizing it. I didn't realize it until I started using separate passwords for everything, and "everything" started multiplying exponentially year over year. Only then did the pattern emerge to me, and only then did I realize it would emerge to a computer algorithm in about 1 femtosecond flat.

There is no more convenient "safe handling of passwords on the web" than a password manager, in my experience. That said, if you know of a better, but at least as safe, way, then please share.

Insert shameless Bitwarden plug here.

I use SaaS password managers and I don't trust them. That's why I have MFA enabled on all of my accounts and logins can only be authorized through the authenticator app installed on my phone

Why do you trust your cpu, firmware, OS, and all the layers of code then ?

Keepass is offline, opensource and quite simple: an encrypted list of passwords you can open and copy&paste from. No lock-in, easy backups, simple threat scenario and hence easy to trust.

I trust password managers more than I trust my ability to write down every password I might need again, and somehow not lose that notebook or leave it somewhere for someone to read it.

If they hack my PC, they can keylog my passwords, so I do not fear this single point of failure. And without that, password managers just allow me to generate secure passwords

I don't. You can easily set up your own.

https://github.com/dani-garcia/vaultwarden

Pass is a small bash script

https://www.passwordstore.org/

You can read it and make sure you are comfortable with it.

You can host Bitwarden yourself if you want to and trust no one.

I use an offline only open source password manager so I don't have to trust it. That and backing up the database solves the issue entirely

I'm actually scared about trying password managers, they might actually be infiltrated and release your sensitive information?

I really don't know. I barely trust the one I built myself, especially for the automatic, cloud based ones, I just don't know.

You shouldn't [trust SaaS password managers].

Trust local password managers working on local files that are synced via Google Drive/Dropbox.

I think best and safest practice would be using memorizable, random password such as those created by passgen.

The question also applies to other software.

Do you trust your backup software placing your encrypted data at the feet of NSA (cloud storage)?

Keepassxc and strongbox (iOS). Both are open-source, I manually sync with iCloud + local backups on each device.

> passwords on the web

password safe isnt on the web.

I trust hosted Bitwarden because it is open source and uses zero-access/end-to-end encryption.

i am the author of a password manager which you don't have to trust: https://www.ctrlc.hu/~stef/blog/posts/sphinx.html

autofill is the most important bit.

I trust a centralized solution more than anything I could do myself, plus the convenience ig

Never think of this before but I just get used to the pw ms of google...

They are fine as long as you don't have anything crypto-related tied to them

Why do people use paid password managers when you can just use firefox's?

I don't trust them. I store passwords locally on my machine (encrypted).

Differently, why do people trust closed source password managers?

> I've been having my own methods for safe handling of passwords on the web.

I use a local password manager, KeePass: https://keepass.info/

It's probably the only good middle ground for keeping track of passwords, SSH certificates and other data: a password protected local database that i can move to USB sticks or SD cards for backups, or keep inside of an encrypted 7z archive, or a VeraCrypt file if i cared that much.

You not only get to have a simple way to use it (it's just a file that's compatible with the software, like SQLite is also really easy to use), but also get to pick where/how you want to store that data in an easy to understand manner.

Right now it's great for all of my vaguely relevant access credentials, from numerous e-mail accounts, to online shopping accounts, to even access data for online platforms, hosting solutions, servers etc. with as many separate databases as i choose.

In my eyes, it's also really great for letting you randomly generate secure passwords - i don't know almost any of the non-essential service passwords and because it's so easy to generate new ones for accounts, i'm not plagued by "password-reuse-itis" either. When coupled with 2FA, it's pretty decent from a security standpoint.

It also has a clearly understandable attack surface - infected password manager binaries, stealing passwords when in memory or malware on the system (like keyloggers, clipboard watchers), someone stealing the database AND the master password, asking me nicely for it with a 5$ wrench: https://xkcd.com/538/

For why people use web based ones which aren't so clearly understood or dependable (your list of risks would be a lot longer with those), i'm not sure. It's probably just convenience.

I am in the minority I know, but I don't trust them.

icloud/keychain and KeePass, im surprised people trust other pwd managers

A password manager creates a single point of failure of all your passwords.

Nope.

So, I think in-general, the answer is that for a question like this, you need to start from doing threat modelling, and work outward. Threat modelling is the first step that must be conducted, and then you can find solutions that fit your needs from that.

For most people, the biggest threats that come from passwords are: data breaches (compromising reused passwords), human memory limits (you can't remember high entropy passwords easily, in general), and an ever-increasing demand for both high quality passwords and unique passwords.

If you look at these threats from the perspective of most people, a password manager works well! You don't have to worry about breaches, memory limits, or even password generation. You can just generate-and-store random passwords for every site that meets their requirements, and walk away.

But that doesn't mean that that's the end of threat modeling. Other risks that you're probably thinking of are the security of the cryptosystem involved, bugs in the application, and fear of backdoors. These are valid threats, but for the vast majority of people, they're mitigated by other reasons, or are non-factors.

To give an example: a password manager that most cryptographers would laugh at is writing your passwords on a sticky note. Yes, that's bad from a cryptography standpoint, but if you make a new unique password for each site, and each one is sufficiently long and complex, you've actually mitigated the threats involved with password reuse, memory, and complexity. But you've also made it impossible to steal from a cryptography backdoor, and the barrier-to-compromise involves your physical space being violated. But again, if you ask a cryptographer, or even most security professionals, this is a bad idea, because you're still risking physical compromise if...you work in an office, have kids, don't guard your home, etc.

A lot of people dislike 1Password's decision to store passwords in cloud storage. This is a real risk, because a cryptosystem backdoor would create danger. If you use a password storage app with strong cryptography, and store the passwords in a completely benign location (e.g., a network share, some random cloud storage provider), you can decouple the cryptography from the storage, which brings some safety.

Now, back briefly to your question: why would people trust a completely SaaS password storage provider? Well, for me, it's that I know that Google Project Zero exists, and they do a lot of research into third party apps. I sleep easier at night knowing that lots of smart people are invested in trying to break 1Password's cryptography, and have thus-far been unsuccessful. Sure, a government might have a secret backdoor that I don't know about. But in my threat model, the government could just come arrest me for violating a non-disclosure agreement I've signed, and hit me with a wrench.

In summary: for the vast majority of people, the threats that come from "memorizing passwords" are mitigated by password managers. Heck, you even say you have your "own methods for safe handling of passwords". I would argue that you have a password manager, it's just more DIY than something off-the-shelf, and that's fine!