My phone gives me a popup on text boxes to enter credentials. There's also a bitwarden button on my keyboard. I scan my thumb and it signs me in.
On my desktop browser, I get a badge on the bitwarden button when it detects a site it has credentials for. Two clicks signs me in. Three if my session times out and I need to put in my master password.
I have a single unique and complex password that I have to remember, and I have recovery keys stored in a physically safe location.
Bitwarden generates complex passwords with a single click, and has excellent integration with the browser.
Password management is sane. You can just use a good password manager and understand how to protect your single master password. Which basically just means never, ever type that password into anything other than your password manager.
ETA: bitwarden also syncs seamlessly between my half dozen different devices/installs. It works everywhere, and if I really cared to I could set up my own server so as to not rely on Bitwarden's infrastructure.
Nothing will get better because most organizations are on autopilot, only doing "best practices" even when those practices don't make any sense. For instance, typing passwords blind. It exists because CRT terminals had a wide field of view. Flat screens have a narrow field of view, and further, in the form of cellphones, are small and held close to the face. There is no reason to require blind password entry, yet it persists. All of this points to stasis, nothing getting better, and the situation probably getting worse, since there's no upside for anyone contradicting "best practices".
In Europe, there is eIDAS [1], but for now this seems limited to governmental organizations, and well, to Europe.
No there isn’t. Passwords are fine. Password managers are good enough. It takes only minutes to learn the following flow:
1) Reset password
2) Type in the new password into the app (many people are too lazy to do this)
3) Open password manager
4) Copy and paste the password into the text field
That’s all. If people can’t figure this out then quite frankly I don’t understand how they function in other areas of life.
It starts with you managing your security, not looking for someone to dish this responsibility off onto.
I haven’t thought about passwords in at least 5 years since I started using Apple + iCloud. Apple has native password management baked into everything. My face or thumb logs me in, whether I’m using laptop or phone. When creating accounts I just use the auto-fill and generated password.
My grandfather needs help to connect to wifi. Doesn’t own a cell phone. Didn’t know how to get rid of a bad extension. He does just fine with Google.
It's going to take time but people are going to have to get used to needing n+2 things to log into their accounts (username + password + MFA).
Devices which support these authentication methods need to become ubiquitous and their APIs need to be open and widely integrated with, including by web applications and laptop/desktop applications.
There are some hard problems to solve in the way.
You either need to make a central authority that manages the scan data or you need to figure out a way to cryptographically hash the output of a biometric scan such that it can be reliably checked against a stored value in a database. Or perhaps our AI experts on HN could comment on if there is a not too computationally expensive verification method…
But it would be nice. Over time users could remember less.
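The "hash the output of a biometric scan" problem raised above is real: an ordinary cryptographic hash of a scan is useless for matching, because two scans of the same finger never produce identical bits, and one flipped bit changes the whole digest. The standard answer is a fuzzy commitment (error-correcting code plus hash), where the server stores a sketch and a hash of a random key rather than the template itself. The following is an added illustration, not code from any commenter or from Bitwarden or Apple; it assumes a toy biometric that is a fixed-length bit string differing by a few bits between scans, uses a 5x repetition code (constructed choice) as the error corrector, and builds its sample scan deterministically in the block.

```python
"""Fuzzy commitment over a noisy biometric-style bit template (added example).

Assumptions: the 'biometric' is a TEMPLATE_BITS-long bit list that differs
from the enrolment scan by a few flipped bits; a repetition code stands in
for a real error-correcting code. Illustrative only: real schemes use
stronger codes and must account for non-uniform biometric entropy.
"""
import hashlib
import random
import secrets

KEY_BITS = 16            # length of the random key the server commits to
REPEAT = 5               # each key bit repeated 5 times: corrects up to 2 flips per group
TEMPLATE_BITS = KEY_BITS * REPEAT


def encode(key_bits):
    """Repetition-code encoder: every key bit becomes REPEAT identical bits."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword):
    """Majority vote per group of REPEAT bits recovers the key if <=2 bits flipped."""
    return [
        1 if sum(codeword[i:i + REPEAT]) * 2 > REPEAT else 0
        for i in range(0, len(codeword), REPEAT)
    ]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def key_hash(key_bits):
    return hashlib.sha256(bits_to_bytes(key_bits)).hexdigest()


def enroll(template):
    """Server-side record: sketch = codeword XOR template, plus hash of the key.
    Neither the key nor the raw template is stored. (Caveat: because the codeword
    is not uniformly random, the sketch does leak some bits of the template.)"""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    return {"sketch": xor(encode(key), template), "key_hash": key_hash(key)}


def verify(record, template):
    """Unmask with the fresh scan, error-correct, compare hashes in the usual way."""
    recovered = decode(xor(record["sketch"], template))
    return key_hash(recovered) == record["key_hash"]


def naive_hash_matches(template_a, template_b):
    """What a plain 'hash the scan' design would do; fails on any bit difference."""
    return key_hash(template_a) == key_hash(template_b)


def flip_bits(template, positions):
    noisy = list(template)
    for p in positions:
        noisy[p] ^= 1
    return noisy


# Constructed enrolment scan (deterministic seed so the demo is repeatable).
_rng = random.Random(12345)
ENROLL_SCAN = [_rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def demo():
    record = enroll(ENROLL_SCAN)
    # 5 flips spread so no 5-bit group has more than 2 errors: within tolerance.
    within = flip_bits(ENROLL_SCAN, [0, 1, 7, 13, 40])
    # 3 flips inside the first group: majority vote now returns the wrong key bit.
    beyond = flip_bits(ENROLL_SCAN, [0, 1, 2])
    return {
        "exact_hash_same_scan": naive_hash_matches(ENROLL_SCAN, ENROLL_SCAN),
        "exact_hash_noisy_scan": naive_hash_matches(ENROLL_SCAN, within),
        "fuzzy_same_scan": verify(record, ENROLL_SCAN),
        "fuzzy_within_tolerance": verify(record, within),
        "fuzzy_beyond_tolerance": verify(record, beyond),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

The point of the comparison is the middle two lines of the output: the plain hash rejects a legitimate noisy rescan, while the fuzzy commitment accepts it and still rejects a scan outside the code's error budget. The error budget is the security knob: a code that tolerates more flips accepts more impostors, and the sketch itself is sensitive data even though it contains neither the key nor the template in the clear.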
1. They would not believe it works
2. They would steal my clear text file containing all my secrets.