Password Management Options: Are managers really necessary?

It is unclear to me if password managers really are the best way to store passwords. I can certainly see the utility of cloud-based password managers in the context of organisations which involve many people using many devices. But these, of course, require trusting the security of a 3rd party’s servers, which I know many here would rather not do.

Which leaves us with KeepassXC. I think passwords can be similarly secured and inputted through alternative methods:

  1. Passwords can be stored in an encrypted document. For example, Libre Writer and Libre Calc allow you to password encrypt a file, using the same encryption method as KeepassXC (AES). Alternatively you can keep the file unencrypted, and store it in an encrypted Veracrypt container. Passwords can be similarly hidden by formatting the cells (in LibreCalc) with a strikethrough - allowing you to copy and paste them without the camera behind you, or an adversary who can access your screen, seeing what the password is.
  2. To save you from having to copy/paste passwords, the KeepassXC browser extension is usually recommended. But this requires adding more software to the chain, especially in the case of Flatpaks, which require the installation of a 3rd party proxy to allow for communication between the password manager and browser. Especially in the case of passwords, the fewer things I must trust, the better. With that in mind, I do not see how the following alternatives are not comparably secure:
    a) Browser’s native password manager.
    b) Saving cookies in browser for that site, to remain signed in.
    These alternatives require trusting the browser, yes. But so does the KeepassXC browser extension. Couldn’t an adversary who hacks the browser equally gain access to the KeepassXC data, the browser’s native password manager, and the already logged in cookies?

Also worth mentioning, the complexity of the KeepassXC interface is daunting. I see more of a risk of making an error here, than with a spreadsheet.

All things considered, I think I’m better off without a password manager. Option 1. seems very secure to me, provided I use a good master password which I remember. But maybe I am missing something.

What is your opinion?

1 Like

Password managers are intended for the purpose so yes they are worth it.

Potentially your entire spreadsheet could be stolen by malware, meaning you have everything open. Password managers like KeepassXC make it a lot easier to look up a particular record, and get reports on password reuse.

As far as cloud password managers, the ones we recommend are fine, the data is encrypted with very strong encryption prior to being uploaded. Unless you’re making offsite backups, this is probably actually a good idea, because it is more likely your house will burn down than the encryption will be “broken”, particularly in the case of BitWarden and 1Password that undergo regular auditing.

1Password probably has the better UI out of all three though.

3 Likes

Important note: just because something uses the same encryption method it does not mean it offers the same security - it needs to be implemented correctly as well. There are quite a few things that can go “wrong” if you don’t have a background in cryptography and don’t really know what you are doing.

2 Likes
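
What the point above looks like in practice, as an added example that is not part of the original post: both functions below produce a 256-bit AES key from the same master password, yet only one is salted and costly to guess. The sample password, salt size and iteration count are assumptions chosen for illustration and do not describe how LibreOffice or KeePassXC derive their keys.

```python
import hashlib
import os
import time


def weak_key(password: str) -> bytes:
    """256-bit key from one unsalted SHA-256 pass (fast, repeatable)."""
    return hashlib.sha256(password.encode()).digest()


def strong_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """256-bit key from salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=32)


def seconds_per_derivation(fn, rounds: int) -> float:
    """Average wall-clock cost of one key derivation, i.e. one guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def compare(password: str = "correct horse battery staple") -> dict:
    # Constructed sample password; two random salts stand in for two files.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    fast = seconds_per_derivation(lambda: weak_key(password), 2000)
    slow = seconds_per_derivation(lambda: strong_key(password, salt_a), 2)
    return {
        # Both keys are the same size, so both count as "AES-256".
        "key_bits": (len(weak_key(password)) * 8,
                     len(strong_key(password, salt_a)) * 8),
        # Unsalted: the same password always yields the same key, so one
        # precomputed guess list works against every file.
        "unsalted_keys_repeat": weak_key(password) == weak_key(password),
        # Salted: the same password yields a different key per file.
        "salted_keys_repeat": (strong_key(password, salt_a)
                               == strong_key(password, salt_b)),
        # How many times more expensive each guess becomes.
        "slowdown": slow / fast,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
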

I think password managers are essential for password management.

Using documents to store passwords lacks quite some functionalities offered by password managers like KeePassXC, such as password generators, HIBP integration, attachments and notes support, thumbnail support, lock upon device suspend / timeout, extension support, TOTP support, etc.

Some functions like grouping / tagging / expiry dates support can be added to documents (i.e. spreadsheets) using functions aka formulas, but you don’t need to go through all that hassle if you use a password manager.

Also, application layouts on mobile devices for password managers are much more optimised for the use case and support autofill features, which cannot be offered by generic document formats.

In terms of data security / privacy, I think not saving passwords to system / browser is already a huge improvement.

2 Likes

The issue comes from the human component in the whole process. We know humans will gravitate towards the easier option (uses less brain calories), become complacent (more efficient neuron pathways), etc.

From what I am aware, KeePass allows for further encryption options beyond LibreOffice (I am not an encryption expert).

KeePass has benefits beyond the LibreOffice setup. Automatic clearing of your clipboard cache. Requiring a hardware security key to decrypt the password database (a key which you can hang around your neck). Two factor authentication support. As @dngray points out, password managers were literally built for the sole purpose of adding security to your local passwords. The cloud hosting available everywhere feature was tacked on after the fact.

You aren’t required to use the browser extension. People have different threat models.

> In terms of data security / privacy, I think not saving passwords to system / browser is already a huge improvement.

If the browser is hacked, couldn’t the hacker have access to the password manager if they are linked with an extension? I presume not, but I just haven’t seen it explained anywhere.

You can follow my lovely company’s security team’s advice: memorize all the passwords because it is not hard to remember them, even if you have 30+ accounts with unique passwords.

3 Likes

Technically reputable password managers are typically designed with the assumption that servers will eventually be compromised (and the Lastpass Breach shows why that is a prudent assumption) and users should approach with this mindset as well. An attacker who successfully compromises a password manager’s servers does not gain access to your vault because it is encrypted with your key, which the PWM doesn’t possess.

> I think passwords can be similarly secured and inputted through alternative methods

Other methods can be equally secure (or more secure). The comparative advantage of password managers is not that they are the most secure or the only secure option. It is that they are highly secure AND (1) convenient to use (2) not locked to a certain platform, OS, browser, or physical location.

There are plenty of ways that you could manually create an offline, airgapped, or physical method of storing your passwords that would be at least as secure from theft/hacking as a PWM but most of them are too inconvenient, or increase the risk of either data loss, or user error.

> b) Saving cookies in browser for that site, to remain signed in.

This doesn’t replace the need for a password manager (or password management strategy of some other form).

> Passwords can be stored in an encrypted document. For example, Libre Writer and Libre Calc allow you to password encrypt a file, using the same encryption method as KeepassXC (AES). Alternatively you can keep the file unencrypted, and store it in an encrypted Veracrypt container. Passwords can be similarly hidden by formatting the cells (in LibreCalc) with a strikethrough - allowing you to copy and paste them without the camera behind you, or an adversary who can access your screen, seeing what the password is.

This seems like a lot of work (and more possibilities to screw something up) to basically just recreate a rudimentary proto-password manager. What would be the advantages of this approach from your perspective? In either case you are using a piece of software, to access an encrypted file, on your computer. This approach seems like it would introduce many headaches, and greater potential for data loss, without really having any clear advantages in security or usability. But possibly I’m just misunderstanding or not seeing the value that you see in it?

4 Likes

I think you and the others make valid points.

I must confess. Moving all my passwords from somewhere familiar to somewhere unfamiliar and complicated like KeepassXC is scary.

But I have since realized just how widely recommended Bitwarden is, and I gave it a go. I find it very user friendly and will now be moving to it.

So to conclude. Are password managers really necessary? No. But they are near universally endorsed by people who know more about security than me, and they are more convenient than alternatives.

3 Likes

I totally get this. When I’ve transitioned password managers it’s a 1+ year transition (for that reason). The actual migration is done quickly, but I’ll keep my old system until I’m really really sure the new system works for me.

What’s complicated about KeepassXC? Wondering what that might be. Maybe making backups of your data file?

For me, simply the lack of KISS in it. It is a tad too clunky for me, albeit having many more features and controls built into it. I am sure at least a few others would be sharing the same opinion as mine. While, with Bitwarden, most of the stuff was pretty intuitive to me.

You mean backing up the database file? Literally just use any sync tools, even a scheduled task would work, it’s just one file, isn’t it?

I think it actually might be the less modern UI.

Yes. They are. The more people who use them the better off we all are.
They provide features I cannot and mitigate conditions that would exist without one.

I too used to keep passwords in a Word doc :roll_eyes: in a Veracrypt vault but changed to KeePass years ago and pay annually to support the project. The features I like most are FOSS, O/S and browser independence, auto-type (CTRL-V), clipboard clearing, two-channel obfuscation and that it’s not cloud-based.

Online managers scare me. Not just because I can’t predict which one will get breached next but that one certainly will.

And also because…
They can change their ToS arbitrarily (Dashlane).
https://www.dashlane.com/blog/updates-dashlane-free

Fumble updates (Raivo)
https://news.ycombinator.com/item?id=40523411

Take my data hostage and make it impossible to recover by discontinuing products (Authy)
https://help.twilio.com/articles/19753631228315

Have poor internal controls, inadequate employee training and misleading breach notification (Lastpass)
https://www.upguard.com/blog/lastpass-vulnerability-and-future-of-password-security

Force the latest trend on me without thinking it through (passkeys).

Make it too easy to create a circular disaster recovery situation.

And like any other online app there’s the chance of losing access suddenly and forever when their owners decide to shut it down. Or sell it and the new owners go in a completely different direction. (Skiff)

2 Likes

With online password managers you can generally export to JSON though and that should be stored somewhere locally (like an encrypted container).

1 Like

Yes, but not always and are the exports encrypted?

If I need to manage local copies anyway then aren’t I really paying for a convenience and doesn’t convenience always find a way to compromise security eventually?

Having to monitor social media to learn if something is going into the weeds with such a critical app is a timesuck.

There are things in my PM that have nothing to do with the internet but my heirs will need access to even if it’s 3 months after the last payment to the ISP.

But back to the OP question.
Is a PM necessary to practise good OpSec? No, absolutely not.
Does a PM make practising good OpSec easier? Yes, it does.
If the majority of people in wealthy nations practised better OpSec, bad actors would focus elsewhere and we’d all be better off.