should I prefer a password manager or a manually kept password list?
I've never been sure whether it's unwise for security reasons to use a password manager. I stopped in probably 2017, and switched to "pen and paper"--that is, I keep my passwords manually in a file. Not encrypted. I have the file on home computer and nobody's about to look. It works for me and I'm comfortable with it. It actually wasn't for security reasons in the first place that I quit password managers, anyway. Do I have any reason to go back? It is less secure, not more? What do you do?
If you do keep your passwords in a file on your computer then you should definitely have that file encrypted. Otherwise anyone breaking in to your computer, physically or remotely through the network, will have all your passwords to hand and merry mayhem will ensue.
Equally important is that you use good passwords and don't re-use them on multiple systems. Although I don't use a password manager (I use an encrypted file as described above), one of the advantages such managers have is that they can generate, and remember, very convoluted passwords for you.
Quote:
Originally Posted by newbiesforever
I've never been sure whether it's unwise for security reasons to use a password manager. I stopped in probably 2017, and switched to "pen and paper"--that is, I keep my passwords manually in a file. Not encrypted. I have the file on home computer and nobody's about to look. It works for me and I'm comfortable with it. It actually wasn't for security reasons in the first place that I quit password managers, anyway. Do I have any reason to go back? It is less secure, not more? What do you do?
You could post your "password list" on the Internet for all to see too, but anyway...
Seriously, if you visit multiple sites and have multiple accounts, then isn't that what password managers are for? Why would it be "unwise" to use one?
All someone has to do is get a copy of that file, and hey presto, there's all of your passwords. Are you saying you don't even have a password on that file? I hope your computer has good security at least.
If "it works for you and you're comfortable with it", then why bother asking the question?
I must say, you ask some pretty bizarre questions.
Quote:
If "it works for you and you're comfortable with it", then why bother asking the question?
Just because something works for a person and they are comfortable with it doesn't mean that it is the best thing to do. The OP merely, in my opinion, wants to see if that is in fact the case. Not a weird question at all.
I don't have an answer for you, but I certainly 2nd your question! The security of "pencil and paper" is questionable too, especially in an office situation. Ya never know who's going through your desk! However, at home, it's probably as secure as the lock on your front door. To be transparent about it, that's what I do at home too - except that I take the extra precaution of password-protecting the file in which passwords are stored.
I see two problems with the free password managers we see routinely on linux distros. I always envision "Tim" on NCIS finding my passwords. Go figure! I'm guessing this mythical character could break the encryption in most password managers. [The real FBI, CIA, NSA and whomever are welcome to find whatever they can on my laptop. It wouldn't be worth their effort anyway.] The second problem is the "One password to rule them all" problem. All someone with the need, desire, time and money has to do is figure out the one password. Until quantum computing becomes ubiquitous, that's probably safe too. Until then, they're welcome to my password for LinuxQuestions.
Quote:
Originally Posted by hydrurga
Just because something works for a person and they are comfortable with it doesn't mean that it is the best thing to do. The OP merely, in my opinion, wants to see if that is in fact the case. Not a weird question at all.
That's kinda what I was saying above (it's not the best thing to do that is). It's still bizarre to ask a question when they are saying they stopped using a password manager, but not for "security reasons", and yet passwords are a "security issue". Particularly with some of the OP's other questions.
Quote:
That's kinda what I was saying above (it's not the best thing to do that is). It's still bizarre to ask a question when they are saying they stopped using a password manager, but not for "security reasons", and yet passwords are a "security issue". Particularly with some of the OP's other questions.
That's actually a good question.
OP: If it wasn't for security reasons, why exactly did you stop using a password manager?
Password manager, local storage and backed up somewhere like a thumbdrive. I use my manager (keepassxc) to randomize long strings as passwords and I have no idea what they are. No 2 are the same for all 100+ sites I have accounts on. Single, long password (not a dict word) for entry into the password database.
I have the advantage of being able to remember long strings of letters, numbers and symbols so my "one password" is a long string of random chars that I have memorized. Doesn't work for everyone but works for me...
Quote:
Password manager, local storage and backed up somewhere like a thumbdrive. I use my manager (keepassxc) to randomize long strings as passwords and I have no idea what they are. No 2 are the same for all 100+ sites I have accounts on. Single, long password (not a dict word) for entry into the password database.
I have the advantage of being able to remember long strings of letters, numbers and symbols so my "one password" is a long string of random chars that I have memorized. Doesn't work for everyone but works for me...
I've used my convoluted master passwords for so long that they are now part of my "finger memory". However, I do worry about whether I will forget those after some sort of accident or perhaps early onset Alzheimers (you never know) so have considered for a while whether I should also write them down and keep them in a well hidden place. Except of course I might forget where that place is.
Quote:
I've used my convoluted master passwords for so long that they are now part of my "finger memory". However, I do worry about whether I will forget those after some sort of accident or perhaps early onset Alzheimers (you never know) so have considered for a while whether I should also write them down and keep them in a well hidden place. Except of course I might forget where that place is.
Well put, and I think about that too since I am getting on in age
hydrurga: "I've used my convoluted master passwords for so long that they are now part of my "finger memory"."
Yeah - that's pretty good. But I have one problem with that, one that's probably unique to me. You see, about 10 years ago I decided to learn the Dvorak keyboard - it really helped with my (relatively) minor carpal tunnel. Relying on muscle-memory works fine at home (except for the one time Fedora/anaconda messed up the installation procedures so that the login password was still in QWERTY and boy, was THAT confusing). The computer at work was a minor problem - the admins only let me switch to Dvorak at runtime. Those machines booted Windows and logged in using QWERTY, which meant my fingers had to memorize two passwords.
Oh - the other thing is that "age happens". Now that I'm 65, my muscle memory is only a bit better than the brain storage for passwords. If, for example, I lose my PC for a week (like I did when a power surge burned out my old motherboard), I really struggled to get the ol' password back. Having my pw file backed up to a thumbdrive saved my sanity that time.
Quote:
hydrurga: "I've used my convoluted master passwords for so long that they are now part of my "finger memory"."
Yeah - that's pretty good. But I have one problem with that, one that's probably unique to me. You see, about 10 years ago I decided to learn the Dvorak keyboard - it really helped with my (relatively) minor carpal tunnel. Relying on muscle-memory works fine at home (except for the one time Fedora/anaconda messed up the installation procedures so that the login password was still in QWERTY and boy, was THAT confusing). The computer at work was a minor problem - the admins only let me switch to Dvorak at runtime. Those machines booted Windows and logged in using QWERTY, which meant my fingers had to memorize two passwords.
Oh - the other thing is that "age happens". Now that I'm 65, my muscle memory is only a bit better than the brain storage for passwords. If, for example, I lose my PC for a week (like I did when a power surge burned out my old motherboard), I really struggled to get the ol' password back. Having my pw file backed up to a thumbdrive saved my sanity that time.
I know the feeling. I'm the same for passwords when I'm travelling and have to use someone else's AZERTY keyboard, for example.
I'm not much younger than you are but only recently I went to pay for my groceries at the store and realised I had completely forgotten the PIN number for my bank card. I had to sit down for 15 minutes and try to remember it (I had a mnemonic for remembering it but had forgotten I had one). One of the assistants kept asking me if I was feeling ok and whether I wanted a glass of water. It was amusing but slightly worrying. You never know if/when your memory will start playing up.
My thoughts:
How can I trust a "password manager" not to leak them through malice or ignorance?
How can I remember all my passwords, work and home?
What if I have to use a new device to, for example, use my bank account to buy flights home from a British Embassy computer because my possessions were stolen?
I just write passwords down and remember the ones I use the most. For corporate use, always have the important passwords in a safe or vault and only accessible to lawyers or other such.
I always recommend a local file based password manager. I always push Keepass or Password Safe. You could also use an encrypted office document. If you go the document route, make sure it is actually encrypted and not just password protected. The password protections are easy to break. The advantage of a password manager file is that they should be safe to store as an email attachment or somewhere else on the internet you could access from anywhere.
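The difference the last post draws between an office document that is actually encrypted and one that is only password protected against editing is visible in the file's container format. The following is an added example, not part of the original thread: the `classify` function, its result labels and the sample files are constructed for illustration, and the OLE branch is a byte-search heuristic rather than a full parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE2 compound-file signature
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML
# Markers of edit restrictions that leave the content itself readable.
EDIT_LOCKS = (b"documentProtection", b"sheetProtection", b"workbookProtection")


def classify(data: bytes) -> str:
    """Return 'encrypted', 'edit-protected-only', 'plaintext' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # An encrypted .docx/.xlsx is wrapped in an OLE container holding an
        # EncryptedPackage stream; legacy .doc/.xls needs a real OLE parser.
        return "encrypted" if ENC_STREAM in data else "unknown"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "META-INF/manifest.xml" in names:  # OpenDocument package
            manifest = z.read("META-INF/manifest.xml")
            return "encrypted" if b"encryption-data" in manifest else "plaintext"
        # A plain OOXML ZIP: every part can be read without any password.
        for name in names:
            if name.endswith(".xml") and any(m in z.read(name) for m in EDIT_LOCKS):
                return "edit-protected-only"
    return "plaintext"


def _zip(parts: dict) -> bytes:
    """Build an in-memory ZIP from {name: text} (helper for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples, not real documents.
SAMPLES = {
    "locked.docx": _zip({"word/document.xml": "<w:document>secret</w:document>",
                         "word/settings.xml": "<w:documentProtection w:edit='readOnly'/>"}),
    "plain.docx": _zip({"word/document.xml": "<w:document>secret</w:document>"}),
    "enc.odt": _zip({"META-INF/manifest.xml": "<manifest:encryption-data/>",
                     "content.xml": "ciphertext"}),
    "enc.docx": OLE_MAGIC + bytes(64) + ENC_STREAM,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname}: {classify(blob)}")
```

A result of `edit-protected-only` or `plaintext` means the stored passwords can be read straight out of the file without knowing any password.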