re: Anyone using a password manager?

(no message)

Also sounds like a huge pain keeping that offsite backup updated. With as many passwords as we have these days, we should be changing one or more passwords every week.

We worry about our passwords getting hacked because it would be a pain in the arse to protect our data and recover from it. To me, storing passwords on an encrypted thumb drive is a bigger pain in the arse in the long haul, just in many smaller byte sized (swidt?) portions. Like hacking yourself a little bit every day.

Use a cloud-based password manager. Use a strong master password and multi-factor authentication on your account. Also use MFA on every site that allows it, ESPECIALLY your password recovery email account(s). And learn to identify the various phishing and social engineering techniques to avoid hacking yourself.

That is the safest thing you can do. Your passwords are protected by MFA in the event the password manager is breached. Your accounts are protected by MFA in the event your passwords are somehow compromised. Should you choose to also store your TOTP in your password manager, if the added convenience causes you to actually use MFA at all your various sites that should outweigh the risk of putting those eggs in the same password manager basket.


The benefit is you are encouraged to use strong, unique passwords at all of the dozens or hundreds of sites that you use, as well as to update them regularly because these things are so easy to do. A password manager protects you by reducing your attack surface, potentially by a couple orders of magnitude, by beefing up your security practices at these dozens or hundreds of sites. And the risk of keeping all your passwords in the cloud is almost completely mitigated by using MFA on your password account.