If you end up, for some reason, being one of those unlucky individuals whose Google account gets banned and all your other accounts are behind Google login, then you truly have been owned.
You mean when using "sign in with" and then using a shitty password for your social media account?
If you use e-mail and password with a good password manager, that runs locally on your device and generates good random passwords, it is unlikely you will end up on haveibeenpwned, and even if one website does shit, the blast radius is only one account on one website.
You'll still have your e-mail address exposed, which you may not want if it is to some random porn site. Moreover, password managers do not work if you use multiple devices for log in, which most people actually do.
I use my password manager across multiple devices daily.
Apparently it has not been working without me noticing it?
I assume they're thinking about the 'offline' style where one would shuffle a database file and probably resolve conflicts. There's an app/extensions nowadays, man!
I don't even bother with a VPN, just occasionally push a 'sync' button on the roaming devices [when they return to LAN]. DB transactions [new credentials] averages ~0 per month... but there's plenty of capacity. Works extremely well.
The truth is that even with KeePassXC, I just really do not notice stale passwords across devices. It's just really not a huge deal for me personally. Maybe it is for normal people. I sync my databases maybe once a year if I'm lucky.
Right, that's what I was trying to emphasize. Rare syncs are totally fine here, too. I try to keep a routine but tend to slip. If not 'with my usual device' there's a tiny number of accounts I even need. They rarely change so the 'cache' is usually suitable. If not, the restriction is always short-lived.
Same here. I use pass, and I just don't create/update passwords that often. And synchronising is very easy (it's a git repo).
... And how do you access the passwords that password manager manages?
With the "password manager" program? I have one on my desktop and one on my smartphone.
How do you expect to access the passwords that the password manager manages?
... Can everyone in the world read our passwords or are they "protected" somehow?
I am not sure whether you are trying to get at something specific, but I will interpret the question in good faith:
A classical password manager reads an encrypted database. In theory, you could upload your password database (usually just one file) anywhere and wouldn't need to worry, assuming that you chose a sufficiently long password for decryption, and assuming that the encryption does not have weaknesses which would allow an attacker to decrypt it without the password. In practice, of course, you still wouldn't upload your password file to a public place, to reduce risks in the future. But anyway, the idea is that only you know the master password for the encrypted database, and so no one else can read your passwords.
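An added illustration of the scheme the comment above describes, not code from any commenter or from any real password manager: the master password is stretched with a memory-hard KDF (scrypt, with a per-file random salt), the derived key encrypts and authenticates the whole database, and a wrong master password or a tampered file is rejected before any plaintext is touched. The file layout, the function names and the HMAC-based stream cipher are assumptions made here so the block runs on the Python standard library alone; a real manager would use a standard AEAD (AES-GCM or ChaCha20-Poly1305) and Argon2id or scrypt with far higher cost parameters than the demo values chosen for speed.

```python
import hashlib
import hmac
import json
import math
import secrets
import string
import struct

# Hypothetical vault layout (an assumption for this example):
#   MAGIC(5) | salt(16) | nonce(16) | ciphertext | tag(32)
MAGIC = b"PWDB1"
HEADER_LEN = len(MAGIC) + 16 + 16
TAG_LEN = 32
# Demo scrypt cost (16 MiB per guess). Production values should be much larger.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys.

    scrypt is memory-hard: every guess costs the attacker 128*N*r bytes of RAM,
    which is what makes a long master password expensive to brute-force offline.
    """
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=64 * 2 ** 20, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries: dict, master_password: str) -> bytes:
    """Serialise and encrypt the database; encrypt-then-MAC over header and ciphertext."""
    salt = secrets.token_bytes(16)          # fresh per file, so equal passwords give different keys
    nonce = secrets.token_bytes(16)         # fresh per encryption, never reuse with the same key
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unlock_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag first (constant-time), then decrypt. Wrong password -> ValueError."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    salt = blob[len(MAGIC):len(MAGIC) + 16]
    nonce = blob[len(MAGIC) + 16:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:HEADER_LEN] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length: int = 20) -> tuple[str, float]:
    """Random per-site password from a CSPRNG, with its entropy in bits."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample database; the site and alias are made up.
    site_pw, bits = generate_password()
    db = {"salad-shack.example": {"user": "alias.salad@example.com", "password": site_pw}}
    vault = lock_vault(db, "correct horse battery staple")
    print(f"vault is {len(vault)} bytes, site password has {bits:.0f} bits of entropy")
    assert unlock_vault(vault, "correct horse battery staple") == db
    try:
        unlock_vault(vault, "correct horse battery stapler")
    except ValueError as e:
        print("wrong password:", e)
```

Unlocking with the wrong password fails at the tag check, so an attacker holding the file learns nothing about whether a guess was "close"; each guess still costs a full scrypt evaluation, which is the point of the commenter's "sufficiently long password" caveat.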
I am confused. You say:
> Moreover, password managers do not work if you use multiple devices for log in
I use a password manager with multiple devices, and it works. And yes, my passwords are "protected", that's the job of the password manager.
If you decide to visit such awful sites then the least you could do is not use primary email for this.
I don't think it makes sense to even have a "primary email". I've completely separated work, shopping, banking, gaming etc mailboxes.
Also how do password managers not work? Bitwarden syncs instantly across devices just fine.
If you sign in with Google, the site knows your gmail address.
Email aliasing is a thing
Risk Bob's Salad Shack leaking an inconsequential, unique, credential or bind everything to the whims and identity of a single organization; hmm.
Ending up on HaveIBeenPwned is only a problem if you reuse passwords.
Nope. It is a problem if you reuse email addresses.
Are you saying that you reuse the same password everywhere, but a different email address every time, and you feel confident that having your password leaked won't have repercussions?
I am genuinely confused. Sounds like holding a gun from the wrong end and feeling protected by it.
Password manager.
Before the inevitable "what if your password manager is hacked...," what if your Google account is hacked / banned?
You don't even need a password manager, browsers autogenerate secure passwords for you, and they sync between computers/mobile devices.
(I'm saying this from the perspective of "regular people don't want to be inconvenienced like that"; obviously you should use an external password manager for security.)
Agreed. Just wanted to add:
> Before the inevitable "what if your password manager is hacked
My passwords are encrypted with a security key. I think it is more likely for my computer to get compromised than for my password manager to leak the passwords.
Admittedly, if I lose all the security keys at the same time, I lose all of my passwords.
Sign-on with the external identity provider doesn't help if data related to your account like the billing information, your government ID info etc. are released in the breach, that's the sore point.
- Complains about age verification because it is "not private"
- Uses Google SSO to sign in everywhere
People will know that my password was y!2TvM8h3dpvw4 for one particular website at some point. What do I lose here? Google/Apple incurs much greater risk that is entirely out of your control.