Ask HN: Does anyone use an alternative to a password manager?

I am shocked to see a tech literate audience recommending a single algorithm based password. This is pretty basic stuff. Minimize attack surface!

With a password manager, your attack surface is your email, and the password to the manager. You can focus your efforts on securing those two things with 2fa, a hardware device, etc. Every other password can be extremely difficult, and only grant access to an individual service.

Compare it to an algorithm, where your attack surface is "every service." If one password is compromised, they all are. Then you have to change them all manually, and remember what's been changed, when.

In an age of great open source options like bitwarden, Keepass, and unix pass, there's no excuse for using an algorithm anymore.

I use Linux, Windows, and Android. I decided on Pass [1] and it's been working really well for me. I have a dedicated PGP key that encrypts all my passwords, and they're stored on my own git server.

On Linux I use the pass command, on Windows I use QtPass [2], and on Android I use Password Store [3] and OpenKeychain [4] (for the PGP key).

My "master password" is the password for the PGP key, and I type it each time I want a password. Git keeps everything in sync. If one of my devices is compromised, you still need the password for the PGP key. If my git server is compromised, you'd need the PGP key (which isn't on the server).

[1]: https://www.passwordstore.org/

[2]: https://qtpass.org/

[3]: https://github.com/zeapo/Android-Password-Store

[4]: https://www.openkeychain.org/

I use an algorithm. In short:

1. Memorize some base password 2. Memorize a way in which you mutate that password based on the name/type/other of the service logging in to.

Eg. Hunter2 becomes eHunterG8 Because my example algorithm cares about Google's first letter, length, and service type: email.

It allows every password to be different but you only memorize two things. It is meant to be a "good enough" solution that is much better than using the same password for everything, but naturally is worse than using significantly different passwords.

I've used this for a few years to great success. The one issue I have is I sometimes have to try multiple times when one account is many types of services.

I'm a bit surprised at all of the people suggesting "remember one password, and mutate it with an algorithm based on the website name". That means that if you have to invalidate one password for any reason, you have to change all of them. On every service that you use. Do people really do this?

You most likely already have another single point of failure: the email account that you use for "forgot your password" resets. So, I make that the only point of failure by choosing long, secure passwords and not really trying to remember them, resetting the password every time I need to log in to a rarely used account

* descriptive, long passphrases, that I usually have no trouble remembering. e.g. Facebook could be "I talk to my friends".

* salt to make stupid password rules happy and to make it somewhat safe to write down passwords. e.g. "mysecretsalt42$". This gets appended to all passwords and doesn't get written down anywhere.

* encrypted text file, used rarely when I forget a password. e.g. `vim -x socialmedia.txt`. I find this a bit better than Keepass or pass because it's not one obvious attack target (both the file and app).

* optionally, a paper backup

We really need passchange.js: an open source collection of headless JS scripts that can programmatically change your password on a given website. Then you would continuously rotate _all_ your managed passwords as well as your master.

Not a panacea, but significantly minimizes the length of a theoretical breach.

I used a small script to generate my passwords : I choose a simple password, I append the domain and I hash the string. I take the first 15 characters of the hash as a password. I find it quite convenient and easy to remember !

sha256("password"+domain)

Use KeePass. It's FOSS, has a great extension for FF, and stores your passwords in a local, encrypted file. No cloud necessary.

I use https://www.passwordstore.org/.

I use a simple 'cipher' that makes new passwords easy to remember and remains relatively secure without the need of a book/service.

I have a file of the first word that comes to mind for every letter in the alphabet. Then my password is created based on some features of the site.

I.e. eBay has 4 letters so I could choose: 'Elephant_4_Yankee'

The delimiter is up to you and you could just as easily choose every second letter or whatever.

Yes, it does mean my Netflix password is a bitch to put in but I know it off by heart.

"Just use a password manager" is actually a simplification for doing proper threat modelling because most people don't bother thinking about it.

For each site you have to consider; what is the worst thing that could happen if somebody gain access to that account? Do you have a meaningful online presence on the website? Did you enter private information that you don't want to go out? Did you provide your credit card to the site? It would actually be useful if sites where classified by the type of information and access that they require.

Another short answer would be: memorize your computer, email and password-manager passwords. Use the password manager for day-to-day sites. Add a second factor for juicy targets like net banking. For all the other sites, generate a random string and throw it away. Use password reset the next time you want to log into it.

I use https://securemypw.appspot.com (because I wrote it).

I need to remember just 1 good password (that I don't use anywhere else). I use it to encrpyt different passwords for different uses (gmail, banking, etc). I put the url with encrypted password in my bookmarks and a google doc (to share with my wife).

To hack me, the attacker would need get both the link (from my laptop's bookmarks) or from the google doc ... and then would need to guess the password to decrypt it.

I know it doesn't answer the question, but it does hit at the heart of the issue. I use Enpass - the only password manager I could find that doesn't store your info for you--because I was also concerned about breakins and single points of failure. I am able to keep my entire password collection on my local hard drive and in whatever online storage tools I'm using currently (onedrive, google drive, etc). This seems to fit well while removing the issue with online password managers.

I'm surprised at how little advocacy there is for 1password.

Yes, it's a single point of failure (probably more, depending on how you choose to define them) but it is invariably more secure than me remembering my super-nifty password algorithm.

It's not perfect, but I trivially generate very long passwords for every service, and have to remember the master password only of my email and my 1password account.

If anything is truly important, it will have 2 factor authentication.

If someone has access to my unlocked physical machine and an unlocked 1password UI, I'm screwed. Additionally, they could use the wrench approach [0] to gain my credentials.

This is not a use-case I'm actively trying to prevent. Nor is protection against state-level actors targeting me in particular.

Further benefit of 1password: my wife and I both use certain shared logins to access things like credit card accounts.

Instead of me having to get her on board with my password book, or special algorithm, I can just move a login into our shared password vault.

I suspect most people reading this are in a similar boat - we're more than happy to pay a few dollars to hire millions of dollars of specialized security knowledge to outsource this problem for us.

This is just too mundane a solution for most people to comment on.

Long live 1Password!

[0] https://xkcd.com/538/

I've used supergenpass[1] with some success, but the fact that some websites have special requirements for passwords means that I still have to memorize more than one password.

1: https://chriszarate.github.io/supergenpass/

If you're worried about storing your passwords somewhere where they could be compromised, one alternative is to simply not store them:

1. Generate a long random password.

2. Use that password once, but don't make any effort to store or remember it.

3. When you need access to the service, use the Forgot Password flow. Return to Step 1.

This is admittedly inconvenient, especially on mobile, and it won't work well if you routinely use devices that cannot access your email. But...it is an alternative approach that removes the need for a password manager.

In my personal experience, this approach has worked well for services I use rarely, especially those with good Forgot Password flows or long remember-me session times.

See also: Passwordless[0] is a Node library that discusses a similar approach to authentication from the service's perspective.

[0] https://passwordless.net

I have a file on the local drive of my office computer and a sheet of paper near my home computer (used by me and my wife). When the sheet of paper is full of handwriting, I bring it to office to synchronize both list.. When my house has been robbed last year they have not found the sheet, but if they had, I could have changed all passwords very quickly. In case of fire, the backup is safe in a remote location. It is easy to carry, duplicate or destroy. The security at office is ensure by the IT service. This may be imperfect, but I think my list of password would not be the main target of an attack. At home, my wife is often present and would quickly notice if a burglar steal the list. When I go on holidays, I take the home list with me. I think it is quite successful.

I use a formula that I can figure out in my head and I just remeber that. I don’t know any of my passwords, but I can figure out my password when I need it.

It has problems on sites that have shitty password rules. But for those sites, i just mash the keyboard then rely on the forgotten password link.

If your PC is compromised it's pretty much game over, using a password manager does not really worsen the damage in that scenario At that level of compromise they can probably add a root cert, MITM your connections, and grab your passwords anyway.

If you're concerned, you could use separate files for different levels of security, which would give you the theoretical ability to compartmentalize the loss. But again, if you're compromised to that extent it's game over, there is nothing you can do that will allow you to operate securely on untrusted hardware/OS, you simply can't let that happen.

It's not like that's an unreasonable goal, the combination of Ublock Origin, Windows Defender, and common sense have kept my systems clean for 10 years now.