[Discuss] Password managers

[ajbennett at gmail.com (Jack Bennett)]

On Wed, May 6, 2020 at 6:59 PM Kent Borg <kentborg at borg.org> wrote:

> On 5/6/20 1:45 PM, Jack Bennett wrote:
> > One of the benefits of a password manager is that it automates this
> process
> > so you can easily use passwords that would be impossible to remember
> and/or
> > type in (and lock them behind a suitable and memorable passphrase).
>
> I'm not opposed to software automatically generating passwords. But why
> make them impossible to remember?
>
> It is easy to remember "tropic-judge-dragon", and it has 32-bits of
> entropy. Same with "voodoo-apollo-period". Neither would be a good
> encryption key, but both fine passwords. (Again, the distinction between
> password and an encryption key is *crucial*.) Those were both software
> generated. How many would you like?
>
>     sandra-shelter-avenue
>     bicycle-bruce-patrol
>     under-survive-pluto
>     zodiac-stuart-pattern
>     amazon-mouse-museum
>     dublin-scoop-optic
>
> I got a million of em'! All fine passwords. (All terrible encryption keys.)
>

I agree 100% that any one of these individually is easy to
memorize/remember (and type in, which is a nice feature as well). The hard
part comes in organizing and remembering N>>1 of these (bank site,
insurance site, email, retail sites, etc, etc), updating them, deprecating
them, and so forth. A password manager does this at a very low financial
cost; whether the risk is acceptable is another question.

I do trust Thomas Ptacek's (@tqbf) assessment of the situation. This was
one of the factors that sold me on 1Password a few years back:
https://twitter.com/tqbf/status/886058611692232704 (herd mentality perhaps,
but at least informed and considered herd mentality ...)