
Let me begin by saying that this entire post is just an opinion. I’m not a user of any password manager software and have never in any way centrally stored passwords in any fashion (be it a notebook, a safe space in my mind or a .txt file on my hard drive).
Above all things, I find that my mind is the safest store for any info I believe to be sensitive, important or private. When it comes to security, there are often two main aspects to consider:
Physical and Hyperphysical (or software)
The easiest way to explain this is to consider your computer and its data as being Hyperphysical (yes, it does exist physically on a drive, but it’s not something you can hold or touch: it’s data!). On the flip side, physical objects or data can be stored on, let’s say, paper, in a safe or somewhere else physically in the world.
One big security principle I often repeat and stand by is that if anyone has physical access to your hardware/devices/data, it is insecure and can be exploited. I believe this to always be true, but there are some circumstantial exceptions. Most international hackers won’t have physical access to your house keys, to your office or to the places you choose to visit. In this situation, keeping data off your machine is a task which is as secure as the person doing it.
If you write your passwords onto sticky notes and leave them on your monitor, you might as well just have no passwords. This might be super bad practice, but at least this data isn’t on your machine, connected to the internet, where anyone can take a shot at getting it.
Don’t Take My Word For It
So again I must repeat, I don’t use password managers, so the obvious benefits or even security advantages of them are lost on me. The whole idea is to keep your passwords in an encrypted, secured database that requires authentication to access. This should help minimize predictable or reused passwords by taking away the burden of recollection and memory. Most password managers advertise this security in the same way that banks are entrusted to store your money (rather than a shoebox).
However, time and time again flaws and exploits have been found in password managers, making my worst fears about them very real. Published 19 Feb 2019, this report by Independent Security Evaluators (ISE) demonstrates that multiple password manager applications/services have vulnerabilities of their own. Also check out the associated blog post, which explains in detail just how these vulnerabilities were found.
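To make concrete what “an encrypted, secured database that requires authentication” means in practice, here is a minimal vault written for this post as an added example (it is not code from any password manager product, nor from the report discussed here): a slow key derivation function turns the master password into keys, the entries are encrypted, and an authentication tag means a wrong master password or a tampered vault file is rejected rather than decrypted into garbage. Python’s standard library has no AES, so the stream cipher below is HMAC-SHA256 run in counter mode, a stand-in chosen only so the example runs offline; a real product would use AES-GCM or a similar authenticated cipher. The entries, the master password and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import json
import os

# Added example: a minimal password vault in the style the post describes.
# Not code from any real password manager. The PBKDF2 iteration count is
# kept moderate so the example runs quickly; real products use far more work.
KDF_ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password with PBKDF2, then split the result into an
    encryption key and a MAC key so one secret never does both jobs."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS
    )
    enc_key = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib has no
    AES). A (key, nonce) pair must never be reused, or XOR leaks plaintext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries under keys derived from the master password.
    Fresh salt and nonce per seal: the same entries never produce the same blob."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> dict:
    """Verify the tag before touching the ciphertext. A wrong master password
    yields a wrong MAC key and is rejected here, not decrypted into garbage."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ct"])
    tag = bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong master password or tampered vault")
    plaintext = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def opens_with(master_password: str, blob: dict) -> bool:
    """True if the master password unlocks the vault, False if it is rejected."""
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries; not real credentials.
    entries = {"email": "Tr0ub4dor&3", "bank": "correct-horse-battery-staple"}
    vault = seal_vault("my-only-master-password", entries)
    print("unlocked:", open_vault("my-only-master-password", vault))
    print("wrong master password accepted?", opens_with("guess1", vault))
```

Two things this makes visible that the bank analogy hides: every entry sits behind the single master password (the basket), and the only thing slowing an offline guess at that password is the cost of the key derivation, so the iteration count, not the cipher, is what an attacker who steals the vault file is really fighting.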
Emmanuel Schalit, CEO of Dashlane, stands behind password managers. “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own,” he said.
-Dashlane’s CEO (Taken from CBS news)
Now, as much as I can understand the mentality outlined by Emmanuel above, my personal understanding of all things IT/software/hardware/security is built around layers, in the same way that castles, homes and processes all have layers, doors, multiple paths and multiple obstacles.
Using the example expressed previously, if we liken all of this to a bank, you would consider that there is a front entrance, some tellers or a receptionist, then some corridors and a few extra checks before getting into the main vault.
Keep this idea in mind: if you have one password for your PC, a separate one for your email, another for your intranet, another for your bank and so on, a hacker has to take over multiple accounts, with hurdles in between. So even if they break down the front door, they haven’t got into your “vault”.
The Flip Side
Now again, I’m a total hater of password managers and stand by a subjective view that they cause more problems than they solve. This, however, isn’t entirely correct. Take the view of Troy Hunt, who even cites the UK Government’s NCSC (National Cyber Security Centre) on what they think. Quite correctly, Troy does outline that password managers don’t have to be foolproof, just better than not having one. This is something I can totally get, as from my own experience I’ve seen users note passwords down anywhere and everywhere, and reuse the same password on multiple systems just for simplicity.
Though for the general public a password manager might mitigate many of the issues in their overall security posture, in my personal opinion it’s only a treatment for the symptom (and not the cure).
There are differing opinions on this entire topic, so please take note that this is genuinely just my view on it. Rather than putting all your eggs in one basket, keep what you need secure in the one place no one else can get to: your mind.