Hacker News

It's so baffling to me that people give ALL their passwords to a third-party, commercial organization...


For most people, non-technical people in particular, their biggest exploit risk is that they re-use the same username and password everywhere: one website gets popped, their creds get out in the open, and then people use those creds to get into everything else.

Anything that gets them to use unique, strong passwords for everything vastly improves their general security, even if they are using a third-party, commercial organization.


Yep. I fell into the trap of using repeat passwords because I was lazy. One of them leaked and someone overseas started using my personal Plex server. I set up LastPass the next day and changed everything to unique strong passwords. LastPass is cross-platform and the convenience is worth the risk for personal use.


What's the alternative?

1. Have people manage their own secrets storage? Most people don't have the time or ability to do this securely either. I'd rather pay someone else to secure infra, code, distribution, encryption, backups, etc. for me.

2. Reuse the same password on every site? One site gets hacked and now you're screwed.

3. Memorize a unique, long password for every site? Not feasible.

Third-party/commercial password managers are the best solution for most people, practically speaking.


I've never used password managers, partly because I don't trust them and partly because I've found an alternative that I feel is secure enough and more convenient. I split my passwords into two parts, one secure part that is memorized but reused and one weak part that is written down but not reused.

The main ways people are hacked are re-use of passwords and writing passwords down. If someone gets access to one of my passwords, trying it on other sites won't work. If someone finds the written parts of my passwords, that won't work either, as they would need to know the secure part of the password that I memorize. I can even easily take the written part of my password with me if I want to use a password on a different computer.

The only issue with this technique would be if someone finds multiple passwords of mine, they might be able to figure out the scheme and brute force other passwords, but if someone already has multiple passwords of mine and is taking the time and effort to go after me individually then I figure I am probably screwed any which way.


The alternative to fully cloud-based solutions would be a local, open source kdbx client (KeePass, KeePassXC, etc.) with the password database stored on cloud storage (Dropbox/Google Drive/etc.). This way, one gets the best of both worlds.


This can be a nice compromise, but it's not without downsides. Personally, 99% of the authenticated software I use is in my browser, and the usability of an extension that has a little badge to tell me I have an account on this site and autofill capabilities is really tough to pass up. Further, because it's an extension, it can know what site I'm on, which all but eliminates my risk of falling prey to phishing attempts.


KeePassXC does have a browser extension.


Why go through all that trouble? The passwords database or storage in 1Password is encrypted. It is only ever decrypted on a local device.


How is cloud storage more secure than a password manager's web interface?


Passwords suck. Move on to something better.


I'll be sure to tell the 100+ sites I have saved logins for to move on to something better.


Like what?


It is a hard one, because the only computing/memory device you have with you at all times, that requires no batteries, is not connected to any networks (yet) and is not vulnerable to probing/observation (yet), is your brain! But memory is too unreliable unless everyone trains for it.

Crypto keys are great, but you can lose them, and once shared they are the keys to your kingdom.

Specific security devices are great but you need to remember to have them with you. They can get lost or broken so you need backups.

Google authentication is convenient but they can ban you. It is also a 3rd party to trust.

Passwords suck but might be the best of the worst. Advantages: password managers can be used to make a password useless for other sites, and people conceptually understand it.

It is quite a hard problem!


Webauthn passwordless is the answer right now.

Obviously doesn't work for many sites because people are still convinced passwords are good.


what?


It's supposed to be E2E encrypted with your master password plus an additional key.
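To make concrete what "master password plus an additional key" buys you (the point of this comment and of the earlier one saying the vault is only ever decrypted locally), here is an added example that is not from the original thread and is not 1Password's code: a stand-in "two-secret" key derivation that XORs a PBKDF2 key from the master password with an HKDF key from a 128-bit secret key that never reaches the server. The server only holds the salt and a key check value (an assumed stand-in for the encrypted vault). An attacker who steals that server-side data can run an offline dictionary attack against a password-only derivation, but the same attack fails against the two-secret derivation because every guess also needs the secret key. The iteration count, labels, salt, secret key and wordlist are all constructed for the demo.

```python
import hashlib
import hmac

# Demo parameters (assumptions, not a real product's): real deployments use
# far more PBKDF2 iterations; this is kept low so the example runs quickly.
PBKDF2_ITERATIONS = 10_000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def password_only_key(master_password: str, salt: bytes) -> bytes:
    """Baseline: the unlock key depends on the master password alone."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN
    )


def two_secret_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation: password-derived key XOR secret-key-derived key.

    The secret key lives only on the user's devices, so server-side data plus
    a phished or guessed master password is still not enough to unlock.
    """
    from_password = password_only_key(master_password, salt)
    from_secret = hkdf_sha256(secret_key, salt, b"2skd-demo")  # info label is an assumption
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def verifier_for(unlock_key: bytes) -> bytes:
    """Key check value the server can store (stand-in for the encrypted vault)."""
    return hmac.new(unlock_key, b"vault-verifier", hashlib.sha256).digest()


def dictionary_attack(salt: bytes, verifier: bytes, wordlist, secret_key_guess=None):
    """Attacker holding only salt + verifier tries each candidate password.

    secret_key_guess=None attacks the password-only scheme; otherwise the
    two-secret scheme is attacked with the attacker's guess of the secret key.
    Returns the recovered password, or None if nothing in the wordlist matches.
    """
    for guess in wordlist:
        if secret_key_guess is None:
            key = password_only_key(guess, salt)
        else:
            key = two_secret_key(guess, secret_key_guess, salt)
        if hmac.compare_digest(verifier_for(key), verifier):
            return guess
    return None


# Constructed demo data: a weak master password that is in the wordlist.
WORDLIST = ["password", "123456", "qwerty", "correcthorse", "letmein"]
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
MASTER_PASSWORD = "correcthorse"
SECRET_KEY = bytes.fromhex("a3f19c2e7b0d44c58e61f0a2b9d37c11")  # 128-bit, device-only


def demo() -> dict:
    """Run the offline attack against both schemes and report what it recovers."""
    v_password_only = verifier_for(password_only_key(MASTER_PASSWORD, SALT))
    v_two_secret = verifier_for(two_secret_key(MASTER_PASSWORD, SECRET_KEY, SALT))
    return {
        "password_only": dictionary_attack(SALT, v_password_only, WORDLIST),
        # Attacker lacks the secret key: tries the wordlist with a wrong guess.
        "two_secret_without_key": dictionary_attack(SALT, v_two_secret, WORDLIST, bytes(16)),
        # Only someone who also has the secret key (the user's device) succeeds.
        "two_secret_with_key": dictionary_attack(SALT, v_two_secret, WORDLIST, SECRET_KEY),
    }


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(f"{scheme}: {'cracked ' + result if result else 'no match in wordlist'}")
```

The caveat the thread circles around still holds: the secret key only protects against offline attacks on server-held data. Malware on the device where the vault is decrypted sees both secrets, and a weak master password is still weak against anyone who already has the secret key.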


Supposed. But few do research, even fewer do audits.


For many, the ease of setup and maintenance is worth the risk.

The general population is not going to set up their own open source password manager solution. So going with an easy-to-use commercial password manager is better than not using one at all.


I don't agree with it but it is far from baffling.


Come on now. How is that baffling?


In what other tech stack is it a good idea to have all your eggs in one basket?

That's why it's baffling. The convenience is outweighed by the possible loss.


What is the alternative strategy? I think for most people before password managers the strategy would be "have one egg".


What percentage of the population even thinks about "tech stacks"? That's the group of people who are probably already using something else. Everyone else is still catching up to not having a password that's just "password1234".

People get their credentials compromised via shared passwords way more than via compromises of LastPass or Chrome or 1Password. Sure, it's a bigger risk if your manager is compromised, but for most people it's as much "eggs in one basket" as people only having one bank account, which is probably true of nearly everyone.


> password that's just "password1234"

It's even worse than that. The world's most common password is... password.


I'm not sure about that. According to The Plague, the four most common passwords were God, love, sex and secret.


Wiki says that some companies agree[1] that "123456" and "qwerty" are the most popular. "password" seems to generally be in the top 10.

What's interesting on these lists is the presence of Dragon and Monkey - am I mistaken or is it due to CJK users entering a Chinese character that got translated somehow? Wouldn't that mean some of the most popular passwords out there are single unicode characters? Surely not...

[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwo...


There are lots of enterprise tech stacks where you have a single (or single-as-possible) centralized secret store. It's far from uncommon, e.g., HashiCorp Vault, AWS Secrets Manager, Google Cloud KMS.


The alternative is spreading your eggs all over the farm, with no way to keep track of where they all are. Many will be put somewhere, then forgotten about.

Do you really think that’s safer?


Then what should folks do? The alternative is having to "run your own encryption" by running your own password manager on your own infra, or re-using passwords.


This. And their business model is literally to convince people to trust them with their most valuable secrets. Behold the power of marketing.


Are you also surprised that people run their entire SaaS business on a third party?


I'll do you one better. This is an encrypted base64 password with access to 5 ETH on Coinbase:

    U2FsdGVkX19mCN0qo7cyA5EfxgVqPQkygGlHqNgv1jM=
Guess it and post here and I'll supply you with the username
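The blob posted above is recognisable before anyone tries to guess anything: "U2FsdGVkX1" is the base64 encoding of the ASCII prefix "Salted__", which is the container format written by `openssl enc` when a password-based key is used (8-byte magic, 8-byte salt, then ciphertext). Here is an added example, not part of the thread, that parses that layout from the posted string so a practitioner can see what they are looking at. It deliberately stops at structure: recovering the plaintext would need the password and knowledge of which cipher and key-derivation mode (the legacy EVP_BytesToKey path or `-pbkdf2`) were used, and the post states neither. The only input is the string copied from the comment.

```python
import base64

OPENSSL_MAGIC = b"Salted__"
BLOCK = 16  # block size of AES and other 128-bit block ciphers

# Copied verbatim from the comment above.
POSTED_BLOB = "U2FsdGVkX19mCN0qo7cyA5EfxgVqPQkygGlHqNgv1jM="


def parse_openssl_salted(b64_text: str) -> dict:
    """Split an `openssl enc` password-mode blob into magic, salt and ciphertext.

    Raises ValueError if the data is not base64 or lacks the Salted__ header,
    so callers do not mistake some other format for this one.
    """
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < len(OPENSSL_MAGIC) + 8 or raw[: len(OPENSSL_MAGIC)] != OPENSSL_MAGIC:
        raise ValueError("not an openssl 'Salted__' blob")
    salt = raw[8:16]
    ciphertext = raw[16:]
    return {
        "total_len": len(raw),
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        # True if the body is a whole number of 16-byte blocks, which is what a
        # CBC-mode block cipher with PKCS#7 padding would produce. A stream
        # cipher would give an arbitrary length, so this is a hint, not proof.
        "block_aligned": len(ciphertext) % BLOCK == 0,
        # If it *is* one padded CBC block, the plaintext is at most 15 bytes.
        "max_plaintext_if_padded_cbc": len(ciphertext) - 1 if len(ciphertext) % BLOCK == 0 else None,
    }


if __name__ == "__main__":
    for k, v in parse_openssl_salted(POSTED_BLOB).items():
        print(f"{k}: {v}")
```

Two practical notes: the salt is public by design and does not weaken the scheme, and the "encrypted base64" wording in the comment is slightly off, since base64 is only the transport encoding around the ciphertext.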



