Password Managers - Better than a Post-It?


  1. Posts : 353
    Windows 10 Professional
       #1

    I’ve looked at some discussions here and elsewhere, and my wife hit me with a question last night…

    You follow the clamor saying you need a password manager – presume Dashlane or Lastpass or something equivalent. HOPEFULLY, you find one that HAS actual, accessible, human support (unlike those two).

    You go through the interminable process and create dozens of long, arcane, impossible-to-remember nonsense passwords, each unique for web sites, products, logins, whatever. You create some long, cumbersome MASTER password for getting into the thing, and turn on 2FA ‘cause they all seem to encourage this now.

    And, you’re a person that DOESN’T like screen clutter (my wife is a “clean desktop” maniac who OPENS a tool, uses the tool, CLOSES the tool). So to check what cousin Gertrude is having for lunch, you go through the whole process of getting the 2FA key, enter that, then enter the password manager password, open Facebook, check whatever, then Log Off Facebook and close the browser. Come back next time and do it again, maybe this time to Amazon, do stuff, finish, close Chrome. Repeat untold times per day for browsers, email, applications, anything you normally do, over and over, all day.

    And for whatever reason, you prefer Firefox for doing financial stuff, so if you want to get into your bank, credit cards, portfolio, anything financial, you start that browser – and go through the whole process again.

    Even to open a LOCAL application you have to log into the Password manager and manually copy the username and password to paste into the login. Which means going through the whole login again.

    After about the 8th time doing that today, you log into the Password manager and hit the “stay logged in for the next 14 days” ‘cause it’s just more hassle than it’s worth to go through this process 20-30-40 times a day, especially if you regularly mistype the password and have to repeat…

    Here’s the question I was asked: “Didn't you just UNDO all the security you had? Wouldn’t the passwords be safer on a piece of paper taped to the screen where some virus or worm or trojan or 12-year-old in East Overshoe can’t break into the computer and access them?”

    I didn’t have a good answer.

    So, HOW do you use a Password Manager that’s secure, easy to use, doesn’t require logging in over and over, is readily accessible, but still secure from any malware or other intrusion getting at those dozens of passwords and secure notes with all the registration information, credit cards and everything else the Password Manager is supposed to be protecting?

    I have the horrible feeling the answer is going to be “you’re screwed”. You either go through the whole login dozens of times/day or you make all the passwords “123456” so you can remember it, and take your chances… Hopefully, I’m wrong?


  2. Posts : 812
    Win10
       #2

    Well, no.

    But here is my own method instead of using password managers: add all your passwords for your websites and email or whatever onto a USB stick encrypted with BitLocker using strong AES-256, and then all you need to remember is the BitLocker password to decrypt the USB drive.

    I would even suggest getting one more as a backup.

    But the issue with this method is syncing across platforms which is the only drawback.


  3. Posts : 115
    windows 10 home
       #3

    Hi, I use LastPass Password Manager Family, and am very pleased with both security and support.


  4. Posts : 2,068
    Windows 10 Pro
       #4

    I use LastPass to generate "secure passwords". From there, I have a text document that I keep which is in an encrypted location that stores all of my usernames/passwords for things. This is stored in multiple locations. This is my master list.

    For convenience, I use LastPass and have it store my passwords once I am logged into my computer. I do use two factor for a variety of things, but not everything as this level of protection is not needed everywhere.

    I find this a nice mix of what works well for me, is not too cumbersome and hasn't failed me in the past.


  5. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #5

    I use Bitwarden, but I self-host my password manager; I have it in a container on my Docker from bitwardenrs on my Linux server.
    It's protected behind a reverse proxy with custom CSP, TLS settings with geolocation restrictions, fail2ban and two-factor authentication. 😊


  6. Posts : 5,452
    Windows 11 Home
       #6

    GracieAllen said:
    I have the horrible feeling the answer is going to be “you’re screwed”.

    Yes. You cannot have it all; you have to pick.

    [Attached image: security-triangle.png]

    You can unlock some password managers via PIN, just like Windows Hello.


  7. Posts : 1,621
    Windows 10 Home
       #7

    I have been using StickyPassword for a while now; so far, it's OK. For me, it seems to work best with Windows 7, Android, and finally Chromebook, in that order.


  8. Posts : 353
    Windows 10 Professional
    Thread Starter
       #8

    Thanks for the replies... I think my question goes beyond the individual password manager.

    On top of the other stuff, you've got FIVE devices that all have to work the same way - 3 Windows PCs and two Android phones. They all have their own passwords and secure notes, and they all have SHARED passwords and secure notes.

    So, while putting things on a flash drive is fine if you're the only one that needs the information, it's not very practical with multiple people and multiple devices. I used 4 or 5 different password managers when I was testing. I too like LastPass. I used Bitwarden and it was OK, but it never felt very finished, and it was a really tough sell with the domestic associate. We ended up going with Dashlane for a year to see, but in June I'll likely migrate everything to LastPass and try that. In THEORY, and I've NEVER been able to get anyone to give me a flat, direct answer, it's capable of providing login information for local applications (not websites) - Creative Cloud or Zoom for example.

    But, WHY would LastPass be any more secure than Dashlane? You're STILL going to tell it NOT to make you log into every browser every time you start one, or make you log in every time you need to start some local application, right? Even WITHOUT the 2FA, you're not going through the whole "login" every time with every action, right?

    Same question for Bitwarden. Are you going through the whole login every time you want to log into any site, every time you start a browser? If not, how is it any more protected against malware than having Dashlane not forcing a login except every 14 days?

    It's not a "do they work", they all work (I don't know anything about Sticky Password, but I've used the others), it's how do you get Security, Ease of Access, <whatever the third thing was> in a good package. Do you have a recommendation for a package that can be unlocked with a PIN? And is using a 4-digit PIN instead of a 23 alpha-numeric, random string of gibberish still secure? It sounds only marginally better than just having the Password Manager available all the time.

    Which, just because of my ignorance, WHY does Dashlane allow you to turn everything on for 14 days, even across reboots, if it's a big security hole?

    Anyhow, if you've got a recommendation for a good package that allows unlocks with a PIN, that seems at least a LITTLE better than nothing....


  9. xTL
    Posts : 396
    Windows 10 Pro 64-Bit
       #9

    I'll answer the Bitwarden questions as I use the software...
    My browser is not set to log me out every time I close it, so therefore I'm still logged in to sites that have credential requirements once I have logged in via Bitwarden.

    A password manager does not protect against malware; it's not designed to. To have protection against malware and other malicious code that can infect Windows systems, you need other types of software, like Kaspersky or Malwarebytes etc.


  10. Posts : 353
    Windows 10 Professional
    Thread Starter
       #10

    OK, so don't sweat the password manager, let the system security stuff keep the malware away from that.

    Which leads to a security software question I'll ask separately...


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 11:44.
Find Us




Windows 10 Forums