Honestly, I think your opinion is unpopular because it demonstrates a serious lack of understanding or thought.

If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised. In the case of a password manager, the manager itself is the one that needs to be compromised, and you have more reason to trust them to avoid being compromised than some other random site. Some random sketchy website being hacked doesn't need to affect the rest of your network of logins if you use a manager.

Most password managers (such as 1password) won't let anyone from any machine access your stored passwords over the web by just supplying your single password. They require multiple extra steps that are quite limiting, so for the most part they first need access to a computer that you've already installed your password manager on.

Furthermore, if your password manager is compromised, you have a very clear path to your password on that manager, and then a list of all the websites, usernames and passwords that you need to change in order to regain security. By contrast, I'm still rediscovering old websites I used 10 years ago that used my old omni-password which was compromised.




> If you re-use the same password for all sites, it takes just one sketchy site being compromised for all of your other sites to become compromised.

And speaking as someone that operates a website accepting passwords, this happens more than you'd think. There are hackers that actively try leaked lists of username / passwords against websites using botnets. If your password is leaked by one website, people will attempt to reuse it on other websites.
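The pattern described in that comment, leaked username/password pairs replayed against a site from a botnet, leaves a characteristic trace in auth logs: one source address failing against many distinct accounts. The following is an added example, not code from anyone in the thread; the log line format, the sample lines and the threshold are constructed assumptions.

```python
"""Credential-stuffing detection over constructed auth log lines (added
example, not from the thread). Flags sources that sweep many distinct
accounts, then lists accounts that succeeded from those sources."""
from collections import defaultdict
import re

# Constructed sample log; assumed format: "<ts> <OK|FAIL> user=<u> ip=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:02 FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:02 FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:03 OK user=dave ip=203.0.113.7
2024-05-01T10:00:03 FAIL user=erin ip=203.0.113.7
2024-05-01T10:00:10 FAIL user=alice ip=198.51.100.2
2024-05-01T10:00:11 OK user=alice ip=198.51.100.2
2024-05-01T10:00:20 FAIL user=frank ip=192.0.2.9
2024-05-01T10:00:21 FAIL user=frank ip=192.0.2.9
2024-05-01T10:00:22 OK user=frank ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")

def parse(log):
    """Yield (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def detect_stuffing(log, min_users=3):
    """Return {ip: sorted distinct users attempted} for every source IP that
    tried at least min_users different accounts. A user mistyping their own
    password hits one account from one IP; a stuffing run sweeps many
    accounts from one source, so distinct-user count per IP is the tell."""
    users_by_ip = defaultdict(set)
    for _ts, _result, user, ip in parse(log):
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def successful_logins_from_flagged(log, flagged):
    """Accounts that logged in OK from a flagged source: the likely
    password-reuse victims, who need a forced reset rather than a lockout."""
    return sorted(user for _ts, result, user, ip in parse(log)
                  if result == "OK" and ip in flagged)
```

On the constructed sample, 203.0.113.7 is flagged for touching five accounts and `dave` is the one account that accepted a replayed credential.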


Your mistake is assuming I had not thought of that. I have, and my position remains the same.


Then you should explain why you think what you think instead of just throwing around self-proclaimed "unpopular opinions" without any explanation.

With the information you've provided (i.e. none), it really just looks like an uninformed opinion.

Why do you think the points I listed above don't make password managers more secure than password reuse?


Do you have a counterpoint, or do you have this opinion solely for the sake of having a contentious opinion?


Using a password manager is a good idea.

Using a password manager as a service is my point of contention.


You still haven't substantiated your opinion in any way.


What if service goes away?

Even if a stand-alone app vendor goes away, the app still works. There are things that I see as okay as a monthly service, like Netflix or other content providers where the content is literally changing month to month.

Stand-alone software that rarely changes, like 1Pass, does not warrant a monthly service fee from me. I am self-hosting the content, so I don't need their cloud services.


Playing devil's advocate here, but the service fee (at least to my mind) is more for the maintenance & upkeep of the infra.

I'd gladly move to self-hosting if it was only me. But after a few months, I was able to convince my wife to use it for convenience and security. So if there's an issue with the self-hosted version, it wouldn't just be me impacted, but my wife. And that's an SLA you don't wanna break. :D

Also, while I know I could probably do a decent job securing the hosting server, I would rather not have that on my mind. That's not my day-job, so I'll leave it to a team of people who are paid to do that.

Lastly, the service fee is $60/yr, but for sake of argument, let's call it $100. That's 2hrs of my time at my hourly pay. If setting up a self-hosted version takes me more than 2hrs to get it running, it's not worth my time.


Haha, those are great points. However, if you make $50/hour and it takes anywhere close to an hour to install 1Pass, you're overpaid!! The install is super simple. Setting up the passwords is an ongoing thing and something I consider outside of the initial setup of the self-hosted version.


Ha! I was referring to a self-hosted password manager. I looked at keepass some long time ago (in internet time anyways, likely 4ish years ago), and after starting to get things hooked up and trying to demo it for the spouse, I realized that it wasn't worth my time.

I'm 1000% behind them existing and am planning to toss them a donation cause I like that these FOSS alternatives exist, but I'd rather not have to manage my own in the end.

I've gotten past the stage of wanting to do it all on my own and hit the point where I'd rather pay a company to do it so I can go about the things I want to do in my free time (hobbies and spending time with my kids). I know it means I'm potentially trading privacy for this convenience, but it's something I've accepted in this case.

My new campaign is to convince the spouse that we should move away from free email into paid.


I too do not begrudge someone trying to make a business model work, and I'm happy for anyone that uses that model to stop using the same username/password combo for everything. However, due to the sudden and unexpected loss of all income thanks to the pandemic, I have totally given a re-think to my old saying of just throw money at the problem. I'm now one of those old farts that looks past the "affordable" monthly fees to how much extra it's costing rather than owning outright. The big exception is if the monthly expense allows me to make enough money that the monthly expense makes sense.


Because it's a service many things can happen.

Hacking aside... there are many ways in which it can go wrong:

- There can be an outage and you get locked out of your keys. You can have a connectivity issue to the service.

- The service can be discontinued or they could randomly terminate your account based on some automated system decision by mistake, sometimes with no right to appeal...

- They can change leadership and start mismanaging the service, or start selling your data like the services you use and such.

- They can start cutting corners and rushing unsafe things live.

- They can offshore all their development and reboot the team somewhere cheaper, at the expense of introducing defects during the transition.

- They can be ordered by a government to have a backdoor.

- There can be disgruntled employees, infiltrators, bad hires, malicious employees, etc...

And finally, they're a famous service that is known to have the keys to many other systems. This makes it very lucrative for a black hat to attempt to hack them. Even smart, dedicated people are not safe from 0day vulnerabilities that nobody knows exist.

Many things can go wrong. And what happens when they do? You can get locked out of essential services you need, or someone can ruin your life, force you to pay a ransom or even make you homeless if they wanted to.

Then, there are other aspects I don't like much. You can set a secure password, but then your browser will ask you to remember it. Some services allow you to skip MFA in a trusted computer... so then all your stuff is simply behind physical access to one of the trusted devices.

I don't know, it just doesn't feel right to me.

And by the way: I started by saying it's an opinion. It's an unpopular, provocative opinion, but I was honest enough to communicate it was indeed an opinion. I did not say it was a fact. Opinions are subjective, facts are not.


Regarding outages, services such as 1Password allow you to locally save your keys. An outage might interrupt synchronization, but you won't lose access.

As far as the other concerns, I'd say these concerns are all present in the 'single password re-use' strategy as well, except instead of choosing one single company to trust over your stuff, you now have to trust every single website you log into to safeguard your passwords, lest a malicious actor gets access to everything.

I agree there are downsides to services, but I disagree very strongly that the situation with services is no better than just re-using a password.


It still goes against the principle of defense in depth. You defeat one layer and you gain control over everything.

Even if that layer is composed of a password and MFA, it is still one layer.

And by using a SaaS password manager you would have also done another part of the job on behalf of the adversary: enumerate what they have access to.

If you are a VIP, persistent adversaries will find a way somehow.


Even though you thought of ways in which A is more secure than B, your position that B is just as secure as A remains?

Also: What is, in that case, the proper solution ordinary people should follow?



