I'm a firm proponent of using a password manager like Keepass to generate and s

Question

I'm a firm proponent of using a password manager like Keepass to generate and store secure passwords. I also encourage others to do the same.

But there's always one person who says they'll never use it because it keeps all their passwords in one place, so if an attacker breaks into their Keepass database, they will then have all their passwords.

I've been pointing out that the same thing can happen with their email accounts, and that the attacker can just use the "forgot your password?" option to get all their passwords, but it usually doesn't help, and I'm a bit curious about this myself.

Does anyone have any more in-depth rebuttals to this?

Explanation / Answer

In my opinion, there's a long answer to this question, and there's a short one. The short one goes something like this:

Most of the exposures (of usernames and passwords) we see are not targeted attacks against an individual, but they can result in an individual's credentials being exposed. A password manager helps to limit the impact on a single user by allowing them to use different passwords across all websites they access, while minimising the risk that they will forget them.

From my experience, people who oppose the use of a password manager are afraid of a targeted attack against themselves, rather than the opportunistic attacks I described - but they are correct: if someone gets access to their password repository, it's game over.

Now, there's a "right" and a "wrong" way to use password managers. Here are some tips:
