
Password managers really do need to be forced on people, not only because of unsafe password issues but because of username issues listed in the OP as well.



At the risk of going a bit on a tangent, what password manager would you recommend for my grandma?


Use a paper notepad. Generate passwords by opening a dictionary at random for 3 words, with a random number at the end.

It’s not as good as, say, 1Password but it’s more likely to get used. Combine it with the browser or OS level password manager. It’s good enough for grandma, definitely better than “kitten4” that she’s currently using everywhere.

On a tangent, stereotyping this as “grandma” is a bit unfair. Most of my colleagues are college educated males in their 20s, some of them developers. And their passwords are rubbish, with no password manager, and no 2fa.


Aside from how painful that sounds, paper notepads can easily get lost. And if she's out and wants to check stuff on her phone (or trying to check her bank account at my aunt's home, or whatever), is she supposed to carry it all around and risk getting it stolen? If that's the implication, I'd rather she just have kitten4 at that point.

(And re: the grandma thing: it's nothing specific to grandmas, it's because the moment you suggest your audience is "college educated developers in their twenties" as in your case, people throw the notion of UI/UX out the window and recommend you suggest they compile their own kernel first. It seems you just can't win.)


If we make a crude risk assessment, it is way more likely that her account will be randomly hacked by a botnet if she has "kitten4" as a password than someone actively stealing her purse to get her passwords. And if the notebook with passwords was stolen/lost, she would at least know it and be able to take preventive measures.

For most people, writing (good and unique) passwords down in a notepad is a way more secure system than having the same bad password for every account.


You only need unique passwords and a username.

Having a botnet guessing the random "kitten4" password for a random user account is as likely as having your purse stolen for the passwords on that note. FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication, even if you allow brute force attacks. Empirically speaking, obviously it's going to fail in the end but I hope you get my drift.


> FWIW "m" is almost a secure password on a root account with an SSH that allows password authentication

This is very counter-intuitive. Is the idea that guessing both the username and the password together is much harder than guessing the password when you already know the username?

In the kitten4 example, I would guess most botnets are working from a list of usernames/email addresses that they got from leaks.


Thanks, I misunderstood GP about how kitten4 was used.

> Is the idea that guessing both the username and the password together is much harder than guessing the password when you already know the username?

No, to be clearer no one in the last 6 years has ever tried "m" as a password on my root accounts.

I feel very strongly that there is too much stigma around passwords, kitten4 is a nice password if you use it only once.


We are obviously talking about a different stereotype. My “grandma” already keeps various notepads - recipes, appointments, address books. And she never has an urgent need to check her bank account while at Auntie Rita’s. As such, this fits her needs and workflow.


Yeah. In fact most likely, she's already written down "kitten4" in a notepad somewhere, because she doesn't trust herself to remember. So asking her to use a slightly longer password is not a massive change.


> Use a paper notepad.

That's what my grandpa does. After failing to find his gmail address in it, he went through the "forgotten password" process. Then, after needing it the third time, we found the old password in the notebook, which was now wrong...


3 words isn't nearly enough. Typically you'd want at least 6-7, or ideally 8-9.


Depends on what you're protecting. Try not to lose sight of the idea that security doesn't exist in a vacuum.


Xkcd's classical correct horse battery staple is about 40 bits of entropy, while being selected uniformly at random from a fairly large pool of words.

I can assure you that the average user wouldn't get above 15 - 20 bits with self selected words. That's often worse than most current passwords.
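To put numbers on the word-count argument in this comment and the earlier "3 words plus a number" suggestion, here is an added example (not from any commenter) that computes passphrase entropy for a given pool size and word count, generates such a passphrase with a CSPRNG, and converts bits into exhaustive-search time at two guess rates. The pool sizes (2048, 7776, 50000) and the 100-word "effective pool" used to model a person choosing words from memory are assumptions.

```python
import math
import secrets

# Entropy model for dictionary-word passphrases (added example; pool sizes are assumptions).

def passphrase_entropy_bits(pool_size: int, word_count: int, digit_count: int = 0) -> float:
    """Bits of entropy when each word is drawn uniformly and independently from a
    pool of pool_size words, followed by digit_count uniformly random decimal digits."""
    if pool_size < 2 or word_count < 0 or digit_count < 0:
        raise ValueError("pool_size must be >= 2; counts must be non-negative")
    return word_count * math.log2(pool_size) + digit_count * math.log2(10)


def generate_passphrase(wordlist: list[str], word_count: int, digit_count: int = 0) -> str:
    """Draw words with the OS CSPRNG (secrets), not random.choice, so the
    entropy figure above actually applies to the output."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    digits = "".join(secrets.choice("0123456789") for _ in range(digit_count))
    return " ".join(words + ([digits] if digits else []))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate (attacker's worst case)."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_scenarios() -> dict[str, float]:
    """Bits for the schemes discussed in the thread. Assumed pools: 2048 (xkcd-style),
    7776 (diceware), 50000 (a printed dictionary) and 100 as the effective pool
    when a person picks 'random' words from memory rather than from a list."""
    return {
        "4 words, 2048-word pool (xkcd)": passphrase_entropy_bits(2048, 4),
        "3 words, 7776-word diceware pool": passphrase_entropy_bits(7776, 3),
        "3 words + 2 digits, 50000-word dictionary": passphrase_entropy_bits(50000, 3, 2),
        "8 words, 7776-word diceware pool": passphrase_entropy_bits(7776, 8),
        "3 self-chosen words, ~100 effective pool": passphrase_entropy_bits(100, 3),
    }


if __name__ == "__main__":
    # Constructed mini wordlist for the demo; a real one would have thousands of entries.
    demo_words = ["battery", "correct", "horse", "staple", "kitten", "notepad", "teapot", "river"]
    print(generate_passphrase(demo_words, 3, 2))
    for name, bits in compare_scenarios().items():
        # 10 guesses/s models a rate-limited login form; 1e10/s an offline crack of a fast hash.
        online, offline = years_to_exhaust(bits, 10), years_to_exhaust(bits, 1e10)
        print(f"{name}: {bits:5.1f} bits, online {online:.2e} y, offline {offline:.2e} y")
```

The self-chosen-words row lands near 20 bits, which is the gap the comment above describes between a uniformly drawn passphrase and one a person "picks at random".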


Get her an iPhone or iPad, and have her use the built-in password manager.


Anything using cheaper/more common hardware? So the user doesn't have to buy new hardware and switch ecosystems just for the sake of being able to manage passwords? (i.e. anything PC/Android?)


Is your grandma REALLY tied to some ecosystem?

Is she a Visual Studio Code developer? Does she need to manage Docker containers?

Security does require new hardware because iOS is leaps-and-bounds better than any other system.

There is no other option. Nothing else comes close.


I mean, if you agree that the only option for mass adoption of password managers is to get people to shell out $$$+ for new hardware and switch ecosystems, I rest my case.


Not sure what your case is?

Were you expecting security in broken systems like Android? Instead of forcing security onto a broken system, just avoid that system?

The first step of security: stop using Android.

And you haven't explained why your grandma is tied to an ecosystem. I'm honestly asking if she's a developer or not?

What is her use case? Why does she need to be on a specific platform?


As developers we might be used to paying 100s of euros (or signing up to a contract to effectively do the same over time) on a phone, but the point is $grandma may not be willing to spend even 20% of an iPhone budget (and definitely not replacing it by the time OS updates end).


You don't need to be a developer to be tied to an ecosystem. Maybe she wouldn't want to lose her Candy Crush purchases?


Is your grandma Grace Hopper? Or someone more stereotypical?


Not quite Grace Hopper, just Hedy Lamarr. :-P

(Wouldn't the question only make much sense in just one of those cases...? Not sure if I'm missing anything.)


There's a case made that statements like "so my grandma can use it" are (unintentionally) implicitly ageist and sexist -- Grace Hopper worked in computing until her death at age 85.


KeePassXC on desktop, KeepShare on mobile.


KeePassXC doesn't support synchronization though?


I use KeePassXC and the Android app and just email the database to myself if I update it. Not very elegant, but I couldn't think of an easier way.

I tried using Google Drive to sync it up, but Drive is useless for this - it doesn't open the file using the right intent on Android ("file type not recognised" or something similar it says, this used to work as well) and the Drive website makes it a pain to upload an updated file even from the desktop using Chrome.


Emailing your database to yourself after every change sounds... very painful. And error-prone.

In my case, I use KeePass 2 and KeePass2Android with Google Sync and it works decently well (I would recommend you try this). I would never recommend it to non-technically-minded folks though.


Nah, doesn't hurt at all :) The db doesn't change often so isn't a big deal.

Sync looks to be for Google-domains/business only. In fact Wikipedia says it has been discontinued! I used to sync over owncloud and that worked pretty well, but the provider shut down and I haven't gotten round to setting another up.


I'm confused, would you mind clarifying? What is for Google-domains/business only and has been discontinued? I'm using the software I mentioned with a regular @gmail.com account and it syncs fine with my Google Drive. I don't have gSuite/a business account/anything else.


You weren't talking about this? https://en.wikipedia.org/wiki/Google_Sync - I guess not. I think the sibling poster cleared it up though, the app I'm using is pretty old and doesn't integrate well any more in Android, there's a newer Keepass app that works with Drive natively.



KeePass2Android supports Google Drive natively. Open that app instead of opening the specific file from Drive.


Ahh! I have been using Keepass Droid, since I was using Keepass v1 files. For a long time Ubuntu LTS didn't have a good v2 client. A while back I upgraded my database to v2 on Ubuntu but stuck with KP Droid on Android. Maybe time to change app, thanks.


What kind of synchronization? Keeping the database in Nextcloud/Dropbox should work fine.


Interesting... that actually works fine? What happens if you make an edit to your password database on your phone, and then make another independent edit on your PC, and then they both get a chance to synchronize? Do they both persist, or do you lose one?


I can't honestly remember, it either lets you choose which file to keep or creates a copy. Might be that Dropbox and Nextcloud even behave differently. If I edit the file on mobile, I make a point of triggering the synchronization right after to avoid the problem.

If you're on Android, Keepass2Android [1] is an excellent app that implements the input with a special keyboard. This avoids risking your password via the clipboard. It even comes with a no-network-permission version!

[1] https://play.google.com/store/apps/details?id=keepass2androi...


I use Dropbox. I haven't actually tried that case since I rarely change my database from my phone. That said, I have had conflicts between two computers, but KeePassXC's built-in merge tool has fixed those nicely.


Dashlane. Synchronization included, easy to use, works both offline and online.



