
Let this thread be a reminder for everyone to use a password manager.



I'm willing to bet that a major upcoming security disaster is a compromised password manager that leaks out tens of millions of accounts and passwords in nicely structured XML that's perfect for automated attacks and frauds.

Yes, I use a password manager too, but an ancient one that has no Internet connection, no syncing, and no cloud storage.

The only "modern" password manager I've been able to find that works completely offline and is open source is KeePass -- so long as you don't install any of its plugins that open it up to Internet access.


What I do is use a password manager, but when it enters a password into an app or site, I type a few more characters after the end of it before logging in.

Kind of a secondary master password that's not stored anywhere except my memory and my safe.

Best of both worlds in my opinion.


This is awesome! (I think). I've never used a password manager, because I was afraid one breach there is worse than many breaches everywhere else. But, I am curious, if I use a complex formula in my mind to create passwords that are unique to every website I visit, and I store those in Chrome am I not safe? The only problem I see is that I do not update passwords regularly.


If that database in the browser ends up somewhere it should not, a curious attacker will have a nice list of examples to figure out the formula. I share your vulnerability and "password manager + brain-stored component" has been my unexecuted upgrade plan for many years.
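The point above about a leaked password list exposing a memorised formula can be shown in code. The following is an added example, not code posted by any commenter: `weak_formula_password` is a constructed stand-in for a "complex formula in my mind" (fixed personal token plus a transform of the site name), and `derived_password` is the usual defensive alternative, a per-site password derived with PBKDF2 from a master secret that is never stored alongside the outputs. Function names, the sample site names and the secret are all assumptions made for the illustration.

```python
import base64
import hashlib


def weak_formula_password(site: str) -> str:
    """A typical memorised 'formula': a fixed token plus a piece of the site name.

    Constructed for illustration only. Because the transform is reversible by
    eye, a handful of stored examples is enough to reconstruct the rule.
    """
    return f"Tr0ub4dor!{site[:4].capitalize()}{len(site)}"


def leaks_site_structure(site: str, password: str) -> bool:
    """Return True if the stored password visibly embeds part of the site name.

    This is the property an attacker with a leaked browser vault would exploit:
    the examples reveal the rule, so unseen sites can be predicted.
    """
    return site[:4].lower() in password.lower()


def derived_password(master_secret: bytes, site: str, counter: int = 1,
                     length: int = 20) -> str:
    """Derive a per-site password from a master secret kept only in memory.

    The secret acts as the 'brain-stored component': with it the password is
    reproducible, without it the outputs look unrelated to one another, so a
    leaked set of derived passwords gives no rule to extrapolate from.
    The counter lets a single site's password be rotated without changing
    anything else. Iteration count is a constructed example value.
    """
    salt = f"{site}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master_secret, salt, 200_000, dklen=32)
    # Standard base64 may contain '+' and '/'; switch to urlsafe_b64encode if a
    # site rejects those characters.
    return base64.b64encode(raw).decode()[:length]


if __name__ == "__main__":
    # Constructed sample sites and a constructed master secret.
    secret = b"correct horse battery staple"  # assumption: never written to disk
    for site in ("github.com", "gitlab.com", "example.org"):
        weak = weak_formula_password(site)
        strong = derived_password(secret, site)
        print(f"{site:12} formula={weak:20} leaks={leaks_site_structure(site, weak)}"
              f"  derived={strong}")
```

Run it and compare the two columns: every formula-based password carries a readable fragment of its site name, while the derived ones share no visible structure. Changing `counter` for one site rotates only that password, which is the same benefit the thread attributes to password managers, without the derivation key ever leaving your head.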


That's really clever.


Well, I use pwgen and gpg ┐(´ー`)┌

A great thing about password managers is that you can change your passwords more often since you don't have to bother coming up with and remembering new passwords. It can even be somewhat automated with pass-rotate: https://github.com/ddevault/pass-rotate



I wrote a `pass` plugin [1] that works similarly to xkcdpass — but integrates it into a password manager. Makes usage far easier!

1: https://github.com/pinusc/pass-diceware


I use https://pwsafe.org/ (or a few other file-format compatible apps on different platforms) and keep my password file (still with its own passphrase) in a keybase ( https://keybase.io/ ) private filesystem. Keybase's filesystem does a dropbox-style thing to take care of sync, and pwsafe doesn't need to know anything about the internet.


Keepass is amazing. I use Keepass2Android to keep a local file in my cellphone, and occasionally back up the encrypted file to my Google Drive.


> a password manager that leaks out tens of millions of accounts and passwords

While I agree that this would be a security disaster, it's not a whole lot different than someone using the same credentials for all their accounts. Also, one of the great benefits of a password manager is that they remove a very high mental cost of passwords. Before I used a password manager, although I knew it was good practice to change passwords, I wasn't willing to invest that effort into it. The cost of good random passwords was too high. Today, if my password manager was hacked, it would suck going through all my accounts and changing all the passwords - it would take a lot of physical time, but there would be no long-term fallout and mental effort involved for me. I'm not attached to those passwords - I don't even know them.


Yeah IMO the only "good" passwords are those hard to remember even by yourself.

Personally most non-trivial passwords of mine were generated by 'pass'.


As someone who speaks 4 languages, my passwords are always a combination of words from different languages together. I am wary of trusting a software with my password generation.



