I like to have as few accounts as possible. Add to that a little bit of laziness on my part and that is how I came up with the following way to keep track of all of my unique, long, complex passwords without a password manager.
What I need is for others to tell me why this is an idiotic idea.
I await your abuse.
I use the offline password generator LessPass.
Since whenever I am online I am almost always logged into my Proton account, I have a draft email titled âPasswordsâ that I have a list of all my account user names and unique passwords listed on. Then I just copy and paste from the draft email anytime I log into a new account. (of course I never send this draft to anyone, and my Proton account also has a very long, complex, unique password that I have memorized)
I donât think itâs idiotic because itâs less secure, itâs probably safe enough. I think itâs idiotic because of the all the manual work you need to do, and all it does is increase the chance you lose a password.
How does it increase the chance of losing a password?
The only manual work is putting the password into the draft the first time. True, it is more work but itâs kind of on the level of blinking three times is more work than blinking once.
Got it.
It was also pointed out to me in a DM that my emails arenât encrypted at Proton and that they have access to my emails. 2 things I was not aware of.
But maybe I misunderstood since Proton says the following: User information that the company may share with Swiss authorities includes email address, email subject lines, sender or recipient email addresses, last login time, and IP addresses of incoming messages
I donât see âemail contentsâ in that list, but if they collect that other stuff I donât see why they couldnât get the contents as well.
So far itâs Me-zero, Everyone else 3.
Unfamiliar with LessPass. Do you have a database in LessPass?
I could duplicate my system inside yours. I use KeePassDX on my phone, KeePassXC on a thumbdrive, and currently not using a password manager on a PC. Im doing thingsâŚ
The thumbdrive portable KeePassXC is more of a backup.
I could export a less sensitive list to Proton, maybe with out the notes and URL details, IDK. This would give me an additional back up and access to those less sensitive passwords I manage like my work passwords which I can easily recover or reset.
Iâm giving you a B- on digital minimalism and a A- on innovation of using a platform you already or using. Hows that for a scolding.
Get a useful password manager, and the limit your trust in Proton.
You do seem to have all your passwords in one basket.
I accidentally left my phone at the house today. Using my laptop I got on Signal and had a few contacts on Signal relay to my other contacts who may be looking for me, my situation.
I used my thumb drive to access my back up of passwords.
Overall I was productive not more productive just got some work done differently then I normally would. I challenge you to stress your system and see your weakness.
You have to have redundancy. Two is one and one is none.
Bitwarden is the easy way to go as it requires very little effort to set up on your end, is very secure and syncs between all your devices.
My preferred and favorite way is using Keepass with Syncthing:
Syncthing might take a little bit of time to set up but automatic effortless synchronisation between your devices is worth it. (even for things other than passwords)
This takes away the hassle of keeping a drafted email which is inconvenient, unpleasant and has big potential for user error (erasing all your passwords by mistake, deleting drafts from the app, losing access to your Protonmail account etc.)
Passwords that you update on any of your devices in keepass will be automatically and locally imported to your other devices (using a p2p connection).
If youâre worried about creating accounts both Keepass and Syncthing donât require any.
Keepass uses a local database file as a way to store your passwords and Syncthing runs with an ID system for devices to recognize each other meaning no accounts needed!
If you ever for some reason need to login to a service on a new temporary device (ex. on a friendâs device) you donât need to have a list of all your passwords, which is why you can use a service like Snapdrop to copy-paste your needed password between the two devices (using a p2p connection aswell) or keep an encrypted thumb drive with you containing the passwords.
Another added benefit to this technique is that you keep a backup of your password database when you share it across multiple devices.
I have been properly chastised.
Plus I also got some solid advice in multiple DMâs. I will stop being a knucklehead (at least on this topic) and make a change soon.
Thanks everyone.
I guess Iâm just a sucker for punishment.
I know I marked this as solved, which it is, but I just have a couple of speculative, silly additions. No need to continue reading if youâre not interested in possibly less-than-absolutely-serious topicsâ
I know password managers have many different features and flavors but the core functionality is-
Generate unique, long, complex passwords for each account that the average human would find impossible to memorize.
Guard those passwords in an encrypted vault locked with a unique, long, complex password.
(I understand, there is auto-fill, cross device syncing, etc. but letâs stick to these 2 core functions for now)
I have read up on Protonâs encryption practices over the past couple of days, received some great messages here about it, and even some clarification directly from the Proton help desk, and feel that I now have a solid grasp of their e2e and zero access encryption processes.
What exactly is the difference between my dumb (previous) habit of saving my passwords in a ProtonMail draft, and saving them in any other cloud-based password manager?
Both are in encrypted âvaultsâ locked with a long, complex, unique password.
As long as I have Clipboard History off, and clear the clipboard after pasting the password, Iâm struggling to see the difference in the core functionality.
Password managers are way more diverse:
Even tho the two options offer encryption and a way to store your passwords the 3 big differences in my opinion are functionality, user error and backups.
Functionality
When you save your passwords in a password manager there are certain features designed to make your life easier:
You can copy the full password in one click (there is usually a copy button) without having to manually select the text and risk hitting that backspace button (which would suck considering you donât have backups) or copy an incomplete password and spend 20 minutes wondering why your password isnât working even tho you were sure you saved it in your super secure state of the art email draft.
There is usually a search bar in password managers that will quickly allow you to find the account you are looking for. I personally have over 50 passwords and I canât imagine myself scrolling through an email draft to find one of them.
Passwords are way more organized and separated, you can add attachments and notes for labeling, you can add an icon to visually find the passwords faster and can change the color of each entry to make it visually pleasing (unlike some plain text in a draft)
You can immediately save a generated password upon generation unlike your draft system which would require more copy pasting. (previously known as crossing the river to get water)
Some password managers integrate 2FA among other interesting features, why miss out?
It looks cooler in a password manager.
User Error and recovery
Imagine doing your normal copy pasting routine and accidentally hitting the backspace button cause itâs a lazy morning and you just wanted to log in to your Techlore account to talk about email drafts:
User error is a big concern with plain text passwords because accidentally deleting even one character in a password will render it useless, enjoy your 2 hour hold with tech support.
You might accidentally delete your drafts and suffer for eternity.
Password managers keep previous instances of passwords stored for a limited time for recovery purposes, so even if you somehow managed to accidentally change your password and hit save, or delete an entry you can always recover a previous instance from your password manager or your other backups unlike your drafts which will happily sync it across your other devices.
You might forget your Proton Account logged in somewhere.
-It looks cooler in a password manager.
Backups
Keeping your eggs in one draft basket is not a good idea:
Database password managers like Keepass will keep your password in an encrypted database file that you can put anywhere you like meaning you will always have a copy of your passwords handy without needing to login to your Proton account.
The mighty backspace button strikes again! Proton drafts are synced to your account meaning if you accidentally delete something itâs now gone everywhere, not the case with physical backups.
Unlikely scenario: You are relying on Proton to stay online for you to keep your password draft, although itâs very very highly unlikely but how would you recover your list if Proton suddenly got nuked or something? (even if drafts are local you might not be able to access the app). Thatâs where physical backups that YOU own come in handy. (Unlike an imaginary email draft)
-It looks cooler in a password manager.
Security (the extra punishment cherry on top)
Anyone with access to your email account will have access to all your passwords, better not log on to your personal email at work! (trust me itâs tempting)
Vault entries are protected with a master password that is required every time you open the manager meaning even if somebody gets physical access to your phone they wouldnât have a full list of your passwords, unlike your trusty email draft which would happily hand them over. Imagine your funny friend - or friendly phone thief - somehow getting hold of your email draft and thinking itâs a good idea to email it to himself.
-Trust me, It really looks cooler in a password manager.
If all of this wasnât enough Iâd be happy to write another reply to bring you even more pain and guilt.
You are defining you password management practices, within your system well. With your manageable amount of accounts and solid recovery programs for each account do you feel confident you do not require a backup. With a back up how well do plan to keep your back up, up to date with out sync.
Once I worked on a good sync option I felt confident with cross device sync and sharing.
NextCloud was set up with Cloudamo from my home, utilizing KeePass I had a decent set up. I probably will not set this back up.
