I like to have as few accounts as possible. Add to that a little bit of laziness on my part and that is how I came up with the following way to keep track of all of my unique, long, complex passwords without a password manager.
What I need is for others to tell me why this is an idiotic idea.
I await your abuse.
I use the offline password generator LessPass.
Since whenever I am online I am almost always logged into my Proton account, I have a draft email titled “Passwords” that I have a list of all my account user names and unique passwords listed on. Then I just copy and paste from the draft email anytime I log into a new account. (of course I never send this draft to anyone, and my Proton account also has a very long, complex, unique password that I have memorized)
Bring it on.
How is that easier than just using bitwarden?
I don’t think it’s idiotic because it’s less secure, it’s probably safe enough. I think it’s idiotic because of all the manual work you need to do, and all it does is increase the chance you lose a password.
How does it increase the chance of losing a password?
The only manual work is putting the password into the draft the first time. True, it is more work but it’s kind of on the level of blinking three times is more work than blinking once.
To me, it just seems like you are crossing the river to get water.
I don’t see why you wouldn’t just use a password manager, but it’s your life your choice.
It was also pointed out to me in a DM that my emails aren’t encrypted at Proton and that they have access to my emails. 2 things I was not aware of.
But maybe I misunderstood since Proton says the following:
User information that the company may share with Swiss authorities includes email address, email subject lines, sender or recipient email addresses, last login time, and IP addresses of incoming messages
I don’t see “email contents” in that list, but if they collect that other stuff I don’t see why they couldn’t get the contents as well.
So far it’s Me-zero, Everyone else 3.
The body is encrypted, but the header isn’t encrypted.
Proton handles email as if you PGP encrypted it yourself, there is really no difference. You can encrypt the message, but not the encapsulation.
Don’t they hold your private key?
I do not know for sure, just asking.
They hold your encrypted private key, and your public key.
They can encrypt your messages, but they can’t decrypt them.
Unfamiliar with LessPass. Do you have a database in LessPass?
I could duplicate my system inside yours. I use KeePassDX on my phone, KeePassXC on a thumbdrive, and currently not using a password manager on a PC. I’m doing things…
The thumbdrive portable KeePassXC is more of a backup.
I could export a less sensitive list to Proton, maybe without the notes and URL details, IDK. This would give me an additional backup and access to those less sensitive passwords I manage like my work passwords which I can easily recover or reset.
I’m giving you a B- on digital minimalism and an A- on innovation of using a platform you already are using. How’s that for a scolding.
Get a useful password manager, and then limit your trust in Proton.
That was going to be my next question.
I’m looking around now trying to find confirmation of that on the Proton site.
I am red with shame.
Yeah, I know. I’ll just get a Password manager. Someday.
You do seem to have all your passwords in one basket.
I accidentally left my phone at the house today. Using my laptop I got on Signal and had a few contacts on Signal relay my situation to my other contacts who may be looking for me.
I used my thumb drive to access my backup of passwords.
Overall I was productive, not more productive, I just got some work done differently than I normally would. I challenge you to stress your system and see your weakness.
You have to have redundancy. Two is one and one is none.
Few things to think about:
- What’s your backup strategy? What happens if you lose access to your Protonmail account?
- Where do you store your Protonmail’s password? Do you just remember it?
The easy way:
Bitwarden is the easy way to go as it requires very little effort to set up on your end, is very secure and syncs between all your devices.
My preferred and favorite way is using Keepass with Syncthing:
Syncthing might take a little bit of time to set up but automatic effortless synchronisation between your devices is worth it. (even for things other than passwords)
This takes away the hassle of keeping a drafted email which is inconvenient, unpleasant and has big potential for user error (erasing all your passwords by mistake, deleting drafts from the app, losing access to your Protonmail account etc.)
Passwords that you update on any of your devices in keepass will be automatically and locally imported to your other devices (using a p2p connection).
If you’re worried about creating accounts both Keepass and Syncthing don’t require any.
Keepass uses a local database file as a way to store your passwords and Syncthing runs with an ID system for devices to recognize each other meaning no accounts needed!
If you ever for some reason need to login to a service on a new temporary device (ex. on a friend’s device) you don’t need to have a list of all your passwords, which is why you can use a service like Snapdrop to copy-paste your needed password between the two devices (using a p2p connection as well) or keep an encrypted thumb drive with you containing the passwords.
Another added benefit to this technique is that you keep a backup of your password database when you share it across multiple devices.
I have been properly chastised.
Plus I also got some solid advice in multiple DMs. I will stop being a knucklehead (at least on this topic) and make a change soon.
I guess I’m just a sucker for punishment.
I know I marked this as solved, which it is, but I just have a couple of speculative, silly additions. No need to continue reading if you’re not interested in possibly less-than-absolutely-serious topics–
I know password managers have many different features and flavors but the core functionality is-
- Generate unique, long, complex passwords for each account that the average human would find impossible to memorize.
- Guard those passwords in an encrypted vault locked with a unique, long, complex password.
(I understand, there is auto-fill, cross device syncing, etc. but let’s stick to these 2 core functions for now)
I have read up on Proton’s encryption practices over the past couple of days, received some great messages here about it, and even some clarification directly from the Proton help desk, and feel that I now have a solid grasp of their e2e and zero access encryption processes.
What exactly is the difference between my dumb (previous) habit of saving my passwords in a ProtonMail draft, and saving them in any other cloud-based password manager?
Both are in encrypted “vaults” locked with a long, complex, unique password.
As long as I have Clipboard History off, and clear the clipboard after pasting the password, I’m struggling to see the difference in the core functionality.
LessPass does not have a database.
You asked for punishment so here I am:
Password managers are way more diverse:
Even though the two options offer encryption and a way to store your passwords, the 3 big differences in my opinion are functionality, user error and backups.
When you save your passwords in a password manager there are certain features designed to make your life easier:
- You can copy the full password in one click (there is usually a copy button) without having to manually select the text and risk hitting that backspace button (which would suck considering you don’t have backups) or copy an incomplete password and spend 20 minutes wondering why your password isn’t working even though you were sure you saved it in your super secure state of the art email draft.
- There is usually a search bar in password managers that will quickly allow you to find the account you are looking for. I personally have over 50 passwords and I can’t imagine myself scrolling through an email draft to find one of them.
- Passwords are way more organized and separated, you can add attachments and notes for labeling, you can add an icon to visually find the passwords faster and can change the color of each entry to make it visually pleasing (unlike some plain text in a draft)
- You can immediately save a generated password upon generation unlike your draft system which would require more copy pasting. (previously known as crossing the river to get water)
- Some password managers integrate 2FA among other interesting features, why miss out?
- It looks cooler in a password manager.
User Error and recovery
Imagine doing your normal copy pasting routine and accidentally hitting the backspace button cause it’s a lazy morning and you just wanted to log in to your Techlore account to talk about email drafts:
- User error is a big concern with plain text passwords because accidentally deleting even one character in a password will render it useless, enjoy your 2 hour hold with tech support.
- You might accidentally delete your drafts and suffer for eternity.
- Password managers keep previous instances of passwords stored for a limited time for recovery purposes, so even if you somehow managed to accidentally change your password and hit save, or delete an entry you can always recover a previous instance from your password manager or your other backups unlike your drafts which will happily sync it across your other devices.
- You might forget your Proton Account logged in somewhere.
- It looks cooler in a password manager.
Keeping your eggs in one draft basket is not a good idea:
- Database password managers like Keepass will keep your password in an encrypted database file that you can put anywhere you like meaning you will always have a copy of your passwords handy without needing to login to your Proton account.
- The mighty backspace button strikes again! Proton drafts are synced to your account meaning if you accidentally delete something it’s now gone everywhere, not the case with physical backups.
Unlikely scenario: You are relying on Proton to stay online for you to keep your password draft, although it’s very very highly unlikely but how would you recover your list if Proton suddenly got nuked or something? (even if drafts are local you might not be able to access the app). That’s where physical backups that YOU own come in handy. (Unlike an imaginary email draft)
- It looks cooler in a password manager.
Security (the extra punishment cherry on top)
- Anyone with access to your email account will have access to all your passwords, better not log on to your personal email at work! (trust me it’s tempting)
- Vault entries are protected with a master password that is required every time you open the manager meaning even if somebody gets physical access to your phone they wouldn’t have a full list of your passwords, unlike your trusty email draft which would happily hand them over.
Imagine your funny friend - or friendly phone thief - somehow getting hold of your email draft and thinking it’s a good idea to email it to himself.
- Trust me, it really looks cooler in a password manager.
If all of this wasn’t enough I’d be happy to write another reply to bring you even more pain and guilt.
You are defining your password management practices within your system well. With your manageable amount of accounts and solid recovery programs for each account, do you feel confident you do not require a backup? With a backup, how well do you plan to keep your backup up to date without sync?
Once I worked on a good sync option I felt confident with cross device sync and sharing.
NextCloud was set up with Cloudamo from my home, utilizing KeePass I had a decent set up. I probably will not set this back up.
…the most comprehensive spanking I have ever received…
This had me laughing.
But here’s what finally convinced me:
As Ken Watanabe said in The Last Samurai- “This. Has been a good conversation.”