Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:
> Alan Browne <bitbucket@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

There’s lots of possible weak links.

- The key may be stored insecurely.
- If the key is derived from a password then the user may choose a weak
password.
- It’s easy to make a bad choice of KDF.
- The choice of cipher mode matters.
- For some cipher modes, how you choose the parameters matters.
- Some ciphers (including AES) are prone to side channels.

How much each of these matters is situational, but “256 bit AES
encryption” is not a complete description and may indeed not be good
enough, depending on the missing details.

--
https://www.greenend.org.uk/rjk/

In message <8735s99z9w.fsf@LkoBDZeT.terraraq.uk> Richard Kettlewell <invalid@invalid.invalid> wrote:
> Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:
>> Alan Browne <bitbucket@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>>
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.

> There’s lots of possible weak links.

> - The key may be stored insecurely.

The key is not stored at all. The key is the password that that the user
selects.

> - If the key is derived from a password then the user may choose a weak
> password.

Nothing anyone can do about that.

> - It’s easy to make a bad choice of KDF.
> - The choice of cipher mode matters.

Which is why these tools are audited by third parties and you should
only use tools that have been audited.

> - For some cipher modes, how you choose the parameters matters.

Ibid.

> - Some ciphers (including AES) are prone to side channels.

Ibid.

> How much each of these matters is situational, but “256 bit AES
> encryption” is not a complete description and may indeed not be good
> enough, depending on the missing details.

Ibid.

--
you cannot code around infinite implementations of OCD -John C Welch

On 2021-07-19 14:08, Keith Thompson wrote:
> Alan Browne <bitbucket@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

First off there is a difference between a "key" and a "password".

If the password is "a", the key will still be extremely strong at 256
bits and would look completely different to the key for password "b".
Of course that is not a recommendation.

As to passwords, it's trivial to make strong and easy to remember
passwords with a few misspelled words, mixed case, some symbols and digits.

--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens

Alan Browne <bitbucket@blackhole.com> writes:
> On 2021-07-19 14:08, Keith Thompson wrote:
>> Alan Browne <bitbucket@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.
>
> First off there is a difference between a "key" and a "password".

Sure (but sometimes they can be the same, right?).

> If the password is "a", the key will still be extremely strong at 256
> bits and would look completely different to the key for password "b".
> Of course that is not a recommendation.

Are you talking about a key being algorithmically derived from the
password? If the string "a" is all the information you need to unlock
an encrypted file, then an attacker is going to be able to unlock it,
whether it first has to be translated to a 256-bit key or not. (Or I'm
missing something.)

> As to passwords, it's trivial to make strong and easy to remember
> passwords with a few misspelled words, mixed case, some symbols and
> digits.

Sure. It's also easy for a password to leak in any of a number of ways.

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */

On Mon, 12 Jul 2021 09:53:00 +0000, Unbreakable Disease
<unbreakable@secmail.pro> wrote:

>My 50-year old brain isn't capable of memorizing that many passwords
>anymore, so I use KeePassXC. I keep basically everything here including
>my financial passwords and credit card data, with the exception of
>passwords that I would have to remember anyway (full-disk encryption,
>login, primary e-mail passwords, etc.)
>
>Overall, it's much easier to remember and much harder to forget 10
>complicated passwords that you use everyday than 100+ simple passwords
>you use every month or even less.
>
>I can't speak about Windows version of KeePass, because with the
>exception of playing games not available on Macintosh, I haven't used
>one since Windows 95 days.

For what it's worth, I like LastPass. I'm not crazy about the fact
that I can't use it on multiple devices without having to pay for it,
but I can't begrudge the software developers over there the right to
earn a living.

The best strengths in current password technology are in passphrases:

https://useapassphrase.com

There's some great stats in there, such as the amount of time it takes
to crack common spatial word passwords such as "qwerty" or "aaaaaa"...
10 milliseconds.

Or how long it takes to crack a password that's a date like
"03261981"... 2.213 seconds.

However, if you use a sequence of four randomly chosen words like
"mergers decade labeled manager", it'll take 6 million centuries to
crack.

So.

I've converted all my passwords to sequences of four to six words; and
I have an email account at a provider that I've never used to send
email to anyone, or to use as the id for any website. There, I have a
draft of an email saved that holds the information.

I now only need to remember one password, and I can get to everything.
As for the remote chance that the email provider will cease to exist,
I made backup accounts with other major providers, because paranoia.

I don't use email apps to access my password storage account; and I
use Tor to get to it for the sake of anonymity. I'd be fairly
impressed if someone got through that level of security, and it's
probably overkill, but why take the risk?

While I'm at it... does everyone know about

https://haveibeenpwned.com

You can put your email address in there, and see if it's been involved
in any large-scale thefts. It's got records going back years, and I
was fairly shocked to see that my wife's account had been hacked years
ago.

--
Cheers,
Dreamer
AA 2306

"The fact that a believer is happier than a skeptic is no
more to the point than the fact that a drunken man is
happier than a sober one. The happiness of credulity is a
cheap and dangerous quality of happiness, and by no means
a necessity of life."

George Bernard Shaw
Androcles and the Lion

Dreamer In Colore <dreamerincolore@hotmail.com> writes:
> On Mon, 12 Jul 2021 09:53:00 +0000, Unbreakable Disease
> <unbreakable@secmail.pro> wrote:
>>My 50-year old brain isn't capable of memorizing that many passwords
>>anymore, so I use KeePassXC. I keep basically everything here including
>>my financial passwords and credit card data, with the exception of
>>passwords that I would have to remember anyway (full-disk encryption,
>>login, primary e-mail passwords, etc.)
>>
>>Overall, it's much easier to remember and much harder to forget 10
>>complicated passwords that you use everyday than 100+ simple passwords
>>you use every month or even less.
>>
>>I can't speak about Windows version of KeePass, because with the
>>exception of playing games not available on Macintosh, I haven't used
>>one since Windows 95 days.
>
> For what it's worth, I like LastPass. I'm not crazy about the fact
> that I can't use it on multiple devices without having to pay for it,
> but I can't begrudge the software developers over there the right to
> earn a living.
>
> The best strengths in current password technology are in passphrases:
>
> https://useapassphrase.com
>
> There's some great stats in there, such as the amount of time it takes
> to crack common spatial word passwords such as "qwerty" or "aaaaaa"...
> 10 milliseconds.
>
> Or how long it takes to crack a password that's a date like
> "03261981"... 2.213 seconds.
>
> However, if you use a sequence of four randomly chosen words like
> "mergers decade labeled manager", it'll take 6 million centuries to
> crack.
>
> So.
>
> I've converted all my passwords to sequences of four to six words; and
> I have an email account at a provider that I've never used to send
> email to anyone, or to use as the id for any website. There, I have a
> draft of an email saved that holds the information.
>
> I now only need to remember one password, and I can get to everything.
> As for the remote chance that the email provider will cease to exist,
> I made backup accounts with other major providers, because paranoia.
>
> I don't use email apps to access my password storage account; and I
> use Tor to get to it for the sake of anonymity. I'd be fairly
> impressed if someone got through that level of security, and it's
> probably overkill, but why take the risk?
>
> While I'm at it... does everyone know about
>
> https://haveibeenpwned.com
>
> You can put your email address in there, and see if it's been involved
> in any large-scale thefts. It's got records going back years, and I
> was fairly shocked to see that my wife's account had been hacked years
> ago.

I use a couple of programs I wrote to generate random passwords and
passphrases:

https://github.com/Keith-S-Thompson/random-passwords

It's two Perl scripts. gen-password generates random passwords with
specified criteria, and gen-passphrase generates xkcd-style random word
sequences using the system dictionary or a specified one.

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */

Bob Eager <news0009@eager.cx> writes:

> On Wed, 21 Jul 2021 12:31:11 -0700, Keith Thompson wrote:
>
>> I use a couple of programs I wrote to generate random passwords and
>> passphrases:
>>
>> https://github.com/Keith-S-Thompson/random-passwords
>>
>> It's two Perl scripts. gen-password generates random passwords with
>> specified criteria, and gen-passphrase generates xkcd-style random word
>> sequences using the system dictionary or a specified one.
>
> I use dicewords and a set of casino dice.

What do you do when the password is restricted as is so often the case?

--
Ben.

On Thu, 22 Jul 2021 01:23:46 +0100, Ben Bacarisse wrote:

> Bob Eager <news0009@eager.cx> writes:
>
>> On Wed, 21 Jul 2021 12:31:11 -0700, Keith Thompson wrote:
>>
>>> I use a couple of programs I wrote to generate random passwords and
>>> passphrases:
>>>
>>> https://github.com/Keith-S-Thompson/random-passwords
>>>
>>> It's two Perl scripts. gen-password generates random passwords with
>>> specified criteria, and gen-passphrase generates xkcd-style random
>>> word sequences using the system dictionary or a specified one.
>>
>> I use dicewords and a set of casino dice.
>
> What do you do when the password is restricted as is so often the case?

It provides a basis to which I add stuff.

Jitsi does similar when choosing a random 'room' name, although I haven't
looked at the code.

--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org

On 19.07.2021 14:40, Alan Browne wrote:
> On 2021-07-12 05:53, Unbreakable Disease wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here
>> including my financial passwords and credit card data, with the
>> exception of passwords that I would have to remember anyway (full-disk
>> encryption, login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I use 1Password.  Be careful of the option you select.  They are leaning
> towards "rent" model which I despise.
>
> You can keep the encrypted master file on iCloud or Dropbox so it's
> available to all of your devices.  Avoid the 'rent' model if possible.
>
You can use any FOSS password manager. For me, anything that is not FOSS
is automatically suspicious (including 1Password). I don't trust
proprietary software and try to reduce its usage to minimum.

--
Tip me: bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f

bitcoin:bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f

On 2021-07-22 04:52, Unbreakable Disease wrote:
> On 19.07.2021 14:40, Alan Browne wrote:

>> You can keep the encrypted master file on iCloud or Dropbox so it's
>> available to all of your devices.  Avoid the 'rent' model if possible.
>>
> You can use any FOSS password manager. For me, anything that is not FOSS
> is automatically suspicious (including 1Password). I don't trust
> proprietary software and try to reduce its usage to minimum.

1Password has proven itself over time. I like companies that pay
employees to do things right when it's a critical component.

Free? You get what you pay for. So unless it's a wildly widespread and
popular package with many people maintaining it, it tends to crud.

The Gimp refers.

--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens

On 22.07.2021 13:52, Alan Browne wrote:
> On 2021-07-22 04:52, Unbreakable Disease wrote:
>> On 19.07.2021 14:40, Alan Browne wrote:
>
>>> You can keep the encrypted master file on iCloud or Dropbox so it's
>>> available to all of your devices.  Avoid the 'rent' model if possible.
>>>
>> You can use any FOSS password manager. For me, anything that is not
>> FOSS is automatically suspicious (including 1Password). I don't trust
>> proprietary software and try to reduce its usage to minimum.
>
> 1Password has proven itself over time.  I like companies that pay
> employees to do things right when it's a critical component.
>
> Free?  You get what you pay for.  So unless it's a wildly widespread and
> popular package with many people maintaining it, it tends to crud.
>
> The Gimp refers.
>
>
Well, I like free software. It's not always of the same quality as
commercial software, but at least its security can be tested by many
experts in the industry easily as anyone has access to the source code.
Anyone can read and edit it... understanding and making it work not so much.

--
Tip me: bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f
bitcoin:bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f

Secmail.pro is down, please mail me at current address instead

On 2021-07-27 11:27:00 +0000, Unbreakable Disease said:
> On 22.07.2021 13:52, Alan Browne wrote:
>> On 2021-07-22 04:52, Unbreakable Disease wrote:
>>> On 19.07.2021 14:40, Alan Browne wrote:
>>>>
>>>> You can keep the encrypted master file on iCloud or Dropbox so it's
>>>> available to all of your devices.  Avoid the 'rent' model if possible.
>>>
>>> You can use any FOSS password manager. For me, anything that is not
>>> FOSS is automatically suspicious (including 1Password). I don't trust
>>> proprietary software and try to reduce its usage to minimum.
>>
>> 1Password has proven itself over time.  I like companies that pay
>> employees to do things right when it's a critical component.
>>
>> Free?  "You get what you pay for."  So unless it's a wildly widespread
>> and popular package with many people maintaining it, it tends to crud.
>>
>> The Gimp refers.
>
> Well, I like free software. It's not always of the same quality as
> commercial software, but at least its security can be tested by many
> experts in the industry easily as anyone has access to the source code.
> Anyone can read and edit it... understanding and making it work not so
> much.

With the source code available for free, it also means the hackers can
more easily work out how to steal your information. Using open source
or hacked pirated versions for anything even remotely to do with
security is simply incredibly silly.

In article <sdpqco$1erg$1@gioia.aioe.org>, Your Name
<YourName@YourISP.com> wrote:

> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source

nonsense.

open source means it's easy to audit so that nothing undesirable is
hidden.

> or hacked pirated versions for anything even remotely to do with
> security is simply incredibly silly.

that part is true. using pirated versions is dumb.

On Wed, 28 Jul 2021 08:30:16 +1200, Your Name wrote:

> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source or
> hacked pirated versions for anything even remotely to do with security
> is simply incredibly silly.

Ah, a proponent of security through obscurity.

I think not.

--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org

On 2021-07-27 22:47:01 +0000, Bob Eager said:
> On Wed, 28 Jul 2021 08:30:16 +1200, Your Name wrote:
>>
>> With the source code available for free, it also means the hackers can
>> more easily work out how to steal your information. Using open source or
>> hacked pirated versions for anything even remotely to do with security
>> is simply incredibly silly.
>
> Ah, a proponent of security through obscurity.
>
> I think not.

I guess that's why the banks leave their vault doors open all night. :-\

Your Name <YourName@YourISP.com> wrote:

> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source
> or hacked pirated versions for anything even remotely to do with
> security is simply incredibly silly.

"Hacked pirated" versions aside, security by obscurity never works in
the long run.

The security of cryptosystems should depend on things like your key
management, not that nobody has got their hands on the source code.
Widely used systems like openssl are open source and better for it,
as they have open audits of how they are builts.

--
/* * * Otto J. Makela <om@iki.fi> * * * * * * * * * */
/* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki */
/* * * Computers Rule 01001111 01001011 * * * * * * */

On Wed, 28 Jul 2021 15:40:13 +1200, Your Name wrote:

> On 2021-07-27 22:47:01 +0000, Bob Eager said:
>> On Wed, 28 Jul 2021 08:30:16 +1200, Your Name wrote:
>>>
>>> With the source code available for free, it also means the hackers can
>>> more easily work out how to steal your information. Using open source
>>> or hacked pirated versions for anything even remotely to do with
>>> security is simply incredibly silly.
>>
>> Ah, a proponent of security through obscurity.
>>
>> I think not.
>
> I guess that's why the banks leave their vault doors open all night.
> :-\

Non sequitur.

--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org

In message <sdqjit$aif$1@gioia.aioe.org> Your Name <YourName@YourISP.com> wrote:
> On 2021-07-27 22:47:01 +0000, Bob Eager said:
>> On Wed, 28 Jul 2021 08:30:16 +1200, Your Name wrote:
>>>
>>> With the source code available for free, it also means the hackers can
>>> more easily work out how to steal your information. Using open source or
>>> hacked pirated versions for anything even remotely to do with security
>>> is simply incredibly silly.
>>
>> Ah, a proponent of security through obscurity.
>>
>> I think not.

> I guess that's why the banks leave their vault doors open all night. :-\

You obviously have no idea what "security by obscurity" means. A vault
is not obscure. If you hide you money in a hollow book, that would be
security by obscurity.

--
Demons have existed on the Discworld for at least as long as the
gods, who in many ways they closely resemble. The difference is
basically the same as between terrorists and freedom fighters.

In article <sdpqco$1erg$1@gioia.aioe.org>,
Your Name <YourName@YourISP.com> wrote:
>With the source code available for free, it also means the hackers can
>more easily work out how to steal your information. Using open source
>or hacked pirated versions for anything even remotely to do with
>security is simply incredibly silly.

Security by obscurity? Please tell us you're joking...this has to be one of
the most ignorant comments I've seen on Usenet in a good long while.

If you have access to the source code, you can verify that (1) secure
algorithms are in use and (2) those algorithms have been properly translated
into secure code that works. Without source code, you're potentially buying
a pig in a poke.

_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

In message <sdpqco$1erg$1@gioia.aioe.org> Your Name <YourName@YourISP.com> wrote:
> On 2021-07-27 11:27:00 +0000, Unbreakable Disease said:
>> On 22.07.2021 13:52, Alan Browne wrote:
>>> On 2021-07-22 04:52, Unbreakable Disease wrote:
>>>> On 19.07.2021 14:40, Alan Browne wrote:
>>>>>
>>>>> You can keep the encrypted master file on iCloud or Dropbox so it's
>>>>> available to all of your devices.  Avoid the 'rent' model if possible.
>>>>
>>>> You can use any FOSS password manager. For me, anything that is not
>>>> FOSS is automatically suspicious (including 1Password). I don't trust
>>>> proprietary software and try to reduce its usage to minimum.
>>>
>>> 1Password has proven itself over time.  I like companies that pay
>>> employees to do things right when it's a critical component.
>>>
>>> Free?  "You get what you pay for."  So unless it's a wildly widespread
>>> and popular package with many people maintaining it, it tends to crud.
>>>
>>> The Gimp refers.
>>
>> Well, I like free software. It's not always of the same quality as
>> commercial software, but at least its security can be tested by many
>> experts in the industry easily as anyone has access to the source code.
>> Anyone can read and edit it... understanding and making it work not so
>> much.

> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source
> or hacked pirated versions for anything even remotely to do with
> security is simply incredibly silly.

Once again you demonstrate a complete lack of knowledge on a topic. The
VAST majority of encryption is done with open source tools, you nimrod.
Not on;y that, but when companies try to write their own (like Telegram)
it turns out they write shitty software with massive security holes.

Please stop trying to weigh in on things you know absolutely nothing
about, it's embarrassing.

--
"Are you pondering what I'm pondering?"
"Sure, Brain, but how are we going to find chaps our size?"

In article <slrnsg3mjk.2fg5.g.kreme@m1mini.local>, Lewis
<g.kreme@kreme.dont-email.me> wrote:

> In message <sdpqco$1erg$1@gioia.aioe.org> Your Name <YourName@YourISP.com>
> wrote:
> > With the source code available for free, it also means the hackers can
> > more easily work out how to steal your information. Using open source
> > or hacked pirated versions for anything even remotely to do with
> > security is simply incredibly silly.
>
> Once again you demonstrate a complete lack of knowledge on a topic. The
> VAST majority of encryption is done with open source tools, you nimrod.
> Not on;y that, but when companies try to write their own (like Telegram)
> it turns out they write shitty software with massive security holes.
>
> Please stop trying to weigh in on things you know absolutely nothing
> about, it's embarrassing.

that would mean an end to his posts...

In message <280720211856021661%nospam@nospam.invalid> nospam <nospam@nospam.invalid> wrote:
> In article <slrnsg3mjk.2fg5.g.kreme@m1mini.local>, Lewis
> <g.kreme@kreme.dont-email.me> wrote:

>> In message <sdpqco$1erg$1@gioia.aioe.org> Your Name <YourName@YourISP.com>
>> wrote:
>> > With the source code available for free, it also means the hackers can
>> > more easily work out how to steal your information. Using open source
>> > or hacked pirated versions for anything even remotely to do with
>> > security is simply incredibly silly.
>>
>> Once again you demonstrate a complete lack of knowledge on a topic. The
>> VAST majority of encryption is done with open source tools, you nimrod.
>> Not on;y that, but when companies try to write their own (like Telegram)
>> it turns out they write shitty software with massive security holes.
>>
>> Please stop trying to weigh in on things you know absolutely nothing
>> about, it's embarrassing.

> that would mean an end to his posts...

<fingers crossed>

--
'The trouble with my friend here is that he doesn't know the
difference between a postulate and a metaphor of human existence.
Or a hole in the ground.' --Pyramids

On Mon, 12 Jul 2021 09:53:00 +0000
Unbreakable Disease <unbreakable@secmail.pro> wrote:

> My 50-year old brain isn't capable of memorizing that many passwords
> anymore, so I use KeePassXC. I keep basically everything here
> including my financial passwords and credit card data, with the
> exception of passwords that I would have to remember anyway
> (full-disk encryption, login, primary e-mail passwords, etc.)
>
> Overall, it's much easier to remember and much harder to forget 10
> complicated passwords that you use everyday than 100+ simple
> passwords you use every month or even less.
>
> I can't speak about Windows version of KeePass, because with the
> exception of playing games not available on Macintosh, I haven't used
> one since Windows 95 days.

I use Pass, which is a command-line only password manager using git and
gpg. It's good and lightweight.

On 2021-11-27 22:51:45 +0000, rtr said:
> On Mon, 12 Jul 2021 09:53:00 +0000
> Unbreakable Disease <unbreakable@secmail.pro> wrote:
>>
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here
>> including my financial passwords and credit card data, with the
>> exception of passwords that I would have to remember anyway
>> (full-disk encryption, login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple
>> passwords you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I use Pass, which is a command-line only password manager using git and
> gpg. It's good and lightweight.

MacOS has the Keychain app built-in.

1Password used to be a good third-party option, but recently it has
been tending more towards silly subscription-based pricing and storing
everything in the silly cloud. Probably best avoided in case some
future version decides that's the only way to use it.

There are numerous other third-party options.

rtr <rtr@nospam.invalid> wrote:

> I use Pass, which is a command-line only password manager using git
> and gpg. It's good and lightweight.

I also use it, though gpg is a bit clunky it helps me trust the cryptosystem.
--
/* * * Otto J. Makela <om@iki.fi> * * * * * * * * * */
/* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki */
/* * * Computers Rule 01001111 01001011 * * * * * * */