as apt a time as any to remind everyone: Don't Ever Ever Use The Same Password On Multiple Websites. if you're not using a password manager in 2024 you need to fix that right the fuck now. keepass is free and has a mobile app, there's no excuse
Honestly I'm curious - what's the advantage of password managers over writing them down? Because I feel like that's a really easy target for hackers as opposed to a physical book that can only be accessed if you're in my house.
i was going to just respond to this in the comments but it wound up long and it would be annoying of me to blast multiple paragraphs directly into a stranger's notifs. so here's the Courtesy Readmore (plus maybe this'll be of benefit to somebody else out there too)
password managers allow you to automatically generate long, secure passwords for every website. if you're writing them down you're probably still going to veer toward less-secure things you can easily remember and type, like dictionary words, rather than 20+ completely random letters, numbers, and symbols. and you'll be more likely to fudge it and repeat a password on some sites because writing them down every time is a hassle. for something like keepass, the password database file is encrypted, and itself requires a password to be accessed. so that master password can be the one you keep in a notebook somewhere if you need - something like a long but memorable phrase/sentence with some numbers and symbols integrated into it is good for that. as long as the database uses a long, not-easily-guessable password, nobody's likely to get into it any time in the next thousand years
and realistically, "a hacker downloading files off your computer" is just not an attack vector that you as a normal person are going to experience. the most realistic case is maybe you have your password database on your phone and then the phone is lost or stolen, but even then they are just going to wipe and sell the phone rather than trying to go through all your files, because as a normal person your files are just not valuable enough to bother with. when you get malware in 2024 it is almost always either crypto mining or ransomware, because those give attackers the most straightforward way to most likely extract some kind of money out of some number of people at scale
having long, unique, un-guessable passwords is easily the most impactful thing you can do for your personal cybersecurity. most information breaches happen at a Big Company level - facebook accidentally exposing a billion people's emails and phone numbers, shit like that. using a different password for every single site means that if one website shits the bed and their passwords are leaked, the damage is contained to that site and you don't have to panic worrying that your email and google and bank website and so on are also compromised. and the "long and un-guessable" part ensures that if somebody does try to brute-force your password in particular, they just cannot succeed because every character of length increases the number of possible combinations they have to try exponentially. password managers, in addition to keeping all your passwords in one secure and convenient place, make "long, unique, un-guessable passwords" the default that you will automatically use for every website without having to think about it
also, while a person breaking into your house to steal your notebook of passwords is unlikely, situations like "getting into a fight with a roommate/parent and them retaliating by digging through your stuff and finding your login info" are a lot more realistic for most people than about any form of cyberattack. and even if somebody is in a situation where that isn't a risk now, one day they might be living somewhere else, with different people. and if your password paper does get lost or stolen at any point (maybe you drop it while moving, or leave it behind after a vacation - you will have to physically bring that list anywhere you might want to log in to websites!), literally anyone who can read has immediate full access to that info
in the "dropped phone" scenario, an attacker has to unlock your phone in the first place (and no factory resetting or that would wipe the data), guess that you might have a password database saved somewhere on there, find it, and then have access to a supercomputer that may or may not be able to brute-force the encryption within the remaining lifespan of the universe. the risk of your passwords actually being compromised in that situation is just astronomically lower than just about anything else you ought to be worrying about. (unless you made your master PW something like password1. don't do that.)
note that my experience is with entirely local software like keepass. personally, i'd be a little more wary of cloud-based services, because then your database is on somebody else's server - a server that is a juicy target for attackers. but realistically as long as you have a good secure master password, it'll still keep anybody in this decade from being able to extract your info. i would hope those services have other measures in place too so that simply "slurping your file off the server and guessing the right password" isn't enough on its own to get somebody's full database, but i ain't a cybersecurity expert. i probably would still rather place my bets on a cloud password manager than none at all though
(and i know there Are cybersecurity experts on here so feel free to chime in with any details i've missed or gotten wrong)
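An added example, not part of the original post, showing two things the post describes: how a manager generates a uniformly random password from a CSPRNG, and why each extra character multiplies the brute-force search space by the alphabet size. The 1e12 guesses/second rate is a constructed assumption for an offline attack on a leaked database, not a figure from the post.

```python
import math
import secrets
import string

# Alphabet a manager like keepass would typically draw from: letters, digits, symbols (94 chars).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive brute force must consider: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the search space; grows linearly in length, so the space grows exponentially."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to a hit: on average half the space is searched before success."""
    seconds = (search_space(length, alphabet_size) / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, "| entropy bits:", round(entropy_bits(20, len(ALPHABET)), 1))
    # Constructed assumption: 1e12 guesses/s against a stolen, offline password database.
    for n in (8, 12, 16, 20):
        print(f"{n} chars: {expected_crack_years(n, len(ALPHABET), 1e12):.3g} years")
```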