I keep seeing people highly recommend them, but I’ve always thought it wasn’t very secure.

  • Ænima@feddit.online · 65 points · edited · 1 month ago

    There’s no guarantee anything is “secure,” anymore. Even if you run a self-hosted password manager, it could still be compromised at the package level or down the road through some exploit. I will say that since I started using Bitwarden as my main password manager, I have had to worry less about company data breaches and stolen passwords. I have no need to reuse passwords for any site or service. I can use the built-in 2FA with sites that require it and don’t have to have multiple apps. I can share passwords with my wife if she needs to access something under my name.

    In addition to storing logins, I can store secure notes, even storing login-specific notes within the login details for things like one-time-use passwords, etc. I can store various credit/debit cards and recall them into payment systems whenever I want, without storing them in a browser. When using the phone, I can tie the biometrics to the unlocking of my vault so, with the vault locked, I can easily unlock it to find the login/info I need to submit to an app or website.

    Obviously, all this comes with its own risks, but the level of risk of a password manager is far lower than the risk of reused passwords and the mismanagement of security at the corporate level. If you’re really hard-up to keep your stuff offline, other products exist that are locally stored, but you’ll likely miss out on access from outside the home in the event you need that login info somewhere else.

    Edit: I’ll also point out that the best passwords are ones that rely on unaffiliated words, with numbers or symbols sprinkled in. If I need to remember the password without my phone/outside help, I’ll rely on a password of 3-4 random words. Many of the password management tools available have some sort of password generation, and Bitwarden’s can generate randomized character passwords or randomized word passwords. Once I find a word combo I like and can remember somewhat, I add a capital randomly, a number somewhere, and maybe even a symbol to make a password that would take millions of years with current tech to decipher.

    As always, you do you, but I find password management tools such as Bitwarden, with a minimal yearly price tag, worth it for the ease of password generation/storage and the ability to access those passwords wherever I need to.

  • muusemuuse@sh.itjust.works · 1 point · 1 month ago

    It’s better than using the same few passwords everywhere. Passwords are being phased out though. The future is passkeys.

  • twice_hatch@midwest.social · 8 points · 1 month ago

    I do SyncThing and KeePass.

    Their URLs at time of writing are https://syncthing.net/ and https://keepass.info/

    I don’t remember which KeePass UI for Android I use. I think I use Syncthing Fork on Android

    That gives me the benefits of a cloud password manager, but the only cloud infrastructure is whatever SyncThing uses to do its peer-to-peer tricks. The password database is encrypted on disk with my root password, and then it’s encrypted end-to-end in transit because every SyncThing node knows the public keys of my other nodes.

    I almost never upgrade KeePass because I’m afraid of losing access to my passwords on my phone. SyncThing I do upgrade because that’s easier to fix.

    If you upgrade regularly, you’re vulnerable to the project being compromised. If you never upgrade, you’re vulnerable to whatever old code is vulnerable to. Personally I err on the side of not upgrading often.

    I also have my own implementation of diceware https://www.eff.org/dice
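The random-word passwords described in the first reply (3-4 unaffiliated words with a capital, a digit and a symbol sprinkled in) and the diceware implementation mentioned just above are the same technique. The following is an added, stand-alone example, not code from the page, from the EFF or from any commenter: it parses a wordlist in the EFF five-dice format, rolls dice with a CSPRNG, builds a passphrase, applies the "sprinkle" trick, and puts numbers on the strength. The six-line `SAMPLE_WORDLIST` is a constructed excerpt used only to show the format (the real list has 7776 entries), and `SYMBOLS` is an assumed symbol set.

```python
"""Diceware-style passphrase generation and a strength estimate (stdlib only)."""
import math
import secrets

# Constructed excerpt in the EFF wordlist format: five dice rolls -> one word.
# The real list at https://www.eff.org/dice has 7776 entries; these six lines
# only illustrate the format and are not the list itself.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
"""

EFF_LARGE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice roll
SYMBOLS = "!@#$%&*?"           # assumed symbol set for sprinkle()


def parse_wordlist(text):
    """Parse 'roll<TAB>word' lines into {roll: word}; blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        roll, word = line.split()
        if len(roll) != 5 or any(c not in "123456" for c in roll):
            raise ValueError(f"bad dice roll {roll!r}")
        table[roll] = word
    return table


def roll_dice(n_dice=5, rng=secrets):
    """Roll n dice with a CSPRNG (secrets, never random); returns e.g. '31462'."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(n_dice))


def roll_to_index(roll):
    """Map a dice string to a 0-based list index: base 6 with digits 1..6."""
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def generate_passphrase(words, n_words=4, sep="-", rng=secrets):
    """n_words picked uniformly and independently. Repeats are allowed on
    purpose: rejecting them would slightly shrink the keyspace."""
    words = list(words)
    return sep.join(rng.choice(words) for _ in range(n_words))


def sprinkle(passphrase, rng=secrets):
    """The commenter's trick: one random capital, one digit, one symbol.
    It buys only a few bits (log2 of positions x choices), far less than the
    ~12.9 bits of one extra word from the 7776-word list."""
    chars = list(passphrase)
    letter_positions = [i for i, c in enumerate(chars) if c.isalpha()]
    if letter_positions:
        i = rng.choice(letter_positions)
        chars[i] = chars[i].upper()
    chars.insert(rng.randbelow(len(chars) + 1), str(rng.randbelow(10)))
    chars.insert(rng.randbelow(len(chars) + 1), rng.choice(SYMBOLS))
    return "".join(chars)


def entropy_bits(list_size, n_words):
    """Entropy of n_words uniform, independent picks from a list of list_size."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the keyspace.
    guesses_per_second is set by the vault's KDF, so plug in the rate the
    attacker really gets against the vault, not a raw hash rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    roll = roll_dice()
    print("roll", roll, "-> index", roll_to_index(roll))
    phrase = generate_passphrase(table.values(), n_words=4)
    print("passphrase:", phrase, "| sprinkled:", sprinkle(phrase))
    bits = entropy_bits(EFF_LARGE_LIST_SIZE, 4)
    print(f"4 words from 7776: {bits:.1f} bits")
    for rate in (1e3, 1e6, 1e12):
        years = expected_crack_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"  at {rate:.0e} guesses/s: {years:.3g} years")
```

Run with the full EFF list by reading the file into `parse_wordlist`; the "millions of years" figure depends entirely on the guess rate you pass to `expected_crack_seconds`, which is why the same four words are fine behind a slow KDF and marginal behind a fast unsalted hash.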

    • Modern_medicine_isnt@lemmy.world · 3 points · 1 month ago

      I think, based on the question asked, this is a bit more complicated than OP is interested in. Just saying. But bravo for your dedication to keeping info out of corporate hands.

  • vipaal@aussie.zone · 9 points · 1 month ago

    With the arrival of near infinite phonebooks, the drive and know-how to remember 100s of phone numbers is lost to humanity.

    Passwords present added complexity to those of phone numbers. On top of a name to number (allowing a few collisions) passwords are required to be of certain length, contain an upper case letter, lower case letter, number, special character, and more importantly, a preset lifetime.

    Password managers seem to be a safer and low-stress bet for the vast majority. There will always be a few exceptions who can do it all in their head. They don’t tend to advertise their presence.

  • HubertManne@piefed.social · 3 points · 1 month ago

    I don’t see how anyone can get by without one nowadays. Now online vs something local is a big deal. I use online for unimportant passwords and local for important passwords. With important being financial mostly but some other things. Unimportant are things that if I lost access to and ended up never using again would not like ruin my life.

  • povario@discuss.tchncs.de · 7 points · 1 month ago

    Remembering (and inevitably forgetting) passwords for all your different accounts is inconvenient, frustrating, and arguably less secure than a randomly generated password unique to each account.

    Additionally, it can be tempting to reuse passwords for multiple accounts, which is trouble when a less-than-reputable service that you used that password on is breached, since that password wasn’t unique.

    If you use an open-source, tried and true password manager (Bitwarden, Vaultwarden, KeePassXC) and keep a passphrase unique to that password manager only, you avoid the problems above, which are way more likely to occur than Bitwarden passwords getting breached in plaintext or a security vulnerability in the KeePass database.

    Plus, most password managers offer support for passkeys, which are easier to register/use than passwords. They usually only require a “verify with passkey” button on a given website.

    Bottom line, password managers are probably (definitely) more secure than any other reasonable solution that anyone has come up with.

  • RandomUser@lemmy.world · 2 up, 4 down · 1 month ago

    I won’t say which manager I use, but I used a ‘tool’ on it which cracked my access password in very little time, revealing all my passwords. A bit worrying.

    Do I still use that manager? Yes, it’s convenient and fits my risk profile.

    Have I upgraded my master password? Yes. Less convenient, but is all a trade off.

    If I was a higher profile target, my assessment may be different.

  • scytale@piefed.zip · 2 points · 1 month ago

    Yes, but it depends on which one you use. Some are better than others. The ones that can be hosted locally (e.g. KeePass) are the most secure because you are not relying on a third party to host your password vault for you. It would be helpful to know why you think they aren’t very secure, so people can help clarify.

  • slazer2au@lemmy.world · 5 points · 1 month ago

    What makes you think they aren’t secure?

    Most will tell you how the password is stored and assuming they implemented the encryption algorithm correctly it should be rather difficult to break the vault open.
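The two comments above sit on the same mechanism: a vault publishes how the master password is turned into a key, and a ‘tool’ that cracks an access password in very little time is simply guessing offline against that published header. The following added example (stand-alone illustration, not code from the page or from any password manager) shows the shape of such a header, the unlock check, and the dictionary attack a tool runs against it; it uses stdlib PBKDF2 and an HMAC verifier in place of a real product's Argon2/scrypt and AES-GCM. `VERIFIER_LABEL` and `COMMON_PASSWORDS` are constructed for the example.

```python
"""Why a vault falls to an offline tool: the on-disk header holds no secret,
so guess speed is set only by the KDF cost and the master password's entropy.
Stdlib-only illustration; real managers use Argon2/scrypt and AES-GCM."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

VERIFIER_LABEL = b"vault-unlock-check"   # assumed domain-separation label

# Constructed attacker dictionary; a real one is millions of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2024!", "dragon"]


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Slow KDF: paid once per unlock by the user, paid per guess by the attacker."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def seal_vault(master: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """The header that lands on disk: salt, work factor and a keyed verifier.
    Nothing in it is secret, which is exactly why guessing can run offline."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(master, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, candidate: str) -> bool:
    """Recompute the verifier from a candidate; constant-time compare."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    tag = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, header["verifier"])


def dictionary_attack(header: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """What a cracking tool does: try each candidate against the header.
    Returns (matching password or None, number of guesses made)."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if unlock(header, guess):
            return guess, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure KDF cost on this machine; an attacker's rate is roughly the
    inverse, multiplied by however many cores or GPUs they throw at it."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = seal_vault("letmein", iterations=1_000)
    print("weak master, cheap KDF:", dictionary_attack(weak, COMMON_PASSWORDS))
    strong = seal_vault("correct-horse-battery-staple", iterations=600_000)
    print("strong master, costly KDF:", dictionary_attack(strong, COMMON_PASSWORDS))
    for it in (1_000, 600_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.2f} ms per guess")
```

The encryption algorithm being implemented correctly is necessary but not sufficient: with a dictionary-word master password the attacker never needs to break AES, only to walk a wordlist through the KDF, and a low iteration count (or a fast non-memory-hard KDF) is what turns that walk into "very little time". Raising the work factor and using a long random passphrase are the two levers the user actually controls.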

    • palordrolap@fedia.io · 2 points · 1 month ago

      Upvote for this software. I’m yet to try it on multiple devices at once, but it seems like it’s as easy as copying a database between devices that have their respective platform’s version installed.

      And it got me out of the habit of using variants of the same password everywhere. I don’t actually know most of my passwords now.

      Edit: clarification

  • panicnow@lemmy.world · 6 points · 1 month ago

    Remember to think about your backup strategy if you use locally managed password software. I’ve helped (and been unable to help) some non-technical folks who relied on popular magazine/news site articles for software selection without good knowledge of how to properly back up their data.

  • Allero@lemmy.today · 4 points · 1 month ago

    The only big danger of a good password manager is the fact all your passwords are stored under one.

    To mitigate the risk, follow these practices:

    • Use a good trusted, much preferably open-source option (for example, Vaultwarden, KeePassXC);
    • Use a strong password;
    • Do not EVER use the same password you use for password manager elsewhere;
    • Use 2FA on both your password manager itself and all the accounts you store passwords for;
    • Back up your password database in an encrypted way.

    Together, these measures should save you from any trouble.

    Now, why they are good:

    • They can generate and store very strong passwords you would never make up, much less remember;
    • You can be sure you won’t forget your password;
    • They are convenient and can auto-fill passwords for you.

    Generally, using a password manager is considered a superior option in terms of security and availability compared to keeping your password elsewhere, including your head.

  • hahattpro@lemmy.world · 1 point · 1 month ago

    More secure than writing them in your notepad or a text file, for sure.

    If you can, keep passwords off your computer (best: just remember them without reusing one everywhere; second best: write them in your notebook, and don’t reuse passwords).

  • 6nk06@sh.itjust.works · 4 points · 1 month ago

    I’ve always thought it wasn’t very secure

    Why? They are way better than you anyway (to generate random stuff, to recognize URLs, to store data encrypted, etc.)