I keep having debates with myself about password managers. I've always had a mental block about 'single point of failure' even though the benefits are obviously massive. Yesterday I'd more or less talked myself into using one but then I read about their history of security breaches and flaws. Now I'm having some doubts. I suppose every piece of software ever made will have some issues. Nothing can ever be perfect. I'm more concerned with blatantly stupid security policies—LastPass used to have the master password hard-coded in the app and 1Password used to downgrade HTTPS to HTTP by default in its internal browser—than with inadvertent bugs.
So I'm wondering which one is the most sound. If it was more friendly, KeePass would probably be right for me (due to it keeping things local). I'm probably too much of a muggle for that system though. Bitwarden seems promising but perhaps a bit clunky compared with the famous ones. I like that it has extensions for outlier web browsers (Brave, Vivaldi and Tor).
I wonder if there is anything that you can do to mitigate the 'single point of failure'. I always see two-factor authentication as a liability because you're combining something you can forget with something you can lose. So it's single point of failure times two.
I had a cunning idea: use several password managers and portion passwords out to them so if there's a catastrophe with one it only affects a portion of the things you log into. I like that idea in theory, but I suppose you'd have to be able to instantly remember which password manager to invoke for every login. Tricky…and maybe the extensions would clash. You could use a different browser for each password manager…but it's getting complex now. Do I sound neurotic with all this? I don't think anxiety about putting your whole life in one basket is neurotic, but I need to work something out and get on with my digital life.
I wonder if you can have duplicate second factors (2FA). If you can, then that would mean the single point of failure is mitigated and the loss—or breaking—of the second factor is probably alleviated. So if I was using my phone as a second factor and dropped it down a well…but had a YubiKey with the same authentication on it…no worries, eh? Can you do that?