If I already have a strong password, why would I need a password manager?

I read other posts, but none of them seemed to cover my main concern, which is password managers being a single point of failure.

What exactly is the difference between using **(A)** the same 25-long password for all my important logins (email, banks, personal documents), and **(B)** a 25-long password as the master key to my password manager, with different keys for my individual logins?

A malicious user would take the same amount of time to crack that 25-long password in my password manager and my bank account. In scenario A the attacker would crack the password and have access to my other logins (since they are all the same), and in scenario B the attacker would crack my password manager, therefore exposing all my other logins. So what exactly is the difference here?

I understand password managers help the general population in the sense of enforcing a stronger password. But if you already use a very strong password (i.e. 25 characters) for all your logins, I don’t really understand the difference to having a password manager, where I would use that same password as the master key, which technically leads to the same catastrophic scenario.

Help me understand.

13 Answers

Anonymous 0 Comments

The idea is that the master key is only accessible to your password manager, and therefore there is only one spot to try and attack. And if it’s stored on your computer, they have to compromise your computer directly, at which point they can probably just have a keylogger get all your info anyway.

Reusing a password for many sites runs the risk that a compromise of any one of those sites compromises your account on all of them. Say you use your strong password on a poorly coded niche gaming forum that saved your password as a plain MD5 hash (which is easily reversed). And that site gets tagged by an automated scraper looking for old vulnerabilities that just DB-dumps the whole thing.

Now that person has an e-mail and password they can try and log into your bank, or cell phone provider, or any number of other important things.

If you make sure to never use your important strong password on anything but well-run sites like banks, the risk of reuse is mitigated, of course. But people tend to reuse passwords between their bank and gaming forums if they are reusing them.

Alternatively, say someone falls for an eBay phishing e-mail. For one, managers tend to really not like putting passwords into those. And even if you did, the attacker at least doesn’t also have access to your bank directly.

Anonymous 0 Comments

A password manager enables you to have a different password for each site. This in turn increases your overall security and saves you the time of changing the password on every single account you own if any one password was breached, as you only need to address the breach.

If your password is already strong, your next weaknesses are either any one of the accounts’ security measures being poor, or you entering your password in a well-tailored phishing attack.

A password manager is unlikely to autofill on a phishing website.

Anonymous 0 Comments

The thing is that you are supposed to not just have one strong password, but a different strong password for each account.

If you reuse the same password across multiple sites, it only takes one site to be compromised to have all your accounts across all sites endangered.

The password manager is supposed to help you have individual passwords for each site, which would otherwise be hard to memorize.

The password manager either stores your password locally or in the cloud in an encrypted form, so it tends to be relatively safe if done right.

The chief danger password managers are supposed to protect against is that if a website gets hacked, the attackers now have your email and the password (or a hash of the password) you used on that site, and can try it everywhere else.

Anonymous 0 Comments

Most passwords aren’t “cracked” but usually obtained from hacks where they have been stored in plain text from an insecure web server.
If you use the same password then one bad website gives access to many others.

Anonymous 0 Comments

Every website you make an account on gets your password every time you log in. What if one of your banks gets hacked and reports your password to criminals? Then the criminals can try your username and your password on your email provider, your other banks’ websites, and everything else you use. If they get in successfully, they can wreck lots of things for you.

Anonymous 0 Comments

They don’t bother to crack your password; they hack some website that shares with Facebook… you know, when some site says “log in with Facebook or Google”.

So that 3rd-party site gets phished and hacked and they access logins.

Then they try that password with banks, eBay, or your job. Just as so many people use 12345 or ‘password’, so do lots of folks use the same one for different sites.

I get really annoyed with sites that require military grade passwords dingbats and all, nobody remembers them so we either write them down, or go through a password reset routine that depends on whatever weakass security you have on your end.

Anonymous 0 Comments

> A malicious user would take the same amount of time to crack that 25-long password in my password manager

Random websites often don’t secure passwords very well, and so it may be easier for an attacker to retrieve. Or you may be tricked into typing it in to a phishing website.

Password managers tend to put a lot of effort into protecting your master password, because that is literally their purpose. And you know that this password is only to be used with your password manager, so you’re less likely to fall for a phishing attack.

Anonymous 0 Comments

Also worth pointing out that some websites have different requirements for passwords.

My bank only allows 6 alphanumeric, my golf club is minimum 8, max 16 alphanumeric and selected symbols, countless other things.

So you end up with a bunch of different passwords everywhere, simply because not all websites let you have the same 25-character strong password, and you have to remember them all somehow. That’s where the security usually falls down: putting them in a notebook or a phone note or something.

Putting them into a password manager keeps them available AND secure.
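The per-site limits this answer describes (a bank capped at 6 alphanumerics, a club allowing 8 to 16 with a few symbols) are what a manager's generator has to honour, and the last answer in the thread makes the same point about 6- versus 20-character caps. The following is an added example, not code from the thread or from any particular password manager: the three policies are constructed to match the answer, the field names are assumptions, and the entropy figure shows what a hard cap costs even when the generator is perfectly random.

```python
import math
import secrets
import string

# Constructed policies modelled on the answer: a bank capped at 6 alphanumerics,
# a club at 8-16 with a few symbols, and a site with no real limit.
# Field names ("min", "max", "alphabet", "require") are an assumption of this example.
POLICIES = {
    "bank":      {"min": 6,  "max": 6,  "alphabet": string.ascii_letters + string.digits,
                  "require": []},
    "golf-club": {"min": 8,  "max": 16, "alphabet": string.ascii_letters + string.digits + "!#$%&*@",
                  "require": [string.digits, "!#$%&*@"]},
    "forum":     {"min": 12, "max": 64, "alphabet": string.ascii_letters + string.digits + string.punctuation,
                  "require": []},
}


def satisfies(policy: dict, password: str) -> bool:
    """Length inside the site's bounds, only allowed characters, required classes present."""
    if not policy["min"] <= len(password) <= policy["max"]:
        return False
    if any(ch not in policy["alphabet"] for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in policy["require"])


def generate(policy: dict, length: int = None) -> str:
    """Draw from the CSPRNG at the longest length the site accepts, and retry until
    every required character class is present (a handful of tries at most)."""
    length = policy["max"] if length is None else length
    while True:
        candidate = "".join(secrets.choice(policy["alphabet"]) for _ in range(length))
        if satisfies(policy, candidate):
            return candidate


def entropy_bits(policy: dict, length: int = None) -> float:
    """Guessing space of a uniformly random password under this policy, in bits."""
    length = policy["max"] if length is None else length
    return length * math.log2(len(policy["alphabet"]))


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        pw = generate(policy)
        print(f"{name:10s} {pw!r:24s} {entropy_bits(policy):6.1f} bits")
```

The point the numbers make: the 6-character alphanumeric bank login has under 36 bits of entropy no matter how random it is, so the 25-character password from the question could not be used there at all, and the manager's job is to produce the best password each site will accept rather than the same one everywhere.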

Anonymous 0 Comments

You have the same password on all websites. Someone gets the password database from one of them. What’s in that database can range from plain text to modern password hashing algorithms, but a pretty significant portion (I don’t want to say *most*, since there’s no practical way to check, but I wouldn’t be surprised) will use inappropriate or outdated hashing algorithms. You’re on a clock to change all your passwords, and you don’t even know it yet. How quickly does the site notify users of the breach, if they ever do? Now go change your password on every website you’ve ever used. Hope you don’t forget anything.

Alternatively, you have a password manager. The user database is breached. They aren’t able to get the data records (that’s too much to download), but they can start cracking the master passwords. It’ll take a while — security is the whole point of a password manager, and unlike (for example) a bank, they don’t have any legacy requirements keeping them from using a good password hashing algorithm. By the time the hackers have broken any passwords (except the people who thought `P@55w0rd1` is a good master password), the admins can set all account passwords as expired. And the password manager supports MFA (and not just via SMS), so you’re not *totally* screwed even if they do crack your password.

In the worst-case scenario, maybe the data records *were* downloaded. This isn’t likely, but it could happen. You’re in a pretty similar position as you would have been if you used the same password everywhere and a site with good security got breached. It’s still better than if a poorly-secured site were breached, though. You also have a list of sites where you need to change your password, so while it’s still *annoying*, you won’t forget any of them. (If you still consider the password manager trustworthy, you might even be able to click links from it directly to the change password pages instead of having to find them yourself.)

The other common way passwords are stolen is phishing. Password managers can also help here, since they won’t autofill on phishing sites.
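Three answers in this thread (this one, the one saying a manager "is unlikely to autofill on a phishing website", and the one noting you are less likely to type the master password elsewhere) rest on the same mechanism: the manager only offers a credential when the page's domain matches the domain it was saved on, and a human eye is much worse at that comparison. The block below is an added example of that matching rule, not code from the thread or from any real password manager; the vault contents are constructed, and the tiny public-suffix set stands in for the full Public Suffix List a real manager would use.

```python
from urllib.parse import urlsplit

# Assumption: a real manager consults the full Public Suffix List; this constructed
# subset is just enough to show the registrable-domain (eTLD+1) rule.
PUBLIC_SUFFIXES = {"example", "test", "co.uk", "uk"}

# Constructed vault: the origin a credential was saved on -> (username, password).
VAULT = {
    "https://login.bank.example": ("alice", "9fS!q2Lz#w8Vb$Ne0Rk&1xY"),
    "https://www.mybank.co.uk": ("alice", "v7#Qp2!zL9wR$e4Nk&0sB"),
}


def normalize_host(host: str):
    """Lower-case and IDNA-encode, so a homograph such as 'bаnk' (Cyrillic а) becomes
    an xn-- label and can never equal ASCII 'bank'. None if it cannot be encoded."""
    try:
        return host.lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def registrable_domain(host: str) -> str:
    """eTLD+1: the longest public suffix plus one label, e.g. 'evil.test', 'mybank.co.uk'."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host


def fill_target(url: str):
    """The registrable domain a URL may be filled for, or None if it must not be filled."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:   # never fill into plain http
        return None
    host = normalize_host(parts.hostname)
    return registrable_domain(host) if host else None


def credential_for(url: str, vault: dict = VAULT):
    """Offer a credential only when the page's registrable domain equals the saved origin's.
    A lookalike host, a domain with the saved name as a subdomain, or an http downgrade
    all return None, which is the behaviour that defeats the phishing page."""
    target = fill_target(url)
    if target is None:
        return None
    for origin, cred in vault.items():
        if fill_target(origin) == target:
            return cred
    return None


if __name__ == "__main__":
    for url in ["https://secure.bank.example/", "https://login.bank.example.evil.test/",
                "http://login.bank.example/", "https://b\u0430nk.example/"]:
        print(f"{url:45s} -> {credential_for(url)}")
```

The match is on registrable domain rather than exact host, so `secure.bank.example` is filled from a credential saved on `login.bank.example` (most managers default to this), while `login.bank.example.evil.test` is not, because its registrable domain is `evil.test`. Port is ignored and the scheme must stay `https`; a manager that wants to be stricter can compare full origins instead.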

Anonymous 0 Comments

I use a password manager, and have something like 250 passwords, from forums to shopping sites to multiple financial institutions.

The security comes from different passwords for each site.

The security of your bank vs your model train hobby forum is very, very different. And that’s picking a low ball. Look at breach lists and you will find hundreds of sites that you would treat as trustworthy, that should have security under control, and that get breached.

They all also have different complexity options, sometimes 6 chars, sometimes 20.
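The question assumes an attacker needs the same time to crack the 25-character password wherever it lives. Several answers above push back on that: the first one's unsalted MD5 on a gaming forum, the one saying most passwords are obtained from badly stored dumps rather than cracked, the one contrasting a bank's legacy hashing with a manager's, and this last one on how differently sites secure things. The block below is an added example that plays out scenario A versus scenario B end to end; it is not code from the thread, and every user, password, "leaked" table and site in it is constructed.

```python
import hashlib
import hmac
import os
import time

# Everything here is constructed for the example: users, passwords, the "leaked"
# forum table and the three sites are all fake.
VICTIM = "alice@example.com"
REUSED_PASSWORD = "Tr0ub4dor&3-reused-every!"   # 25 characters, used on every site (scenario A)
MANAGER_PASSWORD = "9fS!q2Lz#w8Vb$Ne0Rk&1xY"    # a generated, single-site password (scenario B)

# Toy attacker wordlist. A real one is a leaked-password corpus plus mangling rules;
# the point here is the cost of each guess, not the size of the list.
WORDLIST = ["password", "123456", "letmein", "Tr0ub4dor&3", REUSED_PASSWORD, "hunter2"]

# Assumption: 100k iterations keeps the demo quick. OWASP currently recommends
# 600,000 for PBKDF2-HMAC-SHA256, and managers use memory-hard KDFs (Argon2, scrypt).
KDF_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """The niche forum's 'hashing': unsalted MD5, one fast hash per guess."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """What a well-run site, or a manager's vault, does: salted and deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# The forum's leaked user table (email -> unsalted MD5): the "DB dump" from the first answer.
FORUM_DUMP = {
    VICTIM: md5_hex(REUSED_PASSWORD),
    "bob@example.com": md5_hex("hunter2"),
    "carol@example.com": md5_hex("xK9#v2!pQwLm7$rT"),   # not in the wordlist: survives
}


def crack_md5_dump(dump: dict, wordlist) -> dict:
    """Offline attack on the dump: hash each candidate once, then look every user up."""
    table = {md5_hex(w): w for w in wordlist}        # no salt, so one table serves all users
    return {email: table[h] for email, h in dump.items() if h in table}


def make_site(users: dict):
    """A site that stores passwords correctly (unique salt, slow KDF). Returns its login()."""
    records = {}
    for email, password in users.items():
        salt = os.urandom(16)
        records[email] = (salt, kdf(password, salt))

    def login(email: str, attempt: str) -> bool:
        if email not in records:
            return False
        salt, stored = records[email]
        return hmac.compare_digest(kdf(attempt, salt), stored)

    return login


SITES = {
    "bank":  make_site({VICTIM: REUSED_PASSWORD}),
    "email": make_site({VICTIM: REUSED_PASSWORD, "bob@example.com": "bob-uses-a-different-one"}),
    "vault-generated": make_site({VICTIM: MANAGER_PASSWORD}),
}


def credential_stuff(cracked: dict, sites: dict) -> list:
    """Try every cracked (email, password) pair against every other site.
    No hash is cracked here: the other sites' strong storage is irrelevant to the attacker."""
    return [(name, email)
            for email, password in cracked.items()
            for name, login in sites.items()
            if login(email, password)]


def seconds_per_guess(trials: int = 3) -> tuple:
    """Cost of one guess against the forum's MD5 vs one guess against the KDF."""
    t0 = time.perf_counter()
    for _ in range(trials):
        md5_hex("guess")
    fast = (time.perf_counter() - t0) / trials
    salt = b"\x00" * 16                               # fixed salt is fine for timing only
    t0 = time.perf_counter()
    for _ in range(trials):
        kdf("guess", salt)
    slow = (time.perf_counter() - t0) / trials
    return fast, slow


if __name__ == "__main__":
    cracked = crack_md5_dump(FORUM_DUMP, WORDLIST)
    print("cracked from forum dump:", cracked)
    print("stuffing hits on other sites:", credential_stuff(cracked, SITES))
    fast, slow = seconds_per_guess()
    print(f"one MD5 guess: {fast:.2e}s, one KDF guess: {slow:.2e}s, ratio ~{slow / fast:.0f}x")
```

Two things fall out. The bank and email sites stored the 25-character password perfectly well and were still lost, because the attacker logged in with it rather than cracking their hashes; only the site with a manager-generated password held. And the timing line shows why "the same amount of time to crack" is wrong: each guess against the forum's unsalted MD5 costs one hash and the result is reusable across every user in the dump, while each guess against a salted KDF costs the full iteration count for that one user.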