Thanks for this article! I want to challenge/comment on a few of your statements, however. The web browser's password store gets you 60% of the way to "great" security. For most of the internet, getting them to use unique passwords generated, stored, and synced via their browser is a huge win. I would absolutely recommend browser password stores for the majority of people. It's the biggest win (60% of the way there) with the smallest change to user behavior. I agree that someone with access to the local filesystem can read those passwords in plaintext. That gets protected in the last 40%. For the vast majority of people on the internet, that's an OK accepted risk. For the readership of dev.to, I think your statement works because we're all super technical and ready to add a little complexity to make sure we're doing the right thing. (we all unit test, right?!)
Password managers are awesome and I would love if everyone used them. That gets you another 10% of the way to "great" security. I would include Lastpass and 1Password alongside Dashlane, as I believe those two have a larger market share. Going with the biggest password manager generally means you're going to go with the company with the most eyes on them and security issues will get fixed much more quickly. Lastpass's turnaround for notification, remediation, and publication to production is generally a couple hours. It's pretty incredible. I use a different open-source password manager but gotta give them credit where it's due.
In terms of your password creation recommendations, using a sentence you know to generate a passphrase is awesome. Although, last year NIST rolled back their recommendations that you need a bunch of numbers and symbols in your password. They've admitted their guy basically made up those rules and they heavily inconvenience users trying to remember them. That part I don't believe is in the report but said in an interview. The full publication is here, although it's dull so it's easier to read Auth0's summary of the report here. TLDR; if you have to remember a password, use a long passphrase made up of a sentence you will remember (from your favorite book or something). If you don't, let your password manager or browser generate a long one for you.
The last 30% of great security comes from setting up 2FA but that's not strictly password security so it's fine to leave out in a post like this. Including here so you get where the nice 100% comes from, in my mind.
I couldn't hope for a better comment 😮
You made a counter argument in your first paragraph, if only accessing your file system can lead to a theft of data then it's not safe at all. While browsers don't really protect your passwords because of a lack of master keys, password managers does that very well. But remember that some self-hosted password managers are stored locally, that means that it can be taken and deciphered (depending on your master key).
Auto-generated passwords can be really bad when it's generated from a website or a platform that has internet connection. They can store them in their database, so your password could not be really safe. On the other hand, it's safe to generate it locally.
By the way, every passwords can be taken by phishing (2FA inclued).
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.