Store passwords in a text file… is it really much worse than a password manager?

My idea:

Storing my passwords in a text file kept on Dropbox and accessed through a python script to quickly retrieve the password for the site I want to access.

My motives:

I want to be platform-independent as much as possible (currently, my passwords are stored in Safari’s integrated password manager). Also I don’t want to use any third party services, free or otherwise, just to store my passwords. I try to be as minimalist as possible even in my online life.

My reasoning:

Firstly, all the passwords for my core services (gmail, apple id, bank, dropbox) are long, random, and only stored offline in my brain + I use two-factor authentication on all of them. So it’s not like I am devising a system that needs to keep my most prized assets. The text file would only include passwords for less important websites and services. The worst that could happen if someone were to get access to the text file is that he posts stupid questions online under my name 😀 …something I don’t think professional hackers usually do.

Furthermore, in order to access the text file containing the passwords, you would need to get into my dropbox (which is protected by a strong password + two-factor authentication), get into my mac (which is protected by a strong password), or access my hard disk (which is encrypted through FileVault).

Also, if someone breaks into my mac they are gonna have access to the passwords kept in safari anyway. Soooo… what am I missing?

PS: keep in my that I don’t know anything about cyber security, encryption, or anything like that. I am not looking for a technical answer that I wouldn’t be able to understand. Thanks.

Is this a secure way to protect passwords when they must be in plaintext?

I am building a web app which will use my school’s online grade reporting system. Students will sign in to my app using their credentials for the grade website. However, it does not provide an API, which means that my web app will have to store each user’s password to get access to their grade data or force each user to log in every time my app needs access. The web app will need to be able to verify the data from the grade reporting website, so the server will need to log in, which means that the plaintext password will at some point have to be on the server.

My solution is to have each user’s login details be stored locally in plaintext, then have the client send the credentials to the server whenever the server needs access to the grade system. The server would use the credentials to log in, then delete them. Everything uses HTTPS.

I believe that this system is secure because the plaintext passwords are on the server for only a short time and an attacker would not be able to access data stored on the client (assuming my web app is not vulnerable to XSS).

I’m planning to create the server in NodeJS and run it on a VPS.

Is this system secure? If not, what possible attacks exist and how could I prevent them?

How secure are the default, randomized passwords that ISP routers come with?

Did a little searching an could not find an answer to this. A lot of ISPs these days are providing combination router/modem units, and they come with a pre-configured password that is a random string of letters and numbers, such as 1kd94nc9. Are these passwords reasonably secure, or should the end user change it to their own custom password (ignoring the fact that these can be hard for someone to remember)?

How to set LastPass to verify before opening my vault and viewing all passwords

I am new to LastPass and I was shocked when I realised that once I logged in to LastPass browser extension, I could open my vault and view all the passwords even after I exited my browser and reopened it.

How is this even safe? Even Google password manager does not allow the user to view any password without further verification. Google now can also generate random passwords.

Is there any way to let LastPass ask for verification before openning my vault or viewing any passwords? If it is not possible, is it advisable to switch to Google password manager?

Why are WPA2 passwords longer than 16 bytes more secure than 16 byte passwords?

In this good Information Security StackExchange question, the answers reveal that a long WPA2-PSK password does not degrade performance of the network. The reasoning is that the password itself is never transmitted, and the generated CMAC that is transmitted is always 128 bits (16 bytes).

Why then, are WPA2 passwords longer than 16 bytes more secure than WPA2 passwords of 16 bytes?

Should breached passwords be changed if 2FA or MFA is enabled?

If a site has experienced a breach such that usernames and passwords have been leaked, should passwords be changed if 2FA or MFA is enabled?

Before this question is potentially marked as duplicate, the question “Will 2FA protect me if there is a password breach” limits the response to the efficacy of 2FA and does not consider if passwords should be changed.

Microsoft recently announced the limitations of password expiration which suggests that passwords should not change as long as they meet the standards set out by NIST and/or banning the use of common passwords.

Given the different types of 2FA or MFA, should passwords be changed in all scenarios or are there scenarios that passwords don’t need to change?

Is LocalStorage in web browsers safe enough to store passwords?

I currently have a system I’m building where users can enter an email address and password into my login page, and if they click the signup button after doing that, it stores that data in LocalStorage, before redirecting the user to the signup page.

The signup page then checks the LocalStorage and autofills the email and password from the previous page.

My question is, how safe is LocalStorage for storing that type of data? Storing RAW passwords in this fashion seems like it could be a bad idea. That being said, it is all local on the users device. It isn’t being sent to any server or anything, so the chance of attack is reduced.

I’ve also considered deleting the item from LocalStorage after retrieving it on the signup page. Which would make it safer.

How secure is LocalStorage for storing RAW passwords and this type of data?