My MIL literally has a notebook in her house where she writes down her passwords. I scoffed when I found out about this, but then considered, well, it's a lot more secure than what she was doing before she had it, and the chances of someone breaking into her physical house for it are pretty slim.
Maybe suggest that to them?
I mean, I dunno. Knowing how to press an icon or copy-paste content from one app to another is sort of computer table stakes in 2018. These are problems on the user end, not the product end. It would be terribly insecure if their passwords were just automatically input every time someone on their computer opened a login screen.
> ...the chances of someone breaking into her physical house for it are pretty slim
I find this to be quite an under-represented opinion whenever I encounter password security discussions. How many people's threat models need consider physical security of their house? Surely most people's number one - if not only - threat is using a compromised service, so a password manager is just another vector; albeit one whose raison d'être is security.
I fully agree with you and it's nice to see that someone else is thinking pragmatically and not ending up arguing over three-letter agencies.
If your machine with the password manager gets pwned then it's probably game over, and you can do that remotely for a networked device. So at the very least it's reasonable to compare the physical security of a paper notebook and a computer.
Yes, you might have encrypted the device, but as everyone is so fond of saying, 'once you have physical access it's game over anyway', so by that logic the notebook and computer are as secure as one another, as they both rely on physical security. Maybe the computer is even less secure as you can attack it over the network!
It's important to plan for disaster recovery though. That's probably a more reasonable fear - something like fire or accidentally spilling coffee over the book would be pretty bad. Maybe a backup copy in a waterproof fire safe would be a 'good enough' solution for priority accounts like email from where you can probably reset/recover all other accounts.
My approach is that anyone breaking into my home could do far more damage, and I'd have far more to worry about, than taking my passwords -- ultimately, nothing I have electronically is valuable/secret enough that someone is going to specifically target me and break into my house to try and gain access. Having a paper copy of my master password isn't much of a liability in that threat model (and probably makes me more secure day-to-day - I can use a longer, more complex master password without the fear that I will forget it and lose access to everything).
Also, petty thieves just don't care about your book of passwords. Just like they don't care about seeing if your hard drive is unencrypted when they steal your laptop - they just pawn it off.
Of course, the ideal for security is that the best options are so convenient that you might as well do them. But there sure is a lot of circlejerking that happens when someone is exposed as "doing it wrong."