Why would you trust companies like BitWarden or 1Password?

Because they are end-to-end encrypted, as evidenced by their account-recovery mechanisms: they cannot offer one.

Why? Because the encryption on your data files is based - in small part - on your master password. So if you cannot get back in with your master password, they can’t get in without it, either.

The only exception is corporate accounts, which are linked back to a master account made by your employer, which has rights to access anything in your specific account and who can expose company-wide accounts to you based on groups and rules.

Plus, BitWarden also has the capability to entirely self-host, keeping their public servers and domains entirely out of the loop. It’s just between you and the server you configure yourself.

But they put a backdoor into their programs.

LastPass had a mere security breach, and they suffered a 50+% market share drop between 2001 and 2024. An active backdoor would drive any company to 0% market share damn quick, which in business terms is called a fatal level of risk -- a business killer for anyone in the security industry.

Bitwarden, in particular, has openly committed itself to fighting any attempt to legislate a back door into their product, and - like other companies like Signal - would rather exit an entire market than build a back door into their product.

And I do actually keep them separately and on paper. Laught about it if you want to, but it's easy and most reliable. I've had pc's die on me, so I'm happy to have it that way.

Wow.

I’m not laughing… I feel sorry for you.

I put the mention of Excel and paper options in as a dare from colleagues. They didn’t think you would out yourself as such a security anti-intellectual.

For the record, not only can you script secure BitWarden exports to your storage enclave of choice, but you can even script exports to KeePass for offline access.

Granted, with an export to KeePass there are things like ToTP and secondary/tertiary URLs that won’t come along for the ride, as it’s not something that KeePass does, but most everything else will.

in the last 25 years, not a single one of my accounts got hacked by my fault. I had 1 Ubisoft account hacked, but that was because their servers got hacked and the password was stolen from there.

X-Doubt.

Ubisoft did not store their passwords in plaintext. Those passwords were all hashed appropriately.

If your password was successfully un-hashed and used, it was because either,

1. You re-used a password from elsewhere that had previously and unknowingly been exploited, or
2. It was simple enough to un-hash by itself, or
3. It was represented in a rainbow table to be trivially un-hashed.

In all three cases, it’s user error on your part.

https://haveibeenpwned.com/

Check it out, it’s wild. Betchya more than just Ubisoft will pop up.