https://pi.math.cornell.edu/~mec/2003-2004/cryptography/diffiehellman/diffiehellman.html

I’m saying the very idea that you need to ever even think about this as a defense against the enemy is the hobby. There’s only a battle to be fought here if you want there to be, and most people don’t want that. The impact on their lives is not actually tangible. Ad tech doesn’t really hurt anyone. No one likes it, and at best, it feels a little gross, but feeling vaguely icky is not the kind of tangible impact that reliably drives people to action. What happens to you when Facebook or Google bundle you into anonymized groups of eyeballs and promise advertisers that they’ll show you ads relevant to the profile they’ve built of you? Nothing really. If you think about the way they built that profile by tracking your every move online, then yes, it feels creepy, but that’s it.

But that’s not the kind of privacy we’re talking about. Privacy discussions are largely about ad tech and tracking. The post here isn’t calling people idiots because he thinks Threads is more likely to leak your credit card numbers and nudes. He’s calling people idiots for not caring about tracking the way he does. And the reality is that there’s no real reason why they should care. The argument boils down to just, “c’mon, don’t you think it’s creepy?”. And if I say, “not really”, we’re kind of at an impasse. There’s just no obvious pragmatic harm you can point to to reason them over to your side. You may as well being trying to convince them to enjoy pineapple on pizza. If they don’t already, the game’s pretty much over.

I’d also say that those health issues are much more practically impactful than Instagram showing you ads for luggage when you’ve bought a plane ticket.

Caring about ad tech is a hobby. It’s as good a hobby as any other, but that’s what it is.

A good password manager will be encrypted on device using your master password and only the encrypted data ever synced anywhere. So if Bitwarden gets hacked, and the worst case scenario happens, that means an attacker makes off with the complete contents of your vault. But all they have is an encrypted file. To decrypt it, they need your master password. Bitwarden doesn’t have the keys to lose – they only have the lock, and only you have the key. So an attacker would need to compromise Bitwarden (the company) to get access to the vault, and then separately, compromise you personally to get your master password (the key).

Alternately, they could try to brute-force the master password offline. If you think you could guess a user’s password if you tried 100,000,000,000 guesses, and each guess took you 1 nanosecond, you could guess all hundred billion in a little under two minutes. Bitwarden uses techniques to make it intentionally very slow (slow if you’re a CPU at least) to generate the hashes needed to compare a password. If it takes you 100,000 nanoseconds per guess instead, then instead of two minutes, it takes almost 4 months. Those numbers are completely made up, by the way, but that’s the general principle. Bitwarden can’t leak your actual passwords directly, because they never get them from you. They only get the encrypted data. And if an attacker gets the encrypted data, it will take them quite a bit of time to brute force things (if they even could – a sufficiently good master password is effectively impossible to brute force at all). And that’s time you can use to change your important passwords like your email and banking passwords.

One important realization for people to have is that none of us get to choose perfection here. You don’t only have to worry about Bitwarden getting hacked. You also have to worry about you forgetting them. You have to worry about someone figuring out your “cryptic messages that only I understand” scheme. Security is generally about weighing risks, convenience, and impact and choosing a balance that works best for you. And for most people, the answer should be a password manager. The risks are pretty small and mitigation is pretty easy (changing your passwords out of caution if the password manager is breached), and the convenience is high. And because it’s, as you put it, “a pain in the ass” to manage good unique passwords yourself, virtually no one actually does it. Maybe they have one or two good passwords, and rest are awful.