Use a password manager
Use a password manager
It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can't remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn't tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don't just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They're not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser's password storage is better than nothing. Don't reuse passwords, use long randomly generated ones.
It's free, it's convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I'm preaching to the choir, but if even one of you decides to use a password manager after this then it's an easy win.
Please, don't wait. If you aren't using a password manager right now, take a few minutes. You'll thank yourself later.
One person even told me they were upset that websites wouldn't tell you password requirements after you create your account,
To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.
My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn't help unless you realize they're doing this and use a short one.
Login and password set/reset forms being out of sync is a classic. 😆
I haven’t seen that one in a while luckily.
I like the password in my thinkpad's bios that's case sensitive when entering it to log in, but setting the password it's not. That took me a while to figure out.
Omfg, one of my banks did this to me and was infuriating. I was able to call in to fix it and made a bug report, but goddamn, what idiot silently truncates the sign up password but not also the login form?!?
Similarly, sites that don't handle backslashes properly. I've had a few where I had to use my password sans all the backslashes because it interpreted them as an escape character.
Clarification: They reuse the same password (such as "Password") and whenever they create an account they have to add special characters (like "Password1&" if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don't know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.
But yes, there is an unrelated frustration where password requirements aren't presented upfront.
True but doesn't a new password then prompt bitwarden for you to update the credentials ?
people who use a password manager but store the master password on Discord
??????????
Yeah, true story. Really weird.
I really want to know what the logic behind their thinking was...or maybe they were just lazy? I don't know, it's so weird that they'd get to the point of using a password manager but then still make such a basic error.
In my experience preaching this same thing to many users at work and just personal friends, they won't change their ways. Because "omg not another password to remember" and "that's too much work to login just to get a password".
I've just stopped trying to educate people at this point. That's on them when their info gets leaked or accounts drained.
People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.
I am fighting this with people at work.
No, it is not "one more password to remember"
You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don't care. Use a passphrase if you have troubles with passwords.
I even generated a sample password from bitwarden and drew them a picture of how to remember it lol
Still about 10% of people forgot their password in the first 2 months.
My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.
But I get where people have an issue. It's one point of failure vs. many, but they don't realize It's easier to well secure the one than it is to not spread the same vulnerability everywhere.
Honestly as someone who has helped family members set up a password manager one person felt this way and the rest are just not tech savvy. All the simple straightforward stuff took ages because they had never done it before.
You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don't know about bitwarden. I usually recommend bitwarden or proton pass. (I'm self-hosting vaultwarden). More privacy focus YouTubers need to promote bitwarden, keepassxc etc. (I'm waiting for proton pass self-hosting option).
but bitwarden, keepassxc don't pay them.... RHEEEE
whats missing, since the proton pass source code is available?
I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn't use password managers at work. Nor were you allowed to bring them in.
Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.
Plus, the computers themselves had a custom-configured OS and you couldn't install any software on them that wasn't on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.
I didn't get to mess around with password managers until I retired a couple years ago, and they've been a game changer! In the military, we needed unique complex passwords for everything, can't reuse passwords, can't write down passwords, and you had to change them every 60 days.
Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it's been wonderful.
I don't know why the military doesn't get some sort of password manager approved for use. This is far more secure than what they've been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I'd forget them (and again, we weren't allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don't even need to remember it. I love it!
The DoD actually did a study I thought "recently" on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.
Don't think they changed their policy though.
I work at a university IT department. It's been a struggle with our auditors to loosen up the password expiration requirements. At least with the students they let anyone with 2FA to go without password expiration, which acts as a nice little carrot-and-stick. But for staff it's two years (2FA always required), regardless of password quality. I'd rather be able to base password expiration on password quality, personality.
This is crazy to read, thanks for sharing! How did you store/remember all the passwords?
My dad somehow believes that that password managers are very insecure ( he got that from some sort of 'reputable source', so me telling him bitwarden is secure doesn't help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.
He's doing something right.
You can't hack a paper note over the internet.I mean he's not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it's more secure, but there is a point of "reasonably secure enough" for most people and at some point, you are just inconveniencing yourself for no tangible gain.
Well yeah I guess that's true
Only until he gets a keylogger on his computer
Is your dad Ron Swanson? /j
My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.
I have a password manager with a family plan so my wife can use it. Does she? Absolutely not. And that's why we don't share bank accounts.
Same and she has the balls to ask me for passwords!
Same here. Kinda feels good to know I am not alone with this, though.
Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.
Say, what are the chances either
- someone comes to depend on the password manager to get into their accounts, gets locked out of the password manager, and loses access to all their accounts (e.g. using the password manager to create and store passwords they might never have even seen);
or
- their password manager (or account) gets hacked, somehow, and all their accounts get taken at once
These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.
-
Make sure that you are regularly typing your master password for the first bit. After that you'll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.
-
This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can't be hacked (as it doesn't have access to your passwords).
Well, what if they somehow manage to get into my password manager account? I mean, it has a login, like any other account. The way to prevent it would be to have a strong enough password. Regardless, if they somehow got my main password, they'd have free access to all my credentials everywhere, and would be able to log into them as easily as I can. I mean, it is easier to secure one account well vs. however many others that the password manager can take care of. But still, a centralised hub with easy access to all my accounts feels like a one-stop shop for taking over my online life
I mean, to myself, I can deal with the consequences of my choices (as much as they can suck sometimes). But recommending stuff to other people I find complicated. I mean, I've gotten locked out of accounts due to 2fa (some being old and lost to time, others due to an unlucky series of events and a last minute half-assed backup) and even had to troubleshoot and/or reinstall (Linux) operating systems on my laptop (one instance of which relates to the aforementioned 2fa incident). To recommend something to someone and risk something like that, and be responsible for it… I mean, I once had to help troubleshoot a non-booting Linux machine via messages and photos during lunch out, and I myself am not an expert, so I had to online research from my phone and relay the information
-
- Ultimitaly its up to the user to remember the master password. I'm not familiar with how bitwarden works, but do use keepssXC. I hear bitwarden is better for less techical people due to having built in account/sync options. (You can also self-host BW if you want)
Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It's automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.
KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.
That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I'd love an decent alternative if anyone has one).
For Android I like KeepassDX and Keepass2Android.
- Getting hacked is a legitimate concern. However the greatest risk is still duplicate passwords. The time it will take crack an individual database is going to be less well spent than dumping a million username/password sets into a thousand sites and hoping for a match.
Realistically, if you're the specific target of a hacker going specificaly after your database files you're best off freezing your credit and bank accounts.
If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.
First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.
Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won't lose the emails that let you reset everything else. If the email gets cracked, they won't have a convient list of accounts to go mess with. Also make sure the emails have all the security and recovery options available setup.
3, bonus round Finally for fincial security, don't have your credit card saved on every site. I don't let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a "1-time use" card for anythibg irregular.
Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won't work. I'll get an email and can just cancel the privacy card for amazon (I'd probably kill them all to be safe) and then work on resecuring everything.
To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.
For privacy.com:
- great for anyone in the USA
- don’t worry about difficult subscription cancellations again, just turn that one’s dedicated card off
- I have personally blown past the daily spend limit of 250$ without issue, idk if that limit is real. The 1000$/mo may be though I've never hit that.
- I’ve used privacy.com for everything from Amazon to car insurance to gym memberships.
On credit freezes:
- a freeze means that your consumer report will not be shared, which means applications for credit in your name will be denied
- all USA consumer reporting agencies (data brokers) are legally required to freeze sharing of your reports for free upon your request
- you can temporarily unfreeze when you get a new credit card, apply for rental property, etc.
- don’t let them upsell it or try to direct you to another page with similar language, it is free
- credit monitoring products need to request your report to see if any new accounts have opened. Don’t monitor it, prevent it by freezing the reports
- freezes are required for any data broker, not just credit. This includes LexisNexis (job history), and presumably the ones that do rental and vehicle ownership history though i don’t know their names.
As Kramer said. Levels. If tou layer your security 2 becomes a non issue. What you have, what you know, and who you are. Which plays into 1. The 3-2-1 of backup. 3 copies of the data. 2 different media. At least 1 off site. Suprising as it might be, writing a great backup is to write your password down. I have a piece of paper with my password in a lock box in my apartment, in a safety deposit box at my bank, and at my parent's house
Been using Bitwarden for a couple years now…
No regrets
I've been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton's best service.
It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.
Has a built-in 2FA and passkeys. Works great in the browser with proper auto complete, even for the 2FA code. Works fine on Android and password in both browser and applications get autocomplete.
Proton Pass can be used by everyone, regardless of their technical level, in every device. My mom could easily use this across all her devices. I'm told Keepass is fantastic but having it sync across all her devices would be challenging for her.
Most Proton services feel kinda underbaked but Proton Pass is excellent.
I'm a little miffed that 2FA support is a paid feature.
I'm using KeePassXC and have no intention of switching, plus I'm paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn't be locked behind a paywall.100% agree. Charging for the unlimited email alias is fine but 2FA? :/
If that wasn't a scripted ad, you should go into sales.
I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.
I am very "passionate" about Proton Pass but don't take me for a Proton chill, I have a lot of criticism about their other products.
I actually came here to echo this exact sentiment. I was on Lastpass until their first breach and then on Bitwarden both cloud and self-hosted until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying ProtonPass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can't see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton's suite of apps give Protonpass a try. You can easily import from Last pass/Bitwarden and use both to compare side by side.
I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.
Is there risk in keeping all your passwords in one place, whether it's on your hardware or someone else's? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use 'pencil' for all your passwords because you can't be arsed to memorize anything more complex? OH HELL YES.
Sure, if you're defending against nation state level agressors, maybe using a password manager isn' the wisest choice, but for easily 99% of computer users, we're at the level of "keeping people from drooling on their shoes". So password managers are probably a GREAT idea.
I feel like password managers are more targeted to companies where sharing and controlling login data shouldnt be logged on some table in an excel sheet.
It just so happens that a manager is also god damn convenient for the private individualI don't think that's always the case. 1Password started out as a personal password manager and only added the corporate/teams/families features later.
I tell non techy people to use a physical book that they can secure. People know how to do hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.
I do that too.
- Its not like people are gonna steal book
- the password crackin people are not the breakin people
Using 2FA on all accounts that offer it is just as important. And make sure to use a good, open-source TOTP client like Aegis on Android or Tofu on iOS.
Definitely make sure to backup your seeds in an encrypted format (e.g. Veracrypt container or GPG-encrypted files). If you lose your seeds, you lose access to your accounts.
I like to use the automatic backup feature in Aegis, which syncs my encrypted vault to my Nextcloud server. You can also enable compatibility with Android's backup API and use that if your ROM includes a backup solution like Seedvault.What's frustrating is that most sites want your phone number. Even though it's less secure than totp, but that sweet sweet data using your phone number as a common index is irresistible
And best case on an actual separate device.
And if the company doesnt supply one, use your own at your own discretion /shrugI don't really think a separate device like a phone is necessary to store 2FA tokens, the only option I would consider is a hardware key like YubiKey for storing TOTPs.
Any comments on bit Warden for totp?
Personally I wouldn't keep my TOTP together with my passwords, but it's up to you
TOTP is standardised by RFC 6238 so all TOTP clients must comply with the standard and therefore work equally well. Pick the one whose UI you like the most and is otherwise good enough for your use case and personal preferences. It's similar to arguments over CPU thermal paste—its presence or absence makes a much larger difference than the method of application.
You do, however, want to pick something that is free and open-source and also popular. Google Authenticator (closed source) definitely is a functional TOTP client but you have to trust that the Google engineers have done a good job building a secure app. Since it's Google, they probably have, but a principle in security is that you should not have to trust more people than absolutely necessary.
On the plus side, the more people who don't use password managers the more chance us password manager users will remain not worth the effort.
It's kinda like security through obscurity mixed with only having to be faster than the slowest person to outrun a lion.
I disagree. Password managers are still target of threat actors, a juicy one at that, but it's not too often you hear of breaches of good password managers. Chances are the people behind the good password managers are better at security than 99% of users (including more technical ones). Even after a breach exporting all the passwords and moving them to another service, and changing all your passwords again with more secure ones is trivially easy.
If everyone used them sure there'd be more pressure on said password managers but hackers will find it a lot more difficult to hack anything in general and it will still not be worthwhile to hack average users who use a password manager.
Absolutely this. Been using KeePassDX for years and its made my life so much easier. I am waiting for it to support passkeys so i can start using them where possible.
is it possible to sync keepassxc between computers + phone?
Syncthing has worked well for me between 3 devices(Linux, android, windows). I've had one conflict in 6mo and it was easy to identify the right copy to select in keepass' prompt since the more recent one was a larger file.
Synchthing also provides optional version control which makes backing up easy.
I have it synced across 4 computers and my phone. You just need a central repository. For that I use nextcloud. I suppose you could use OneDrive, Google drive, box, sync thing, or something else though.
tbh i just keep the master version on my computer and physically transfer it to my phone every so often. i try to avoid using too many password-requiring services on my phone.
i used to do this, until I started using syncthing
i only add password entries on my laptop then sync the file directly to my phone using syncthing to avoid conflict
Yes. The easiest/most reliable is syncthing. Yet there's the online-component which is inherently vulnerable. Depends on how paranoid you are.
You can lock your password database with a key file (this is a standard feature in keepassxc) and transfer the key file once between devices via sneakernet (microsd or usb drive). That way even if someone intercepts your database file, AND knows your password, it is still virtually impossible to crack. Should be a good enough solution, unless you are quantum-tier paranoid
Yes, but it's a bit involved to automate it. KeePassXC has a less technical recommendation here
A long time ago, I used Syncthing to do this. Sometimes there would be file conflicts, which was a pain to resolve, so I switched to BitWarden (using their server for syncing) and have been using it ever since.
You can keep the database on a device accessable by all of your other devices. I'm sure there are many other solutions but that's worked for me over the years.
I'd be open to using a pw manager then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other it, various issues, etc. It doesn't make me feel like taking action if everything feels sketchy.
I'm paying for Bitwarden's Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We are using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it's in my opinion the best bang for your buck. But try out their free option and form your own opinion.
I've been using Firefox's built in password store, plus 2fa for sensitive accounts when possible. Are there any known issues? Uploading all my passwords to someone else's server sounds silly.
Theoretically, it's possible to store a encrypted database on someone else's system in a way where they never have the ability to see its contents, as you encryption and decryption only ever happens in the client on your devices.
Whether this is actually done in a way that enforces that on various password managers is unknowable with proprietary code.
Personally I self-host vaultwarden. All the benefits of syncing my passwords across devices, but the server enabling that, runs on my hardware.
Uploading all my passwords to someone else’s server sounds silly.
KeePassXC is entirely local.
Are there any known issues?
LastPass (ironically) explains this best: https://blog.lastpass.com/posts/2022/06/why-you-shouldnt-store-passwords-in-a-browser
Thanks but the LastPass article is partly inapplicable and partly marketing. The one good point it makes for non-corporate users is about leaving your browser open where attackers can access it, say at the office. For a while I tried using a FIDO2 token but they weren't well enough supported at the time. Maybe that is easier now.
I think you might be preaching to the choir here.
Circlejerkin on lemmy is our mutual hobby here
Quick question - what are your opinions on using Firefox's inbuilt password manager? I've installed Bitwarden as an extension, but I find Firefox to be more convenient.
I mostly use FF on Linux, Windows, and Android and have no issues with using FF cross platforms.
While it's so convenient, anyone gaining access to your browser while your laptop is open can gain access to everything. Bitwarden usually add an extra step to unlock it (which you could disable if you want) when you want to use the extension. By the way, it has an extension for Firefox, so just hitting Ctrl + Shift + L it auto-fills the login/password fields of your login page just like firefox would. But with the extra step that gaining access to the browser doesn't straight away unlock all your passwords for anyone to see.
I'm in the same boat. FF is just too damn convenient
Yeah, the used to have the lockwise app, which was awesome, I don't know why they scrapped it
Don't. It's not in your hand is the simple reason.
My advice is keepassxc. Got a ff-addon that does basically the same. But you have your password-file under your control. And do backups!
I use bitwarden over Firefox because it can auto fill into apps. So, my bank apps or whatever else. And I'm not tied to Firefox if, for some reason, I want to stop using it.
It's similar to why I don't use Samsung pass on my phone. It'd work better filling in the fields, but that's not going to help me on my PC, and I don't want to maintain multiple managers.
Firefox password manager is brilliant, my move to Bitwarden wasn't worth it and I regret it.
Using Proton Pass was a game changer to me , I don't have to ignore the necessity to put a strong and complicated password for security reasons anymore, Proton generate it to me and stores everything ( so I don't need to remember which password I set for which account ) But the bad aspects of cloud services worry me a little about this: the possibility of a security breach of the service, or the possibility of not being able to access it for any reason is a real disaster if it happens... so I'm thinking of exporting my passwords to another safe place for such cases.
You can export all your passwords to an encrypted and password protected file. I ocasionally back it up to a USB device so that I always have an offline copy available.
Still, one of these days I was logged out of my proton pass on Android and couldn't connect to the internet. I was locked down.
so I’m thinking of exporting my passwords to another safe place for such cases.
I'm also using ProtonPass, and I agree it's a game changer. I love the interface, the Android app is amazing and well integrated.
To not be locked in into ProtonPass in case of real disaster, once a month I export the ProtonPass data and import to KeepassXC in my local machine. It's pretty easy, you just have to export to CSV, and import into KeepassXC, the interface will help you to map the CSV fields accordingly, and you will have a local accessible backup in case of disaster. Don't forget to remove the CSV from your computer after importing to KeepassXC.
Is there manager than create password based on masterpassword and domain/username? Do not want to lose all password just because drive dies. Do NOT want to use cloud anywhere.
backups backups backups.
keep a copy on your computer, your phone, and every spare drive u have in the house. ask a friend to store the file at their place.
also, whats wrong with a cloud provider, if the file is encrypted ?
Cloud can go down, cloud can delete my file, cloud can be hacked and someone try crack encryption (rsa vulnerable to quantum compute in future, maybe similar happen to aes).
There's a few. LessPass is one that has been going a few years.
LessPass and similar software has some problems. Things like you can't simply change your master password, you must then recompute and change every site. It's also not strictly stateless, since you need to know which password iteration you're on and the user name. Full fledged password managers also typically provide other secret management features, like API keys, SSH keys, credit/debit cards, and identity cards.
I migrated to Bitwarden from Firefox a few months ago and I regret it as it's slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
How is it more inconventient and slower?
The only reason should be that it needs to decrypt the vault upon login which (depending on the iterators of the encryption and the processing speed of the system) can take a second more. Until then it's equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.
Is ProtonPass okay?
Yes. As long as it's secure and open-source, has all the features you need and you're comfortable with the user interface, there is absolutely nothing wrong with it, and you should use what you like.
I don't even understand why I need to make a password for some sites anymore. They send a code to my phone everytime.to make.sure it's me so it seems like there's practically no point.
Because different layers protect you against different things. It's like how you have anti-lock brakes, a seatbelt, an airbag, and crumple zones on your car. You don't just have one thing to protect you.
Password is necessary for two-factor authentication. The factors of authentication are something you know (like a password), something you have (like a cell phone), and something you are (like a biometric).
An example of three-factor authentication would be this—imagine a spy going into a secret bunker. They need to scan their iris, insert a key card, and then enter a passcode before the door opens. This has all three factors of authentication; the passcode is something they know, the key card is something they have, the iris scan is something they are.
If it just sends a code to your phone, that's one-factor authentication (something you have). Anyone with your phone can get into your account. Unless, of course, your phone hides its notifications and you have a screen lock. Then that's actually two-factor authentication because you also need to know the phone PIN or have the biometric.
If it just asks for a password, that's one-factor authentication (something you know).
If it asks for your password and then sends a code to your phone, which you need a fingerprint or face scan to unlock, you have achieved three-factor authentication.
Edit: Interesting tidbit—in the USA, you can rent a mailbox at the post office to receive mail when you don't want to give out your real address. Useful for privacy reasons. I'm sure they have similar things in other countries. These mailboxes come with a key. This is actually two-factor authentication, because the keys usually don't have the mailbox number written on them! So you have to have the key and also have to know which mailbox among the hundreds at the post office it opens.
Wow, the PO Box analogy is the best, most simple way I've ever seen anyone explain 2FA. Thanks, I'm stealing that for when I need to explain it to my tech-illiterate family members for the umpteen millionth time :')
Why preach to this choir? I get you, but we also get it.
How do I convince my girlfriend to stop using her safari password manager and migrate it to bitwarden? Is the password manager in Safari so unsafe that it's worth the additional effort she might ask.
Apple is releasing a more comprehensive password manager in the next few months, if she’s heavily in the apple ecosystem the switch could be pretty convenient
Obviously bitwarden or keepass would be great but this would be a bump up from being stored in a browser
It's not that bad, but tell her that she can set Bitwarden as the default option for auto-fill in the settings and everything will get automatically filled in, just like with the normal Safari password manager
So many folks talking about which software they use, and how they sync it between devices etc.
You all know there are hardware password keepers right? They present to your devices as a usb and/or bluetooth keyboard and just type out the user/password that you select. They have browser plugins to ease the experience. Now your password is not even stored on the device you're using to perform your login and it will work on any modern device even without internet access.
Oh and no subscription fee to cover the costs of cloud infrastructure.
What happens if it gets lost stolen or broken?
I save copies of the password database in several locations. I have to keep them synchronized manually but that's preferable to using commercial ones that take turns in getting their data breached.
That will vary from vendor to vendor. In the case of the one I like there are a few relevant things.
The password db is stored encrypted on the device. Accessing the passwords requires all of:
- the device
- a smartcard with a particular secret on it
- the 4 digit hex pin to unlock the secret on said smartcard, which is what is used to decrypt the db
Three PIN failures and the smart card is invalidated.
That sort of covers "stolen" and "lost + recovered by a baddie". Your bad actor would need to have their hands on both physical pieces and guessed the 4 digit hex code in 3 tries.
As far as a user recovering from a lost or failed device or smart card goes, you can export the encrypted version of the db for backups, which I do to a thumb drive I keep in my document safe. I do the same with a backup smart card. So that and a backup device or purchasing a new one if yours fails or is lost/stolen.
In the super "just in case" move, I also keep a keepassdb on said thumb drive. In case my device fails and it's just not possible to get a new one. Kind of like keeping two cloud providers in case LastPass goes bankrupt or something.
If you're on Linux and you don't want to use KeepassXC, you can check out Secrets on Flathub, it has imo a better UI/UX
If you're on Linux and you like minimalism, pass is also a great option
Interesting, thanks for the recommendation.
But I wanna tell people my master password to my pw manager. It's such a fantastic password that no one could ever possibly guess I would have. I wanna gloat.
I always recommend Proton Pass. A) because they have a forever free version and B) because hopefully they start looking into the whole suite in general and even if they don't subscribe, they are more aware afterwards (hopefully).
I've been using Firefoxs integrated password manager for lots of unimportant logins, KeePass for everything else.
I clear everything on close
It is truly upsetting to see how complicated for use password managers are.
I grow up around computers and I can barely mange them. Other people just don't understand how to use them, it is complicated and inconvenient. Even after I set them up and show them multiple times, friends don't manage.
In browser password managers cover 90%, but I guess web sites and apps need to start testing UX for password managers. Some of them introduce stupid flows that brake all of them.
Android is complete shit show.
It is not users, but applications and UX that doesn't care about security.
Bitwarden on Android, particularly if you have biometric unlock enabled, is extremely simple to setup and use.
Sorta. I find it doesn't always pop up Bitwarden to select an autofill. Then I unlock it manually, and sometimes it then gives me the button for autofill. Sometimes not and I have to manually copy and paste.
And sometimes there's a broken ass app that blocks you pasting passwords. People need to be fired for this.
Same thing happened to me on Last Pass, so I'm pretty sure it's an Android issue.
What's wrong with android? I have bitwarden setup any basically any time I tap a password field it offers me to fill in from my vault.
iCloud Keychain is super easy to use, but obviously you need a iOS/macOS to take advantage.
Whatever solution you think you can come up with is most likely not secure.
Having my passwords written down on a piece of paper is not safe ?
No. Anyone near you or with access to your place can see it. And most people know of the tricks.
Also you can't encrypt it and most of all you can't really generate as strong passwords as those generated by password managers, meaning I don't even need the paper to try and crack your password
@Charger8232 I have been using Vaultwarden (Unofficial Bitwarden compatible server written in Rust) selfhosted for a few years now, and I have to say I'm very happy with it. I also use the backup strategy, on some media (USB stick and SSD) encrypted with Veracrypt.
What's wrong with a password manager built in the browser?
Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.
- No more password reuse, per site random passwords.
- Auto-fill reduces chance of phishing attacks work because you get suspicious if the password doesn't auto-fill.
- Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.
I think these are the two biggest benefits and every browser password manager will accomplish both.
This is what I do: I use my browser to store all my randomly generated passwords. If I ever need them on my phone I either sync or go to my desktop and view the password and type it over.
That's what I've resorted to, but I only use Firefox because it has a master password.
Chrome has no master password so what stops any fool from stealing your passwords while you're taking a piss, I don't know.
Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than their worth in my estimation.
I like using Bitwarden since it lets me input passwords for various apps on my phone as well as my other devices. Using one built into your browser seems fine as long as the passwords are stored securely.
I have been using password gestoires for a long time. First LastPass, until I switched to GNU/linux and discovered Keepass and then KeepassXC.... For me they are indispensable. That's the one I used until about 1 year ago when I started having problems with the Firefox addon. It did not recognize the pages. I tried ProtonPass and I like it, but I don't like having them online, no matter how secure the site is. I've tried going back to KeepassXC, locally, but the file I export from ProtonPass won't load in KeepassXC. I feel stuck.
Translated with DeepL.com (free version)
I have the need to have different accounts to everything. Hate to perform the sign up process over and over again. They really need to standardize this.
Passkeys is one step forward but far from enough.
I hate the idea of having to login again and again with just a minute interval that I see BankID requires as it is for different things. Like I constantly have to prove it is still me here. BankID is the app in my country that gives you access to your Bank account, government stuff and so on. It connects to your personal number and ID you in real life.
So the issues you describe is just the result of how bad designed the web is today. It is simple for every company but hard for the user.
I am curious what country you're from that they require a specific app for "official" business.
Sweden
They don't require it, you can also go to a physical office if you don't have BankID. Also BankID is a private company wo is problematic on several levels.
Many government agencies have started accepting multiple ways to identify yourself such as Freja.
Some politicians would prefer a standardized governmental solution to identity.https://www.dagensps.se/bors-finans/kinberg-batra-infor-statlig-bank-id/
I'm not so sure about that though.
It's an ongoing topic. We'll see more where it goes.
Sweden with BankID. The main app for it. Sometimes the goverment(not the banks) offers the alternative Freja E-ID https://frejaeid.com/. The banks built BankID and charge companies that use it(not consumers).
And also set-up SSO/LDAP in your homelab if you run one so you don't have 3000 loose outdated account entries for IPs like 192.168.10.5 user: admin password:*****
Except a lot of homelab software doesn't support things like LDAP
I used to use a plain text system, "encoded" in such a way that only I knew what the actual password was, and I kept it on Google Keep.
But that for harder and harder to manage, coupled with, if I were to get run over by a bus, no one else would be able to access my accounts.Now I've been using Dashlane for a few years. Not just for passwords, but secure notes as well.
Works seamlessly on all of my devices and zero complaints.
I do exactly this (the google keep notes plain text encoded passwords idea), right now. Perhaps I'll go the same route as you then.. I was wondering what manager to use.
I use Safe in Cloud but nobody ever talks about this one. Is it a bad one?
I actually combine a password manager with a password book, don’t like storing data for sensitive accounts on servers that can be breached and I’m too lazy to self host 😬 and I can remember my password phrases for sensitive accounts I use normally.
I'm using Bitwarden, 1Password and KeePass. Works like a charme.
Why all three? Redundancy?
I started with Bitwarden as a replacement for KeePass and changed to 1Password due to the way they secure the login password (password + random string). KeePass is now my backup place for 1Password and I support Bitwarden with a subscription because I like to support their OSS way.
i dont understand this post. like every browser has a password manager, why install some 3rd party you can even trust less?! am i missing something? doesnt safari have a password manager? is keepasscx really safe (CVE-2023-32784)? or bitwarden (https://blog.redteam-pentesting.de/2024/bitwarden-heist/)?
With keepasscx YOU have the password-file. Period. You know what's been done with it: Nothing, as it doesn't phone home except update-checks. Which you can also disable.
With the browser-addon you'll get the same result but with control.
Bitwarden exploit was already patched. And required a domain joined PC with Windows Hello active, and the attackers already had access to the DC. Not exactly a large vector. Also enterprise PCs shouldn’t be using windows hello to begin with, IMO. Now if we look at CVEs affecting browser password managers, there are literally exploits for download on GitHub.
I’m not in IT but I followed the Michael Bazzell podcast until he disappeared. Guy was a bit paranoid but there was great info there. My understanding was browser saving passwords isn’t secure, that those passwords are open to scraping from bad players. Ofc I can’t reference this because the entire body of over 300 podcasts disappeared with him.
Agree on Bitwarden and such.
just. write it down? in a notebook? keepassxc is rly good if you dont want to do that though
But what if you lose the notebook? Or just don't have it on you, when you need it? God help ya if someone malicious gets it. Keep it digital, always available, backed up, and secure.
This is not a real solution. You're supposed to have a unique password for everything. Managing that notebook would be an hassle, not to mention backing it up. It would easily have dozens of records, if not hundreds.
oh shit fair enough!! i use temp-mail.org for most things so i frogot about accounts for every tiny service lmao
I use a password pattern. I have hundreds of different passwords all stored in my head and all between 10-20 characters long. The trick is to have a deterministic formula for picking a password.
Example: short word + First 6 in url + symbol + short word capitalised + number
Let's say the first word is cat and second is dog, symbol is - and number is 5 and you have a Gmail it would give you
"catgmail-Dog5"
https://www.passwordmonster.com/ gives it 61 years to crack this one but if you use longer words you get better times.
My password manager is
mkdir ~/Account/some.domain cd $_ genpasswd | openssl some-cipher -k 'really strong encryption password' >pass.enc echo username >login#decrypt cd ~/Account/some.domain openssl some-cipher -d <pass.enc | xclip #paste in field xclip login #paste in fieldCouldn't be easier, couldn't be safer.
I don't recommend Bitwarden. I used them in a corporate environment and they lost all of our company's credentials. It was a huge hit that cost tens of thousands worth of man-hours to overcome. Their response was to shrug and say sorry. We were paying a premium for their services, too, and have moved onto LastPass.
LastPass? the one that leaked people's private notes that were not encrypted?
second the back up question by u/@[email protected]
Why weren't any backups created?
Idk, not my department.
90% chance it was some kind of user error.
moved onto LastPass.
I couldn't imagine a worse decision.
Agreed, but it wasn't my decision and TBF they didn't lose our passwords.