It was literally a battle for me to have a strong unique password for our baby monitor… Wife was not happy about that but I came out on top.
This is a really bad idea. Passwords can be compromised.
What exactly did you think the point of the meme was?
hey guys sort the comments by new for some free lemmy account passwords (
joke)Well once you get passkeys implemented in every website. Now they’ll need to steal your phone. Haha.
I get the joke.
But related real talk phones get got a lot. They won’t need to steal your phone they’ll just hack it like every other computer on the planet.
You don’t have to look much for the evidence.
https://www.pcmag.com/news/ileakage-flaw-can-prompt-apples-safari-to-expose-passwords-sensitive-data
I came up with a formula for my passwords - as easy to remember as a single password and makes a unique login for every site feasible without a password manager. Can be updated as often as you like and all you gotta do is remember the latest version of the formula. At the very least, the hashes will be different and it’d take someone having more than two of my passwords to figure out the pattern.
I also use over 100 email aliases with my own domain name so that my most important accounts have a separate login that isn’t a common domain that wouldn’t be easy for someone to guess.
It would take a lot of concentrated effort for someone to get at any of my important accounts, and even my less important ones would be pretty difficult to get into even if multiple accounts are compromised, due to using a smaller pool of aliases under common domains for less important accounts.
Someone got into half a dozen of my accounts a few years ago and I finally started taking security seriously.
I’ve actually come up with a way to have a complex and unique password for each service which is also resilient againt forced password changes, doenst require a password manager, and if Im being tortured I still wont be able to tell them what it is because I dont know it unless Im at the login screen. If the service changes the layout of their login screen though, Im fucked.
How? 😂
It must be some sort of compression algorithm of the information presented at the log-in screen.
If they change/rebrand the login he’s screwed. Just use a password manager people.
I’ve been thinking of starting to use one more and more, is there any you would recommend? Are all the good ones a paid service? And my biggest concern is someone getting into the password manager itself, is that something that I should worry about?
1Password is a solid service if you’re OK with the proprietary aspect. I use it personally and we use it at work (I’m an infosec consultant)
I don’t trust a service for my passwords so I’d rather trust an open-source software.
Try KeePass, it runs both on a PC as well as a phone so just carry your encrypted passwords with you.
Edit: And passwords aren’t enough, use multi-factor for services that offer it. Preferably via an app instead of SMS.
1Pass.
Bitwarden has been working well for me, and it’s open source and free to use. I started using it when it was clear that using LastPass was not a long term solution.
I like Bitwarden. It’s open source. The Firefox plugin and Android app work great. Also free.
I’ll second the other comment suggesting KeePass, but the biggest issue I had with it was syncing the database across devices. Ultimately I stored it in OneDrive, but it occurred to me that at that point it wasn’t much different to a cloud password manager, which I especially didn’t trust.
I now self host a Vaultwarden instance from my Raspberry Pi, and that works perfectly for me, but it does require a bit of Linux experience and a spare device to run the server.
I’m using KeepassXC and sync with Syncthing (which is P2P), and I’m quite happy with it. Seems like you got your setup figured out, but this is a bit simpler for someone looking into password managers
KeepassXC also has a great browser integration c:
Use a passphrase, so much better and more secure
But that doesn’t do anything to mitigate using the same password/phrase on multiple services.
This meme couldn’t explain it better - a strong password crumbles like a cardboard castle when used across multiple sites. Nails the message to the T.
Same mail at a shady provider
[ admin ]
Imagine a site telling you “Sorry, you can’t use
asdf123as your password: you’ve already used it on that other site”.It would be better if you had a local tool telling you that - one that you control and only exists on your personal devices, kind of like secure messaging platforms such as Signal.
Another great later would be for all compromised passwords found in breaches to never be usable anywhere ever again, thus helping to thwart the most common form of breach we see today: credential stuffing.
Sorry you can’t use *******
That wouldn’t help that much
This was supposed to be a joke; of course it wouldn’t.
It’s a pretty old meme, hunter11, but it checks out.
That’s not as far fetched as it sounds. Any website worth its salt will store your password as a hash, so if they started sharing the hashes with each other they could prevent you from reusing passwords without changing much security-wise
Any website worth its salt will salt the hash as well…
Counterpoint: Password Manager = One point of failure
Multiple Strong Passwords that have to be changed every 3 months even to sign on to your cornerstore rewards program without a password manager? Guess you’re never accessing any account older than 3 months because you’ve forgotten th3 b1lli0n$ oF s+r0ng p4s5w0rds Y0u h4Ve cr3atEd!
That’s…not a counterpoint.
You can have strong authentication on your central password manager, and have an encrypted container protecting it.
There is no logical argument against password vaults as a concept. There are bad implementations of specific password vaults, but a password vault is the answer for the highest possible password based security available in 2023.
And figuring out which password managers to use is not a task which a lot of people know where to start, and it is STILL a single point of failure
I have no idea about how to protect a password manager with an encrypted container.
And to be honest with you, it’s not something I’m likely to do even if you do attempt to explain the 60 minute long $10 18-step process to me. Or however long it takes and whatever it costs.
And really, for all my ignorant ass knows you could’ve just as well been encouraging me to get malware and I’d be none the wiser.
What makes it completely unusable for me is that I don’t have a single work computer I use. I have to bounce around computers at work, my personal phone, computer, work iPad, etc.
Okay and now let’s get into threat modelling and risk management.
What is the purpose of a password manager? What are the possible threats against them, and what are those against singular passwords for services? What is the risk of each of those?
Guys, before you argue with me, password security is something that EVERYONE in the 1st world has to deal with, not just tech nerds. If you need to grow up around computers or take a class for it to be a good form of security, its a shit form of security for the general public
But you don’t?
Password managers really are not hard to use. Also there’s stuff like the password manager built into iOS, for example, which you don’t even have to think about.
My comment about threat modelling was that you do not seem to understand the purpose of password managers. A way bigger problem for the average person online is password reuse, not targeted attacks against password vaults. That is the problem they solve.
The weird trope I’ve seen now is “don’t use the password manager in your browser”. For the life of me, I can’t think why some think a browser plugin to a commercial password manager is safer than the built in version.
They probably think it’s safer somehow. But I don’t really get how.
Most built-in password managers allow for you to setup a master password of sorts if you try to sync everything to a new device, and most also require you to use your computer’s native verification to view a single password in plaintext or export all of them as plaintext. (For browsers on Windows, they use Windows Hello; for browsers on Android, they use the fingerprint scanner or the lock screen pin.)
I’ve had security fatigue for years now. I’m sure most of you have. I’ve written down so many usernames and passwords and it’s still not half of what I have, and to top it off, several of the written passwords are now wrong after obligatory password changes and I don’t remember the new ones.
Actually you are the single point of failure
I mean yeah, the security benefit from being un-notable isnt negligible
i use this on all sites:
3 lower case 3 uppercase 3 special chars and 3 numbers, (pseudo) randomly arranged, (pseudo) randomly generated.
How do you keep track of your passwords, if you don’t mind me asking? That’s where I get stuck
I’m sure I’ll get shredded for this, but I keep my passwords in a notebook. Every once in a while I go through and change them all into other random nonsense and reorganize to keep it neat. I am a bit of a notebook fanatic and a have a whole shelf full of them. If someone ever broke into my house there’s no way they’re going through all of them to find anything like that. If the house burned down, maybe a bit of a problem, but as long as I have my phone I can get my email back, and between my phone and email I can get any of the important ones back as well.
If I had corporate or government secrets and was the target of espionage I’d probably rethink, but the danger of anything is so minuscule.
To be fair: A notebook with a bunch of strong passwords is probably more secure than a human brain memorising a bunch of weak passwords.
Derive the pseudorandom parts somehow from the url domain and you’ll always be able to figure it out.
I’ve done this and it has been convenient, but using a password manager is still the way to go IMO. The personal password algorithm approach starts to be a pain when you need to follow a different set of character rules or change a password. With a password manager there’s no hesitation or friction when considering a password change.
Yeah, if you use your own password cipher, you never have to memorize a password again. Just derive it based on some common input value, like the company name or url. Makes password rotation tricky, though, and it’s a pain when a website won’t allow a special character you generally use, creating “one offs” that are hard to track.
I did this for years. Yep, it works enoughish, but I’m so much happier on a password manager now, and it’s pretty fun to see the managed passwords having so much more entropy than even the most obscure things I was algorithmically generating. Also, the speed of using a manager is great. Somehow I ended up with multiple Ticketmaster accounts (from using a different email address for some one-off season tickets that migrated into TM later). I think the moment I realized I wanted to change to a manager was when I was walking up to a concert and realized I hadn’t downloaded my ticket. I got into TM and realized I needed to switch accounts. So then I’m trying to walk and type my big fucky nerd-assed brain-generated password on mobile, fat-fingering the touchscreen keyboard, almost locking myself out of the account when I just want to get into the venue and relax. Later, that first moment trying an integrated pass manager and effortlessly switching between accounts, each with far stronger passes than I would have remembered, limited only by the loading speed of the site and with virtually zero chance of locking myself out… that really made me feel like fancy Pooh meme.
A password manager. I personally use 1Password, I’ve seen a lot of recommendations for BitWarden, and my workplace uses KeePass.
Just use a password manager, then you get the benefits of having a single password to remember without the security-related downsides.
I never got over the fact that I somehow need to trust to an absurdly high degree a proprietary software to store ALL my passwords. Is this really a good idea?
It’s the choice between trusting one company (or if you self host, trusting yourself) to have their security all in order and properly encrypt the password vault. Using one password for every site you use means that you have to trust each of those sites equally, because if one leaks your password because they have atrocious password policies (eg. storing it in plain text), it’s leaked everywhere and you need to remember every place you used it before.
Good password managers allow audits, and do at times still get hacked naturally (which isn’t 100% preventable). Yet neither of these should result in passwords being leaked. Why? Because they properly secure your master password so it can’t be reverse engineered to plain text, and without the master password your encrypted password vault is just a bunch of random bytes. And even in the extreme situation it did, you know to switch to a better password manager, and you have a nice big list of all the places where you need to change your password rather than trying to remember them all.
Human memory is fallible and we want the least amount of effort, because of that we usually make bad passwords. Your average site does not have their password security up to date (There’s almost a 0% chance not one of your passwords can be found here). If you data is encrypted accordingly, it doesn’t matter if it gets leaked in any way or stolen by some rogue employee, so long as they do not have your master password. So yes, I’d say that’s a good idea.
Nicely said, thanks for the long read!
There are libre off-line password managers. Variants of Keepass for example.
Indeed it’s a bad idea to store passwords in a propietary system. Specially a cloud based one being hacked time to time, like 1password.
I’m unaware of 1password ever getting hacked.
Even if they did, there’s some really smart technology at play here. I think your paranoia here is unjustified. I felt the same way until I read about their technology. At that point I felt comfortable using their service.
I mean, just three days ago we had this incident, which is probably what they are referring to: https://blog.1password.com/okta-incident/
Anyway, iirc, 1password is architected in a way where a breach won’t actually disclose the passwords of their users, but I’m too tired to do the requisite double-checking to verify it
Yeah I did my research long ago. I don’t think this anything to worry about
I’m unaware of 1password ever getting hacked.
https://cybersecuritynews.com/1password-hacked/?amp
I think your paranoia here is unjustified
You are right in a way. I always assume company sysadmins have access to company data, even if they say the opposite, and I always assume there are undisclosed data leaks. Which may seem a little paranoid.
It’s like closing your car’s door when leaving it alone: Is it paranoid to assume that always there are someone willing to steal stuff?
1password employees don’t have access to the data let alone anyone else. The encryption is not bullshit
1password employees don’t have access to the data let alone anyone else.
That’s a common good practice.
It’s still good idea to assume the opposite.
If you can see plain text passwords, some malicious actor at their side can too. No matter if it’s encrypted at rest.
No, I don’t think it’s healthy to move through life in such a paranoid state. If I thought that, I wouldn’t use a password manager and that would leave several problems unsolved, chiefly I would only be able to remember a couple passwords, opening my identity up for hacking several orders of magnitude likelier to actually happen than 1password’s entire technology stack failing at its one job.
A lot of weird hate for 1Password on Lemmy the past couple days. I highly recommend reading their white paper, I think most of the hate comes from ignorance of what they are actually doing.
https://1passwordstatic.com/files/security/1password-white-paper.pdf
You can use KeePass, but you’ll have to figure out a way to have your password vault available on other devices (can do it by using any cloud shares, i.e. GDrive). This way you’ll be in charge of almost every aspect of your passwords. But you’ll have to take care of backups and keep everything in sync.
It seems bitwarden is a bit more user friendly and also quite good in terms of security and privacy related issues (FOSS as well!) . Thanks for the help!
I have this issue with bit warden
KeePass
I’m sorry but no. I’m physically incapable of not moving the capital letter one space and I’m not entrusting my passwords to what I’ve irrationally decided IS named KeepAss. I just can’t.
Just imagine keeping your passwords in your ass and you should be fine.
I’ve had that dream before, didn’t help…
I like Vaultwarden. Open source rust server compatible with bitwarden.
Syncthing works very well for cross platform syncing
Or simply can use, Bitwarden or Protonpass
I read a bit into bitwarden and it seems quite good, also with browser extension etc. Maybe I will think about my stance on password managers and give it a try
I have been wondering as of lately, I’m an old Bitwarden user and I use their generated passwords which are just a random mess for my eye, anyway when a leak occurs I usually tend to type my known passwords to match it with the leak lists, but now all this being auto generated and I be totally clueless of which is which, how would I ever notice if one of those more secure passwords are leaked?
Does Bitwarden let you know of leaked passwords as Chrome and I think Firefox does? Because I don’t recall having this info in hand.
You can go into your vault and choose a password to see if it’s been exposed on the web. It’s a little check mark by the password.
So all my passwords are locked behind a single password? Isnt this essentially the same as using the same password for every site. In that they only need to cracl o e password to have access to everything?
deleted by creator
Depends if you trust your password manager site more than either site you put the same pw into
This is not necessarily true.
For example, consider the case of a 1Password vault falling into the hands of an attacker. They do not have the option to just crack your password, as the password is mixed with a randomly generated value to ultimately derive the key. They would need to simultaneously brute force your password and that random value. This should almost be impossible. However, given access to a client that already has knowledge of the secret value, it would fall back to brute forcing the password.
In theory, yes but if you use a good password manager and have a strong master password the encryption should be practically impossible to break. The fact that you only have to remember one password means that this password can and should be a very strong one. 20+ characters with upper and lowercase letters, numbers and symbols should take centuries to crack.
You should be safe as long as your master password isn’t small, less than 15 characters. The longer the password, the better. Personally what I do is use a pass phrase to make it easily memorable, and then use it as a base to inflate security somewhat artificially.
Wrap the pass phrase around in brackets or symbols; mix lower/upper case; replace (or add to) a word in your pass phrase with one from a random other language, so instead of hello you type bonjour. Bonus points if you are able to replace even a few letters in your pass phrase with fancy diacritics, or fuck it add an emoji or two.
Then again there are a LOT of other factors which go into security. Theoretically the lyrics of song are decent as a pass phrase but there’s not much point if everyone knows what your favourite song is, or if you are learning Spanish then you’ll replace the English words with Spanish.
Unless you’re in a position where you’re targeted by nations or are working extremely high profile jobs like CEO or digital security you should be safe really with all these but as I said there’s a lot to keep in mind.
Just don’t use your master password anywhere else than your password manager.
If your password manager only works offline, then it is impossible to leak on the internet.
I just use engine model codes and body series# with special characters. Most of them are not even from the same vehicle so I doubt any one can remember. Shit sometimes I even forget what engine I coded with a certain vehicle. And then I get the you “can’t used the same password” which was enter previously to login.
