Yeah, true story. Really weird.

Marginally better than using discord itself as your password manager (also a true story!)

It’s not that bad, but tell her that she can set Bitwarden as the default option for auto-fill in the settings and everything will get automatically filled in, just like with the normal Safari password manager

Apple is releasing a more comprehensive password manager in the next few months, if she’s heavily in the apple ecosystem the switch could be pretty convenient

Obviously bitwarden or keepass would be great but this would be a bump up from being stored in a browser

Why?

1337

I am fighting this with people at work.

No, it is not “one more password to remember”

You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.

I even generated a sample password from bitwarden and drew them a picture of how to remember it lol

Still about 10% of people forgot their password in the first 2 months.

People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.

These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.

1. Make sure that you are regularly typing your master password for the first bit. After that you’ll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.

2. This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can’t be hacked (as it doesn’t have access to your passwords).

As Kramer said. Levels. If tou layer your security 2 becomes a non issue. What you have, what you know, and who you are. Which plays into 1. The 3-2-1 of backup. 3 copies of the data. 2 different media. At least 1 off site. Suprising as it might be, writing a great backup is to write your password down. I have a piece of paper with my password in a lock box in my apartment, in a safety deposit box at my bank, and at my parent’s house

1. Ultimitaly its up to the user to remember the master password. I’m not familiar with how bitwarden works, but do use keepssXC. I hear bitwarden is better for less techical people due to having built in account/sync options. (You can also self-host BW if you want)

Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It’s automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.

KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.

That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I’d love an decent alternative if anyone has one).

For Android I like KeepassDX and Keepass2Android.

2. Getting hacked is a legitimate concern. However the greatest risk is still duplicate passwords. The time it will take crack an individual database is going to be less well spent than dumping a million username/password sets into a thousand sites and hoping for a match.

Realistically, if you’re the specific target of a hacker going specificaly after your database files you’re best off freezing your credit and bank accounts.

If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.

First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.

Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won’t lose the emails that let you reset everything else. If the email gets cracked, they won’t have a convient list of accounts to go mess with. Also make sure the emails have all the security and recovery options available setup.

3, bonus round Finally for fincial security, don’t have your credit card saved on every site. I don’t let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a “1-time use” card for anythibg irregular.

Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won’t work. I’ll get an email and can just cancel the privacy card for amazon (I’d probably kill them all to be safe) and then work on resecuring everything.

To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.

But what if you lose the notebook? Or just don’t have it on you, when you need it? God help ya if someone malicious gets it. Keep it digital, always available, backed up, and secure.

This is not a real solution. You’re supposed to have a unique password for everything. Managing that notebook would be an hassle, not to mention backing it up. It would easily have dozens of records, if not hundreds.

If you’re on Linux and you like minimalism, pass is also a great option

even if their servers were compromised it’s all encrypted. it only decrypts on your end

But the bad aspects of cloud services worry me a little about this

KeePassXC is entirely local.

so I’m thinking of exporting my passwords to another safe place for such cases.

I’m also using ProtonPass, and I agree it’s a game changer. I love the interface, the Android app is amazing and well integrated.

To not be locked in into ProtonPass in case of real disaster, once a month I export the ProtonPass data and import to KeepassXC in my local machine. It’s pretty easy, you just have to export to CSV, and import into KeepassXC, the interface will help you to map the CSV fields accordingly, and you will have a local accessible backup in case of disaster. Don’t forget to remove the CSV from your computer after importing to KeepassXC.

You can export all your passwords to an encrypted and password protected file. I ocasionally back it up to a USB device so that I always have an offline copy available.

Still, one of these days I was logged out of my proton pass on Android and couldn’t connect to the internet. I was locked down.

I disagree. Password managers are still target of threat actors, a juicy one at that, but it’s not too often you hear of breaches of good password managers. Chances are the people behind the good password managers are better at security than 99% of users (including more technical ones). Even after a breach exporting all the passwords and moving them to another service, and changing all your passwords again with more secure ones is trivially easy.

If everyone used them sure there’d be more pressure on said password managers but hackers will find it a lot more difficult to hack anything in general and it will still not be worthwhile to hack average users who use a password manager.

Same and she has the balls to ask me for passwords!

Did you export ProtonPass to CSV?

I’ve tried going back to KeepassXC, locally, but the file I export from ProtonPass won’t load in KeepassXC. I feel stuck.

Open a bug report in KeepassXC’s repository, maybe it’s a big in their code. Or they’ll tell you that the bug is in proton pass, and you can report it there too so that they know about it and can fix it. Maybe the KeepassXC team can give you a workaround too

My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.

Is your dad Ron Swanson? /j

I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)

deleted by creator

He’s doing something right.
You can’t hack a paper note over the internet.