It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and it’s a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
I’ve been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton’s best service.
It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.
Has built-in 2FA and passkeys. Works great in the browser with proper autocomplete, even for the 2FA code. Works fine on Android, and passwords in both browser and applications get autocompleted.
Proton Pass can be used by everyone, regardless of their technical level, on every device. My mom could easily use this across all her devices. I’m told KeePass is fantastic but having it sync across all her devices would be challenging for her.
Most Proton services feel kinda underbaked but Proton Pass is excellent.
I’m a little miffed that 2FA support is a paid feature.
I’m using KeePassXC and have no intention of switching, plus I’m paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn’t be locked behind a paywall.
100% agree. Charging for the unlimited email alias is fine but 2FA? :/
I actually came here to echo this exact sentiment. I was on LastPass until their first breach and then on Bitwarden both cloud and self-hosted until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying Proton Pass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can’t see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton’s suite of apps, give Proton Pass a try. You can easily import from LastPass/Bitwarden and use both to compare side by side.
If that wasn’t a scripted ad, you should go into sales.
I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.
I am very “passionate” about Proton Pass but don’t take me for a Proton shill, I have a lot of criticism about their other products.
so is it bad to store my 2FA backup codes as notes in those same login’s bitwarden entries?
I do this too. I would need them if I lost my phone, so bitwarden/keepass is a good place for them to be.
I think it is less secure though since someone who somehow has the unencrypted vault without your 2FA device could get in with the codes - but if someone cracks my master password I’m screwed in a whole bunch of ways so I’m not sure it matters too much at that point.
It depends on your threat model. It does mostly reduce the benefit from 2FA, but you are probably still very safe if you use a random password per site. I mostly use 2FA when forced (other than a few high-value accounts) so I don’t worry about it. For most people having a random password which is auto-filled so that you don’t type it into the wrong site is more than sufficient to keep themselves secure.
I don’t recommend Bitwarden. I used them in a corporate environment and they lost all of our company’s credentials. It was a huge hit that cost tens of thousands worth of man-hours to overcome. Their response was to shrug and say sorry. We were paying a premium for their services, too, and have moved onto LastPass.
deleted by creator
Agreed, but it wasn’t my decision and TBF they didn’t lose our passwords.
LastPass? the one that leaked people’s private notes that were not encrypted?
second the back up question by u/@[email protected]
Right lol
I get people hating on bitwarden being hosted by 3p but let’s be real it provides a lot more benefit than risk to any normie.
if you are such a big dick security/privacy daddy, then selfhost… but most people just need a useful service. bitwarden is free for all the needs a normie would ever come with, then pro version is like 10 bucks a year.
Why weren’t any backups created?
Idk, not my department.
90% chance it was some kind of user error.
You are right. However, most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don’t know about Bitwarden. I usually recommend Bitwarden or Proton Pass. (I’m self-hosting Vaultwarden). More privacy-focused YouTubers need to promote Bitwarden, KeePassXC etc. (I’m waiting for a Proton Pass self-hosting option).
but bitwarden, keepassxc don’t pay them… RHEEEE
what’s missing, since the proton pass source code is available?
I have only found the source code for the Android and iOS application, but not for the server.
deleted by creator
Changing passwords is almost always completely useless, and requiring it dramatically weakens security.
What’s the logic behind this statement? I would’ve thought that if a website’s logins and passwords were somehow leaked, the more often I change my password, the less likely it is for the leaked password to still be usable by bad guys based on the shorter time horizon.
Leaked how? No good practice allows any way for a password to “leak”.
What rotating passwords does is ensure people who don’t use a password manager either write their password down more and more frequently, or use a weaker password with some simple changing pattern that doesn’t add anything.
Leaked how? No good practice allows any way for a password to “leak”.
Suppose a social media website has a data breach.
What rotating passwords does is ensure people who don’t use a password manager either write their password down more and more frequently, or use a weaker password with some simple changing pattern that doesn’t add anything.
Okay, but suppose I use a password manager like Keepass, then does rotating my passwords not make me any safer in the event a social media website’s data is breached and ends up being sold off on the dark web?
I used to use a plain text system, “encoded” in such a way that only I knew what the actual password was, and I kept it on Google Keep.
But that got harder and harder to manage, coupled with, if I were to get run over by a bus, no one else would be able to access my accounts.
Now I’ve been using Dashlane for a few years. Not just for passwords, but secure notes as well.
Works seamlessly on all of my devices and zero complaints.
Absolutely this. Been using KeePassDX for years and it’s made my life so much easier. I am waiting for it to support passkeys so I can start using them where possible.
So many folks talking about which software they use, and how they sync it between devices etc.
You all know there are hardware password keepers right? They present to your devices as a usb and/or bluetooth keyboard and just type out the user/password that you select. They have browser plugins to ease the experience. Now your password is not even stored on the device you’re using to perform your login and it will work on any modern device even without internet access.
Oh and no subscription fee to cover the costs of cloud infrastructure.
What happens if it gets lost stolen or broken?
I save copies of the password database in several locations. I have to keep them synchronized manually but that’s preferable to using commercial ones that take turns in getting their data breached.
That will vary from vendor to vendor. In the case of the one I like there are a few relevant things.
The password db is stored encrypted on the device. Accessing the passwords requires all of:
- the device
- a smartcard with a particular secret on it
- the 4 digit hex pin to unlock the secret on said smartcard, which is what is used to decrypt the db
Three PIN failures and the smart card is invalidated.
That sort of covers “stolen” and “lost + recovered by a baddie”. Your bad actor would need to have their hands on both physical pieces and guessed the 4 digit hex code in 3 tries.
As far as a user recovering from a lost or failed device or smart card goes, you can export the encrypted version of the db for backups, which I do to a thumb drive I keep in my document safe. I do the same with a backup smart card. So that and a backup device or purchasing a new one if yours fails or is lost/stolen.
In the super “just in case” move, I also keep a keepassdb on said thumb drive. In case my device fails and it’s just not possible to get a new one. Kind of like keeping two cloud providers in case LastPass goes bankrupt or something.
Hypothetically, couldn’t an attacker clone the smart card and retry on the copies?
I would believe a salted and hashed 0-knowledge password vault is more secure than a US-company which could be forced to surrender private keys used for the encryption
How would any company, regardless of geography, have the secret I generated? This is a stand-alone hardware device. The seller is not involved at all once I’ve received my package.
Could a sophisticated/well resourced actor clone the smart card they stole or you lost? Sure, brute force attacks are brute force attacks. At least you’d know your device and card are stolen. Now you’re in a race to reset your passwords before they finish making 500 clones of the smart card they stole.
Hypothetically I could blackmail someone at LastPass and have a backdoor installed for me.
Someone could bust down my door while I have it connected and unlocked and just login to all my things. ¯\_(ツ)_/¯
You lost an arm. Remember to use the \ to escape the markdown ;)
I don’t know much of smart cards and the whole hardware based authentication beyond knowing they exist at all so please take my questions for what they are.
I was thinking the encryption on those cards is done with a private key and a writer/reader by the manufacturer (like HID). So if the NSA busts down the door and demands the key you could technically decrypt it.
So if you generate your own private key that vector is obviously mitigated, assuming they are providing the tool with a non-reversible hashing process or a guide on how to generate the key so it wouldn’t aid in the brute-force decryption.
Thank you for the info :)
I saw the lack of arm and facepalmed but I was half asleep poo posting so got over it :p (fixed now!)
I’ve been using this device for ~5 years now, so my memory is a little hazy on it, but I’m pretty sure for the particular device I prefer (which is to say, I have nfc what the setup is for other vendors, which could be greatly superior) the AES-256 key used for encryption isn’t generated until you set up your first card.
Curiously enough, I never heard of those. Do you happen to know good ones so I can further check?
I’m a pretty big fan of the mooltipass. They’re sold out and between iterations right now, but a new one is expected soon. One of my coworkers is pretty into their OnlyKey.
Mooltipass looks sick actually. I have my reservations regarding the ble part, but I would have to look into it more to understand it. Might get one to check around how well it works (once availability is there)
I’m not in IT but I followed the Michael Bazzell podcast until he disappeared. Guy was a bit paranoid but there was great info there. My understanding was browser saving passwords isn’t secure, that those passwords are open to scraping from bad players. Ofc I can’t reference this because the entire body of over 300 podcasts disappeared with him.
Agree on Bitwarden and such.
Using 2FA on all accounts that offer it is just as important. And make sure to use a good, open-source TOTP client like Aegis on Android or Tofu on iOS.
Definitely make sure to backup your seeds in an encrypted format (e.g. Veracrypt container or GPG-encrypted files). If you lose your seeds, you lose access to your accounts.
I like to use the automatic backup feature in Aegis, which syncs my encrypted vault to my Nextcloud server. You can also enable compatibility with Android’s backup API and use that if your ROM includes a backup solution like Seedvault.
What’s frustrating is that most sites want your phone number. Even though it’s less secure than TOTP, that sweet sweet data using your phone number as a common index is irresistible
It might not be any more private but I give out my Google voice number to people/businesses I don’t really want to hear from or suspect my data will be sold by.
What’s really frustrating is that some services detect GV (and other VOIP providers) and just say you can’t use it.
True. Even government websites refuse to verify you over a VoIP line.
Forgot to add this bit in my first reply:
This is especially bad since I’m more confident that GV is less susceptible to a SIM swap type of attack since I can disable it on my account which is of course protected by real 2FA (not SMS).
Meanwhile T-Mobile has shown a few times that they’re vulnerable to SIM swap attacks.
And best case on an actual separate device.
And if the company doesn’t supply one, use your own at your own discretion /shrug
I don’t really think a separate device like a phone is necessary to store 2FA tokens, the only option I would consider is a hardware key like YubiKey for storing TOTPs.
Any comments on Bitwarden for TOTP?
You can but shouldn’t.
Ok would you tell more?
Personally I wouldn’t keep my TOTP together with my passwords, but it’s up to you
TOTP is standardised by RFC 6238 so all TOTP clients must comply with the standard and therefore work equally well. Pick the one whose UI you like the most and is otherwise good enough for your use case and personal preferences. It’s similar to arguments over CPU thermal paste—its presence or absence makes a much larger difference than the method of application.
You do, however, want to pick something that is free and open-source and also popular. Google Authenticator (closed source) definitely is a functional TOTP client but you have to trust that the Google engineers have done a good job building a secure app. Since it’s Google, they probably have, but a principle in security is that you should not have to trust more people than absolutely necessary.
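What "complying with RFC 6238" means in practice, as an added example that is not part of the thread: the code depends only on the seed and the clock, so any client holding the same seed shows the same digits, and a backed-up seed restores every code. The function names are illustrative, and the seed is the published RFC 6238 SHA-1 test seed in base32, not a real secret.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890") in base32,
# the form in which sites usually display a TOTP seed. Not a real secret.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Accept the seed as users see it: grouped, lower case, unpadded."""
    cleaned = seed_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(decode_seed(seed_b32), int(unix_time) // step, digits)


def verify(seed_b32: str, candidate: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift."""
    key = decode_seed(seed_b32)
    counter = int(unix_time) // step
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(hotp(key, c, len(candidate)), candidate):
            ok = True
    return ok


if __name__ == "__main__":
    # Two "clients" given the same seed in different formatting agree.
    print(totp(RFC_SEED_B32, 59, digits=8))
    print(totp("gezd gnbv gy3t qojq gezd gnbv gy3t qojq", 59, digits=8))
    print(verify(RFC_SEED_B32, "287082", 89))   # one step late: accepted
    print(verify(RFC_SEED_B32, "287082", 149))  # three steps late: rejected
```

The drift window in `verify` is also why a code stays usable for a short time after it rolls over in the app.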
I store my master password on a sticky note attached to the bottom of my desktop’s power supply. Easily accessible if I were to die, but sufficiently secure that if it were physically compromised I would have significantly worse problems on my hands.
If you’re on Linux and you don’t want to use KeepassXC, you can check out Secrets on Flathub, it has imo a better UI/UX
If you’re on Linux and you like minimalism, pass is also a great option
Interesting, thanks for the recommendation.
How do I convince my girlfriend to stop using her safari password manager and migrate it to bitwarden? Is the password manager in Safari so unsafe that it’s worth the additional effort she might ask.
It’s not that bad, but tell her that she can set Bitwarden as the default option for auto-fill in the settings and everything will get automatically filled in, just like with the normal Safari password manager
Apple is releasing a more comprehensive password manager in the next few months, if she’s heavily in the apple ecosystem the switch could be pretty convenient
Obviously bitwarden or keepass would be great but this would be a bump up from being stored in a browser
Thanks for the update! I will keep an eye out
My understanding is that your GF will be using Apple’s KeyChain, which is pretty good except that it’s hard to look inside and manually edit. It’s not just in Safari.
The upcoming Password app is just a nice user interface to KeyChain. So no change to the functionality as such, but I think it’ll make a big difference to how it’s used.
it’s hard to look inside and manually edit
It’s actually pretty easy when you’re on a Mac. They bundle an app called Keychain Access, which lets you look at and edit everything.
Yes, that’s true. Keychain Access helps a lot.
just. write it down? in a notebook? keepassxc is rly good if you dont want to do that though
This is not a real solution. You’re supposed to have a unique password for everything. Managing that notebook would be a hassle, not to mention backing it up. It would easily have dozens of records, if not hundreds.
oh shit fair enough!! i use temp-mail.org for most things so i forgot about accounts for every tiny service lmao
But what if you lose the notebook? Or just don’t have it on you, when you need it? God help ya if someone malicious gets it. Keep it digital, always available, backed up, and secure.
My dad somehow believes that password managers are very insecure (he got that from some sort of ‘reputable source’, so me telling him bitwarden is secure doesn’t help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.
I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)
Only until he gets a keylogger on his computer
Well yeah I guess that’s true
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.
He’s doing something right.
You can’t hack a paper note over the internet.
You can’t grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.
It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans
Is your dad Ron Swanson? /j
My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.