It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
But I wanna tell people my master password to my pw manager. It’s such a fantastic password that no one could ever possibly guess I would have. I wanna gloat.
I’ve been using Firefoxs integrated password manager for lots of unimportant logins, KeePass for everything else.
I’m not in IT but I followed the Michael Bazzell podcast until he disappeared. Guy was a bit paranoid but there was great info there. My understanding was browser saving passwords isn’t secure, that those passwords are open to scraping from bad players. Ofc I can’t reference this because the entire body of over 300 podcasts disappeared with him.
Agree on Bitwarden and such.
Whatever solution you think you can come up with is most likely not secure.
Having my passwords written down on a piece of paper is not safe ?
No. Anyone near you or with access to your place can see it. And most people know of the tricks.
Also you can’t encrypt it and most of all you can’t really generate as strong passwords as those generated by password managers, meaning I don’t even need the paper to try and crack your password
you can’t encrypt it
My friend, you will be surprised that encryption is something that not only the magical internet machine can do.
Maybe it’s secure but not safe. You won’t know if you have mistaken a character until it’s too late, or when you have written it ambiguously but you still remember it and don’t notice.
Sorry for the bother, but I get a little annoyed when people try to argue semantic difference in synonyms. What do you think is the difference between secure and safe?
Security and safety are not synonymous, they have a different meaning.
Security is that your password is stored in a way that it cannot be accessed by those you don’t want. Safety means that you won’t lose access to it and that it remains usable.
The distimction may be clearer with an other example.
A factory is secure if only the employees can enter, and it is safe if it does not want to fall apart and the machines in it don’t kill the employees.
Maybe it can be generalized so that security is for the access, safety is for the mistakes and the disasters.
Is ProtonPass okay?
I store my master password on a sticky note attached to the bottom of my desktop’s power supply. Easily accessible if I were to die, but sufficiently secure that if it were physically compromised I would have significantly worse problems on my hands.
My dad somehow believes that that password managers are very insecure ( he got that from some sort of ‘reputable source’, so me telling him bitwarden is secure doesn’t help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.
I have relatives that do this, but they record it accurately and put it in a safe.
My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.
I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.
Well yeah I guess that’s true
Only until he gets a keylogger on his computer
He’s doing something right.
You can’t hack a paper note over the internet.You can’t grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.
At least reputable companies do 3rd party audits and I have yet to hear about bitwarden getting pwned.
One of the only possibilities is them and their infrastructure getting ransomedI have yet to hear about bitwarden getting pwned
Honestly this is the part that scares me the most. Well maybe it’s the fact we have multiple plausible scenarios… What happens when you get locked out of bitwarden? I imagine the 256 randomized salted hash passwords will be hard to call, some companies will likely be able to restore your password via phone support. During that time, informed attackers will potentially have the master keys to your entire life. Fighting ai chatbots trying to recall security questions. During that time your phone and Internet service could be shut off, secondary emails changed and validated, money transferred out of bank accounts, stocks and crypto sold. Crowdstrike was a valuable security company.
It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans
Is your dad Ron Swanson? /j
Been using Bitwarden for a couple years now…
No regrets
just. write it down? in a notebook? keepassxc is rly good if you dont want to do that though
But what if you lose the notebook? Or just don’t have it on you, when you need it? God help ya if someone malicious gets it. Keep it digital, always available, backed up, and secure.
This is not a real solution. You’re supposed to have a unique password for everything. Managing that notebook would be an hassle, not to mention backing it up. It would easily have dozens of records, if not hundreds.
oh shit fair enough!! i use temp-mail.org for most things so i frogot about accounts for every tiny service lmao
I always recommend Proton Pass. A) because they have a forever free version and B) because hopefully they start looking into the whole suite in general and even if they don’t subscribe, they are more aware afterwards (hopefully).
On the plus side, the more people who don’t use password managers the more chance us password manager users will remain not worth the effort.
It’s kinda like security through obscurity mixed with only having to be faster than the slowest person to outrun a lion.
I disagree. Password managers are still target of threat actors, a juicy one at that, but it’s not too often you hear of breaches of good password managers. Chances are the people behind the good password managers are better at security than 99% of users (including more technical ones). Even after a breach exporting all the passwords and moving them to another service, and changing all your passwords again with more secure ones is trivially easy.
If everyone used them sure there’d be more pressure on said password managers but hackers will find it a lot more difficult to hack anything in general and it will still not be worthwhile to hack average users who use a password manager.
I migrated to Bitwarden from Firefox a few months ago and I regret it as it’s slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
I agree, but I just know that someday Mozilla is going to go down and I’m gonna lose my passwords and I won’t even be able to get into my email to reset them.
You can (and probably should) backup your passwords. Same goes for any hosted solution.
Quick question? Since Firefox is open source couldn’t you in theory modify where the password manager is going. Syncing your passwords from the browser to your local server. Idk, I just thought of that and know that that’ll never work or it may be too much work when there’s an alternative for that anyways. Just something I thought of from what you were saying about “if Mozilla may kill their servers” which they will imo.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.
You can also test it by logging in to a new computer and getting all your passwords there too
How did you login to apps in your phone? Go to the computer and open Firefox? Bitwarden on the phone integrates into the apps directly.
Same as Firefox. You go to your Android settings and set Firefox as password manager. No need to go to the computer.
Ah interesting. I didn’t know that was possible!
How is it more inconventient and slower?
The only reason should be that it needs to decrypt the vault upon login which (depending on the iterators of the encryption and the processing speed of the system) can take a second more. Until then it’s equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.On android, there’s a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I’m not going to switch from Firefox anytime soon but it’s super easy to export passwords and the Firefox password manager works for any apps on Android.
I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn’t use password managers at work. Nor were you allowed to bring them in.
Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.
Plus, the computers themselves had a custom-configured OS and you couldn’t install any software on them that wasn’t on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.
I didn’t get to mess around with password managers until I retired a couple years ago, and they’ve been a game changer! In the military, we needed unique complex passwords for everything, can’t reuse passwords, can’t write down passwords, and you had to change them every 60 days.
Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it’s been wonderful.
I don’t know why the military doesn’t get some sort of password manager approved for use. This is far more secure than what they’ve been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I’d forget them (and again, we weren’t allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don’t even need to remember it. I love it!
This is crazy to read, thanks for sharing! How did you store/remember all the passwords?
The DoD actually did a study I thought “recently” on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.
Don’t think they changed their policy though.
I work at a university IT department. It’s been a struggle with our auditors to loosen up the password expiration requirements. At least with the students they let anyone with 2FA to go without password expiration, which acts as a nice little carrot-and-stick. But for staff it’s two years (2FA always required), regardless of password quality. I’d rather be able to base password expiration on password quality, personality.
2 years seems perfectly reasonable. I thought you were gonna say every 30-60-90 days.
What’s wrong with a password manager built in the browser?
That’s what I’ve resorted to, but I only use Firefox because it has a master password.
Chrome has no master password so what stops any fool from stealing your passwords while you’re taking a piss, I don’t know.
Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than their worth in my estimation.
Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.
- No more password reuse, per site random passwords.
- Auto-fill reduces chance of phishing attacks work because you get suspicious if the password doesn’t auto-fill.
- Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.
I think these are the two biggest benefits and every browser password manager will accomplish both.
This is what I do: I use my browser to store all my randomly generated passwords. If I ever need them on my phone I either sync or go to my desktop and view the password and type it over.
Say, what are the chances either
- someone comes to depend on the password manager to get into their accounts, gets locked out of the password manager, and loses access to all their accounts (e.g. using the password manager to create and store passwords they might never have even seen);
or
- their password manager (or account) gets hacked, somehow, and all their accounts get taken at once
As Kramer said. Levels. If tou layer your security 2 becomes a non issue. What you have, what you know, and who you are. Which plays into 1. The 3-2-1 of backup. 3 copies of the data. 2 different media. At least 1 off site. Suprising as it might be, writing a great backup is to write your password down. I have a piece of paper with my password in a lock box in my apartment, in a safety deposit box at my bank, and at my parent’s house
These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.
-
Make sure that you are regularly typing your master password for the first bit. After that you’ll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.
-
This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can’t be hacked (as it doesn’t have access to your passwords).
Well, what if they somehow manage to get into my password manager account? I mean, it has a login, like any other account. The way to prevent it would be to have a strong enough password. Regardless, if they somehow got my main password, they’d have free access to all my credentials everywhere, and would be able to log into them as easily as I can. I mean, it is easier to secure one account well vs. however many others that the password manager can take care of. But still, a centralised hub with easy access to all my accounts feels like a one-stop shop for taking over my online life
I mean, to myself, I can deal with the consequences of my choices (as much as they can suck sometimes). But recommending stuff to other people I find complicated. I mean, I’ve gotten locked out of accounts due to 2fa (some being old and lost to time, others due to an unlucky series of events and a last minute half-assed backup) and even had to troubleshoot and/or reinstall (Linux) operating systems on my laptop (one instance of which relates to the aforementioned 2fa incident). To recommend something to someone and risk something like that, and be responsible for it… I mean, I once had to help troubleshoot a non-booting Linux machine via messages and photos during lunch out, and I myself am not an expert, so I had to online research from my phone and relay the information
These are all good points. This is why it is important to match your recommendations to the person. For example if I know they have Chrome and a Google account I might just recommend using that. Yes, it isn’t end-to-end encrypted and Google isn’t great for privacy but at least they are already managing logins over all of their devices.
In many cases perfect is the enemy of better. I would rather them use any password manager and unique passwords (even “a text file on their desktop”) than them sticking to one password anywhere because other solutions are too complicated.
-
- Ultimitaly its up to the user to remember the master password. I’m not familiar with how bitwarden works, but do use keepssXC. I hear bitwarden is better for less techical people due to having built in account/sync options. (You can also self-host BW if you want)
Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It’s automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.
KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.
That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I’d love an decent alternative if anyone has one).
For Android I like KeepassDX and Keepass2Android.
- Getting hacked is a legitimate concern. However the greatest risk is still duplicate passwords. The time it will take crack an individual database is going to be less well spent than dumping a million username/password sets into a thousand sites and hoping for a match.
Realistically, if you’re the specific target of a hacker going specificaly after your database files you’re best off freezing your credit and bank accounts.
If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.
First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.
Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won’t lose the emails that let you reset everything else. If the email gets cracked, they won’t have a convient list of accounts to go mess with. Also make sure the emails have all the security and recovery options available setup.
3, bonus round Finally for fincial security, don’t have your credit card saved on every site. I don’t let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a “1-time use” card for anythibg irregular.
Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won’t work. I’ll get an email and can just cancel the privacy card for amazon (I’d probably kill them all to be safe) and then work on resecuring everything.
To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.
For privacy.com:
- great for anyone in the USA
- don’t worry about difficult subscription cancellations again, just turn that one’s dedicated card off
- I have personally blown past the daily spend limit of 250$ without issue, idk if that limit is real. The 1000$/mo may be though I’ve never hit that.
- I’ve used privacy.com for everything from Amazon to car insurance to gym memberships.
On credit freezes:
- a freeze means that your consumer report will not be shared, which means applications for credit in your name will be denied
- all USA consumer reporting agencies (data brokers) are legally required to freeze sharing of your reports for free upon your request
- you can temporarily unfreeze when you get a new credit card, apply for rental property, etc.
- don’t let them upsell it or try to direct you to another page with similar language, it is free
- credit monitoring products need to request your report to see if any new accounts have opened. Don’t monitor it, prevent it by freezing the reports
- freezes are required for any data broker, not just credit. This includes LexisNexis (job history), and presumably the ones that do rental and vehicle ownership history though i don’t know their names.
I was talking about the individual card limits that can be set, those definatly work.
Edit, looking my account, I too have 250daily and 1000 monthy limit. The next paragraph might be be outdated?
I know the total daily limit is “adaptive” or something set based on your spending habits. I’d prefer setting the limit myself, but it is what it is.
