It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 2.8K Posts
- 70.2K Comments
- Modlog
I actually combine a password manager with a password book, don’t like storing data for sensitive accounts on servers that can be breached and I’m too lazy to self host 😬 and I can remember my password phrases for sensitive accounts I use normally.
I’d be open to using a pw manager then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other it, various issues, etc. It doesn’t make me feel like taking action if everything feels sketchy.
I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We are using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.
+1 for bitwarden
I just tried the free option (bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for the Proton Pass since Authy has fucked off a cliff.
What happened with Authy? (As someone who uses it)
Couple of things happened, this and this. I got soured and needed to find a better alternatives for my TOTP.
I use Safe in Cloud but nobody ever talks about this one. Is it a bad one?
I tell non techy people to use a physical book that they can secure. People know how to do hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.
I do that too.
I’ve been using Firefoxs integrated password manager for lots of unimportant logins, KeePass for everything else.
I clear everything on close
I think you might be preaching to the choir here.
Circlejerkin on lemmy is our mutual hobby here
I use a password pattern. I have hundreds of different passwords all stored in my head and all between 10-20 characters long. The trick is to have a deterministic formula for picking a password.
Example: short word + First 6 in url + symbol + short word capitalised + number
Let’s say the first word is cat and second is dog, symbol is - and number is 5 and you have a Gmail it would give you
“catgmail-Dog5”
https://www.passwordmonster.com/ gives it 61 years to crack this one but if you use longer words you get better times.
Wait are you saying that with the example your provided your password for Lemmy would be catlemmy-Dog5? Because that’s a terrible system.
Maybe it’s not for you then. It’s been working pretty well for me and my passwords aren’t saved anywhere but locally in the browser.
It’s better than reusing the same password, but not by much. If one of your passwords get compromised, an attacker can easily guess to try to just replace “gmail” by whatever service they’re attempting to log into as you, and give it a shot.
That’s assuming that a human will ever see it. People cracking passwords either have all of them and then use an automated tool or hack a person specifically by decrypinc a password hash which will take an immense amount of time and electricity.
Still since that’s a concern I can modify the formula. By splitting gmail into g and mail and sticking g at the front.
gcatmail-Dog5
Not how it works.
First of all, there’s far too many companies out there still storing passwords in plaintext.
Second of all, even with a good hash algorithm, hacking a specific person’s password out of a leaked database is still feasible when your passwords are variants of a few dictionary words with a few numbers and symbols attached.
Creating fully randomized, unique passwords in a password manager really is the best way. Even an older hash method of storage on the web site’s part will likely protect it.
It is truly upsetting to see how complicated for use password managers are.
I grow up around computers and I can barely mange them. Other people just don’t understand how to use them, it is complicated and inconvenient. Even after I set them up and show them multiple times, friends don’t manage.
In browser password managers cover 90%, but I guess web sites and apps need to start testing UX for password managers. Some of them introduce stupid flows that brake all of them.
Android is complete shit show.
It is not users, but applications and UX that doesn’t care about security.
iCloud Keychain is super easy to use, but obviously you need a iOS/macOS to take advantage.
What’s wrong with android? I have bitwarden setup any basically any time I tap a password field it offers me to fill in from my vault.
I used to use a plain text system, “encoded” in such a way that only I knew what the actual password was, and I kept it on Google Keep.
But that for harder and harder to manage, coupled with, if I were to get run over by a bus, no one else would be able to access my accounts.
Now I’ve been using Dashlane for a few years. Not just for passwords, but secure notes as well.
Works seamlessly on all of my devices and zero complaints.
I do exactly this (the google keep notes plain text encoded passwords idea), right now. Perhaps I’ll go the same route as you then… I was wondering what manager to use.
I’m using Bitwarden, 1Password and KeePass. Works like a charme.
Why all three? Redundancy?
I started with Bitwarden as a replacement for KeePass and changed to 1Password due to the way they secure the login password (password + random string). KeePass is now my backup place for 1Password and I support Bitwarden with a subscription because I like to support their OSS way.
I have the need to have different accounts to everything. Hate to perform the sign up process over and over again. They really need to standardize this.
Passkeys is one step forward but far from enough.
I hate the idea of having to login again and again with just a minute interval that I see BankID requires as it is for different things. Like I constantly have to prove it is still me here. BankID is the app in my country that gives you access to your Bank account, government stuff and so on. It connects to your personal number and ID you in real life.
So the issues you describe is just the result of how bad designed the web is today. It is simple for every company but hard for the user.
I am curious what country you’re from that they require a specific app for “official” business.
Sweden with BankID. The main app for it. Sometimes the goverment(not the banks) offers the alternative Freja E-ID https://frejaeid.com/. The banks built BankID and charge companies that use it(not consumers).
Sweden
They don’t require it, you can also go to a physical office if you don’t have BankID. Also BankID is a private company wo is problematic on several levels.
Many government agencies have started accepting multiple ways to identify yourself such as Freja.
Some politicians would prefer a standardized governmental solution to identity.https://www.dagensps.se/bors-finans/kinberg-batra-infor-statlig-bank-id/
I’m not so sure about that though.
It’s an ongoing topic. We’ll see more where it goes.
I migrated to Bitwarden from Firefox a few months ago and I regret it as it’s slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
How did you login to apps in your phone? Go to the computer and open Firefox? Bitwarden on the phone integrates into the apps directly.
Same as Firefox. You go to your Android settings and set Firefox as password manager. No need to go to the computer.
Ah interesting. I didn’t know that was possible!
They did a poor job advertising it…
How is it more inconventient and slower?
The only reason should be that it needs to decrypt the vault upon login which (depending on the iterators of the encryption and the processing speed of the system) can take a second more. Until then it’s equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.
On android, there’s a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I’m not going to switch from Firefox anytime soon but it’s super easy to export passwords and the Firefox password manager works for any apps on Android.
I also use Firefox on Android with a fairly recent stock ROM phone. At best the whole process to pasting my password into the webform takes 5 seconds.
If the vault is still within unlock period the auto-fill takes even less time (assuming the authentication URL regex is correct. It’s a bit annoying with subdomains)
I agree, but I just know that someday Mozilla is going to go down and I’m gonna lose my passwords and I won’t even be able to get into my email to reset them.
Quick question? Since Firefox is open source couldn’t you in theory modify where the password manager is going. Syncing your passwords from the browser to your local server. Idk, I just thought of that and know that that’ll never work or it may be too much work when there’s an alternative for that anyways. Just something I thought of from what you were saying about “if Mozilla may kill their servers” which they will imo.
There are several Firefox tools that do things like this if you look!
You can (and probably should) backup your passwords. Same goes for any hosted solution.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.
Please don’t confused this with backup as a sync could trigger a delete.
You can also test it by logging in to a new computer and getting all your passwords there too
Been using Bitwarden for a couple years now…
No regrets
My dad somehow believes that that password managers are very insecure ( he got that from some sort of ‘reputable source’, so me telling him bitwarden is secure doesn’t help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.
My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.
I have relatives that do this, but they record it accurately and put it in a safe.
Is your dad Ron Swanson? /j
He’s doing something right.
You can’t hack a paper note over the internet.
You can’t grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.
At least reputable companies do 3rd party audits and I have yet to hear about bitwarden getting pwned.
One of the only possibilities is them and their infrastructure getting ransomed
Honestly this is the part that scares me the most. Well maybe it’s the fact we have multiple plausible scenarios… What happens when you get locked out of bitwarden? I imagine the 256 randomized salted hash passwords will be hard to call, some companies will likely be able to restore your password via phone support. During that time, informed attackers will potentially have the master keys to your entire life. Fighting ai chatbots trying to recall security questions. During that time your phone and Internet service could be shut off, secondary emails changed and validated, money transferred out of bank accounts, stocks and crypto sold. Crowdstrike was a valuable security company.
The FAQ answers the question of getting locked out: https://bitwarden.com/help/forgot-master-password/
TLDR: You are fucked if you lost the recovery codes.
Best case: You do encrypted backups every once in a while
It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans
I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)
Only until he gets a keylogger on his computer
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.
Well yeah I guess that’s true
Why preach to this choir? I get you, but we also get it.