It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
Been using Bitwarden for a couple years now…
No regrets
Quick question - what are your opinions on using Firefox’s inbuilt password manager? I’ve installed Bitwarden as an extension, but I find Firefox to be more convenient.
I mostly use FF on Linux, Windows, and Android and have no issues with using FF cross platforms.
While it’s so convenient, anyone gaining access to your browser while your laptop is open can gain access to everything. Bitwarden usually add an extra step to unlock it (which you could disable if you want) when you want to use the extension. By the way, it has an extension for Firefox, so just hitting Ctrl + Shift + L it auto-fills the login/password fields of your login page just like firefox would. But with the extra step that gaining access to the browser doesn’t straight away unlock all your passwords for anyone to see.
Firefox has an option to set a master password, doesn’t it?
It does
I use bitwarden over Firefox because it can auto fill into apps. So, my bank apps or whatever else. And I’m not tied to Firefox if, for some reason, I want to stop using it.
It’s similar to why I don’t use Samsung pass on my phone. It’d work better filling in the fields, but that’s not going to help me on my PC, and I don’t want to maintain multiple managers.
And I’m not tied to Firefox if, for some reason, I want to stop using it.
Not gonna happen.
Firefox password manager is brilliant, my move to Bitwarden wasn’t worth it and I regret it.
I’m in the same boat. FF is just too damn convenient
Yeah, the used to have the lockwise app, which was awesome, I don’t know why they scrapped it
Don’t. It’s not in your hand is the simple reason.
My advice is keepassxc. Got a ff-addon that does basically the same. But you have your password-file under your control. And do backups!
What permissions does the extension need to work? Then, what is the maximum level of damage a malicious update to said extension can do with those permissions?
I don’t know. You wouldn’t really need it, if you’re concerned. If you’re fine you can just C&P or even let keepassxc use it’s auto-type. So no addon needed. It’s just more comfortable. And you can never have security AND comfort. Security is absolutely always uncomfortable.
i dont understand this post. like every browser has a password manager, why install some 3rd party you can even trust less?! am i missing something? doesnt safari have a password manager? is keepasscx really safe (CVE-2023-32784)? or bitwarden (https://blog.redteam-pentesting.de/2024/bitwarden-heist/)?
With keepasscx YOU have the password-file. Period. You know what’s been done with it: Nothing, as it doesn’t phone home except update-checks. Which you can also disable.
With the browser-addon you’ll get the same result but with control.
Bitwarden exploit was already patched. And required a domain joined PC with Windows Hello active, and the attackers already had access to the DC. Not exactly a large vector. Also enterprise PCs shouldn’t be using windows hello to begin with, IMO. Now if we look at CVEs affecting browser password managers, there are literally exploits for download on GitHub.
In-built password managers for browsers are straightforward to crack. Like… Terrifyingly easy. It’s much better to use something like Bitwarden, Vaultwarden if you don’t trust Bitwarden, 1Password if you really want the reassurance of paying someone for trust, or KeePass if you don’t trust anyone at all (I, personally, fit into this category).
show me an example of the firefox password manager being “cracked”. i mean i still sync them into my local nextcloud. @[email protected] suggests it is cool to have your passwords in a file?!
doubt there is a scenario where using MORE services makes anything safer. Well maybe for Windows Users…but thats a dying species with the win11 crap.
so no. third party corpos…the worst.
I migrated from Bitwarden to Proton Pass (mostly due to their TOP integrations) and I am enjoying it very much. They are constantly improving it, which is also a plus.
Do you mean OTP?
I self-host vaultwarden, and I have that. I think it’s a paid feature if not self-hosting?
In my experience preaching this same thing to many users at work and just personal friends, they won’t change their ways. Because “omg not another password to remember” and “that’s too much work to login just to get a password”.
I’ve just stopped trying to educate people at this point. That’s on them when their info gets leaked or accounts drained.
I am fighting this with people at work.
No, it is not “one more password to remember”
You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.
I even generated a sample password from bitwarden and drew them a picture of how to remember it lol
Still about 10% of people forgot their password in the first 2 months.
People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.
Yup, they couldnt care less about any 2FA. But then they get the surprised Pikachu face when they get breached after being phished lol.
Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don’t need to use my phone.
whats that and how can i use it to get rid of 2fa?
Instead of opening Google authenticator or Authy or whatever your preferred 2FA is, you can take photos of the QR codes in Bitwarden mobile to store the TOTP codes in it, and then Bitwarden puts them on your clipboard to paste into websites
you might have just inadvertedly sold me on bitwarden.
does it work with 3rd party sort of authentication apps? like when 2fa is inside the manufacturer app?
It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.
How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.
That kinda defeats the purpose of 2fa though, if you use bitwarden for both
Using Proton Pass was a game changer to me , I don’t have to ignore the necessity to put a strong and complicated password for security reasons anymore, Proton generate it to me and stores everything ( so I don’t need to remember which password I set for which account ) But the bad aspects of cloud services worry me a little about this: the possibility of a security breach of the service, or the possibility of not being able to access it for any reason is a real disaster if it happens… so I’m thinking of exporting my passwords to another safe place for such cases.
But the bad aspects of cloud services worry me a little about this
KeePassXC is entirely local.
I know , but won’t that affect my storage if I added +1000 password ?
unless your storage is a floppy disk, won’t be a problem
I actually considered sticking it on a floppy disk I have. It really is a wonder how Linux is able to recognize floppy disks immediately…
Passwords don’t take up much space.
It shouldn’t take up too much space. My personal password file is under 2 KB, so for you it may be 1 MB at most.
Which creates issue with having to synchronize it between devices. There is always something to worry about :)
Don’t let perfect be the enemy of good.
Exactly, so use Proton :P
that’s nice soundbite, i am just saying you have to be realistic. if you are aiming at people who up until now had their passwords on post-it on the monitor, switching to tool where you need to come up with some synchronization system on your own might not be what convinces them.
so I’m thinking of exporting my passwords to another safe place for such cases.
I’m also using ProtonPass, and I agree it’s a game changer. I love the interface, the Android app is amazing and well integrated.
To not be locked in into ProtonPass in case of real disaster, once a month I export the ProtonPass data and import to KeepassXC in my local machine. It’s pretty easy, you just have to export to CSV, and import into KeepassXC, the interface will help you to map the CSV fields accordingly, and you will have a local accessible backup in case of disaster. Don’t forget to remove the CSV from your computer after importing to KeepassXC.
You can export all your passwords to an encrypted and password protected file. I ocasionally back it up to a USB device so that I always have an offline copy available.
Still, one of these days I was logged out of my proton pass on Android and couldn’t connect to the internet. I was locked down.
even if their servers were compromised it’s all encrypted. it only decrypts on your end
I store my master password on a sticky note attached to the bottom of my desktop’s power supply. Easily accessible if I were to die, but sufficiently secure that if it were physically compromised I would have significantly worse problems on my hands.
So many folks talking about which software they use, and how they sync it between devices etc.
You all know there are hardware password keepers right? They present to your devices as a usb and/or bluetooth keyboard and just type out the user/password that you select. They have browser plugins to ease the experience. Now your password is not even stored on the device you’re using to perform your login and it will work on any modern device even without internet access.
Oh and no subscription fee to cover the costs of cloud infrastructure.
Curiously enough, I never heard of those. Do you happen to know good ones so I can further check?
I’m a pretty big fan of the mooltipass. They’re sold out and between iterations right now, but a new one is expected soon. One of my coworkers is pretty into their OnlyKey.
Mooltipass looks sick actually. I have my reservations regarding the ble part, but I would have to look into it more to understand it. Might get one to check around how well it works (once availability is there)
What happens if it gets lost stolen or broken?
I save copies of the password database in several locations. I have to keep them synchronized manually but that’s preferable to using commercial ones that take turns in getting their data breached.
That will vary from vendor to vendor. In the case of the one I like there are a few relevant things.
The password db is stored encrypted on the device. Accessing the passwords requires all of:
- the device
- a smartcard with a particular secret on it
- the 4 digit hex pin to unlock the secret on said smartcard, which is what is used to decrypt the db
Three PIN failures and the smart card is invalidated.
That sort of covers “stolen” and “lost + recovered by a baddie”. Your bad actor would need to have their hands on both physical pieces and guessed the 4 digit hex code in 3 tries.
As far as a user recovering from a lost or failed device or smart card goes, you can export the encrypted version of the db for backups, which I do to a thumb drive I keep in my document safe. I do the same with a backup smart card. So that and a backup device or purchasing a new one if yours fails or is lost/stolen.
In the super “just in case” move, I also keep a keepassdb on said thumb drive. In case my device fails and it’s just not possible to get a new one. Kind of like keeping two cloud providers in case LastPass goes bankrupt or something.
Hyptothetically, couldnt an attacker clone the smart card and retry on the copies?
I would believe a salted and hashed 0-knowledge password vault is more secure than a US-company which could be forced to surrender private keys used for the encryptionHow would any company, regardless of geography have the secret I generated? This is a stand alone hardware device. They seller is not involved at all once I’ve received my package.
Could a sophisticated/well resourced actor clone the smart card they stole or you lost? Sure, brute force attacks are brute force attacks. At least you’d know your device and card are stolen. Now you’re in a race to reset your passwords before they finish making 500 clones of the smart card they stole.
Hypothetically I could blackmail someone at LastPass and have a backdoor is installed for me.
Someone could bust down my door while I have it connected and unlocked and just login to all my things. ¯_(ツ)_/¯
You lost an arm. Remember to use the
\to escape the markdown ;)I don’t know much of smart cards and the whole hardware based authentication beyond knowing they exist at all so please take my questions for what they are.
I was thinking the encryption on those cards are done with a private key and a writer/reader by the manufacturer (like HID). So if the NSA busts down the door and demands the key you could technically decrypt it.
So if you generate your own private key that vector is obviously mitigated, assuming they are providing the tool with a non-reversible hashing process or a guide on how to generate the key so it wouldn’t aid in the brure forces decryption.Thank you for the info :)
I saw the lack of arm and facepalmed but I was half asleep poo posting so got over it :p (fixed now!)
I’ve been using this device for ~5 years now, so my memory is a little hazy on it, but I’m pretty sure for the particular device I prefer (which is to say, I have nfc what the setup is for other vendors, which could be greatly superior) the AES-256 key used for encryption isn’t generated until you setup your first card.
Whatever solution you think you can come up with is most likely not secure.
Having my passwords written down on a piece of paper is not safe ?
Maybe it’s secure but not safe. You won’t know if you have mistaken a character until it’s too late, or when you have written it ambiguously but you still remember it and don’t notice.
Sorry for the bother, but I get a little annoyed when people try to argue semantic difference in synonyms. What do you think is the difference between secure and safe?
Security and safety are not synonymous, they have a different meaning.
Security is that your password is stored in a way that it cannot be accessed by those you don’t want. Safety means that you won’t lose access to it and that it remains usable.
The distimction may be clearer with an other example.
A factory is secure if only the employees can enter, and it is safe if it does not want to fall apart and the machines in it don’t kill the employees.
Maybe it can be generalized so that security is for the access, safety is for the mistakes and the disasters.
No. Anyone near you or with access to your place can see it. And most people know of the tricks.
Also you can’t encrypt it and most of all you can’t really generate as strong passwords as those generated by password managers, meaning I don’t even need the paper to try and crack your password
you can’t encrypt it
My friend, you will be surprised that encryption is something that not only the magical internet machine can do.
Is there a password manager i can use across ios and windows?
1password
Bitwarden
Pretty much any of them.
Say, what are the chances either
- someone comes to depend on the password manager to get into their accounts, gets locked out of the password manager, and loses access to all their accounts (e.g. using the password manager to create and store passwords they might never have even seen);
or
- their password manager (or account) gets hacked, somehow, and all their accounts get taken at once
As Kramer said. Levels. If tou layer your security 2 becomes a non issue. What you have, what you know, and who you are. Which plays into 1. The 3-2-1 of backup. 3 copies of the data. 2 different media. At least 1 off site. Suprising as it might be, writing a great backup is to write your password down. I have a piece of paper with my password in a lock box in my apartment, in a safety deposit box at my bank, and at my parent’s house
- Ultimitaly its up to the user to remember the master password. I’m not familiar with how bitwarden works, but do use keepssXC. I hear bitwarden is better for less techical people due to having built in account/sync options. (You can also self-host BW if you want)
Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It’s automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.
KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.
That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I’d love an decent alternative if anyone has one).
For Android I like KeepassDX and Keepass2Android.
- Getting hacked is a legitimate concern. However the greatest risk is still duplicate passwords. The time it will take crack an individual database is going to be less well spent than dumping a million username/password sets into a thousand sites and hoping for a match.
Realistically, if you’re the specific target of a hacker going specificaly after your database files you’re best off freezing your credit and bank accounts.
If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.
First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.
Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won’t lose the emails that let you reset everything else. If the email gets cracked, they won’t have a convient list of accounts to go mess with. Also make sure the emails have all the security and recovery options available setup.
3, bonus round Finally for fincial security, don’t have your credit card saved on every site. I don’t let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a “1-time use” card for anythibg irregular.
Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won’t work. I’ll get an email and can just cancel the privacy card for amazon (I’d probably kill them all to be safe) and then work on resecuring everything.
To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.
For privacy.com:
- great for anyone in the USA
- don’t worry about difficult subscription cancellations again, just turn that one’s dedicated card off
- I have personally blown past the daily spend limit of 250$ without issue, idk if that limit is real. The 1000$/mo may be though I’ve never hit that.
- I’ve used privacy.com for everything from Amazon to car insurance to gym memberships.
On credit freezes:
- a freeze means that your consumer report will not be shared, which means applications for credit in your name will be denied
- all USA consumer reporting agencies (data brokers) are legally required to freeze sharing of your reports for free upon your request
- you can temporarily unfreeze when you get a new credit card, apply for rental property, etc.
- don’t let them upsell it or try to direct you to another page with similar language, it is free
- credit monitoring products need to request your report to see if any new accounts have opened. Don’t monitor it, prevent it by freezing the reports
- freezes are required for any data broker, not just credit. This includes LexisNexis (job history), and presumably the ones that do rental and vehicle ownership history though i don’t know their names.
I was talking about the individual card limits that can be set, those definatly work.
Edit, looking my account, I too have 250daily and 1000 monthy limit. The next paragraph might be be outdated?
I know the total daily limit is “adaptive” or something set based on your spending habits. I’d prefer setting the limit myself, but it is what it is.
These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.
-
Make sure that you are regularly typing your master password for the first bit. After that you’ll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.
-
This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can’t be hacked (as it doesn’t have access to your passwords).
Well, what if they somehow manage to get into my password manager account? I mean, it has a login, like any other account. The way to prevent it would be to have a strong enough password. Regardless, if they somehow got my main password, they’d have free access to all my credentials everywhere, and would be able to log into them as easily as I can. I mean, it is easier to secure one account well vs. however many others that the password manager can take care of. But still, a centralised hub with easy access to all my accounts feels like a one-stop shop for taking over my online life
I mean, to myself, I can deal with the consequences of my choices (as much as they can suck sometimes). But recommending stuff to other people I find complicated. I mean, I’ve gotten locked out of accounts due to 2fa (some being old and lost to time, others due to an unlucky series of events and a last minute half-assed backup) and even had to troubleshoot and/or reinstall (Linux) operating systems on my laptop (one instance of which relates to the aforementioned 2fa incident). To recommend something to someone and risk something like that, and be responsible for it… I mean, I once had to help troubleshoot a non-booting Linux machine via messages and photos during lunch out, and I myself am not an expert, so I had to online research from my phone and relay the information
These are all good points. This is why it is important to match your recommendations to the person. For example if I know they have Chrome and a Google account I might just recommend using that. Yes, it isn’t end-to-end encrypted and Google isn’t great for privacy but at least they are already managing logins over all of their devices.
In many cases perfect is the enemy of better. I would rather them use any password manager and unique passwords (even “a text file on their desktop”) than them sticking to one password anywhere because other solutions are too complicated.
-
Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.
My password manager is
mkdir ~/Account/some.domain cd $_ genpasswd | openssl some-cipher -k 'really strong encryption password' >pass.enc echo username >login#decrypt cd ~/Account/some.domain openssl some-cipher -d <pass.enc | xclip #paste in field xclip login #paste in fieldCouldn’t be easier, couldn’t be safer.
Why?
Why would I use a password manager when this is much simpler and less error-prone?
Nothing about this is simpler than just using a proper password manager.
One must imagine skill issue.
I suggest looking at how many dynlibs your password manager links against and tell me it’s “simpler” again.
Replying to this pretentious comment for the sake of others reading this:
Run
history | grep genpasswdfor why this is not a good password storage solution. One must image skill issue.If you think the CLI is the cool kid way to go, use https://www.passwordstore.org/, but tbh I don’t recommend that either.
1337
I migrated to Bitwarden from Firefox a few months ago and I regret it as it’s slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
I agree, but I just know that someday Mozilla is going to go down and I’m gonna lose my passwords and I won’t even be able to get into my email to reset them.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.
You can also test it by logging in to a new computer and getting all your passwords there too
Quick question? Since Firefox is open source couldn’t you in theory modify where the password manager is going. Syncing your passwords from the browser to your local server. Idk, I just thought of that and know that that’ll never work or it may be too much work when there’s an alternative for that anyways. Just something I thought of from what you were saying about “if Mozilla may kill their servers” which they will imo.
You can (and probably should) backup your passwords. Same goes for any hosted solution.
How is it more inconventient and slower?
The only reason should be that it needs to decrypt the vault upon login which (depending on the iterators of the encryption and the processing speed of the system) can take a second more. Until then it’s equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.On android, there’s a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I’m not going to switch from Firefox anytime soon but it’s super easy to export passwords and the Firefox password manager works for any apps on Android.
How did you login to apps in your phone? Go to the computer and open Firefox? Bitwarden on the phone integrates into the apps directly.
Same as Firefox. You go to your Android settings and set Firefox as password manager. No need to go to the computer.
Ah interesting. I didn’t know that was possible!
Personally, I use PassWord123! for everything. It says its a strong and secure password so why wouldn’t I use it for everything?
Its the best one to use, all password hacking tools avoid this one when they’re attacking.
