Jan
John OpdenakkerI’ve asked this on Twitter before but let’s also try it here in the hope to reach more people outside of the #infosec bubble.
Do you use a password manager?
Reblogs appreciated!
Yes
No
What’s a password manager?
Show results
Poll ended at .
For the people that answer no, also interested to know why. Is it because you don’t trust it, or rather because you don’t know how to use it, or…?
Nick@j_opdenakker all your info in one place. If someone gets into it, you're screwed
4dw@r3 
🦬@nickchuckwalter @j_opdenakker require MFA for all logins and keep the tokens separately.
joosteto@nickchuckwalter @j_opdenakker True, but it's either that or the same password for (almost all) sites.
dirk dierickx@nickchuckwalter don't use a 'cloud' based pwdmgr, keep it local, ensure that the pwd db file is properly encrypted and use a really strong pwd itself to access it.
alteropen@nickchuckwalter @j_opdenakker what's your alternative?
Luna M@j_opdenakker I have never found one that was easy and fast to use that played well with my ADHD. Modern UX is a huge barrier for me; the old-style menu tree navigation of yore has been replaced with Ribbons and Sidebars and Gestures. Raised buttons that used to be labeled with words replaced with flat symbols that aren't consistent across applications (or even screens within the same application!) and have no dividers to indicate their edges. Learning any new application is a huge time and energy investment for me now, so I have to be very sure that I want to use it for the foreseeable future.
Most password managers feel confusing, look cheaply made from some UX template, and so don't inspire confidence. I've kept a paper password book for years...it's worked--I have never even once lost my Pw to a critical site or account--and so it's hard to change, even though I know I probably should. Also, a book doesn't require power or internet access to work, and someone has to physically take it to see what's in it. And I can arrange what I write in it any way I see fit.
I do use a password *generator* to reset or otherwise make new passwords...but as for managing/storing them, a paper log is all I've used since I was a teenager in the 90s.
Bundyo@j_opdenakker Master password is a much less secure option for me. Prefer to remember my passwords, even if I sometimes forget them.
Didier@bundyo @j_opdenakker I have 312 passwords (according to my passwordmanager)... No way I can remember all of them. How do you manage that?
Fran Devos@ON8SD @j_opdenakker I avoid having that many. 😁
@bundyo @j_opdenakker I would LOVE to do that! 😂
@ON8SD @j_opdenakker I try to use OAuth or similar services whenever available + 2FA.
@bundyo @j_opdenakker 2FA is a good practice 😎. OAuth can be a solution for the password as long as you don't use Twitter for it 😂
Lars 
@ON8SD @bundyo @j_opdenakker
1. Make a base Password with #diceware
2. Apply a personal #algorithm, to alter your base #Password for each website/app and spice it up with some special characters and numbers
3. Now you can "remember"/reconstruct/create a password for EVERY Site/App, regardless the quantity.
1. Make a base Password with #diceware
2. Apply a personal #algorithm, to alter your base #Password for each website/app and spice it up with some special characters and numbers
3. Now you can "remember"/reconstruct/create a password for EVERY Site/App, regardless the quantity.
@bundyo @j_opdenakker lots of weak similar passwords < one strong password with 2fa
Niko 🎮 🎧 📚@j_opdenakker hopefully it isn't because they use one password everywhere.
@niksii Indeed :)
@j_opdenakker @niksii 😂
I do know some people that do that, because 'they can't remember paswords' (nor codes, usually the same people).
Funny enough one of them can't figure out how it is possible that I can have difficulties remembering complex Close Harmony tunes in all voices after hearing them twice 😵💫
I do know some people that do that, because 'they can't remember paswords' (nor codes, usually the same people).
Funny enough one of them can't figure out how it is possible that I can have difficulties remembering complex Close Harmony tunes in all voices after hearing them twice 😵💫
lainee42@j_opdenakker I don't trust it. Everything is hackable. I have a paper list but in a way no one could use it because I use code to formulate the PWs.
René Stoltenberg@lainee42 @j_opdenakker I would say a sheet of paper can also be a password safe. The main point is to use different and strong passwords for every account.
Bart Champagne ON6BC 
@j_opdenakker Brain training to remember all passwords !
And also since I trust the online versions less than a paper notebook in my top desk shelf.
(No, I don't have such a notebook)
And also since I trust the online versions less than a paper notebook in my top desk shelf.
(No, I don't have such a notebook)
El Vector ⁂ 🐸🐌@j_opdenakker I don't trust it. My "password manager" is a piece of paper saved on a safe place.
mastodonnie@j_opdenakker I write my important passwords down in a notebook lol 👴
1435@j_opdenakker I've never really felt the need to use it, for the moment I just remember all my passwords
Nigel Small@j_opdenakker I started using passwords before password managers existed, and never changed my habits. Also across multiple devices such as computers, phones, TVs, etc, I'd have to install the manager everywhere.
I tend to use very obscure passwords, such as initials of phrases that only mean something to me and, more recently, much longer passwords that are chains of words (correct horse battery staple).
I also reuse passwords regularly, which I know a lot of people frown on.
Minihood@j_opdenakker I don't understand how it doesn't make passwords significantly less secure?
You now have one point of weakness, the password manager, which would reveal ALL your other passwords, no?
Tom@j_opdenakker @Minihood it allows me to have passwords which are completely random and have a length of 25+ which propably no one could have ever just remembered. A alternative would be to have them written down somewhere which is fair I guess, but since I don’t use cookies that would make me type them out everytime instead of c&p. If you add 2FA to all the accounts in your password manager it is not one point of weakness.
Josh Soref@Minihood @j_opdenakker if you use your browser's password manager, then your attack surface is roughly unchanged from using your browser:
•the room where you were when your browser suggested the password the first time (video camera)
•the video path from your computer to your screen when your browser suggested the password the first time (mitm)
•your operating system
•all running software on your computer
•your browser
•any add-ons for your browser
•the room where you were when your browser suggested the password the first time (video camera)
•the video path from your computer to your screen when your browser suggested the password the first time (mitm)
•your operating system
•all running software on your computer
•your browser
•any add-ons for your browser
@Minihood @j_opdenakker
Consider a pen and paper log:
•that video camera in your room is still a risk, but now it's a risk when you aren't in the room, and it's a risk each time you log into the site going forward
These are all still risks:
•your operating system
•all running software on your computer
•your browser
•any add-ons for your browser
@Minihood @j_opdenakker browser and operating system vendors invest a lot of time and resources into finding, fixing, and delivering fixes for their bugs because their reputation is really important to them.
Browser vendors will kick out evil or suspect add-ons for the same reason. OS vendors will to some extent, although depending on the OS you might supplement with anti-malware (Malwarebytes?).
@Minihood @j_opdenakker your computer should have disk encryption (modern cell phones do as does macOS with FileVault and Windows Pro with BitLocker).
@Minihood @j_opdenakker you can set up your Mac to use 2FA in the form of a YubiKey (something you have + the pin for it=something you know): https://support.yubico.com/hc/en-us/articles/360016649059
@Minihood @j_opdenakker you can do something similar for Windows: https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide
Rupert Reynolds@Minihood @j_opdenakker A single point of failure for all of a person's passwords would make it a higher priority target, I assume.
Once upon a time, a little black book of passwords was seen as a foolish move, second only to the post-it note or bit of card stuck to the side of the monitor. Oh my, how times have changed :-)
ocdtrekkie@j_opdenakker Password managers are a single point of failure, all of which have experienced some sort of major vulnerability or compromise. While I've used them in *very limited* contexts, I consider them a generally bad idea, and actively encourage the security industry to stop recommending them.
A cloud-synced password manager can be attacked by anyone on the planet, the post-it note on my monitor can be attacked by people who can see into my office. The latter is vastly more secure.
Ormur@j_opdenakker I have a system memorised to make a different password for every site that I think is good enough and 2fa for the really important stuff.
Figuring out how a password manager works and setting it up for all the various sites I use sounds like a bother.
Figuring out how a password manager works and setting it up for all the various sites I use sounds like a bother.
Rafael@j_opdenakker I don't particularly trust password managers (LastPass y'know). I prefer to use long nonsense phrases. Easy to remember (I can just keep them in my head) hard to brute force.
TheBarefootSage ☑️@j_opdenakker I don't trust that it is safe.
Wendy’s World@j_opdenakker Partly wonder if they are safer or not safer than my hand written notebook, and learning another new tech thing is hard.
@j_opdenakker "No" because I tried a couple many years ago, and they were too clunky, but also because every app and every database will leak if you wait long enough. The meltdown I'd have if I had to change every PW in one day after a leak is too much to imagine.
"Who cares" accounts have "who cares" passwords and the important ones (bank, e-mail I use for recovering passwords) have strong passwords I wrote down (using a code I can do in my head).
Eli the Bearded@j_opdenakker I use encrypted files because a ton of my password usage involves free form text notes such as what lies I told when asked for my name or birthday, what nonsense I gave for security questions, what alternative accounts I may have at the service, what email address I used. And because some I use from command line and I want command line access to them.
John CrispAll my users - and most people I know - never think about it because browsers made it "easy" for them.
They're all horrified when I ask them for a password, they proudly tell me they don't remember it as it's saved in the browser and not written down, and then I show them.
Work all use a password manager now.
(We use Keepass, not a cloud service)
Ampelios@j_opdenakker Yes, largely a lack of trust. I'm an old millennial. I have seen many services come and go.
Can't imagine the PITA if my password manager's company went under one day. Hard pass.
Squidbilly@j_opdenakker
I've lost access to a password manager and it was excruciatingly painful resetting all my passwords because I had forgotten nearly all of them.
I've lost access to a password manager and it was excruciatingly painful resetting all my passwords because I had forgotten nearly all of them.
For clarity a browser password manager is also a password manager :)
Fossery Tech 
@j_opdenakker browser password managers are for normies lol
Andrew Waite@j_opdenakker yes, LastPass, but not necessarily for the usual reasons.
I’ve also convinced some family to use and join my family account; the ability to safely share passwords and entire accounts on death is a huge stress relief.
As morbid as it sounds, cracking a deceased relatives PC a day after their funeral so their widow can access household services is not an experience I want to replicate.
I handle the household tech; if I’m hit by a bus I want to ensure my kids have access to the family backups. Like a lot of folks, we have relatively few physical photo albums to pass down the generations.
Veticia Misumena 🕷️🌺@j_opdenakker
I answered no but kind of yes. My browser is my password manager but I also don't use any external one.
I answered no but kind of yes. My browser is my password manager but I also don't use any external one.
janszoon 🐧@j_opdenakker i don't like working with them. For important accounts I work with 2 factor indification.
lamp@j_opdenakker i use google passwords
Lisa@j_opdenakker I once described a password manager as "a nice basket to put all your eggs in."
My issues being:
1. it introduces a single point of failure that would potentially give an attacker access to everything.
2. it sets the passwords to something difficult for me to remember, if I know them at all. Which means if I don't have access to the password manager, then I don't have access to anything.
@TicklishHoneyBee @j_opdenakker I setupmfa and keep the tokens elsewhere so even if bitwarden were hacked they still wouldn't have access.
Xebulun EnEssEitch
dre 
@j_opdenakker Absolutely, #Bitwarden for the win!
Julian Harris@j_opdenakker 1Password. One pattern is to share login details for SaaS providers who don’t understand “occasional use between a bunch of team members” and want to charge us for every user who touches the system at any point in 12 months (eg framer.com) so we have a Google group as the email and we can all log in. Obvs no good for anything critical or for larger teams but for very small teams it works well
🇺🇦luc@j_opdenakker
Yes. I use a Enpass and utilize my Nextcloud to sync the data. Works great and my data is not transferred to any foreign servers (hopefully).
Is using a password mamanger a good or a bad thing from an Infosec perspective? It could also be a single point of failure…
@luc it’s certainly a good thing. Better a good secured password manager than not using a pw manager and reusing passwords that would put you much more at risk.
@j_opdenakker #diceware + a personal algorithm to get a unique password for every site/app.
Tony Norlin@j_opdenakker I miss the plural option.. password managers 😄