Mastodawn

The 8232 Project

Use a password manager

https://lemmy.ml/post/19156372

Use a password manager - Lemmy

It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password. Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden [https://bitwarden.com/] or KeePassXC [https://keepassxc.org/]. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones. It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win. Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.

shortwavesurfer Aug 14, 2024

Absolutely this. Been using KeePassDX for years and its made my life so much easier. I am waiting for it to support passkeys so i can start using them where possible.

land Aug 14, 2024

You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don’t know about bitwarden. I usually recommend bitwarden or proton pass. (I’m self-hosting vaultwarden). More privacy focus YouTubers need to promote bitwarden, keepassxc etc.

vovo Aug 14, 2024

whats missing, since the proton pass source code is available?

mrmojo Aug 15, 2024

I have only found the source code for the Android and iOS application, but not for the server.

root Aug 14, 2024

In my experience preaching this same thing to many users at work and just personal friends, they won’t change their ways. Because “omg not another password to remember” and “that’s too much work to login just to get a password”.

I’ve just stopped trying to educate people at this point. That’s on them when their info gets leaked or accounts drained.

zephorah Aug 14, 2024

People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.

Jessica Aug 14, 2024

Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don’t need to use my phone.

subtext Aug 14, 2024

It’s $10 per year

Bitwarden Password Manager Pricing & Plans | Bitwarden

Check out the Bitwarden Password Manager pricing and sign up for a Free Trial to get access to all the great features that will help secure your digital life.

Bitwarden

morrowind Aug 15, 2024

That kinda defeats the purpose of 2fa though, if you use bitwarden for both

☂️-Aug 15, 2024

whats that and how can i use it to get rid of 2fa?

Jessica Aug 16, 2024

Instead of opening Google authenticator or Authy or whatever your preferred 2FA is, you can take photos of the QR codes in Bitwarden mobile to store the TOTP codes in it, and then Bitwarden puts them on your clipboard to paste into websites

☂️-Aug 16, 2024

you might have just inadvertedly sold me on bitwarden.

does it work with 3rd party sort of authentication apps? like when 2fa is inside the manufacturer app?

Jessica Aug 16, 2024

It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.

How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.

root Aug 14, 2024

Yup, they couldnt care less about any 2FA. But then they get the surprised Pikachu face when they get breached after being phished lol.

JustEnoughDucks Aug 15, 2024

I am fighting this with people at work.

No, it is not “one more password to remember”

You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.

I even generated a sample password from bitwarden and drew them a picture of how to remember it lol

Still about 10% of people forgot their password in the first 2 months.

Kit Aug 14, 2024

I don’t recommend Bitwarden. I used them in a corporate environment and they lost all of our company’s credentials. It was a huge hit that cost tens of thousands worth of man-hours to overcome. Their response was to shrug and say sorry. We were paying a premium for their services, too, and have moved onto LastPass.

The 8232 Project Aug 14, 2024

Why weren’t any backups created?

Kit Aug 16, 2024

Idk, not my department.

sunzu2 Aug 14, 2024

LastPass? the one that leaked people's private notes that were not encrypted?

second the back up question by u/@Charger8232

The 8232 Project Aug 14, 2024

One of many LastPass leaks

The LastPass disclosure of leaked password vaults is being torn apart by security experts

LastPass is facing harsh criticism from some cybersecurity experts, who claim that its explanation of a recent breach lacks context and misleads customers about how safe their encrypted password vaults are.

The Verge

Steve Aug 14, 2024

90% chance it was some kind of user error.

JustMarkov Aug 15, 2024

moved onto LastPass.

I couldn’t imagine a worse decision.

Kit Aug 16, 2024

Agreed, but it wasn’t my decision and TBF they didn’t lose our passwords.

Anomaly Aug 14, 2024

@Charger8232 I have been using Vaultwarden (Unofficial Bitwarden compatible server written in Rust) selfhosted for a few years now, and I have to say I'm very happy with it. I also use the backup strategy, on some media (USB stick and SSD) encrypted with Veracrypt.

T (they/she)Aug 14, 2024

I migrated from Bitwarden to Proton Pass (mostly due to their TOP integrations) and I am enjoying it very much. They are constantly improving it, which is also a plus.

MentalEdge Aug 14, 2024

Do you mean OTP?

I self-host vaultwarden, and I have that. I think it’s a paid feature if not self-hosting?

T (they/she)Aug 15, 2024

Oh yes I meant OTP, typo of my part

AbidanYre Aug 14, 2024

One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,

To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.

The 8232 Project Aug 14, 2024

Clarification: They reuse the same password (such as “Password”) and whenever they create an account they have to add special characters (like “Password1&” if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don’t know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.

But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

14th_cylon Aug 14, 2024

But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

And pinnacle of this frustration is “password too long”… Talk about security

Eager Eagle Aug 14, 2024

which doesn’t make sense as a requirement, as the passwords themselves are not even (supposed to be) stored

limits of 128+ characters? Sure.

Limits of 30, 20, 18, or 16 as I’ve seen in many places? I suddenly don’t trust your website.

The 8232 Project Aug 15, 2024

Steam and Spotify are notorious for this.

ZeDoTelhado Aug 15, 2024

Do you want to know the kicker? There banks (yes, you heard me right) that straight up don’t allow more than 20 chars. 20!!! And they say you got to use the app for X things because it’s secure and shit (e.g.: use the app to 2FA credit card transactions). Meanwhile, does not allow you to add a yubikey for Fido authentication

floofloof Aug 14, 2024

My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.

KickMeElmo Aug 14, 2024

Similarly, sites that don’t handle backslashes properly. I’ve had a few where I had to use my password sans all the backslashes because it interpreted them as an escape character.

fuckwit_mcbumcrumble Aug 14, 2024

I like the password in my thinkpad’s bios that’s case sensitive when entering it to log in, but setting the password it’s not. That took me a while to figure out.

Preflight_Tomato Aug 15, 2024

My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.

viking Aug 15, 2024

My webhost allows passwords of all length and complexities in the password set field, but will strip $ and & on the login mask on their main website, like in the top right corner.

A failed login will automatically bring you to a dedicated login.xxx.yyy subdomain and prompt a password reset, but if you use the login mask there instead, the exact same password works.

jollyrogue Aug 15, 2024

Login and password set/reset forms being out of sync is a classic. 😆

I haven’t seen that one in a while luckily.

AeroLemming Aug 15, 2024

That sounds too completely absurd to be real, which is why I believe it. Yikes.

AbidanYre Aug 17, 2024

Reddit used to silently truncate passwords. I can’t log in to my original account because they “fixed” the issue at some point

Passerby6497 Aug 16, 2024

Omfg, one of my banks did this to me and was infuriating. I was able to call in to fix it and made a bug report, but goddamn, what idiot silently truncates the sign up password but not also the login form?!?

HappyFrog Aug 17, 2024

www.youtube.com/watch?v=MzescXc5SW0

"a$$word" LITERALLY SAVED PayPal | Prime Reacts

YouTube

Hanrahan Aug 15, 2024

True but doesn’t a new password then prompt bitwarden for you to update the credentials ?

ssm Aug 14, 2024

My password manager is

mkdir ~/Account/some.domain genpasswd | openssl some-cipher -k 'really strong encryption password' >$_/pass.bf #decrypt openssl some-cipher -d < ~/Account/some.domain/pass.bf | xclip

Couldn’t be easier

The 8232 Project Aug 14, 2024

Why?

ssm Aug 15, 2024

Why would I use a password manager when this is much simpler and less error-prone?

Tywèle [she|her]Aug 15, 2024

Nothing about this is simpler than just using a proper password manager.

ssm Aug 15, 2024

One must imagine skill issue

qqq Aug 15, 2024

Replying to this pretentious comment for the sake of others reading this:

Run history | grep genpasswd for why this is not a good password storage solution. One must image skill issue.

If you think the CLI is the cool kid way to go, use www.passwordstore.org.

ssm Aug 16, 2024

Replying to this pretentious comment for the sake of others reading this:

Replying to this pretentious comment for the sake of others reading this:

Run history | grep genpasswd for why this is not a good password storage solution. One must image skill issue.

I have history disabled in my shell, and unless your shell logs to a file, the password stays in memory.

Assian_Candor [comrade/them]Aug 14, 2024

1337

StanislavP Aug 14, 2024

I always recommend Proton Pass. A) because they have a forever free version and B) because hopefully they start looking into the whole suite in general and even if they don’t subscribe, they are more aware afterwards (hopefully).

solrize Aug 14, 2024

I’ve been using Firefox’s built in password store, plus 2fa for sensitive accounts when possible. Are there any known issues? Uploading all my passwords to someone else’s server sounds silly.

The 8232 Project Aug 14, 2024

Uploading all my passwords to someone else’s server sounds silly.

KeePassXC is entirely local.

Are there any known issues?

LastPass (ironically) explains this best: blog.lastpass.com/…/why-you-shouldnt-store-passwo…

Why You Shouldn't Store Passwords in a Browser - The LastPass Blog

Your browser seems like a safe and convenient place to store passwords. But is it the best option People often think they dont need a password manager because their browse[..]

solrize Aug 14, 2024

Thanks but the LastPass article is partly inapplicable and partly marketing. The one good point it makes is about leaving your browser open where attackers can access it, say at the office. For a while I tried using a FIDO2 token but they weren’t well enough supported at the time. Maybe that is easier now.

The 8232 Project Aug 14, 2024

I guess the reasons I would make would be not all accounts are web-based, and using a browser for anything other than browsing is a bad idea. Browsers aren’t exactly focused on keeping passwords safe, so why not use a tool designed for it? Don’t keep all your eggs in one basket

solrize Aug 14, 2024

I guess I use a few APIs with auth tokens that are like passwords but I don’t see how a password manager would help. Yeah the tech for this stuff could be better, but vendors keep messing it up.

The 8232 Project Aug 14, 2024

What about your Lemmy account?

solrize Aug 14, 2024

On my laptop I use the Firefox password store. On my phone I mostly use Voyager which presumably stores the password in a protected app file. It could probably be extracted by rooting the phone but that has gotten harder to do, and anyway it’s also in Firefox on the same phone. Voyager is basically an API client. I can see some interesting ways to improve this but haven’t cared enough.