It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,
To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.
My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.
My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.
My webhost allows passwords of all length and complexities in the password set field, but will strip $ and & on the login mask on their main website, like in the top right corner.
A failed login will automatically bring you to a dedicated login.xxx.yyy subdomain and prompt a password reset, but if you use the login mask there instead, the exact same password works.
Omfg, one of my banks did this to me and was infuriating. I was able to call in to fix it and made a bug report, but goddamn, what idiot silently truncates the sign up password but not also the login form?!?
Login and password set/reset forms being out of sync is a classic. 😆
I haven’t seen that one in a while luckily.
deleted by creator
Reddit used to silently truncate passwords. I can’t log in to my original account because they “fixed” the issue at some point
I like the password in my thinkpad’s bios that’s case sensitive when entering it to log in, but setting the password it’s not. That took me a while to figure out.
Clarification: They reuse the same password (such as “Password”) and whenever they create an account they have to add special characters (like “Password1&” if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don’t know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.
But yes, there is an unrelated frustration where password requirements aren’t presented upfront.
But yes, there is an unrelated frustration where password requirements aren’t presented upfront.
And pinnacle of this frustration is “password too long”… Talk about security
which doesn’t make sense as a requirement, as the passwords themselves are not even (supposed to be) stored
limits of 128+ characters? Sure.
Limits of 30, 20, 18, or 16 as I’ve seen in many places? I suddenly don’t trust your website.
Do you want to know the kicker? There are banks (yes, you heard me right) that straight up don’t allow more than 20 chars. 20!!! And they say you got to use the app for X things because it’s secure and shit (e.g.: use the app to 2FA credit card transactions). Meanwhile, does not allow you to add a yubikey for Fido authentication
My dad somehow believes that that password managers are very insecure ( he got that from some sort of ‘reputable source’, so me telling him bitwarden is secure doesn’t help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.
He’s doing something right.
You can’t hack a paper note over the internet.You can’t grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.
It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans
At least reputable companies do 3rd party audits and I have yet to hear about bitwarden getting pwned.
One of the only possibilities is them and their infrastructure getting ransomedI have yet to hear about bitwarden getting pwned
Honestly this is the part that scares me the most. Well maybe it’s the fact we have multiple plausible scenarios… What happens when you get locked out of bitwarden? I imagine the 256 randomized salted hash passwords will be hard to call, some companies will likely be able to restore your password via phone support. During that time, informed attackers will potentially have the master keys to your entire life. Fighting ai chatbots trying to recall security questions. During that time your phone and Internet service could be shut off, secondary emails changed and validated, money transferred out of bank accounts, stocks and crypto sold. Crowdstrike was a valuable security company.
The FAQ answers the question of getting locked out: https://bitwarden.com/help/forgot-master-password/
TLDR: You are fucked if you lost the recovery codes.
Best case: You do encrypted backups every once in a while
I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.
Only until he gets a keylogger on his computer
Well yeah I guess that’s true
I have relatives that do this, but they record it accurately and put it in a safe.
Is your dad Ron Swanson? /j
My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.
people who use a password manager but store the master password on Discord
???
Yeah, true story. Really weird.
I really want to know what the logic behind their thinking was…or maybe they were just lazy? I don’t know, it’s so weird that they’d get to the point of using a password manager but then still make such a basic error.
Marginally better than using discord itself as your password manager (also a true story!)
How does this work? Do they ask other people to remember their passwords?
Some people keep journal servers where it’s just them in a server alone, could be that
yes, it’s that.
Been using Bitwarden for a couple years now…
No regrets
I tell non techy people to use a physical book that they can secure. People know how to do hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.
I do that too.
- Its not like people are gonna steal book
- the password crackin people are not the breakin people
I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.
Is there risk in keeping all your passwords in one place, whether it’s on your hardware or someone else’s? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use ‘pencil’ for all your passwords because you can’t be arsed to memorize anything more complex? OH HELL YES.
Sure, if you’re defending against nation state level agressors, maybe using a password manager isn’ the wisest choice, but for easily 99% of computer users, we’re at the level of “keeping people from drooling on their shoes”. So password managers are probably a GREAT idea.
So password managers are probably a GREAT idea.
That is, when they can manage to use it.
I feel like password managers are more targeted to companies where sharing and controlling login data shouldnt be logged on some table in an excel sheet.
It just so happens that a manager is also god damn convenient for the private individualI don’t think that’s always the case. 1Password started out as a personal password manager and only added the corporate/teams/families features later.
Using 2FA on all accounts that offer it is just as important. And make sure to use a good, open-source TOTP client like Aegis on Android or Tofu on iOS.
Definitely make sure to backup your seeds in an encrypted format (e.g. Veracrypt container or GPG-encrypted files). If you lose your seeds, you lose access to your accounts.
I like to use the automatic backup feature in Aegis, which syncs my encrypted vault to my Nextcloud server. You can also enable compatibility with Android’s backup API and use that if your ROM includes a backup solution like Seedvault.What’s frustrating is that most sites want your phone number. Even though it’s less secure than totp, but that sweet sweet data using your phone number as a common index is irresistible
It might not be any more private but I give out my Google voice number to people/businesses I don’t really want to hear from or suspect my data will be sold by.
What’s really frustrating is that some services detect GV (and other VOIP providers) and just say you can’t use it.
True. Even government websites refuse to verify you over a VoIP line.
Forgot to add this bit in my first reply:
This is especially bad since I’m more confident that GV is less susceptible to a SIM swap type of attack since I can disable it on my account which is of course protected by real 2FA (not SMS).
Meanwhile T-Mobile has shown a few times that they’re vulnerable to SIM swap attacks.
Any comments on bit Warden for totp?
Personally I wouldn’t keep my TOTP together with my passwords, but it’s up to you
TOTP is standardised by RFC 6238 so all TOTP clients must comply with the standard and therefore work equally well. Pick the one whose UI you like the most and is otherwise good enough for your use case and personal preferences. It’s similar to arguments over CPU thermal paste—its presence or absence makes a much larger difference than the method of application.
You do, however, want to pick something that is free and open-source and also popular. Google Authenticator (closed source) definitely is a functional TOTP client but you have to trust that the Google engineers have done a good job building a secure app. Since it’s Google, they probably have, but a principle in security is that you should not have to trust more people than absolutely necessary.
You can but shouldnt.
Ok would you tell more?
And best case on an actual separate device.
And if the company doesnt supply one, use your own at your own discretion /shrugI don’t really think a separate device like a phone is necessary to store 2FA tokens, the only option I would consider is a hardware key like YubiKey for storing TOTPs.
I have a password manager with a family plan so my wife can use it. Does she? Absolutely not. And that’s why we don’t share bank accounts.
Same and she has the balls to ask me for passwords!
Same here. Kinda feels good to know I am not alone with this, though.
In my experience preaching this same thing to many users at work and just personal friends, they won’t change their ways. Because “omg not another password to remember” and “that’s too much work to login just to get a password”.
I’ve just stopped trying to educate people at this point. That’s on them when their info gets leaked or accounts drained.
People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.
Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don’t need to use my phone.
whats that and how can i use it to get rid of 2fa?
Instead of opening Google authenticator or Authy or whatever your preferred 2FA is, you can take photos of the QR codes in Bitwarden mobile to store the TOTP codes in it, and then Bitwarden puts them on your clipboard to paste into websites
you might have just inadvertedly sold me on bitwarden.
does it work with 3rd party sort of authentication apps? like when 2fa is inside the manufacturer app?
It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.
How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.
That kinda defeats the purpose of 2fa though, if you use bitwarden for both
I am fighting this with people at work.
No, it is not “one more password to remember”
You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.
I even generated a sample password from bitwarden and drew them a picture of how to remember it lol
Still about 10% of people forgot their password in the first 2 months.
I’d be open to using a pw manager then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other it, various issues, etc. It doesn’t make me feel like taking action if everything feels sketchy.
I just tried the free option (bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for the Proton Pass since Authy has fucked off a cliff.
What happened with Authy? (As someone who uses it)
I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We are using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.
+1 for bitwarden
I think you might be preaching to the choir here.
Circlejerkin on lemmy is our mutual hobby here
I migrated to Bitwarden from Firefox a few months ago and I regret it as it’s slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
How is it more inconventient and slower?
The only reason should be that it needs to decrypt the vault upon login which (depending on the iterators of the encryption and the processing speed of the system) can take a second more. Until then it’s equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.On android, there’s a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I’m not going to switch from Firefox anytime soon but it’s super easy to export passwords and the Firefox password manager works for any apps on Android.
I also use Firefox on Android with a fairly recent stock ROM phone. At best the whole process to pasting my password into the webform takes 5 seconds.
If the vault is still within unlock period the auto-fill takes even less time (assuming the authentication URL regex is correct. It’s a bit annoying with subdomains)
How did you login to apps in your phone? Go to the computer and open Firefox? Bitwarden on the phone integrates into the apps directly.
Same as Firefox. You go to your Android settings and set Firefox as password manager. No need to go to the computer.
Ah interesting. I didn’t know that was possible!
They did a poor job advertising it…
I agree, but I just know that someday Mozilla is going to go down and I’m gonna lose my passwords and I won’t even be able to get into my email to reset them.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.
You can also test it by logging in to a new computer and getting all your passwords there too
Please don’t confused this with backup as a sync could trigger a delete.
You can (and probably should) backup your passwords. Same goes for any hosted solution.
Quick question? Since Firefox is open source couldn’t you in theory modify where the password manager is going. Syncing your passwords from the browser to your local server. Idk, I just thought of that and know that that’ll never work or it may be too much work when there’s an alternative for that anyways. Just something I thought of from what you were saying about “if Mozilla may kill their servers” which they will imo.
There are several Firefox tools that do things like this if you look!
I’ve been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton’s best service.
It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.
Has a built-in 2FA and passkeys. Works great in the browser with proper auto complete, even for the 2FA code. Works fine on Android and password in both browser and applications get autocomplete.
Proton Pass can be used by everyone, regardless of their technical level, in every device. My mom could easily use this across all her devices. I’m told Keepass is fantastic but having it sync across all her devices would be challenging for her.
Most Proton services feel kinda underbaked but Proton Pass is excellent.
I actually came here to echo this exact sentiment. I was on Lastpass until their first breach and then on Bitwarden both cloud and self-hosted until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying ProtonPass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can’t see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton’s suite of apps give Protonpass a try. You can easily import from Last pass/Bitwarden and use both to compare side by side.
I’m a little miffed that 2FA support is a paid feature.
I’m using KeePassXC and have no intention of switching, plus I’m paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn’t be locked behind a paywall.If that wasn’t a scripted ad, you should go into sales.
I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.
I am very “passionate” about Proton Pass but don’t take me for a Proton chill, I have a lot of criticism about their other products.
Why preach to this choir? I get you, but we also get it.
I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn’t use password managers at work. Nor were you allowed to bring them in.
Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.
Plus, the computers themselves had a custom-configured OS and you couldn’t install any software on them that wasn’t on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.
I didn’t get to mess around with password managers until I retired a couple years ago, and they’ve been a game changer! In the military, we needed unique complex passwords for everything, can’t reuse passwords, can’t write down passwords, and you had to change them every 60 days.
Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it’s been wonderful.
I don’t know why the military doesn’t get some sort of password manager approved for use. This is far more secure than what they’ve been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I’d forget them (and again, we weren’t allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don’t even need to remember it. I love it!
The DoD actually did a study I thought “recently” on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.
Don’t think they changed their policy though.
I work at a university IT department. It’s been a struggle with our auditors to loosen up the password expiration requirements. At least with the students they let anyone with 2FA to go without password expiration, which acts as a nice little carrot-and-stick. But for staff it’s two years (2FA always required), regardless of password quality. I’d rather be able to base password expiration on password quality, personality.
2 years seems perfectly reasonable. I thought you were gonna say every 30-60-90 days.
This is crazy to read, thanks for sharing! How did you store/remember all the passwords?
