this post was submitted on 14 Aug 2024
583 points (96.5% liked)

Privacy

32471 readers
259 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can't remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn't tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don't just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They're not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser's password storage is better than nothing. Don't reuse passwords, use long randomly generated ones.

It's free, it's convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I'm preaching to the choir, but if even one of you decides to use a password manager after this then it's an easy win.

Please, don't wait. If you aren't using a password manager right now, take a few minutes. You'll thank yourself later.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 125 points 4 months ago (3 children)

One person even told me they were upset that websites wouldn't tell you password requirements after you create your account,

To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.

[–] [email protected] 59 points 4 months ago (8 children)

My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn't help unless you realize they're doing this and use a short one.

[–] [email protected] 25 points 4 months ago (1 children)

My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.

load more comments (1 replies)
load more comments (7 replies)
[–] [email protected] 22 points 4 months ago (1 children)

Clarification: They reuse the same password (such as "Password") and whenever they create an account they have to add special characters (like "Password1&" if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don't know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.

But yes, there is an unrelated frustration where password requirements aren't presented upfront.

[–] [email protected] 10 points 4 months ago (1 children)

But yes, there is an unrelated frustration where password requirements aren't presented upfront.

And pinnacle of this frustration is "password too long"... Talk about security

[–] [email protected] 14 points 4 months ago (2 children)

which doesn't make sense as a requirement, as the passwords themselves are not even (supposed to be) stored

limits of 128+ characters? Sure.

Limits of 30, 20, 18, or 16 as I've seen in many places? I suddenly don't trust your website.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 55 points 4 months ago (2 children)

In my experience preaching this same thing to many users at work and just personal friends, they won't change their ways. Because "omg not another password to remember" and "that's too much work to login just to get a password".

I've just stopped trying to educate people at this point. That's on them when their info gets leaked or accounts drained.

[–] [email protected] 19 points 4 months ago (2 children)

People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.

[–] [email protected] 9 points 4 months ago (6 children)

Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don't need to use my phone.

load more comments (6 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 40 points 4 months ago (1 children)

My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.

But I get where people have an issue. It's one point of failure vs. many, but they don't realize It's easier to well secure the one than it is to not spread the same vulnerability everywhere.

[–] [email protected] 12 points 4 months ago

Honestly as someone who has helped family members set up a password manager one person felt this way and the rest are just not tech savvy. All the simple straightforward stuff took ages because they had never done it before.

[–] [email protected] 36 points 4 months ago* (last edited 4 months ago) (2 children)

You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don't know about bitwarden. I usually recommend bitwarden or proton pass. (I'm self-hosting vaultwarden). More privacy focus YouTubers need to promote bitwarden, keepassxc etc. (I'm waiting for proton pass self-hosting option).

[–] [email protected] 22 points 4 months ago

but bitwarden, keepassxc don't pay them.... RHEEEE

load more comments (1 replies)
[–] [email protected] 32 points 4 months ago (2 children)

I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn't use password managers at work. Nor were you allowed to bring them in.

Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.

Plus, the computers themselves had a custom-configured OS and you couldn't install any software on them that wasn't on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.

I didn't get to mess around with password managers until I retired a couple years ago, and they've been a game changer! In the military, we needed unique complex passwords for everything, can't reuse passwords, can't write down passwords, and you had to change them every 60 days.

Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it's been wonderful.

I don't know why the military doesn't get some sort of password manager approved for use. This is far more secure than what they've been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I'd forget them (and again, we weren't allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don't even need to remember it. I love it!

[–] [email protected] 13 points 4 months ago (2 children)

The DoD actually did a study I thought "recently" on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.

Don't think they changed their policy though.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 23 points 4 months ago* (last edited 4 months ago) (1 children)

Personally, I use PassWord123! for everything. It says its a strong and secure password so why wouldn't I use it for everything?

load more comments (1 replies)
[–] [email protected] 20 points 4 months ago (5 children)

My dad somehow believes that that password managers are very insecure ( he got that from some sort of 'reputable source', so me telling him bitwarden is secure doesn't help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.

[–] [email protected] 44 points 4 months ago (1 children)

He's doing something right.
You can't hack a paper note over the internet.

[–] [email protected] 8 points 4 months ago (4 children)

You can't grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.

load more comments (4 replies)
[–] [email protected] 27 points 4 months ago (3 children)

I mean he's not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)

load more comments (3 replies)
load more comments (3 replies)
[–] [email protected] 18 points 4 months ago (2 children)

I have a password manager with a family plan so my wife can use it. Does she? Absolutely not. And that's why we don't share bank accounts.

load more comments (2 replies)
[–] [email protected] 18 points 4 months ago

Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.

[–] [email protected] 17 points 4 months ago (6 children)

Say, what are the chances either

  1. someone comes to depend on the password manager to get into their accounts, gets locked out of the password manager, and loses access to all their accounts (e.g. using the password manager to create and store passwords they might never have even seen);

or

  1. their password manager (or account) gets hacked, somehow, and all their accounts get taken at once
[–] [email protected] 9 points 4 months ago (2 children)

These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.

  1. Make sure that you are regularly typing your master password for the first bit. After that you'll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.

  2. This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can't be hacked (as it doesn't have access to your passwords).

load more comments (2 replies)
load more comments (5 replies)
[–] [email protected] 15 points 4 months ago

Been using Bitwarden for a couple years now…

No regrets

[–] [email protected] 14 points 4 months ago (2 children)

I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.

Is there risk in keeping all your passwords in one place, whether it's on your hardware or someone else's? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use 'pencil' for all your passwords because you can't be arsed to memorize anything more complex? OH HELL YES.

Sure, if you're defending against nation state level agressors, maybe using a password manager isn' the wisest choice, but for easily 99% of computer users, we're at the level of "keeping people from drooling on their shoes". So password managers are probably a GREAT idea.

load more comments (2 replies)
[–] [email protected] 13 points 4 months ago (1 children)

I tell non techy people to use a physical book that they can secure. People know how to do hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.

load more comments (1 replies)
[–] [email protected] 12 points 4 months ago* (last edited 4 months ago) (5 children)

I've been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton's best service.

It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.

Has a built-in 2FA and passkeys. Works great in the browser with proper auto complete, even for the 2FA code. Works fine on Android and password in both browser and applications get autocomplete.

Proton Pass can be used by everyone, regardless of their technical level, in every device. My mom could easily use this across all her devices. I'm told Keepass is fantastic but having it sync across all her devices would be challenging for her.

Most Proton services feel kinda underbaked but Proton Pass is excellent.

load more comments (5 replies)
[–] [email protected] 12 points 4 months ago* (last edited 4 months ago) (11 children)

Using 2FA on all accounts that offer it is just as important. And make sure to use a good, open-source TOTP client like Aegis on Android or Tofu on iOS.

Definitely make sure to backup your seeds in an encrypted format (e.g. Veracrypt container or GPG-encrypted files). If you lose your seeds, you lose access to your accounts.
I like to use the automatic backup feature in Aegis, which syncs my encrypted vault to my Nextcloud server. You can also enable compatibility with Android's backup API and use that if your ROM includes a backup solution like Seedvault.

load more comments (11 replies)
[–] [email protected] 11 points 4 months ago (3 children)

Self-hosted bitwarden. Highly recommend

load more comments (3 replies)
[–] [email protected] 11 points 4 months ago (10 children)

is it possible to sync keepassxc between computers + phone?

[–] [email protected] 12 points 4 months ago

Syncthing has worked well for me between 3 devices(Linux, android, windows). I've had one conflict in 6mo and it was easy to identify the right copy to select in keepass' prompt since the more recent one was a larger file.

Synchthing also provides optional version control which makes backing up easy.

load more comments (9 replies)
[–] [email protected] 11 points 4 months ago (1 children)

On the plus side, the more people who don't use password managers the more chance us password manager users will remain not worth the effort.

It's kinda like security through obscurity mixed with only having to be faster than the slowest person to outrun a lion.

load more comments (1 replies)
[–] [email protected] 10 points 4 months ago

Absolutely this. Been using KeePassDX for years and its made my life so much easier. I am waiting for it to support passkeys so i can start using them where possible.

[–] [email protected] 9 points 4 months ago (4 children)

I'd be open to using a pw manager then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other it, various issues, etc. It doesn't make me feel like taking action if everything feels sketchy.

load more comments (4 replies)
[–] Ashen 8 points 4 months ago (14 children)

Quick question - what are your opinions on using Firefox's inbuilt password manager? I've installed Bitwarden as an extension, but I find Firefox to be more convenient.

I mostly use FF on Linux, Windows, and Android and have no issues with using FF cross platforms.

load more comments (14 replies)
[–] [email protected] 8 points 4 months ago (7 children)

I've been using Firefox's built in password store, plus 2fa for sensitive accounts when possible. Are there any known issues? Uploading all my passwords to someone else's server sounds silly.

[–] [email protected] 8 points 4 months ago (8 children)

Theoretically, it's possible to store a encrypted database on someone else's system in a way where they never have the ability to see its contents, as you encryption and decryption only ever happens in the client on your devices.

Whether this is actually done in a way that enforces that on various password managers is unknowable with proprietary code.

Personally I self-host vaultwarden. All the benefits of syncing my passwords across devices, but the server enabling that, runs on my hardware.

load more comments (8 replies)
load more comments (6 replies)
load more comments
view more: next ›