It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.

It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.

Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.

  • zephorah@lemm.ee
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    I’m not in IT but I followed the Michael Bazzell podcast until he disappeared. Guy was a bit paranoid but there was great info there. My understanding was browser saving passwords isn’t secure, that those passwords are open to scraping from bad players. Ofc I can’t reference this because the entire body of over 300 podcasts disappeared with him.

    Agree on Bitwarden and such.

  • shortwavesurfer@lemmy.zip
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    Absolutely this. Been using KeePassDX for years and its made my life so much easier. I am waiting for it to support passkeys so i can start using them where possible.

  • T (they/she)@beehaw.org
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    I migrated from Bitwarden to Proton Pass (mostly due to their TOP integrations) and I am enjoying it very much. They are constantly improving it, which is also a plus.

    • MentalEdge@sopuli.xyz
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      Do you mean OTP?

      I self-host vaultwarden, and I have that. I think it’s a paid feature if not self-hosting?

  • x@niwego.com
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    @Charger8232 I have been using Vaultwarden (Unofficial Bitwarden compatible server written in Rust) selfhosted for a few years now, and I have to say I’m very happy with it. I also use the backup strategy, on some media (USB stick and SSD) encrypted with Veracrypt.

  • AbidanYre@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,

    To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      Clarification: They reuse the same password (such as “Password”) and whenever they create an account they have to add special characters (like “Password1&” if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don’t know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.

      But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

      • 14th_cylon@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

        And pinnacle of this frustration is “password too long”… Talk about security

        • Eager Eagle@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          3 months ago

          which doesn’t make sense as a requirement, as the passwords themselves are not even (supposed to be) stored

          limits of 128+ characters? Sure.

          Limits of 30, 20, 18, or 16 as I’ve seen in many places? I suddenly don’t trust your website.

          • ZeDoTelhado@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            3 months ago

            Do you want to know the kicker? There are banks (yes, you heard me right) that straight up don’t allow more than 20 chars. 20!!! And they say you got to use the app for X things because it’s secure and shit (e.g.: use the app to 2FA credit card transactions). Meanwhile, does not allow you to add a yubikey for Fido authentication

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.

      • KickMeElmo@sopuli.xyz
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        Similarly, sites that don’t handle backslashes properly. I’ve had a few where I had to use my password sans all the backslashes because it interpreted them as an escape character.

      • jollyrogue@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        Login and password set/reset forms being out of sync is a classic. 😆

        I haven’t seen that one in a while luckily.

      • Preflight_Tomato@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.

        • viking@infosec.pub
          link
          fedilink
          arrow-up
          0
          ·
          3 months ago

          My webhost allows passwords of all length and complexities in the password set field, but will strip $ and & on the login mask on their main website, like in the top right corner.

          A failed login will automatically bring you to a dedicated login.xxx.yyy subdomain and prompt a password reset, but if you use the login mask there instead, the exact same password works.

      • fuckwit_mcbumcrumble@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        I like the password in my thinkpad’s bios that’s case sensitive when entering it to log in, but setting the password it’s not. That took me a while to figure out.

      • Passerby6497@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        Omfg, one of my banks did this to me and was infuriating. I was able to call in to fix it and made a bug report, but goddamn, what idiot silently truncates the sign up password but not also the login form?!?

  • land@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    3 months ago

    You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don’t know about bitwarden. I usually recommend bitwarden or proton pass. (I’m self-hosting vaultwarden). More privacy focus YouTubers need to promote bitwarden, keepassxc etc. (I’m waiting for proton pass self-hosting option).

  • Kit@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    I don’t recommend Bitwarden. I used them in a corporate environment and they lost all of our company’s credentials. It was a huge hit that cost tens of thousands worth of man-hours to overcome. Their response was to shrug and say sorry. We were paying a premium for their services, too, and have moved onto LastPass.

  • cyph3rPunk@infosec.pub
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    KeepassXC ++ Yubikey ++ STRONG password changed every 7 days.

    Tap for spoiler

    This solution is compatible with virtually all platforms & browsers

      • yo_scottie_oh@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        What’s the logic behind this statement? I would’ve thought that if a website’s logins and passwords were somehow leaked, the more often I change my password, the less likely it is for the leaked password to still be usable by bad guys based on the shorter time horizon.

        • conciselyverbose@sh.itjust.works
          link
          fedilink
          arrow-up
          0
          ·
          3 months ago

          Leaked how? No good practice allows any way for a password to “leak”.

          What rotating passwords does is ensure people who don’t use a password manager either write their password down more and more frequently, or use a weaker password with some simple changing pattern that doesn’t add anything.

  • solrize@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    3 months ago

    I’ve been using Firefox’s built in password store, plus 2fa for sensitive accounts when possible. Are there any known issues? Uploading all my passwords to someone else’s server sounds silly.

      • solrize@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        3 months ago

        Thanks but the LastPass article is partly inapplicable and partly marketing. The one good point it makes for non-corporate users is about leaving your browser open where attackers can access it, say at the office. For a while I tried using a FIDO2 token but they weren’t well enough supported at the time. Maybe that is easier now.

        • The 8232 Project@lemmy.mlOP
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          3 months ago

          I guess the reasons I would make would be not all accounts are web-based, and using a browser for anything other than browsing is a bad idea. Browsers aren’t exactly focused on keeping passwords safe, so why not use a tool designed for it? Don’t keep all your eggs in one basket

          P.S. Yes, FIDO2 is much more supported

          • solrize@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            3 months ago

            I guess I use a few APIs with auth tokens that are like passwords but I don’t see how a password manager would help. Yeah the tech for this stuff could be better, but vendors keep messing it up.

              • solrize@lemmy.world
                link
                fedilink
                arrow-up
                0
                ·
                3 months ago

                On my laptop I use the Firefox password store. On my phone I mostly use Voyager which presumably stores the password in a protected app file. It could probably be extracted by rooting the phone but that has gotten harder to do, and anyway it’s also in Firefox on the same phone. Voyager is basically an API client. I can see some interesting ways to improve this but haven’t cared enough.

    • MentalEdge@sopuli.xyz
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      Theoretically, it’s possible to store a encrypted database on someone else’s system in a way where they never have the ability to see its contents, as you encryption and decryption only ever happens in the client on your devices.

      Whether this is actually done in a way that enforces that on various password managers is unknowable with proprietary code.

      Personally I self-host vaultwarden. All the benefits of syncing my passwords across devices, but the server enabling that, runs on my hardware.

      • solrize@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        To use that remote encrypted db, you need a stored client side secret, and a customer service department that deals with users who have lost that. See also “mud puddle test”.

        • MentalEdge@sopuli.xyz
          link
          fedilink
          arrow-up
          0
          ·
          3 months ago

          and a customer service department that deals with users who have lost that

          I’d not heard of the “mud puddle test” but I immediately thought that any provider that does that, is doing it wrong.

          Unless there’s an exploit of which I’m unaware, my self-hosted solutions pass the mud puddle test.

          • solrize@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            3 months ago

            Companies have to know about the mud puddle test, but then they have to make an informed decision about whether they want to pass it. Hard disk and data recovery companies have been known to employ grief counsellors to assist their customers in coping with finding out that their disk drive is too trashed for the data to be restored. Choosing to fail the mud puddle test puts the password manager company in the same position. Some customers may, in fact, expect that recovering from the mud puddle is one of the services they are paying the company for. It’s the same reason hosted databases like RDS are a thing. Either way though, the company should be transparent about how they handle this question.

            • MentalEdge@sopuli.xyz
              link
              fedilink
              arrow-up
              0
              ·
              3 months ago

              I agree with all of that, I was just pointing out that “uploading all your passwords to someone else’s server” can be done in a way that isn’t silly. You’re preaching to the choir.

              Though even then, the best way is for that server to be yours, not someone else’s. And it does come with advantages in terms of convenience.

              • solrize@lemmy.world
                link
                fedilink
                arrow-up
                0
                ·
                3 months ago

                The benefits of having my passwords on a server (even my own server) seem tiny compared to just occasionally having to type one into a second computer after generating it on the first. If I had used a dozen computers instead of two, maybe it would be something to think about.

                • MentalEdge@sopuli.xyz
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  edit-2
                  3 months ago

                  I don’t understand.

                  You only use each passwords once? You never log in to things on a new device without the one on which you created the account on hand? You only ever need authentication on two devices?

                  I own half a dozen devices on which I might want to log into places, and on several occasions it has been extremely useful to be able to access my password database from a completely new device from anywhere in the world, with nothing but the memorized master credentials.

                  I don’t think you can argue that the advantages don’t exist, even if they aren’t useful to you personally.

      • kevincox@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        Firefox Sync is end-to-end encrypted. So Firefox’s password manager with syncing does this.

  • root@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    In my experience preaching this same thing to many users at work and just personal friends, they won’t change their ways. Because “omg not another password to remember” and “that’s too much work to login just to get a password”.

    I’ve just stopped trying to educate people at this point. That’s on them when their info gets leaked or accounts drained.

    • zephorah@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.

      • root@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        Yup, they couldnt care less about any 2FA. But then they get the surprised Pikachu face when they get breached after being phished lol.

      • Jessica@discuss.tchncs.de
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don’t need to use my phone.

          • Jessica@discuss.tchncs.de
            link
            fedilink
            arrow-up
            0
            ·
            3 months ago

            Instead of opening Google authenticator or Authy or whatever your preferred 2FA is, you can take photos of the QR codes in Bitwarden mobile to store the TOTP codes in it, and then Bitwarden puts them on your clipboard to paste into websites

            • umbrella@lemmy.ml
              link
              fedilink
              arrow-up
              0
              ·
              3 months ago

              you might have just inadvertedly sold me on bitwarden.

              does it work with 3rd party sort of authentication apps? like when 2fa is inside the manufacturer app?

              • Jessica@discuss.tchncs.de
                link
                fedilink
                arrow-up
                0
                ·
                3 months ago

                It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.

                How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.

    • JustEnoughDucks@feddit.nl
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      I am fighting this with people at work.

      No, it is not “one more password to remember”

      You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.

      I even generated a sample password from bitwarden and drew them a picture of how to remember it lol

      Still about 10% of people forgot their password in the first 2 months.

  • ssm@lemmy.sdf.org
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    3 months ago

    My password manager is

    mkdir ~/Account/some.domain
    cd $_
    genpasswd | openssl some-cipher -k 'really strong encryption password' >pass.enc
    echo username >login
    
    #decrypt
    cd ~/Account/some.domain
    openssl some-cipher -d <pass.enc | xclip
    #paste in field
    xclip login
    #paste in field
    

    Couldn’t be easier, couldn’t be safer.

  • Thordros [he/him, comrade/them]@hexbear.net
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    I store my master password on a sticky note attached to the bottom of my desktop’s power supply. Easily accessible if I were to die, but sufficiently secure that if it were physically compromised I would have significantly worse problems on my hands.

  • Sudo Sodium @lemdro.id
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    Using Proton Pass was a game changer to me , I don’t have to ignore the necessity to put a strong and complicated password for security reasons anymore, Proton generate it to me and stores everything ( so I don’t need to remember which password I set for which account ) But the bad aspects of cloud services worry me a little about this: the possibility of a security breach of the service, or the possibility of not being able to access it for any reason is a real disaster if it happens… so I’m thinking of exporting my passwords to another safe place for such cases.

      • 14th_cylon@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        3 months ago

        Which creates issue with having to synchronize it between devices. There is always something to worry about :)

          • 14th_cylon@lemm.ee
            link
            fedilink
            arrow-up
            0
            ·
            3 months ago

            that’s nice soundbite, i am just saying you have to be realistic. if you are aiming at people who up until now had their passwords on post-it on the monitor, switching to tool where you need to come up with some synchronization system on your own might not be what convinces them.

    • chrand@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      so I’m thinking of exporting my passwords to another safe place for such cases.

      I’m also using ProtonPass, and I agree it’s a game changer. I love the interface, the Android app is amazing and well integrated.

      To not be locked in into ProtonPass in case of real disaster, once a month I export the ProtonPass data and import to KeepassXC in my local machine. It’s pretty easy, you just have to export to CSV, and import into KeepassXC, the interface will help you to map the CSV fields accordingly, and you will have a local accessible backup in case of disaster. Don’t forget to remove the CSV from your computer after importing to KeepassXC.

    • pathief@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      3 months ago

      You can export all your passwords to an encrypted and password protected file. I ocasionally back it up to a USB device so that I always have an offline copy available.

      Still, one of these days I was logged out of my proton pass on Android and couldn’t connect to the internet. I was locked down.

    • Monstrosity@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      That’s what I’ve resorted to, but I only use Firefox because it has a master password.

      Chrome has no master password so what stops any fool from stealing your passwords while you’re taking a piss, I don’t know.

      Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than their worth in my estimation.

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      3 months ago

      Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.

      1. No more password reuse, per site random passwords.
      2. Auto-fill reduces chance of phishing attacks work because you get suspicious if the password doesn’t auto-fill.
      3. Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.

      I think these are the two biggest benefits and every browser password manager will accomplish both.

      • _____@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 months ago

        This is what I do: I use my browser to store all my randomly generated passwords. If I ever need them on my phone I either sync or go to my desktop and view the password and type it over.