this post was submitted on 05 Jul 2023
42 points (97.7% liked)

Asklemmy

43775 readers
1204 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

I was gonna ask about the biometrics part in a separate question, but its both about security, so might as well combine it in one post.

Okay so I don't use password managers. I just try to make easy to remember passwords 3-4 random words + 3-4 random numbers. ~~Online accounts can't be brute forced anyways.~~ Edit: I mean most websites have log in limits don't they? Maybe I've been mistaken?

For offline accounts, I just increase the words and numbers. For mobile I don't use biometrics, although I've been testing whether or not I want a pin + no biometrics or alphanumeric password + biometrics. I just can't decide.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 26 points 1 year ago (5 children)

I use the password manager Bitwarden, but Proton Pass is looking kinda nice.

[–] [email protected] 5 points 1 year ago (1 children)

Same with bitwarden, I recently made my wife change from google because I don't trust how they could be managing that kind of data.

[–] [email protected] 2 points 1 year ago (1 children)

What benefit could it be to Google for them to have access to your user and passwords?

Genuinely curious, I use bitwarden myself but can't see Google using their password manager for nefarious reasons

[–] [email protected] 4 points 1 year ago (1 children)

Sure, probably they won't use it for bad purposes.
But there's nothing saying they won't use them in any way they see fit.
Maybe they could find a way to find monetize without disclosing them and anonymized, like statistics or with the update in their policy about training their models with whatever information they can get.
Maybe you have an ad blocker and AdSense can't build a profile from you, but the google already know what sites you were interested enough to make an account and could try to advertise in other ways.

And then the biggest issue: there's no mention of encryption, so who knows how they store them and where. Could an attacker read them? How are google employees prevented from reading them?

load more comments (1 replies)
[–] [email protected] 3 points 1 year ago

I'm already on Proton's other services, so I'll likely switch to Proton Pass if it looks good

[–] [email protected] 1 points 1 year ago

Same. Works well for me and I've had no issues with the free version.

load more comments (2 replies)
[–] [email protected] 15 points 1 year ago (1 children)

Open sourced password manager + open source 2fa wherever available. For password managers many will suggest Bitwarden & i recommend that to my family for its ease of use, though I personally use Keepass (because it allows me to store multiple documents & have them readily available offline. Its not as straightforward to set up sync compared to Bitwarden, which does it by default).

I would never allow a browser to store any information such as passwords, credit card info etc

On mobile I use password in conjunction with biometrics. Sensitive apps are only ever stored inside secure folder which has no biometric access & has a different password to main area of phone.

I absolutely refuse to use google/apple/samsung pay.

Please consider password manager, once you wrap your head around not knowing any of your passwords except the strong master password it becomes second nature. Get out of the pen & paper habit!

Top tip. For any new signup, once you've generated a strong password make a note within the password manager of the email address you used to sign up with (yep, get used to using multiple email accounts). When that site inevitability suffers a data breach it makes life easier when they send the change of password verification email

[–] [email protected] 1 points 1 year ago

Get out of my mind!

[–] [email protected] 11 points 1 year ago (1 children)

I write my passwords down using a diamond-point scriber on a tablet of solid gold, which I keep in a secure location.

[–] [email protected] 5 points 1 year ago

Sounds good. Since I'm so amazed by your security, I'd like to volunter to act as security for your tablet of solid gold, would you mind telling me the location? πŸ˜‰

[–] [email protected] 11 points 1 year ago

Online accounts can't be bruteforced

I'm sorry, but that's just wrong.

Majority of sites have awful security practices, not to mention massive breaches.

Get yourself either a password manager (Bitwarden is the best), or something like Yubikey + unique sentences.

Biometrics do not provide security, they're purely for convenience.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

I run my own instance of vaultwarden (100% compatible fork of bitwarden) and use the standard bitwarden client on Android and browser plugin in Firefox. My master password is really long and I use 16 character passwords as standard in BW. I have biometric set up for my phone just to make it a bit less hassle.

Edit: and I set up MFA wherever possible with a yubikey

[–] [email protected] 3 points 1 year ago

Are you a bot?

[–] [email protected] 5 points 1 year ago (2 children)

This may be a dumb question and I see here as well as elsewhere that a password manager is the best option. What makes a password manager safer than managing passwords yourself? I see the efficiency and ease of us aspects, but I’m less clear on the security portion. Thank you!

[–] [email protected] 5 points 1 year ago (1 children)

There's plenty of vids on youtube that explain this in great detail.

load more comments (1 replies)
[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Basically, they enable you to have a different, randomly generated and very long password for each service with minimal impact to your usability.

Personally I use keepassxc with the accompanying browser addon. When I unlock my PC and need a password, I have to enter my master passwort to unlock the database. Afterwards, until I lock my PC again or manually lock the database, I can click on a single button in my browser window to automatically fill out my login information. I do not know any of my passwords beside the master passwort.

I have yet to need the forget password option after switching to a password manager since I can always look up my passwords.

[–] gentoo_biscuit 4 points 1 year ago

Been on bitwarden a few years now. It's great

[–] [email protected] 4 points 1 year ago

I'm using keepass on pc and Keepass2android offline on mobile. Protected only with a big password (you can memorize it ~however long it is, as long as you sit 15mins to learn it and use it from time to time). I try to use long random passwords (made by me). I haven't uploaded my database anywhere online. I might have printed it though.πŸ™ƒ

For only a few logins, I've saved them on my browser.

[–] [email protected] 4 points 1 year ago

Keepass xc and optionally syncthing

[–] [email protected] 3 points 1 year ago

Would strongly recommend a password manager. I use bitwarden, you can use self host it or not. If you don't like bitwarden there are plenty of free options. Random password generation and sync is going to be a better practice than much else I can think of, so I'd encourage you to go for it! 😬

[–] [email protected] 3 points 1 year ago (1 children)

I have been a paying costumer for bitwarden for couple years, but now I am planning to switch to proton pass soon. $1 for unlimited email alias is simply too good.

[–] [email protected] 2 points 1 year ago (1 children)

Do you know how long this $1 promo will last? I’m unlucky this month and can’t afford it until next month.

[–] [email protected] 1 points 1 year ago

no idea, actually I haven't realized it is a promotion until you mentioned it...

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Bitwarden for my personal stuff, KeePass for work (like to keep everything separated). Biometrics on devices that support it. I used to do what you did, and then Facebook got hacked and all my other online accounts fell like a house of cards, found out when my friend texted me asking WTF was going on and why was I posting links to porn sites everywhere. So, password manager and strong passwords for all the things. MFA is something that needs to become more common as well.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

Been using passwordstore.org for like 12 years I think

[–] [email protected] 2 points 1 year ago

Self-hosted bitwarden instance with 2FA enforced through hardware key. pretty nice and relies on having the password and the hardware key.

[–] [email protected] 2 points 1 year ago

KeePass, synced to my VPS. The key file on exists on my phone+tablet+laptops. Its biometrically authenticated on the phone+tablet - unfortunately, its just password-protected on the Debian laptop. The VPS is automatically backed-up to a completely different cloud service every other night. In the case of catastrophe on the VPS, there'd be cached copies of the vault on my devices and I can fairly easily retrieve a timestamped copy from the cloud server.

I also use a 2FA autheticator app on the phone+tablet. Its similarly biomentrically authenticated and backed-up to the VPS/Cloud.

[–] [email protected] 2 points 1 year ago
[–] [email protected] 2 points 1 year ago

I manage my passwords with Bitwarden and Authy for 2FA. Another good option, is to use KeepasXC with Symcthing to have the passwords both on the pc and smartphone

[–] [email protected] 2 points 1 year ago

I used a similar password method myself, but I did find many of my accounts getting hacked still. Unfortunately many online accounts can be brute forced, and using any combination of words and numbers makes for an easy dictionary attack.

I now use a password manager that I trust (1password), and a long hard to remember master password.

I do use biometrics when available, for the ease of use.

[–] [email protected] 1 points 1 year ago (1 children)

I use Bitwarden and I have 2FA where it’s implemented. Why do you say that online accounts cannot be brute forced?

[–] [email protected] 2 points 1 year ago (3 children)

Most online logins have limits. You can't just try a million passwords in a second.

[–] [email protected] 3 points 1 year ago (1 children)

Nobody will try to brute force your account on a login form unless you are a high value target. Databases get leaked and password hashes with them. There are tools like haveibeenpwned which check your email against known database dumps that are available to everyone on the dark web.

[–] [email protected] 2 points 1 year ago

I’m subscribed to haveibeenpwned but sometimes I read of breaches where password were plain text… a password manager is the best option, some of them also alert you of known breaches so you can change your password instantly

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

This is true, but if their password database gets compromised and they're using insecure storage then they can brute force all day. There are server farms dedicated to doing just that and the vast majority of users are using simple, easy to guess passwords. The most common password? "password" [source: https://nordpass.com/most-common-passwords-list/]. Yes, we are a stupid species.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

In theory that is correct. In practice, not always the case. Up until 8 years ago you could brute force iCloud passwords: https://www.intego.com/mac-security-blog/apple-patches-brute-force-password-cracking-security-hole-in-icloud

[–] [email protected] 1 points 1 year ago (3 children)

This may be a dumb question and I see here as well as elsewhere that a password manager is the best option. What makes a password manager safer than managing passwords yourself? I see the efficiency and ease of us aspects, but I’m less clear on the security portion. Thank you!

[–] [email protected] 4 points 1 year ago (2 children)

The idea is to use a different password in every different place so if some password gets leaked, they will only be able to harm you there.

Imagine, if you use the same password for everything, then site A leaks your password and now the bad people could look you up in many other sites and see if they can do some harm there.

Also not having to remember passwords allow for very obscure passwords very hard to bruteforce.

load more comments (2 replies)
[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Several points

They generate strong passwords - completely random with no scheme or method to guess. They are long and use many different characters. These won't be easy to memorize, but that's the point of a password manager, isn't it? Much stronger than "google-monkey123", "lemmy-monkey123" etc.

They generate unique passwords - different passwords for every login. When, inevitably, one website had their database breached and it turns out that they stored the passwords too (you never store the passwords, only a "hash", a scrambled version of it), that password of yours can't be used on other websites. Or any scheme be detected "hey that guy just appends 'monkey123' to the name of the site!" That password was truly unique and is not a danger to your other online accounts.

They protect you from phishing - consider this scenario: you get a message with a link, you click on it and the site asks you to log in, so you type in your login and password, but that was a phishing site, it looked like the real website, but really it wasn't. And now the attacker knows your username and password. A password manager that automatically fills your login details will only do so if the domain name is exactly correct, on a phishing site it will not auto-fill, giving you a moment to stop and think.

[–] [email protected] 1 points 1 year ago (2 children)

Thank you! Is it possible for a password manager to be breached?

[–] [email protected] 4 points 1 year ago (1 children)

That depends on the password manager.

There are password managers that work on your computer and the data never leaves your hardware. KeepassXC for example. The database is just a file on your computer - you are in charge of backing it up, synchronizing it to your other devices (i.e. phone) etc. The database file is fully encrypted so you could share it with a cloud provider like google drive or dropbox, or you could use syncthing which synchronizes files between your devices without cloud storage. If you use cloud storage there's a small risk that the encrypted file gets into the wrong hands (but it is encrypted so it's most likely worthless to any would be hacker).

Some other password managers offer a web service where you can log into a website to see your passwords, and they have mobile apps and browser extensions. These do store your passwords in their cloud - the risk that those get breached is considerably higher. But even there it depends on the implementation details. Bitwarden for example kind of does something similar to keepass, where your "vault" is encrypted locally and then stored on their servers. Even if they get breached, the data would be useless. Lastpass had a breach recently and it turned out that they didn't encrypt everything - so someone with access to the data could determine some details such as which sites a user had accounts on. And apparently some vaults used a weaker encryption so those might be decrypted eventually.

And a lot of password managers are closed source so there's no telling what they may do, just "trust me bro".

If I had to give a recommendation it would be bitwarden - it's open source, it's free although there is a paid plan if you need it and want to support them. It's really easy to use. If you have extreme paranoia (no judgement) then keepassxc - it's also open source and free, it's just a little more effort to set it all up so it doesn't get my first choice.

load more comments (1 replies)
[–] [email protected] 2 points 1 year ago

No, or, it shouldn't be if you're using a good one. The only way to decrypt your passwords is with your master key. If your master key is safe, then your passwords are too.

[–] [email protected] 1 points 1 year ago (2 children)

Lastpass for like 10+ years. I don't know how anyone can have any level of security without a manager. I have hundreds of passwords, all unique, and I never have to remember any of them.

[–] [email protected] 2 points 1 year ago (1 children)

Doesn't Lastpass have a data breach every two months or so? I migrated last year after hearing of the second one I knew about

[–] [email protected] 1 points 1 year ago

It hasn't worried me too much but I'll probably switch to Proton Pass soon anyway:

All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.

load more comments (1 replies)
load more comments
view more: next β€Ί