I have met people like this, and I think mostly it's "I know I'm not supposed to reuse passwords but I don't know how else to implement that." Although a password manager seems like the most...
I have met people like this, and I think mostly it's "I know I'm not supposed to reuse passwords but I don't know how else to implement that."
Although a password manager seems like the most natural thing in the world to me, I remember trying to set my folks up with Last ass (years ago), thinking it would be more foolproof than my dropbox sync keepass + mobile and desktop apps method. The UX on iOS was shockingly bad.
With Magi keyboard, Keepass is easier than ever to use on mobile. But I think most of the no-techrati will end up on Firefox, google, or apple's native password managers. It's probably a net win, even if it does mean even more vendor lock in.
Edit: I see the Last pass autocorrect typo, but it's too good so I'm leaving it.
Is there a slang word for a typo caused by autocorrect doing the wrong thing? I feel like there should be.
I like it! I got the tip here on tildes to use KeepassDX for android. It has a keyboard that you can switch to that can type the username, password, etc directly into forms and apps. It works...
autocorrupt
I like it!
I got the tip here on tildes to use KeepassDX for android. It has a keyboard that you can switch to that can type the username, password, etc directly into forms and apps. It works well, and is great for those occasional apps that don't implement or blok paste.
I have the opposite experience. I don't pay for Bitwarden and it's so bad I still feel like I lost something. The sharing of passwords is unnecessarily cumbersome, requiring "organizations" that...
I have the opposite experience. I don't pay for Bitwarden and it's so bad I still feel like I lost something. The sharing of passwords is unnecessarily cumbersome, requiring "organizations" that passwords and users belong to. The iOS app is clunky and has high latency (native version in beta though) on top of bad design. You can't create passwords unless you're online because the sync algorithm is too naive to handle potential conflicts.
Love FOSS, but Bitwarden needs to spend some of their $100 million in funding towards polishing up the user experience. As it is, no one I've recommended Bitwarden to has made the switch and they continue to use insecure methods. Now I'm hoping the iOS native passwords app later this month will be their savior.
Agree. My employer just recently had us all implement Bitwarden. It sucks. It tries to load user/pass into random text boxes, it doesn't load user/pass into half the fields it should, and god...
Agree. My employer just recently had us all implement Bitwarden. It sucks. It tries to load user/pass into random text boxes, it doesn't load user/pass into half the fields it should, and god forbid you have a common domain with subdirectories.
The UX on iOS amazing if you're using their password manager... and it gives you alerts if you're reusing passwords or if it sees a password that has been seen in a breach. I prefer KeePass...
The UX on iOS amazing if you're using their password manager... and it gives you alerts if you're reusing passwords or if it sees a password that has been seen in a breach.
I prefer KeePass myself, but by default the iPhone/iOS setup is pretty solid.
I lol'ed hard My wife is like this. She forget all of her passwords and just resets it. I already showed my KeepassXC full of.passwords, but she doesn't care It's trivial to reset passwords so......
Last ass
I lol'ed hard
My wife is like this. She forget all of her passwords and just resets it.
I already showed my KeepassXC full of.passwords, but she doesn't care
It's trivial to reset passwords so...
And I don't blame her. While it's easy for me to care for my keepass file, it still work I have to do (setup syncthing on phone and computer and make periodic backups to an external drive and cloud storage).
When we were first married, I set up our Keepass system and taught my wife how to do it. She hates creating accounts and coming up with passwords, so she was a mostly willing inductee. An...
When we were first married, I set up our Keepass system and taught my wife how to do it. She hates creating accounts and coming up with passwords, so she was a mostly willing inductee.
An unexpected benefit is that either of us can get access to passwords we need. No more, "what password did you set on the bank account" BS. 2FA has eaten into the effectiveness of this a little though. I have toyed with trying to use one of the 2fa plugins for keepass, but then it loses independence.
I'm not sure about upstream KeePass, but KeePassXC has support for TOTP keys which can sometimes work in place of two-factor. I've had a couple companies force me to set up two-factor, and being...
I'm not sure about upstream KeePass, but KeePassXC has support for TOTP keys which can sometimes work in place of two-factor. I've had a couple companies force me to set up two-factor, and being that I don't carry a cellphone, I've needed to set this up just to access those accounts.
It's slightly buried under a submenu which could make it difficult to explain to others, but it's also probably easier than having the whole "Hey I need you to forward me this code" conversation every time.
I need to get off of Authy onto some other syncing 2fa tool, so when I do, I'll probably try to find one that can between all our devices but is separate from our keepass setup, just to maintain...
I need to get off of Authy onto some other syncing 2fa tool, so when I do, I'll probably try to find one that can between all our devices but is separate from our keepass setup, just to maintain some independence of the second factor.
Personally I just don't use it. The auto in the implementation means that it has negative utility to me. I'd rather accept the occasional typo then the lost time. I have no idea if it is used for...
Is there a slang word for a typo caused by autocorrect doing the wrong thing?
Personally I just don't use it. The auto in the implementation means that it has negative utility to me. I'd rather accept the occasional typo then the lost time. I have no idea if it is used for training or data collection or something but the implementation is not there for the user.
I agree with your concerns, so I use the Typewise Offline Keyboard. No network permissions at all. I've been using it for years and it works well enough. I wrote more about it here.
Tbh, I also do this sometimes, even though I use a password manager. When it's something I basically don't care at all about or I consider it too unimportant to add it into my password manager, I...
Tbh, I also do this sometimes, even though I use a password manager. When it's something I basically don't care at all about or I consider it too unimportant to add it into my password manager, I do basically the same thing.
For example on every random company's job application crapware when I'm sending out CVs. I'll generate a random password, use it, but not save it anywhere. Rinse and repeat. All data contained in my CV is publicly available information anyway, so them keeping this data for e.g. 2 or 5 years basically means nothing to me.
I mean, it's a pattern that is enforced in some cases. World of Hyatt, for instance, does not have logins with passwords - the only option is that they send you an email with a temporary login link.
I mean, it's a pattern that is enforced in some cases. World of Hyatt, for instance, does not have logins with passwords - the only option is that they send you an email with a temporary login link.
The McDonald and Toast apps both work this way, though with Toast it's a phone number. I suppose its possible they looked at their logins and said, "50% of people do forgot password every time, so...
The McDonald and Toast apps both work this way, though with Toast it's a phone number. I suppose its possible they looked at their logins and said, "50% of people do forgot password every time, so lets just streamline that workflow. "
But I think it is more likely a way to connect you more solidly to your data in their analytics.
Personally, I think this is a good pattern and more websites should use it alongside social media sign-ins as The login pattern. Heck, it's easier because you don't have to deal with passwords...
Personally, I think this is a good pattern and more websites should use it alongside social media sign-ins as The login pattern. Heck, it's easier because you don't have to deal with passwords yourself, just time-limited tokens.
A lot of people don't use password managers (because they can be something of a hassle) so they end up reusing passwords. Which means your email and password are in a random small website's database, which has a much higher chance of being leaked than your email service's password.
I feel the exact opposite, I can't stand having to wait for an email or a texted code or whatever their extra step is, and having to leave the app I'm trying to use to retrieve it. If that became...
I feel the exact opposite, I can't stand having to wait for an email or a texted code or whatever their extra step is, and having to leave the app I'm trying to use to retrieve it. If that became the default experience life would just be that tiny bit worse.
I'd also be much less worried about a random small website being targeted for a data breach than a major email provider unless there was clearly some indication that it would provide valuable user data (e.g. a yacht club membership site may have lots of wealthy members, a niche geocaching forum not so much).
I think it's as simple as people taking the quickest route to solve their immediate problem, i.e., get logged in to do something. It would take time to add the credential to a password manager, or...
I think it's as simple as people taking the quickest route to solve their immediate problem, i.e., get logged in to do something. It would take time to add the credential to a password manager, or learn how to use a manager, etc. Where it is an infrequently used service, I could see that being people's norm. It's not really any different than the developer who just gets the short-term fix in instead of the proper refactor, or the sysadmin who does the manual deploy instead of writing the ansible playbook. Sometimes you just need to get the outcome quickly.
Also, I've occasionally worked places that didn't have or allow password managers. So I could reuse passwords, let the browser remember, or just randomize passwords and do the forgot password dance, which seemed the least bad option for the services I interacted with.
Could cybersecurity folks tell me whether using Firefox password manager alongside a browser unlock password might be a bad idea? Are lastpass and keeppass better or more secure than Firefox' service?
Could cybersecurity folks tell me whether using Firefox password manager alongside a browser unlock password might be a bad idea? Are lastpass and keeppass better or more secure than Firefox' service?
I have seen no security benefit in using lastpass or keeppass instead of the browser built-ins from chrome, firefox, or edge. All password managers suffer from the all-eggs-in-one-basket weakness,...
I have seen no security benefit in using lastpass or keeppass instead of the browser built-ins from chrome, firefox, or edge. All password managers suffer from the all-eggs-in-one-basket weakness, but in practice, it hasn't been a huge issue. I use the one in Chrome myself.
Browsers are both a way larger, and a way more lucrative attack surface than a password manager. That's the biggest potential risk to me, but overall it's not enough of a risk to be strong factor...
Browsers are both a way larger, and a way more lucrative attack surface than a password manager. That's the biggest potential risk to me, but overall it's not enough of a risk to be strong factor either way.
Keepass works in more cases since it has a nice(r) interface for accessing passwords (e.g. the physical keypad at work), it also stores more types of data, such as ssh keys or arbitrary files. I...
Keepass works in more cases since it has a nice(r) interface for accessing passwords (e.g. the physical keypad at work), it also stores more types of data, such as ssh keys or arbitrary files. I like this because it allows me to only use method for storage.
It's also possible to split your passwords in several files, I have separated my personal and work passwords so as to put my eggs in two baskets, but it could be any number based on your needs.
From an improved security when logging in to regular webpages it's possibly the last one that matters. I haven't seen anyone recommend it though. So I wouldn't worry unless you saw a specific need.
I use keepass because I have passwords on things that are not websites, that's all. (I also leverage the ability to store my password database remotely using standard sftp.)
I use keepass because I have passwords on things that are not websites, that's all. (I also leverage the ability to store my password database remotely using standard sftp.)
TL;DR: For security use KeepassXC or Bitwarden I haven't used other password managers. But as a security and cryptography enthusiast, I've compared their security. 1Password, Nordpass, Dashlane,...
TL;DR: For security use KeepassXC or Bitwarden
I haven't used other password managers. But as a security and cryptography enthusiast, I've compared their security.
1Password, Nordpass, Dashlane, Lastpass, SecureSafe are all closed source. There is some type of religion online around 1Password, I guess they have a good marketing team, but there is no way to analyse their security, since they're closed source like all the others. Lastpass was claiming for years that "everything was encrypted", until they got hacked, and details leaked. The encryption was very weak, and only the passwords were encrypted, criminals could use the clear-text metadata to target websites of lastpass users, since they could get websites and logins from the metadata.
In the open-source world, where you can audit the source code, there are three contenders:
pass: the oldest. It's written by the same person who wrote Wireguard, the new more secure VPN solution, which is now the standard replacement for OpenVPN on Linux, and built-in the kernel. It's a very nerdy setup. I uses GPG, which is the standard for security, doesn't try to do its own encryption. But it leaks a little bit of metadata.
Bitwarden: this is what I recommend to non-technical users in my family. It's easy to set-up, it's opensource, and was audited by Cure53. Last time I checked, it was encrypted the entire vault with PBKDF2 (the recommendation for password key derivation is Argon2 nowadays, but PBKDF2 is still good) to seed AES-CBC. (the recommendation for encryption is XSalsa20 nowadays, AES-CDC is still secure, but getting old.) They messed up the default amount of iterations for PBKDF2, so you have to login to their web UI to increase the iterations for your vault, for old vaults. (not great, that means they could snoop your password if they wanted) I believe that new vaults use a sensible amount of iterations for PBKDF2 now.
KeepassXC: it uses the KDBX 4 file format by default. This checks all the boxes for best encryption: Argon2 to seed a Chacha20 encryption, which encrypts the entire file as well. (Chacha20 is supposed to be even better than the recommended XSalsa20)
In terms of security, KeepassXC is the best, followed by Bitwarden. In terms of usability for a non-technical user, Bitwarden is definitely better, and it has built-in sync. While still being very good, pass is the worst of both categories.
There is this whole thing with KeepassXC as well that your browser doesn't have the passwords. It uses an extension to connect to KeepassXC and request the password to the KeepassXC without saving them. I find this ingenious.
There is also Protonpass which is open-source, but I personally don't have the best trust in Proton. And I couldn't find any documentation about their encryption.
Thank you for the detailed breakdown, I appreciate it! I’ll stick with BitWarden for now, in that case. A few years ago when I first looked into this, LastPass seemed “good enough” and then they...
Thank you for the detailed breakdown, I appreciate it!
I’ll stick with BitWarden for now, in that case. A few years ago when I first looked into this, LastPass seemed “good enough” and then they got hacked twice.
I’d been dragging my feet on dealing with migrating away from LastPass, because while they said passwords were encrypted, I also assume it’s just a matter of time until it’s broken. If you have an offline file to decrypt, it’s really just a matter of time before you can decrypt it if you’ve got the hardware.
Recently, there was an unauthorised attempt to log into one of my accounts (thank 2FA for saving my arse here!) that I know must have been from the LastPass leak, because it doesn’t use an email address as the login, therefore there’s no “oops used the same email and password” crossover to make it vulnerable from other data leaks.
So now I’m wanting to speed run getting a new password manager, migrating things over, and changing the old passwords. Step one (get BitWarden) is done now, and you’ve confirmed here that it’s not just swapping one leaky password manager for another one, so I can focus on the next steps.
Tech blogs love to recommend 1Password and nordpass. I've used both a good amount. Both are proprietary and pretty sucky. Not secure in my opinion. I'm not going to pay monthly to get a feature...
Tech blogs love to recommend 1Password and nordpass. I've used both a good amount. Both are proprietary and pretty sucky. Not secure in my opinion. I'm not going to pay monthly to get a feature complete program. The in-browser password managers for both chrome and firefox are okay, but they don't get anything outside of the browser and tend to be inconsistent. I wouldn't trust a super important password to just linger on firefox.
I haven't used many open source password managers because I found keepassxc first, and it's perfect for me.
It runs on anything.
It can hold more data than just username/password.
It has a cli, if you're weird (or your computer breaks)
The file is stored locally, not in the cloud.
It has a browser extension for ease of use.
I know it's good because I haven't thought about it until now. It does it's job and nothing more.
You’ve touched on an aspect I’m not sure about — I think personally, getting locked out of my accounts is more devastating than having someone else access them, although both are pretty bad. I...
The file is stored locally, not in the cloud.
You’ve touched on an aspect I’m not sure about — I think personally, getting locked out of my accounts is more devastating than having someone else access them, although both are pretty bad.
I understand the security of not having things in the cloud means the chance for leaks is significantly reduced, but on the other hand I think I want to design my personal security situation around the possibility of (for example) a house fire destroying every physical thing I have, including computers and phones.
I currently lean in heavily on my password manager, and every single account I create goes into it, with a randomised generated password that I will never ever be able to remember off the top of my head (email addresses included).
If everything dies, and I’m starting from nothing, my password manager is the first point for everything else. So for me, the idea of all my passwords not being backed up to ~the cloud~ someone else’s computer isn’t something I’m willing to risk.
I completely agree. Keepassxc has a feature to backup the file on time intervals or when it's edited. I have mine setup to backup to all 3 drives of my computer, my laptop, and my phone. I'm not...
I completely agree. Keepassxc has a feature to backup the file on time intervals or when it's edited. I have mine setup to backup to all 3 drives of my computer, my laptop, and my phone.
I'm not against putting the database file in the cloud... just not a cloud that would also contain the password and/or hash data to open the database. In case of a leak, all the security features are null and void.
Ah, I see! Yeah I’m okay with my bucket of data being in the cloud, as long as it’s not just hanging around in plaintext or whatever. I’m currently using BitWarden, do you know if their own...
Ah, I see! Yeah I’m okay with my bucket of data being in the cloud, as long as it’s not just hanging around in plaintext or whatever.
I’m currently using BitWarden, do you know if their own service ever has access to unencrypted versions of the info or if it’s all only ever decrypted in my own device?
I know that last year my phone died (water damage, even though it’s supposed to be rated for much deeper under water than I’ve ever been) so the replacement phone didn’t get a chance to get backup files handed over from phone to phone, but restoring the phone from iCloud and then logging into BitWarden with my “master password” was enough to get everything back.
It should only ever be decrypted locally, according to them. I just don't like the idea of the hash key being in the same place as the database file. BitWarden seems more trustworthy than other...
It should only ever be decrypted locally, according to them. I just don't like the idea of the hash key being in the same place as the database file.
BitWarden seems more trustworthy than other closed source managers, though. I am, admittedly quite paranoid.
If I'm ever tasked with making a login page, you bet I'm doing the notion thing and skipping the concept of passwords altogether. Having a "press the thing in the link", where I don't need to...
If I'm ever tasked with making a login page, you bet I'm doing the notion thing and skipping the concept of passwords altogether.
Having a "press the thing in the link", where I don't need to story any permanent data for this stuff just sounds too damn convenient.
The strange thing is why they didn't instead learn to use their browser's built-in password manager? My guess is it's because they don't trust computers and have learned to say "no" whenever it...
The strange thing is why they didn't instead learn to use their browser's built-in password manager? My guess is it's because they don't trust computers and have learned to say "no" whenever it prompts them to do something new.
Or they access accounts from both a phone and computer, that don’t sync passwords. I’m guilty of this, where I do manually put “important” accounts into both, but some more “throwaway” accounts...
Or they access accounts from both a phone and computer, that don’t sync passwords.
I’m guilty of this, where I do manually put “important” accounts into both, but some more “throwaway” accounts for random retailers didn’t get this. So then on the rare occasion I go back to it from the wrong device, I have to do a password reset. And then six months later, when I access it from my other device that then autofills the wrong password, sometimes I’ve done the password reset rather than going into the other room for my phone.
So while I definitely don’t intentionally do it the way described in the article, there are definitely a few sites where I did it that way for a good year or so before finally finding it into both my phone and browser password savers.
Yeah, but every major browser has a profile sync that transfers passwords. Though that would also mean that the user would have to have the same browser on desktop and mobile and they were logged...
Yeah, but every major browser has a profile sync that transfers passwords.
Though that would also mean that the user would have to have the same browser on desktop and mobile and they were logged into those services on both, which means that not everyone will know about this feature.
TL;DR
I have met people like this, and I think mostly it's "I know I'm not supposed to reuse passwords but I don't know how else to implement that."
Although a password manager seems like the most natural thing in the world to me, I remember trying to set my folks up with Last ass (years ago), thinking it would be more foolproof than my
dropbox sync keepass + mobile and desktop appsmethod. The UX on iOS was shockingly bad.With Magi keyboard, Keepass is easier than ever to use on mobile. But I think most of the no-techrati will end up on Firefox, google, or apple's native password managers. It's probably a net win, even if it does mean even more vendor lock in.
Edit: I see the Last pass autocorrect typo, but it's too good so I'm leaving it.
Is there a slang word for a typo caused by autocorrect doing the wrong thing? I feel like there should be.
I believe the slang term is "fucking autocorrect."
Actually it's "ducking autocorrelation"
I prefer “autocucumber” but I don’t think there’s a universally used word or phrase for it
Like "RAM disk", "fucking autocorrect" is not an operating procedure.
I just call it
autocorrupt.BTW, what is this "Magi keyboard" that you refer to?
Alternative android keyboard that comes with KeepassDX.
It is a keyboard that copy and paste your user and password.
Android -- explains why I hadn't heard of it (haven't used Android in a while), thanks.
I like it!
I got the tip here on tildes to use KeepassDX for android. It has a keyboard that you can switch to that can type the username, password, etc directly into forms and apps. It works well, and is great for those occasional apps that don't implement or blok paste.
Especially with all the data breaches, I defaulted to assuming it was intentional...like Micro$oft.
Last I checked 1password hasn’t had any breaches.
From what I've seen, Bitwarden is a good userfriendlier FOSS alternative to Keepass. I've set it up with relatives without much issue.
I have the opposite experience. I don't pay for Bitwarden and it's so bad I still feel like I lost something. The sharing of passwords is unnecessarily cumbersome, requiring "organizations" that passwords and users belong to. The iOS app is clunky and has high latency (native version in beta though) on top of bad design. You can't create passwords unless you're online because the sync algorithm is too naive to handle potential conflicts.
Love FOSS, but Bitwarden needs to spend some of their $100 million in funding towards polishing up the user experience. As it is, no one I've recommended Bitwarden to has made the switch and they continue to use insecure methods. Now I'm hoping the iOS native passwords app later this month will be their savior.
Agree. My employer just recently had us all implement Bitwarden. It sucks. It tries to load user/pass into random text boxes, it doesn't load user/pass into half the fields it should, and god forbid you have a common domain with subdirectories.
Don't know about the beta iOS native app, but I'm using the beta Android native app and it's miles better than the old one.
That's a pity.
The UX on iOS amazing if you're using their password manager... and it gives you alerts if you're reusing passwords or if it sees a password that has been seen in a breach.
I prefer KeePass myself, but by default the iPhone/iOS setup is pretty solid.
That's good to know. My parents have said this is their "last" iphone, but we will see.
I lol'ed hard
My wife is like this. She forget all of her passwords and just resets it.
I already showed my KeepassXC full of.passwords, but she doesn't care
It's trivial to reset passwords so...
And I don't blame her. While it's easy for me to care for my keepass file, it still work I have to do (setup syncthing on phone and computer and make periodic backups to an external drive and cloud storage).
When we were first married, I set up our Keepass system and taught my wife how to do it. She hates creating accounts and coming up with passwords, so she was a mostly willing inductee.
An unexpected benefit is that either of us can get access to passwords we need. No more, "what password did you set on the bank account" BS. 2FA has eaten into the effectiveness of this a little though. I have toyed with trying to use one of the 2fa plugins for keepass, but then it loses independence.
I'm not sure about upstream KeePass, but KeePassXC has support for TOTP keys which can sometimes work in place of two-factor. I've had a couple companies force me to set up two-factor, and being that I don't carry a cellphone, I've needed to set this up just to access those accounts.
It's slightly buried under a submenu which could make it difficult to explain to others, but it's also probably easier than having the whole "Hey I need you to forward me this code" conversation every time.
I need to get off of Authy onto some other syncing 2fa tool, so when I do, I'll probably try to find one that can between all our devices but is separate from our keepass setup, just to maintain some independence of the second factor.
We use Autokerwrong.
It's clumsy, but we like it.
Personally I just don't use it. The auto in the implementation means that it has negative utility to me. I'd rather accept the occasional typo then the lost time. I have no idea if it is used for training or data collection or something but the implementation is not there for the user.
Also, very prozaically - automess-up.
I agree with your concerns, so I use the Typewise Offline Keyboard. No network permissions at all. I've been using it for years and it works well enough. I wrote more about it here.
Auto-cowrecked
I use autoincorrect
Tbh, I also do this sometimes, even though I use a password manager. When it's something I basically don't care at all about or I consider it too unimportant to add it into my password manager, I do basically the same thing.
For example on every random company's job application crapware when I'm sending out CVs. I'll generate a random password, use it, but not save it anywhere. Rinse and repeat. All data contained in my CV is publicly available information anyway, so them keeping this data for e.g. 2 or 5 years basically means nothing to me.
I mean, it's a pattern that is enforced in some cases. World of Hyatt, for instance, does not have logins with passwords - the only option is that they send you an email with a temporary login link.
The McDonald and Toast apps both work this way, though with Toast it's a phone number. I suppose its possible they looked at their logins and said, "50% of people do forgot password every time, so lets just streamline that workflow. "
But I think it is more likely a way to connect you more solidly to your data in their analytics.
Personally, I think this is a good pattern and more websites should use it alongside social media sign-ins as The login pattern. Heck, it's easier because you don't have to deal with passwords yourself, just time-limited tokens.
A lot of people don't use password managers (because they can be something of a hassle) so they end up reusing passwords. Which means your email and password are in a random small website's database, which has a much higher chance of being leaked than your email service's password.
I feel the exact opposite, I can't stand having to wait for an email or a texted code or whatever their extra step is, and having to leave the app I'm trying to use to retrieve it. If that became the default experience life would just be that tiny bit worse.
I'd also be much less worried about a random small website being targeted for a data breach than a major email provider unless there was clearly some indication that it would provide valuable user data (e.g. a yacht club membership site may have lots of wealthy members, a niche geocaching forum not so much).
But at the same time, it is really power-user-hostile.
I think it's as simple as people taking the quickest route to solve their immediate problem, i.e., get logged in to do something. It would take time to add the credential to a password manager, or learn how to use a manager, etc. Where it is an infrequently used service, I could see that being people's norm. It's not really any different than the developer who just gets the short-term fix in instead of the proper refactor, or the sysadmin who does the manual deploy instead of writing the ansible playbook. Sometimes you just need to get the outcome quickly.
Also, I've occasionally worked places that didn't have or allow password managers. So I could reuse passwords, let the browser remember, or just randomize passwords and do the forgot password dance, which seemed the least bad option for the services I interacted with.
Could cybersecurity folks tell me whether using Firefox password manager alongside a browser unlock password might be a bad idea? Are lastpass and keeppass better or more secure than Firefox' service?
I have seen no security benefit in using lastpass or keeppass instead of the browser built-ins from chrome, firefox, or edge. All password managers suffer from the all-eggs-in-one-basket weakness, but in practice, it hasn't been a huge issue. I use the one in Chrome myself.
Source: been in IT since the 90's
Nice - thanks
Browsers are both a way larger, and a way more lucrative attack surface than a password manager. That's the biggest potential risk to me, but overall it's not enough of a risk to be strong factor either way.
Keepass works in more cases since it has a nice(r) interface for accessing passwords (e.g. the physical keypad at work), it also stores more types of data, such as ssh keys or arbitrary files. I like this because it allows me to only use method for storage.
It's also possible to split your passwords in several files, I have separated my personal and work passwords so as to put my eggs in two baskets, but it could be any number based on your needs.
From an improved security when logging in to regular webpages it's possibly the last one that matters. I haven't seen anyone recommend it though. So I wouldn't worry unless you saw a specific need.
Keepass can do much more, but if you don't care and the browser password manager can export your passwords if you decide to leave, it's fine I guess.
I use keepass because I have passwords on things that are not websites, that's all. (I also leverage the ability to store my password database remotely using standard sftp.)
For anyone who does this, keepassxc is probably the best password manager
Which other password managers have you used and what was it about them that dropped them down your list?
TL;DR: For security use KeepassXC or Bitwarden
I haven't used other password managers. But as a security and cryptography enthusiast, I've compared their security.
1Password, Nordpass, Dashlane, Lastpass, SecureSafe are all closed source. There is some type of religion online around 1Password, I guess they have a good marketing team, but there is no way to analyse their security, since they're closed source like all the others. Lastpass was claiming for years that "everything was encrypted", until they got hacked, and details leaked. The encryption was very weak, and only the passwords were encrypted, criminals could use the clear-text metadata to target websites of lastpass users, since they could get websites and logins from the metadata.
In the open-source world, where you can audit the source code, there are three contenders:
pass: the oldest. It's written by the same person who wrote Wireguard, the new more secure VPN solution, which is now the standard replacement for OpenVPN on Linux, and built-in the kernel. It's a very nerdy setup. I uses GPG, which is the standard for security, doesn't try to do its own encryption. But it leaks a little bit of metadata.In terms of security, KeepassXC is the best, followed by Bitwarden. In terms of usability for a non-technical user, Bitwarden is definitely better, and it has built-in sync. While still being very good,
passis the worst of both categories.There is this whole thing with KeepassXC as well that your browser doesn't have the passwords. It uses an extension to connect to KeepassXC and request the password to the KeepassXC without saving them. I find this ingenious.
There is also Protonpass which is open-source, but I personally don't have the best trust in Proton. And I couldn't find any documentation about their encryption.
Thank you for the detailed breakdown, I appreciate it!
I’ll stick with BitWarden for now, in that case. A few years ago when I first looked into this, LastPass seemed “good enough” and then they got hacked twice.
I’d been dragging my feet on dealing with migrating away from LastPass, because while they said passwords were encrypted, I also assume it’s just a matter of time until it’s broken. If you have an offline file to decrypt, it’s really just a matter of time before you can decrypt it if you’ve got the hardware.
Recently, there was an unauthorised attempt to log into one of my accounts (thank 2FA for saving my arse here!) that I know must have been from the LastPass leak, because it doesn’t use an email address as the login, therefore there’s no “oops used the same email and password” crossover to make it vulnerable from other data leaks.
So now I’m wanting to speed run getting a new password manager, migrating things over, and changing the old passwords. Step one (get BitWarden) is done now, and you’ve confirmed here that it’s not just swapping one leaky password manager for another one, so I can focus on the next steps.
Tech blogs love to recommend 1Password and nordpass. I've used both a good amount. Both are proprietary and pretty sucky. Not secure in my opinion. I'm not going to pay monthly to get a feature complete program. The in-browser password managers for both chrome and firefox are okay, but they don't get anything outside of the browser and tend to be inconsistent. I wouldn't trust a super important password to just linger on firefox.
I haven't used many open source password managers because I found keepassxc first, and it's perfect for me.
I know it's good because I haven't thought about it until now. It does it's job and nothing more.
You’ve touched on an aspect I’m not sure about — I think personally, getting locked out of my accounts is more devastating than having someone else access them, although both are pretty bad.
I understand the security of not having things in the cloud means the chance for leaks is significantly reduced, but on the other hand I think I want to design my personal security situation around the possibility of (for example) a house fire destroying every physical thing I have, including computers and phones.
I currently lean in heavily on my password manager, and every single account I create goes into it, with a randomised generated password that I will never ever be able to remember off the top of my head (email addresses included).
If everything dies, and I’m starting from nothing, my password manager is the first point for everything else. So for me, the idea of all my passwords not being backed up to ~the cloud~ someone else’s computer isn’t something I’m willing to risk.
I completely agree. Keepassxc has a feature to backup the file on time intervals or when it's edited. I have mine setup to backup to all 3 drives of my computer, my laptop, and my phone.
I'm not against putting the database file in the cloud... just not a cloud that would also contain the password and/or hash data to open the database. In case of a leak, all the security features are null and void.
Ah, I see! Yeah I’m okay with my bucket of data being in the cloud, as long as it’s not just hanging around in plaintext or whatever.
I’m currently using BitWarden, do you know if their own service ever has access to unencrypted versions of the info or if it’s all only ever decrypted in my own device?
I know that last year my phone died (water damage, even though it’s supposed to be rated for much deeper under water than I’ve ever been) so the replacement phone didn’t get a chance to get backup files handed over from phone to phone, but restoring the phone from iCloud and then logging into BitWarden with my “master password” was enough to get everything back.
It should only ever be decrypted locally, according to them. I just don't like the idea of the hash key being in the same place as the database file.
BitWarden seems more trustworthy than other closed source managers, though. I am, admittedly quite paranoid.
For that scenario, you do need an offsite backup somewhere, but it doesn't need to be in the cloud, necessarily.
(Or perhaps a fireproof safe.)
If I'm ever tasked with making a login page, you bet I'm doing the notion thing and skipping the concept of passwords altogether.
Having a "press the thing in the link", where I don't need to story any permanent data for this stuff just sounds too damn convenient.
The strange thing is why they didn't instead learn to use their browser's built-in password manager? My guess is it's because they don't trust computers and have learned to say "no" whenever it prompts them to do something new.
Or they access accounts from both a phone and computer, that don’t sync passwords.
I’m guilty of this, where I do manually put “important” accounts into both, but some more “throwaway” accounts for random retailers didn’t get this. So then on the rare occasion I go back to it from the wrong device, I have to do a password reset. And then six months later, when I access it from my other device that then autofills the wrong password, sometimes I’ve done the password reset rather than going into the other room for my phone.
So while I definitely don’t intentionally do it the way described in the article, there are definitely a few sites where I did it that way for a good year or so before finally finding it into both my phone and browser password savers.
Yeah, but every major browser has a profile sync that transfers passwords.
Though that would also mean that the user would have to have the same browser on desktop and mobile and they were logged into those services on both, which means that not everyone will know about this feature.