27 votes

I'm thinking of getting a password manager. How does it work and any advice on transitioning to one?

The reason why is to make more accounts for reddit, YouTube (one for entertainment and Portuguese content each), news sites where signing up is an alternative to pass a paywall, and other sites with comment sections. Bad euphemism bro. Also some sense of "praxis" in order to gain privacy.

Edit: And also getting anxious at the idea of remembering all my passwords, and putting them in a note in my old phone, which I am not bringing into my new phone and want to use this to delete.

According to these two articles, I can save my old passwords I had before and maybe even still make new ones after, and put them in a folder behind one true (master) password, which is the one you will truly care about, and they will be saved in a way in which the managing company won't know your password?

There's also figuring out which provider to use (and probably a similar post for alt-mail providers.) This is overwhelmingly for mobile (Android). No real space constraints for apps, only price, because I'm not working age.

44 comments

  1. [11]
    Durallet

    Any good password manager will have the ability to import your existing passwords (whether it's from your desktop browser or another password manager).

    Privacytools.io recommendations for password managers:
    For local only copies try Keepass XC. If you want a cloud syncing solution try BitWarden.

    Please note that the usage of a password manager does not automatically "improve your privacy", since privacy is an ongoing continuous process. You will need to fundamentally change your outlook on how to use everything/anything. That involves questioning the data collection practices of everybody (government, businesses, individuals, etc) and being overly aggressive about it will not make you any friends.

    23 votes
    1. [3]
      RNG

      Please note that the usage of a password manager does not automatically "improve your privacy", since privacy is an ongoing continuous process.

      This is a really good point that's often missed. The utility of a password manager is two-fold: it helps you avoid password reuse and allows you to opt for stronger passwords. Only you know if password complexity/password reuse is something you should invest in this tool for.

      The pros definitely outweigh the cons of having a password manager, but keep the cons of pw managers in mind:

      • They can be complex
      • They may not work on every system you have
      • Forgetting the master password may lock you out of critical accounts
      • Master password compromise is catastrophic

      For older folks, I always recommend keeping passwords in a physical password notebook. Not only does this allow your family easier access to your accounts posthumously, but is simpler and more secure than just about any other solution (given that you trust those with physical access to your home and the book.)

      Maybe the logbook answer won't get you points on your cert exam, but in reality no one is breaking into your house searching for your password book, they're there to pawn your electronics and steal your meds.

      17 votes
      1. [2]
        whbboyd

        Maybe the logbook answer won't get you points on your cert exam

        This answer is Schneier-certified, so maybe it should.

        My two major caveats about the paper password manager approach are, first, it's difficult to back up; and second (and much more importantly), humans are absolutely garbage at doing random anything. If people generate passwords with their brains (tempting when it has to get handwritten in a booklet), they will almost without fail not be strong passwords. Making it convenient to have a computer generate your password using real sources of randomness and a vetted secure PRNG is one of the biggest benefits of a digital password manager.

        7 votes
        1. skybrian

          Don’t do it yourself, but sources of randomness aren’t hard to find, either. You can generate a random number and write it down.

          1 vote
    2. [3]
      babypuncher

      I use KeepassXC and store the database on my iCloud Drive. Keepassium for iOS allows me to integrate that database natively with the password autofill API.

      5 votes
      1. [2]
        Wes

        Similarly, I can recommend Keepass2Android on Android. I sync it with Dropbox, but I imagine any popular cloud provider should work.

        4 votes
        1. p2004a

          And it doesn't necessarily have to be a cloud provider. I'm using Syncthing for synchronization across multiple devices.

          3 votes
    3. freddy

      Thanks for mentioning PrivacyTools.io, as a team member, it's always nice to see the site getting shared.

      3 votes
    4. streblo

      Bitwarden is also open source and self-hostable, which is awesome.

      2 votes
    5. [2]
      Kuromantis

      For local only copies try Keepass XC. If you want a cloud syncing solution try BitWarden.

      How meaningful is the difference? And where are local copies stored exactly? Just in the phone's memory, just like any downloaded file?

      1 vote
      1. Durallet

        How meaningful is the difference?

        With BitWarden, you don't need to do anything special to sync information across your different devices (phone, pc, browser extension etc), thus "cloud syncing". The app keeps a local encrypted copy and regularly syncs the encrypted data with the central bitwarden server.

        And where are local copies stored exactly? Just in the phone's memory, just like any downloaded file?

        With Keepass XC, the encrypted password vault is specifically located in your device's storage (i.e. phone flash memory, so yes like a regular file) and you'll need to do some configuration with another app like SyncThing to sync with any other device.

        6 votes
  2. tomf

    I really like Bitwarden. The best way to get going is to install the browser extension then use the internet like normal. As you log into sites, update the passwords with a generated one and save it.

    For your main password, use something strong but easy to remember / enter. I prefer song lyrics (with spaces.)

    The main issues I had with other password managers was when I was using two machines at once and the sync wasn't working as well as I had hoped.

    For email, I use Zoho with a domain. The email is set as a catch-all. For tildes I use tildes@domain.com, for instance. If Tildes sells off my email or is breached, I simply block tildes@domain.com and update it to tildes1@domain.com, and so on.

    All in all, having a password manager is great. Run through the options and see which works best for you. For me, this has been Bitwarden since it came out. I came from Lastpass > 1Password > KeepassXC

    11 votes
  3. [15]
    streblo

    A comment on passwords in general:

    Using a password manager is great because you can isolate your accounts with strong passwords while not accruing a lot of mental overhead. But you still need a good password to secure the password manager itself. Sometime in the early or mid 2000s websites began to demand that people make their passwords more secure by inserting numbers and non-alphanumeric characters into their passwords, which has led to a really flawed view of password strength in the general public.

    To secure your password manager, you should think about using diceware. Diceware is a method to generate a password that will be secure for at least another decade. Simply get out 5 dice and roll them, then arrange them left-to-right. This five digit number (11111-66666) corresponds to a word from this list or this list -- write it down. Then repeat this process 5 more times for a total of 6 words. Your password is then just "word1 word2 word3 word4 word5 word6". Feel free to reroll a word if you'd like, but do not just choose words from the list.

    9 votes
    1. [2]
      Good_Apollo

      I thought using repeating patterns like that was bad for password strength?

      3 votes
      1. streblo

        The only thing that really matters is password entropy.

        Even if the attacker knows you use the diceware method and knows which word list you used it's still a massive search space for them to brute force. A diceware word list has 7776 words in it so a password with 6 words has 7776^6 ~= 2.2e+23 possible combinations or about log(2.2e+23)/log(2) ~= 77.5 bits of entropy which is perfectly reasonable.

        Edit: To compare to your own password, every ASCII-printable character (assuming you select your password from the full set) in your password adds 6.570 bits of entropy, so for example an 8 character password has 52.56 bits of entropy. Of course this flies out the window if your password is something that can conceivably show up in a dictionary attack.

        6 votes
    2. [12]
      Kuromantis

      Sometime in the early or mid 2000s websites began to demand people to make their passwords more secure by inserting numbers and non-alphanumeric characters into their passwords, which has led to a really flawed view of password strength in the general public.

      TIL the password I put the least thought into might be the strongest just by virtue of being moderately longer and @tomf is actually being the smart one by using song lyrics, which I immediately found weird.

      But anyway, what's a "bit of entropy" and how are certain types of characters and changes to a password given certain entropy values which can give those estimates? Isn't the reason we have all this because if someone knows a password only has letters, brute forcing it is easier because there is less stuff to brute force? Feel free to point me to an article if you prefer.

      Diceware is a method to generate a password that will be secure for at least another decade. Simply get out 5 dice and roll them, then arrange them left-to-right. This five digit number (11111-66666) corresponds to a word from this list or this list -- write it down. Then repeat this process 5 more times for a total of 6 words. Your password is then just "word1 word2 word3 word4 word5 word6". Feel free to reroll a word if you'd like, but do not just choose words from the list.

      I assume I can just use an RNG site for this?

      3 votes
      1. [2]
        spit-evil-olive-tips

        But anyway, what's a "bit of entropy" and how are certain types of characters and changes to a password given certain entropy values which can give those estimates? Isn't the reason we have all this because if someone knows a password only has letters, brute forcing it is easier because there is less stuff to brute force? Feel free to point me to an article if you prefer.

        Imagine flipping a coin. That's one bit of entropy.

        Imagine instead of numbers and letters, your password was a sequence of heads & tails. Say your password was required to be exactly 10 coinflips. There's 1024 (2^10) possible passwords, which is the same as saying there's 10 bits of entropy.

        If passwords were instead required to be 3 numbers, you'd have 1000 possible passwords (000-999). 10 bits of entropy resulted in 1024 possibilities, so that's just less than 10 bits of entropy. The exact amount is:

        >>> import math
        >>> math.log2(1000)
        9.965784284662087
        

        Now, instead of digits, we'll require passwords to be 3 lowercase characters. The number of possible passwords is now 26 * 26 * 26 = 17576. How many bits of entropy does this have?

        >>> math.log2(17576)
        14.101319154423276
        

        So, a 3-character all-lowercase password has about 14 bits of entropy.

        Next, open it up to uppercase, lowercase, and digits, and require a 12-character password. There's 62 possible characters (26 + 26 + 10), so the total number of possible passwords is:

        >>> 62**12
        3226266762397899821056
        

        And the bits of possible entropy:

        >>> math.log2(62**12)
        71.4503557246425
        

        70-ish bits of entropy, compared to just 14 for the 3-character password. This gives us a convenient measure to express how random the password could be.

        It doesn't necessarily mean the password is that random, of course - "aaaaaaaaaaaa" and "pmBxvLTE89zE" are both passwords meeting those requirements. It just gives us an upper bound on the size of the search space - if someone guessing your password did it totally brute-force, about how many guesses would it require?

        You can also use it to compare password strengths of various lengths / character sets. Which is better, a long password that's only lowercase letters, or a shorter password that uses uppercase, lowercase, numbers, and punctuation symbols?

        >>> math.log2(26**32)
        150.41407098051494
        >>> math.log2(95**16)
        105.11768973329517
        

        So a 32-character password that's only lowercase letters is significantly stronger (at least, against a brute-force attack) than a 16-character one that uses uppercase/lowercase/numbers/punctuation. (I used this chart which lists 33 punctuation symbols, for a total of 26 + 26 + 10 + 33 = 95)

        I assume I can just use an RNG site for this?

        Yes, as well as every password manager in existence will have a secure password generator built in.

        Diceware and similar systems are most useful if you want very secure passphrases, such as for offline Bitcoin wallets, and want to be sure the passphrase is truly random and not saved by any malware on your phone or computer. For the things you're talking about using a password manager for, you don't really need them (but could certainly play around with them if it suits your fancy).

        8 votes
        1. streblo

          Much better explanation than mine, thanks. :)

          Diceware and similar systems are most useful if you want very secure passphrases

          For me, I see my password manager password as a weak point. If my Bitwarden instance gets compromised, the hash is the only thing standing in the way of someone decrypting all my passwords.

          3 votes
      2. streblo

        A "bit of entropy" can be thought of a shorthand for describing the size of the search space for brute forcing the password. Something with 77.5 bits of entropy has 2^77.5 possible combinations. Each bit of entropy doubles the search space, so something with 55 bits of entropy will take twice as long to fully search as something with 54 bits of entropy. This assumes the attacker knows the search space as well.

        I'm not the person to ask but I've heard a high-end consumer GPU has a hashrate of around 2^55 hashes/day. So if your password has 2^55 bits of entropy and your password hash ends up in the hands of someone who wants to crack it it will take on average half a day and is guaranteed in one day. Every additional bit of entropy you add will double this time.

        I assume I can just use an RNG site for this?

        Probably, but using dice guarantees a) the distribution is close to uniform and b) no one can take advantage of you if it isn't perfectly uniform.

        2 votes
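        As an added worked example (not code posted by any commenter), the arithmetic of this subthread in one runnable Python module: the log2 search-space figures from the REPL sessions above, the "entropy is only an upper bound" caveat written as a naive strength meter, streblo's diceware method run against a constructed stand-in for the 7776-word list, and a time-to-exhaust estimate that takes the thread's rough 2^55 guesses/day figure as an assumption rather than a measurement.

```python
"""Added example: the thread's password-entropy arithmetic and diceware method.

Constructed stand-ins are labelled; the 2**55 guesses/day rate is the rough
figure quoted in the thread, used here as an assumption, not a measurement.
"""
import itertools
import math
import secrets
import string

# Alphabet sizes used in the comments above.
LOWER = len(string.ascii_lowercase)                     # 26
ALNUM = len(string.ascii_letters) + len(string.digits)  # 62
# Printable ASCII 0x20..0x7E: 52 letters, 10 digits, 32 punctuation, 1 space.
PRINTABLE = ALNUM + len(string.punctuation) + 1         # 95


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string over the alphabet.

    log2(alphabet_size ** length) == length * log2(alphabet_size); the
    product form avoids building huge integers for long passwords.
    """
    return length * math.log2(alphabet_size)


def naive_meter_bits(password: str) -> float:
    """Upper-bound estimate the way simple strength meters do it: infer the
    character classes present and assume every position was chosen uniformly.
    This is the thread's caveat: "aaaaaaaaaaaa" scores as 12 random lowercase
    letters although it is trivially guessable."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += PRINTABLE - ALNUM  # 33 symbols including space
    return entropy_bits(size, len(password)) if size else 0.0


def brute_force_days(bits: float, guesses_per_day: float = 2.0 ** 55) -> tuple[float, float]:
    """(average, worst-case) days to exhaust 2**bits guesses at the given rate.

    Default rate: the thread's "about 2^55 hashes/day on a high-end consumer
    GPU" figure, an assumption; the real rate depends on the hash function.
    Each extra bit of entropy doubles both numbers.
    """
    worst = 2.0 ** bits / guesses_per_day
    return worst / 2, worst


# --- Diceware ----------------------------------------------------------------

DICE_FACES = "123456"


def _constructed_wordlist() -> dict[str, str]:
    """Constructed stand-in for a real 7776-entry diceware list: every 5-dice
    roll "11111".."66666" maps to a placeholder word. Replace with a real list
    (the rolls are the keys) for actual use."""
    rolls = itertools.product(DICE_FACES, repeat=5)
    return {"".join(roll): f"word{i:04d}" for i, roll in enumerate(rolls)}


WORDLIST = _constructed_wordlist()
WORDLIST_SIZE = len(WORDLIST)  # 6 ** 5 == 7776


def roll_dice(count: int = 5) -> str:
    """Roll `count` dice with the OS CSPRNG (the secrets module), the software
    equivalent of physical dice; never random.random() for this."""
    return "".join(DICE_FACES[secrets.randbelow(6)] for _ in range(count))


def diceware_passphrase(words: int = 6, wordlist: dict[str, str] = WORDLIST) -> str:
    """Six words from a 7776-word list, each picked by an independent 5-dice roll."""
    return " ".join(wordlist[roll_dice()] for _ in range(words))


def diceware_bits(words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a diceware passphrase: words * log2(list_size), ~12.9 bits/word."""
    return entropy_bits(list_size, words)


if __name__ == "__main__":
    print(f"3 lowercase chars:            {entropy_bits(LOWER, 3):.1f} bits")
    print(f"12 alphanumerics:             {entropy_bits(ALNUM, 12):.1f} bits")
    print(f"32 lowercase vs 16 printable: {entropy_bits(LOWER, 32):.1f} vs {entropy_bits(PRINTABLE, 16):.1f}")
    print(f"6 diceware words:             {diceware_bits(6):.1f} bits")
    avg, worst = brute_force_days(diceware_bits(6))
    print(f"  -> about {avg:,.0f} GPU-days on average at the thread's assumed rate")
    print(f"naive meter, aaaaaaaaaaaa:    {naive_meter_bits('aaaaaaaaaaaa'):.1f} bits (misleading)")
    print("sample passphrase:", diceware_passphrase())
```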
      3. [8]
        tomf

        I got the song lyrics thing from Samy Kamkar, actually. It works really well. You don't need crazy, incomprehensible passwords to be secure -- which is why passphrases also work well.

        Don't test real passwords, but compare generated passwords (letters, numbers, symbols) vs passphrases with something like https://password.kaspersky.com. Especially for times where you need to enter a password where you can't paste it (e.g. into something like Kodi, a game system, etc), passphrases are great.

        Anyway, every password manager I've seen comes with some sort of generator. Just use those instead of rolling your own.

        2 votes
        1. [7]
          Kuromantis

          I got the song lyrics thing from Samy Kamkar, actually. It works really well. You don't need crazy, incomprehensible passwords to be secure -- which is why passphrases also work well.

          Again, that goes against basically everything I've ever known about passwords.

          Anyway:

          Don't test real passwords, but compare generated passwords (letters, numbers, symbols) vs passphrases with something like https://password.kaspersky.com.

          On https://password.kaspersky.com:

          Check your password

          Your password is not safe if it can be brute-forced or found in a database of leaked passwords.

          We do not collect or store your passwords. (Learn more)

          What's up with that?

          1 vote
          1. tindall

            It's all about the number of possibilities.

            With a password which contains characters from the set of 26 lower case letters, 26 upper case letters, 10 numbers, and, let's say, 14 symbols, you've got 26+26+10+14 = 76 possibilities per letter. For a 12 character password (which would be very difficult to remember), you get 76^12 or 4 * 10^22 possibilities.

            Even just using the most common 5,000 English words, you can achieve this complexity with a longer but easier to remember password of 6 words (log base 5000 of 4e22). And that's assuming the attacker somehow knows you'll be using those words, which they don't. Throw in a "sodium hexafluoride" or "antecambrian", words you could remember but which aren't in most dictionary files, and you'll have a very difficult to brute force password that's not difficult to keep in your head.

            5 votes
          2. [5]
            tomf

            @tindall, as always, pretty much summed it up :)

            When it comes to security, usually the simplest answer is the best -- e.g. long but easy to remember passwords, a post-it note over a webcam, etc.

            On a somewhat related note, years ago when Adobe had a big breach, someone made a crossword puzzle out of the password hints: https://zed0.co.uk/crossword. Some folks use the worst passwords and then give fairly accurate password hints. Once you move to a password manager, you can enter another generated password for the hints if they require it. You can keep those in your PM's notes.

            After you change your passwords, pop some into https://haveibeenpwned.com/Passwords to see if they're part of any breach. I'd also suggest signing your email or domain up so you get notifications when your account was part of a leak. Since you won't be reusing passwords ever again, you'll only have to update one password.

            5 votes
            1. cfabbro

              Also worth mentioning is monitor.firefox.com, which was made by Mozilla in partnership with HIBP. However, unlike the notification system at HIBP itself, where you can only have breach alerts sent to an affected email address, Monitor allows you to monitor multiple email addresses for breaches and have all the relevant alerts be sent to your primary email address if that's what you want. Monitor's custom dashboard also allows you to view all the alerts related to your associated email addresses in one convenient place, mark them as "resolved" once you have dealt with the issue, and also see more detailed information about all the known breaches in the database.

              6 votes
            2. [3]
              Kuromantis

              Thanks to you, @tindall, @streblo, @spit-evil-olive-tips and a few others for explaining to me how using a long sentence is better personal security than the top example of that XKCD comic.

              But my main question for this comment in particular is the bottom question about that password strength website:

              Why shouldn't you plug in passwords you currently or intend to use in a password strength site like the one you linked?

              If you shouldn't do that, why do they (or at least the one you linked) ask you to do just that and link you to a page about how that is perfectly safe? Also, why does Kaspersky not support spaces?

              2 votes
              1. tindall

                why does Kaspersky not support spaces?

                Because they suck, tbh. There's no reason not to support certain characters, because if you're handling passwords in an actual correct way, they are hashed before being stored anywhere.

                Why shouldn't you plug in passwords you currently or intend to use in a password strength site like the one you linked?

                They could add that password, or its components, to a database of passwords or sub-rainbow table. Or, worse, if there is a XSRF on your email, bank, or other important sites, they could try the password and get into an important account.

                5 votes
              2. spit-evil-olive-tips

                There's two ways to make a "type your password in here and we'll tell you how strong it is" webpage.

                One way would be entirely in your browser, using client-side Javascript, and the password never leaving your computer.

                The other way would be to send the password to a backend server, calculate how strong it is there, and then send the result back.

                The first way can be made to be secure, with some caveats (for example, a malicious browser extension might be able to capture what you fill into the form and send it somewhere, even if the page itself isn't doing it).

                The second way is definitely not secure. It might be actively malicious (recording every password sent to it for later use) or not (someone's toy / homework project that was never meant to be secure, for example).

                Without carefully inspecting the View Source of a page, you can't tell the two apart (and even then, you could write a page that looks like the first on casual inspection but does sneaky tricks behind the scenes).

                3 votes
  4. [3]
    petrichor

    The main benefit of a password manager is being able to use strong and completely different passwords for everything, while only needing to remember one "master" password.

    It's like taking all of your passwords, writing them down on pieces of paper (and marking what they're for), and locking them in a safe. Your master password is the one key that can be used to control access to your password - you can unlock the safe to put your old passwords in, add new passwords, and change any passwords when need be.

    Now, if you have the only copy of the key, then there's no harm in giving your safe to someone for safekeeping (assume that that someone can't look at the inside of the lock for the sake of the metaphor). In the case of most modern password managers, that means syncing it to the cloud, so that it can be used across different devices or recovered in case your computer stops working one day. For example, on Android, whatever password manager you have downloads your safe, which you can unlock and access by entering your master password / key.

    This does mean you're making two assumptions - (one) that your key is the only way to open (decrypt) your safe (passwords), and (two) that whatever password manager software you're using securely opens and closes your safe, without exposing your passwords to anyone else, or secretly snooping on them. The first is generally a safe assumption to make, regardless of the password manager. The actual way content can be encrypted and decrypted behind a master password / key securely is a whole field of research of itself, with several generally accepted and known-to-be-formally-safe protocols (if you're interested in this, Numberphile has many high-quality videos on cryptography and how it works). Password managers are almost always up-front about how they do this (mistakes can be made in implementation, but more on that later).

    The second assumption is a bit trickier to make safely. With just a program or app binary, you can't easily be sure that there isn't a line of code in there to randomly and maliciously steal your passwords and phone them home to the company or other organization. But, if the code behind said program or app is open-source, you and anyone else can check that there's no malicious code in the codebase, and then make sure the binary you're running is correct by either compiling it yourself, or comparing the unique hash of the binary to another known compiled version (these are called reproducible builds).

    Pretty much the only downside of using a password manager is that if you forget your master password, there's no way to recover any of your other passwords. I, personally, am never too concerned about this, because I enter my master password very frequently, and most-to-all of my accounts also let me send a reset password to my email (single point-of-failure, yay), which I also know and enter frequently. The password manager I use for just about everything is called password-store, but I wouldn't necessarily recommend it - it's very Unix-y and doesn't sync between devices well (which isn't useful to me anyway). Instead, I'd agree with the general consensus in the thread and suggest you use either Bitwarden or KeePassXC - both are open-source (necessary), have web, desktop, and Android clients (necessary for your use case), and have companion browser extensions that auto-fill login pages (a nice feature, also eliminates any malicious websites checking your clipboard for copied passwords).

    8 votes
    1. [2]
      crdpa

      Pass can "sync" using a git repository, but I wouldn't recommend it for the average computer user. If you are a Linux user and familiar with git, it is really good.

      I have it on my laptop and smartphone. The new Android pass app has autofill that works with Firefox.

      4 votes
      1. tindall

        Yeah, pass is incredible if you're willing to set it up, which is a huge pain.

        3 votes
  5. [4]
    Arghblarg

    Apologies if it's considered to be in bad taste to plug a product here, but I just so happen to make and sell a line of offline password generator/recall rings, key fobs, bracelets and cards which help to do this: tindie.com/stores/russtopia

    The advantage to these is that they are not software which can be hacked like password wallets, being completely offline and are convenient to keep on your person.

    6 votes
    1. [3]
      Kuromantis

      Apologies if it's considered to be in bad taste to plug a product here

      From the code of conduct:

      Self-promotion

      If you have your own site/project/channel/etc. that you'd like to share on Tildes, that's generally fine (in moderation), but it shouldn't be the primary reason that you post on the site. Tildes is a community, not a free advertising platform. Sharing your own content is welcome as long as you're involved in the community, but don't just treat Tildes as a source of an audience.

      6 votes
      1. [2]
        cfabbro

        Also worth mentioning is the unspoken rule of most self-promotion restrictions: If what you make is cool then it's a lot more acceptable to post about it... and IMO those password generator key fobs are pretty dang cool, @Arghblarg. :P

        7 votes
  6. spit-evil-olive-tips

    Somewhat inexact analogy:

    You take all your usernames & passwords, and write them down in a notebook. Then you store that notebook in a safety deposit box at your local bank.

    Since it's just a notebook, you can absolutely write your existing passwords in it, as well as new passwords as you create new accounts.

    The key to your safety deposit box is like your master password. It opens the safety deposit box, and you can take out the notebook and look up whatever password you need. Then you lock the notebook back up for next time.

    Your bank, as long as you trust them not to break into your box, cannot steal your passwords (this is where the analogy starts to break down, as modern password management software uses cryptography in a way that prevents them from looking at your passwords, even if they want to).

    Your various accounts (reddit, youtube, etc) don't even know or care that you're using a password management system like this. They just see your username and password like they always have.

    I use, and would recommend, Bitwarden. They have a free version that would meet all your requirements (in particular, syncing between desktop and mobile, which some password managers either don't support or support poorly).

    5 votes
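    The part of the analogy that "breaks down" (the bank cannot read the notebook) is what client-side key derivation buys you. The following is an added example, not code from this thread or from Bitwarden: it sketches the general pattern of stretching the master password into a key on the client and sending the server only a separate one-way value for login. The iteration count, salt and labels are constructed for illustration, not any product's real parameters.

    ```python
    import hashlib
    import hmac

    # Constructed parameter: real managers use far higher counts and their own
    # salt conventions. This is only to show the shape of the scheme.
    ITERATIONS = 100_000


    def derive_master_key(master_password, salt):
        """Client side: stretch the master password into a 32-byte master key."""
        return hashlib.pbkdf2_hmac(
            "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
        )


    def derive_vault_key(master_key):
        """Client side: the key that actually encrypts the 'notebook'. Never leaves the device."""
        return hmac.new(master_key, b"vault-encryption-key", hashlib.sha256).digest()


    def derive_auth_hash(master_key):
        """Client side: a different one-way value used only to prove identity to the server."""
        return hmac.new(master_key, b"server-auth", hashlib.sha256).digest()


    def client_login_material(master_password, salt):
        """Everything the client computes; only the auth hash is transmitted."""
        master_key = derive_master_key(master_password, salt)
        return derive_vault_key(master_key), derive_auth_hash(master_key)


    def server_check_login(stored_auth_hash, presented_auth_hash):
        """Server side: it holds nothing but the auth hash, so it can only compare."""
        return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


    if __name__ == "__main__":
        salt = b"user@example.invalid"  # constructed; per-user salt
        vault_key, auth_hash = client_login_material("correct horse battery staple", salt)
        # The server stores auth_hash at signup and later just compares.
        print("login ok:", server_check_login(auth_hash, auth_hash))
        print("vault key equals auth hash:", vault_key == auth_hash)  # False
    ```

    Because both the vault key and the auth hash are one-way derivations from the master key, someone holding the server's copy of the auth hash cannot work back to the vault key, which is why the "bank" in the analogy genuinely cannot open the notebook.
    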
  7. Macil

    Everyone is recommending dedicated password management programs, but I'd just like to plug the built-in password managers of browsers such as Chrome and Firefox. They both have built-in password managers, their browser integration is well-reviewed (which is not true of all dedicated password management programs!), they can sync your passwords between your devices, they work on each OS and mobile, and you already have them installed. If you're just storing website passwords, there's no need to reach beyond the browser's password manager.

    5 votes
  8. tempestoftruth

    I use KeePassXC. I chose a local solution because it maximizes my control over my passwords, but there are plenty of useful cloud solutions. If you have multiple devices that need to sync with each other fairly often, a cloud solution will be simpler.

    Here is a guide by InfoSec Handbook on how to set up KeePassXC, among many others you can find online.

    As @Durallet says, setting up a password manager is a great first step but you can augment the base level of security it gives through additional strategies and good practices. With a manager, you can afford to create different passwords for every account. For some accounts, I use a password generator built into KeePassXC to create random 32-character strings for passwords, which makes a successful brute-force attack nearly impossible. I don't need to remember these since the manager does that for me. You can further increase the security of your accounts by enabling two-factor authentication, for example.

    4 votes
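    To put a number on "random 32-character strings make brute force nearly impossible", here is an added example that is not code from this thread or from KeePassXC: it generates a password with a CSPRNG the way a manager's built-in generator does, computes the entropy in bits for a given length and alphabet, and converts that into an expected search time at an assumed guess rate. The guess rate is a constructed figure for illustration.

    ```python
    import math
    import secrets
    import string

    # 26 + 26 + 10 + 32 = 94 printable ASCII symbols
    ALPHABET = string.ascii_letters + string.digits + string.punctuation


    def generate_password(length=32, alphabet=ALPHABET):
        """Uniformly random password from alphabet using the OS CSPRNG (never random.choice)."""
        if length < 1 or len(alphabet) < 2:
            raise ValueError("need length >= 1 and at least two distinct symbols")
        return "".join(secrets.choice(alphabet) for _ in range(length))


    def entropy_bits(length, alphabet_size):
        """Bits of entropy for a uniformly chosen string of this length and alphabet."""
        return length * math.log2(alphabet_size)


    def expected_years_to_guess(bits, guesses_per_second):
        """Expected time to find the password, searching half the space on average."""
        guesses = 2 ** (bits - 1)
        return guesses / guesses_per_second / (365.25 * 24 * 3600)


    if __name__ == "__main__":
        rate = 1e12  # constructed figure: one trillion guesses per second
        for length, alphabet in [(8, string.ascii_lowercase), (32, ALPHABET)]:
            bits = entropy_bits(length, len(alphabet))
            years = expected_years_to_guess(bits, rate)
            print(f"{length} chars from {len(alphabet)} symbols: "
                  f"{bits:.1f} bits, ~{years:.3g} years at {rate:.0e} guesses/s")
        print("sample:", generate_password())
    ```

    The calculation only holds for passwords the generator chose uniformly at random; a 32-character string built from words or patterns has far less entropy than its length suggests, which is the whole reason to let the manager generate it.
    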
  9. Weldawadyathink

    Since I didn’t see it mentioned, I thought I would give my password manager recommendation. If you are slightly ok with technology and computers, Bitwarden is great. However, I recently switched to 1Password. 1Password is the first password manager that works for “technology illiterate” people. I previously strongarmed my family into using bitwarden. When I transitioned to 1Password, most of the growing pains they had disappeared. I have since set my grandparents up with 1Password, which I could not have done with Bitwarden.

    1Password does all this while having one of the most robust feature sets I have seen on a password manager. I, as a techie person, do not feel like I am missing out.

    It has a new feature integrating with privacy.com. It will generate a unique “credit card” number for each website that you can cancel at any time.

    The only drawback is the price. If you don’t want to spend anything, use Bitwarden.

    3 votes
  10. vord

    I'll echo that Bitwarden is hard to beat, especially if you want to self host. Having a unified password store for my family has been immensely useful.

    Just make sure that you're taking regular backups, ideally including one offline, unencrypted one as well.

    3 votes
  11. [3]
    Kuromantis

    Now that I've put a few accounts on BitWarden I have 2 questions:

    When I'm anywhere else, how do I log in to BitWarden to access my "vault"? Do I just type in bitwarden.com and login normally or is there anything more to it?

    BitWarden has a "who owns this" field for email addresses and the new protonmail account I made is there, but it doesn't seem to give me a way to change what email address an account can belong to. How do I change this? Or do I need to make another BitWarden 'vault' for the accounts on my Gmail address?

    3 votes
    1. [2]
      admicos

      When I'm anywhere else, how do I log in to BitWarden to access my "vault"? Do I just type in bitwarden.com and login normally or is there anything more to it?

      If you're on desktop, Bitwarden has extensions for most sane browsers, where you can do autofill (on page load), or right click the login form and tell it to fill in the credentials of the specific account.

      On Android (it's the only other platform I have experience with), Bitwarden can hook into Android's autofill API, which pops up a little window under the login forms to do the same thing like you can do on the browser. Android versions older than 8 (?) can use an accessibility API workaround to do this where the autofill API doesn't exist.

      I didn't really understand your second question (that could be me, it's almost 4 AM), so I cannot answer it at the moment.

      4 votes
      1. Bauke

        On iOS the Bitwarden app also integrates with iOS's autofill passwords system. In the iOS settings you can choose which password manager to fill passwords from and then whenever you're entering credentials it magically detects everything and gives you the option to autofill.

        2 votes
  12. Kenny

    I use 1Password and enjoy the usability of their system.

    2 votes