Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
While I understand that password reuse is a problem, I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible. And some of these password managers seem shady themselves. And if said manager needs a password, that means someone only needs the one password, which puts us back at square one.
These days I’ve resorted to physically writing my passwords down because I straight up don’t trust anything that connects to the internet anymore for this kind of information. Like some lame puzzle in a video game where you have to look around the room for the password. But it still feels safer than anything that’s connected to the internet.
How about KeePass then? It’s an encrypted local database file you can sync/backup how and where you want. There are clients to open/edit it for Android, Linux and even Windows. The Android version can use fingerprint, if your phone has this hardware.
My main issue is that it doesn’t solve the “borrowing someone’s computer” problem. With a hosted password manager, you can log in to an online vault to get your passwords, but that’s not an option with KeePass.
That’s a pretty rare use case though, but it is something I run into periodically.
That’s a bit risky. The foreign computer could capture passwords.
However, in that use case, you could either display the password on the phone and manually enter it or use a portable KeePass on a USB stick.
Linux: How to run: https://docs.appimage.org/introduction/quickstart.html#ref-how-to-run-appimage Download: https://keepassxc.org/download/#linux
Windows only: https://keepass.info/help/v2/setup.html#portable
I use lastpass and have my vault on my phone.
But I have a hard time using someone else’s browser these days… too many custom plugins.
This feels a little too tinfoil-hat for me. The reality is that one strong password is going to be more secure than 50 weak passwords. If you use something like a passphrase with 30+ characters, cracking it with today’s methods will take longer than the heat death of the universe. Yes, it means all of your eggs are in one basket. But that’s why it’s important that basket is protected like Fort Knox.
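To put numbers on the “heat death of the universe” claim, here is a small estimator, added as an example and not from any poster in the thread. The guess rates (1e12/s against a fast unsalted hash at a careless service, ~10/s against a password manager’s KDF tuned to 0.1 s per guess) and the alphabet sizes are constructed assumptions; the figures assume the passphrase is chosen uniformly at random, which a human-invented sentence is not.

```python
import math

# Constructed assumptions for this estimate (not figures from the thread):
# an offline cracking rig making 1e12 guesses/s against a fast unsalted hash,
# and a password manager KDF (Argon2/PBKDF2 class) tuned to ~0.1 s per guess,
# which on the same hardware leaves the attacker ~10 guesses/s.
FAST_HASH_GUESSES_PER_SEC = 1e12
KDF_GUESSES_PER_SEC = 10.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def word_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a diceware-style passphrase of `words` random words from a list."""
    return words * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_sec: float) -> float:
    """Expected years to recover the secret: on average half the keyspace is searched."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def outlives_universe(bits: float, guesses_per_sec: float) -> bool:
    """True when the expected search time exceeds the current age of the universe."""
    return years_to_crack(bits, guesses_per_sec) > AGE_OF_UNIVERSE_YEARS


def scenarios() -> dict:
    """Compare the thread's cases: a reused 8-character password hashed fast by one
    of many services, versus a 30-character random passphrase and a diceware
    passphrase protected by a slow KDF."""
    weak = char_entropy_bits(8, 62)        # upper + lower + digits
    strong = char_entropy_bits(30, 27)     # lower case + space, chosen at random
    diceware = word_entropy_bits(6, 7776)  # six words from a 7776-word list
    return {
        "weak_fast_hash_years": years_to_crack(weak, FAST_HASH_GUESSES_PER_SEC),
        "weak_behind_kdf_years": years_to_crack(weak, KDF_GUESSES_PER_SEC),
        "strong_fast_hash_years": years_to_crack(strong, FAST_HASH_GUESSES_PER_SEC),
        "diceware_behind_kdf_years": years_to_crack(diceware, KDF_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for name, years in scenarios().items():
        print(f"{name:28s} {years:.3g} years")
```

The interesting row is the weak password: it falls in minutes at a service that hashes fast, but takes centuries of single-rig effort behind a proper KDF, which is the whole argument for putting the strength into one master secret. Attackers rent many rigs, so divide the KDF figures by however much hardware you think they can afford; the 30-character random case still has twenty orders of magnitude to spare.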
And change the master password every year or two, which likely also upgrades the key used to encrypt your secrets. Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.
Exactly. Without a password manager, every single service you reuse your password on is a security risk, because any one of them will compromise the rest. And it has repeatedly been demonstrated that even large software companies don’t follow best practices regarding passwords. So any one of them being compromised is a risk. With a password manager, as long as it is properly encrypted and secured with a strong master password, the only point of attack will be your master password.
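The two posts above make two mechanical claims: that changing the master password re-keys the vault, and that a properly built vault leaves the master password as the only thing to attack. The toy vault below, an added example and not KeePass or Bitwarden code, shows both. Assumptions: scrypt from the Python standard library as the password KDF with deliberately modest cost parameters so it runs quickly, and an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for the AEAD (AES-GCM or ChaCha20-Poly1305) a real manager uses; the sample secrets are constructed.

```python
import hashlib
import hmac
import json
import os

# Toy vault (added example). The master password is never stored; only a
# random salt, the KDF parameters and the sealed blob sit on disk, so the
# only way in is to derive the key from a candidate master password.
KDF_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumption: low cost so the demo is fast
KEY_LEN = 32
BLOCK = 32


def derive_vault_key(master_password: str, salt: bytes, params: dict = KDF_PARAMS) -> bytes:
    """Slow, salted derivation: every guess at the master password costs one scrypt run."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, dklen=KEY_LEN, **params)


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC(enc_key, nonce || counter) blocks XORed over data."""
    out = bytearray()
    for i in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i * BLOCK:(i + 1) * BLOCK], ks))
    return bytes(out)


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc, mac = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_blob(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc, mac = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(enc, nonce, ct)


def create_vault(master_password: str, secrets: dict) -> dict:
    """Build a new vault record from a master password and a dict of site -> password."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    blob = seal(key, json.dumps(secrets).encode("utf-8"))
    return {"salt": salt, "kdf": dict(KDF_PARAMS), "blob": blob}


def unlock(vault: dict, candidate: str):
    """Derive the key from a candidate password and try to open the blob."""
    key = derive_vault_key(candidate, vault["salt"], vault["kdf"])
    pt = open_blob(key, vault["blob"])
    return None if pt is None else json.loads(pt)


def rotate_master_password(vault: dict, old: str, new: str) -> bool:
    """Changing the master password means a fresh salt, a fresh key and a
    re-encrypted blob; the old password opens nothing afterwards."""
    secrets = unlock(vault, old)
    if secrets is None:
        return False
    new_salt = os.urandom(16)
    new_key = derive_vault_key(new, new_salt, vault["kdf"])
    vault["salt"] = new_salt
    vault["blob"] = seal(new_key, json.dumps(secrets).encode("utf-8"))
    return True


if __name__ == "__main__":
    v = create_vault("correct horse battery staple", {"example.test": "hunter2"})  # constructed
    print(unlock(v, "wrong guess"))                      # None: tag check fails
    rotate_master_password(v, "correct horse battery staple", "a different long passphrase")
    print(unlock(v, "a different long passphrase"))      # the same secrets, under a new key
```

Note what a thief of the vault file gets: a salt, the KDF parameters and an opaque blob. There is no per-site weakness to go after, every trial password costs a full scrypt run, and a guess is rejected by the MAC before any plaintext is touched. Real managers tune the KDF much higher than this demo and use a standard AEAD, but the shape is the same.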
It’s less about keeping all your eggs in one basket, and more about reducing attack vectors that hackers have access to. With reused passwords, every single individual service is a potential vector of attack.
And do yourself a favor and get MFA on that password manager. That dramatically increases the skill level needed to hack your master pass.
Several of the larger password managers have started requiring MFA on new accounts. Bitwarden, for example, now requires at least an email verification. They encourage you to use other MFA methods instead, like an Authenticator app. But they at least have the email as a last-ditch “fucking fine, you really don’t want to install an Authenticator app? Here, we’re forcing you to use this as the bare minimum” backup.
And that’s how it should be. In fact, I switched banks to the only one I could find that had MFA, because I value security as an option.
Nah a lot of those services are ripe for abuse… The correct answer is to just use your own… keepass for “offline” on a USB stick type of thing… or host your own vaultwarden.