this post was submitted on 14 Aug 2024

598 points (96.3% liked)

Privacy

34089 readers

181 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

[email protected]

598

Use a password manager (lemmy.ml)

submitted 6 months ago by [email protected] to c/[email protected]

337 comments fedilink hide all child comments

It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can't remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn't tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don't just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They're not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser's password storage is better than nothing. Don't reuse passwords, use long randomly generated ones.

It's free, it's convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I'm preaching to the choir, but if even one of you decides to use a password manager after this then it's an easy win.

Please, don't wait. If you aren't using a password manager right now, take a few minutes. You'll thank yourself later.

(page 5) 50 comments

sorted by: hot top controversial new old

[–] [email protected] -2 points 6 months ago (3 children)

just. write it down? in a notebook? keepassxc is rly good if you dont want to do that though

load more comments (3 replies)

[–] [email protected] 6 points 6 months ago (1 children)

Is ProtonPass okay?

load more comments (1 replies)

[–] [email protected] 4 points 6 months ago (2 children)

If you're on Linux and you don't want to use KeepassXC, you can check out Secrets on Flathub, it has imo a better UI/UX

load more comments (2 replies)

[–] [email protected] 0 points 6 months ago (6 children)

i dont understand this post. like every browser has a password manager, why install some 3rd party you can even trust less?! am i missing something? doesnt safari have a password manager? is keepasscx really safe (CVE-2023-32784)? or bitwarden (https://blog.redteam-pentesting.de/2024/bitwarden-heist/)?

[–] [email protected] 7 points 6 months ago* (last edited 6 months ago)

With keepasscx YOU have the password-file. Period. You know what's been done with it: Nothing, as it doesn't phone home except update-checks. Which you can also disable.

With the browser-addon you'll get the same result but with control.

[–] [email protected] 5 points 6 months ago

Bitwarden exploit was already patched. And required a domain joined PC with Windows Hello active, and the attackers already had access to the DC. Not exactly a large vector. Also enterprise PCs shouldn’t be using windows hello to begin with, IMO. Now if we look at CVEs affecting browser password managers, there are literally exploits for download on GitHub.

load more comments (4 replies)

[–] [email protected] 7 points 6 months ago (2 children)

How do I convince my girlfriend to stop using her safari password manager and migrate it to bitwarden? Is the password manager in Safari so unsafe that it's worth the additional effort she might ask.

[–] [email protected] 12 points 6 months ago (1 children)

Apple is releasing a more comprehensive password manager in the next few months, if she’s heavily in the apple ecosystem the switch could be pretty convenient

Obviously bitwarden or keepass would be great but this would be a bump up from being stored in a browser

[–] [email protected] 2 points 6 months ago (3 children)

Thanks for the update! I will keep an eye out

load more comments (3 replies)

load more comments (1 replies)

[–] [email protected] 8 points 6 months ago (9 children)

Quick question - what are your opinions on using Firefox's inbuilt password manager? I've installed Bitwarden as an extension, but I find Firefox to be more convenient.

I mostly use FF on Linux, Windows, and Android and have no issues with using FF cross platforms.

[–] [email protected] 4 points 6 months ago (2 children)

Don't. It's not in your hand is the simple reason.

My advice is keepassxc. Got a ff-addon that does basically the same. But you have your password-file under your control. And do backups!

load more comments (2 replies)

[–] [email protected] 4 points 6 months ago (2 children)

While it's so convenient, anyone gaining access to your browser while your laptop is open can gain access to everything. Bitwarden usually add an extra step to unlock it (which you could disable if you want) when you want to use the extension. By the way, it has an extension for Firefox, so just hitting Ctrl + Shift + L it auto-fills the login/password fields of your login page just like firefox would. But with the extra step that gaining access to the browser doesn't straight away unlock all your passwords for anyone to see.

load more comments (2 replies)

[–] [email protected] 4 points 6 months ago (1 children)

I'm in the same boat. FF is just too damn convenient

load more comments (1 replies)

load more comments (6 replies)

[–] [email protected] 2 points 6 months ago (1 children)

And also set-up SSO/LDAP in your homelab if you run one so you don't have 3000 loose outdated account entries for IPs like 192.168.10.5 user: admin password:*****

load more comments (1 replies)

[–] [email protected] 7 points 6 months ago (7 children)

Is there manager than create password based on masterpassword and domain/username? Do not want to lose all password just because drive dies. Do NOT want to use cloud anywhere.

[–] [email protected] 3 points 6 months ago (1 children)

There's a few. LessPass is one that has been going a few years.

[–] [email protected] 2 points 6 months ago (2 children)

LessPass and similar software has some problems. Things like you can't simply change your master password, you must then recompute and change every site. It's also not strictly stateless, since you need to know which password iteration you're on and the user name. Full fledged password managers also typically provide other secret management features, like API keys, SSH keys, credit/debit cards, and identity cards.

[–] [email protected] 4 points 6 months ago

That's true. But they do give you easy, portable, site specific passwords. No apps or database syncing required.

If you just want to log in to Lemmy on a work computer at lunch it seems a good option to me.

load more comments (1 replies)

[–] [email protected] 8 points 6 months ago (2 children)

backups backups backups.

keep a copy on your computer, your phone, and every spare drive u have in the house. ask a friend to store the file at their place.

also, whats wrong with a cloud provider, if the file is encrypted ?

[–] [email protected] -1 points 6 months ago (5 children)

Encryption won't last forever. The moment Quantum-computing will be a thing, all current encryption will be pointless. Depends on your level of paranoia and planning for the future 😁

load more comments (5 replies)

load more comments (1 replies)

load more comments (5 replies)

[–] [email protected] 0 points 6 months ago* (last edited 6 months ago) (1 children)

Unless you really really need portability between devices, paying for an online password manager is idiotic in my view, you're generally just waiting for someone to hack it (which happens all the time).

I use firefox's local, inbuilt manager and that's everything I need.

[–] [email protected] 7 points 6 months ago (1 children)

Wild ass comment.

Unless you really really need portability between devices

Who doesn't??? What do you do, copy 20-char randomly generated passwords manually all the time? That's the whole point of password managers...

I use firefox's local, inbuilt manager

Browsers are NOT a secure storage for sensitive data, if you want a local password manager at least please use KeePassXC.

load more comments (1 replies)

load more comments