oatmilkmaid,

Bitwarden all day every day. I don’t even know any of my passwords because they’re all randomly generated. Try to guess my password now hacker man

beta_tester,

Bitwarden didn’t work perfectly fine for me. Proton pass does.

Monologue,

yup randomly generated 20+ digit passwords are the way to go

Zectivi,

Same, just gotta watch out for sites that don’t support it and don’t tell you that they don’t. I got into a password reset loop with a site once, until I realized it was truncating my 20 character password to their supported max of 16. They never said the max was 16, and never gave an error that 20 wasn’t allowed. Just simply an asshole design. I probably could check bitwarden for whatever password I changed the most and see if it’s still an issue with the site.
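The failure mode in the post above, modelled as an added example (this is not code from the thread or from any site mentioned in it): one code path silently cuts the password to an undocumented maximum before hashing while the other path hashes the full input, so a saved 20 character password never logs in again. The 16 character limit, the PBKDF2 work factor and the sample password are all assumptions made for the demo.

```python
# Added example, not code from the thread or from any site named in it.
# It models the failure Zectivi describes: one code path silently cuts a
# password to an undocumented maximum while the other path does not.
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor, chosen for the demo
MAX_LEN = 16           # assumed, undocumented server-side limit


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class TruncatingSite:
    """Broken site: registration truncates to MAX_LEN (think of a
    VARCHAR(16) column or a maxlength on the signup form) before hashing,
    while login hashes exactly what the user typed."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        stored = password[:MAX_LEN]          # silent truncation, no error
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(stored, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return hmac.compare_digest(_derive(password, salt), digest)


class ValidatingSite(TruncatingSite):
    """Same storage, but the limit is enforced on both paths and reported
    to the user instead of being applied silently."""

    @staticmethod
    def _check(password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")

    def register(self, user: str, password: str) -> None:
        self._check(password)
        super().register(user, password)

    def login(self, user: str, password: str) -> bool:
        self._check(password)
        return super().login(user, password)


GENERATED = "Kq7#vZ2pL9mX4nR8wB3t"   # 20-char password, constructed for the demo


def reproduce_reset_loop() -> dict:
    """Register the 20-char password, then log in with it and with its
    first 16 characters. The second attempt doubles as the diagnostic:
    if the truncated form logs in, the site is cutting your password."""
    site = TruncatingSite()
    site.register("alice", GENERATED)
    return {
        "full_password_works": site.login("alice", GENERATED),
        "first_16_chars_work": site.login("alice", GENERATED[:MAX_LEN]),
    }


def validated_register(password: str) -> str:
    """How the validating site answers the same registration attempt."""
    try:
        ValidatingSite().register("alice", password)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    print(reproduce_reset_loop())
    print(validated_register(GENERATED))
```

The second login attempt is also the practical check against a real site: if logging in with only the first N characters of your generated password succeeds, the site is truncating at N, and the fix on your side is to regenerate a password of that length rather than keep resetting.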

actually_a_tomato,

That sounds infuriating

Trexman,

My old bank limited passwords to 12 characters. Unbelievable.

butternuts,

I consider this lazy programming. I’ve had it happen a few times but luckily it has been rare for me.

desorientado,

+1 to Bitwarden. I can’t live without it anymore

aeharding,

Bitwarden is great, no excuse to stick with LastPass these days

SendMePhotos,

It’s probably… Um… 8#shJo9$f ?

CaptFeather,

I use Bitwarden!! It’s great cause I have a long complicated password to access the vault (my phone will do it by fingerprint though) but it’s the only password I need to actually memorize. Don’t know how someone can be secure without one nowadays, way too many services

knowncarbage,

Think I’m still on keepassxc but looking to change. Bitwarden is looking good.

Do you selfhost?

oatmilkmaid,

I used to, and it was a fairly easy process. I eventually just decided to use Bitwarden’s own servers because I didn’t trust myself to not lose all my passwords while self hosting

ModdedPhones,

I use keepass synced with internxt. Works so-so, but internxt will hopefully improve

TenSlot85,

Check out Syncthing. It works pretty painlessly.

ModdedPhones,

Thanks, completely forgot about it, used it a few years back and had some issues. Seems to work great now :)

Species8472,

Bitwarden, all the way.

aslaii,

+1 for bitwarden. The only problem I encountered was all of my logins are saved to the login folder. Now I have 100+ saved passwords in a single folder and have to scroll or search through this mess. But I think that’s on me.

Would be better if the app has a “add to new folder” prior to saving passwords.

Cascadia,

You definitely have the option to choose the folder when saving a new password.

BrikoX,

What are your thoughts on password managers?

They are mandatory in current digital age.

Do you use one?

Yes. Bitwarden.

Would you recommend it to others?

Already do and most are receptive to it once you show them that every single one of them were caught up in a breach at some point.

Asafum,

But what about Bitwarden? What you say about the breach is exactly what I’m worried about when having ONE source that has EVERY password. At least now I have different passwords for different sites so only one can be affected, it’s just a pain in the ass to have to go look them up. I save a portion of my passwords with cryptic messages that only I understand.

I can’t think of anything that hasn’t been hacked, I feel like it’s just a matter of time before these password sites are too if they haven’t already. :/

deong,

A good password manager will be encrypted on device using your master password and only the encrypted data ever synced anywhere. So if Bitwarden gets hacked, and the worst case scenario happens, that means an attacker makes off with the complete contents of your vault. But all they have is an encrypted file. To decrypt it, they need your master password. Bitwarden doesn’t have the keys to lose – they only have the lock, and only you have the key. So an attacker would need to compromise Bitwarden (the company) to get access to the vault, and then separately, compromise you personally to get your master password (the key).

Alternately, they could try to brute-force the master password offline. If you think you could guess a user’s password if you tried 100,000,000,000 guesses, and each guess took you 1 nanosecond, you could guess all hundred billion in a little under two minutes. Bitwarden uses techniques to make it intentionally very slow (slow if you’re a CPU at least) to generate the hashes needed to compare a password. If it takes you 100,000 nanoseconds per guess instead, then instead of two minutes, it takes almost 4 months. Those numbers are completely made up, by the way, but that’s the general principle. Bitwarden can’t leak your actual passwords directly, because they never get them from you. They only get the encrypted data. And if an attacker gets the encrypted data, it will take them quite a bit of time to brute force things (if they even could – a sufficiently good master password is effectively impossible to brute force at all). And that’s time you can use to change your important passwords like your email and banking passwords.

One important realization for people to have is that none of us get to choose perfection here. You don’t only have to worry about Bitwarden getting hacked. You also have to worry about you forgetting them. You have to worry about someone figuring out your “cryptic messages that only I understand” scheme. Security is generally about weighing risks, convenience, and impact and choosing a balance that works best for you. And for most people, the answer should be a password manager. The risks are pretty small and mitigation is pretty easy (changing your passwords out of caution if the password manager is breached), and the convenience is high. And because it’s, as you put it, “a pain in the ass” to manage good unique passwords yourself, virtually no one actually does it. Maybe they have one or two good passwords, and rest are awful.
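The slow-hash principle in the post above, as an added example (not Bitwarden’s code): the master password is stretched with a deliberately expensive key derivation function before it is ever used as a key, so every offline guess against a stolen vault costs the attacker the same stretching work. The example uses PBKDF2-HMAC-SHA256 from Python’s standard library; Bitwarden’s own default is PBKDF2-SHA256 with a six-figure iteration count, with Argon2id as an option, but the iteration counts, salt and guess budget here are chosen for the demo, and the figures reproduce the arithmetic in the post rather than any measured attack.

```python
# Added example, not Bitwarden's code. It shows the principle deong
# describes: stretching the master password with a deliberately slow
# key derivation function (PBKDF2-HMAC-SHA256 here, from the standard
# library) and what that does to an offline guessing budget.
import hashlib
import time


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key. Only ciphertext
    produced under this key, plus the salt, would ever be synced."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_to_try(guesses: int, ns_per_guess: float) -> float:
    """The post's arithmetic: wall-clock time for a fixed guess budget."""
    return guesses * ns_per_guess / 1e9


def cost_per_guess_ns(iterations: int, samples: int = 3) -> int:
    """Best-of-N timing of one candidate guess at a given work factor."""
    salt = b"\x00" * 16                      # constructed, fixed for timing
    best = None
    for _ in range(samples):
        t0 = time.perf_counter_ns()
        derive_key("not-the-master-password", salt, iterations)
        elapsed = time.perf_counter_ns() - t0
        best = elapsed if best is None else min(best, elapsed)
    return max(best, 1)                      # never report zero (timer granularity)


def slowdown_factor(fast_iterations: int = 1, slow_iterations: int = 100_000) -> float:
    """How much more each guess costs once the KDF is tuned up."""
    return cost_per_guess_ns(slow_iterations) / cost_per_guess_ns(fast_iterations)


if __name__ == "__main__":
    budget = 100_000_000_000                 # the 1e11 guesses from the post
    print("at 1 ns/guess:      %.0f s" % seconds_to_try(budget, 1))
    print("at 100000 ns/guess: %.0f s" % seconds_to_try(budget, 100_000))
    print("measured slowdown x%.0f" % slowdown_factor())
```

The 1 ns and 100,000 ns figures give 100 seconds and 10,000,000 seconds (about 116 days) for the same hundred billion guesses, which is the two-minutes-versus-four-months contrast the post draws. The measured ratio between one iteration and 100,000 is what the attacker pays per guess; raising the iteration count raises it linearly, and a vault leak without the master password leaves the attacker only this path.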

zahel,

The way that Bitwarden stores your data, it is encrypted as a blob on AWS. If anyone compromises Bitwarden’s infrastructure, they can’t do anything because even Bitwarden doesn’t have the keys to decrypt your vault.

Your vault can only be decrypted with your master password, and decryption happens locally, on device. No decrypted information is sent over the internet.

As far as someone gaining access to your master password and thus all other passwords stored in the password manager, that is why 2 factor authentication exists.

I could give you my Bitwarden master password right now, but that won’t help if you don’t also have my 2fa code.

And that’s just talking about using the hosted version of Bitwarden.

If you self host, you don’t even have to have the app available to the public internet, and can access it purely through a vpn to your LAN.

Then the attacker would not only need to have access to your local network, but also know your master password, and have access to your 2fa.

If they know that much about you, you have larger concerns.

So in short, your concern is mostly addressed and not really a concern if you utilize the features provided, such as 2fa

RealFknNito,

KeePassXC here. Locally encrypted, locally stored, cloud backup of an encrypted file, synced with SyncThing to mobile devices. I will never trust nor recommend a cloud based manager with all the breaches.

FarLine99,

Oh yeah, someone, finally :D KeepassXC on PC, KeepassDX on Android, Syncthing for synchronization. I like when my password is just one file, that I can easily backup, not some cloud thing 🙂

Decoy321,

This is the way.

innkeeper,

This is the way.

thurstylark,

Yeah, KeePassXC + SyncThing all day every day. Can’t in good conscience trust someone else with my sensitive data, even if I encrypt it before it gets to their servers. My database is keys-to-the-kingdom level shit.

ckrius,

Same! I’ve got a script that runs weekly to back mine up in 5 different places including a Syncthing folder. No surprises, no losses, and no need to trust anyone else ever with my entire password db.

dandelion,

I had to scroll too far to find KeePassXC + syncthing recommended; with syncthing, I see no reason to sacrifice security by using a cloud solution.

art,

Everyone should be using a password manager. Every service should have a different password (and some service should have several passwords) and it’s impossible for the average person to keep track of all of those. Every time I hear about someone losing control of an account it’s because they were using the same password as another service.

I recommend:

  • KeePassDX: Can be completely offline. Probably the most secure but can be a little awkward to use sometimes.
  • Bitwarden: Cloud based but open source. You could run a server but the main service offers MOST of the features for free.

Your mileage may vary with some of the proprietary platforms. However my job uses 1Password and it seems to be fairly safe.

agentnz,

I use Bitwarden. Used to use LastPass, but that got crappy a while back.

Robboman93,

Bitwarden is really great imo.

Slynk,

Bitwarden is the best! I actually started with one of the more popular ones, Dashlane, and the thing I found most annoying about it was the boxes and stuff that would always pop up anytime I clicked on a text field. Bitwarden never puts a box in the middle of the screen.

It’s free, open source, use it on your phone, mac, PC, browser extension for Firefox. It’s the best.

charles,

Huge fan of Bitwarden as well.

I love that you can assign a shortcut for autofill. I found the automatic autofill a bit too trigger happy and the shortcut solves that since it’ll only autofill when I know there’s actually a username/password box on the page. It also works perfectly with websites that ask for the username and password at separate times (google, Microsoft, etc).

kalipike,

A password manager is an absolute must, in my opinion! I use Bitwarden and love it.

adoah,

Bitwarden all day, every day. Awesome stuff.

xengi,

Not using a password manager (be it digital or simply a paper notebook) is just asking for a breach or getting hacked.

No one can remember the amount and complexity of passwords that are needed to live a secure digital life.

Every service/account you register for years now and couldn’t live without it. I’ve set up a paper notebook for my mother and that works too.

But reusing passwords or using too short or insecure passwords is the number one reason why people get hacked or stuff gets leaked and stolen.

As a side note: a secure password doesn’t have to include weird characters. Just make it long. Everything with 32 letters and numbers or longer will be super secure for a while. And because your password manager takes care of it, you don’t even notice.
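The “just make it long” claim above put into numbers, as an added example that is not part of the thread: a generator built on Python’s `secrets` module, and the entropy of a uniformly random password as a function of its length and alphabet. It also covers the 12 character bank limit mentioned earlier in the thread. The 62 and 94 symbol alphabets come from `string`; the 10^12 guesses per second rate used for the time estimate is an assumption standing in for a fast unsalted-hash cracking rig, not a figure from the thread.

```python
# Added example, not from the thread: a generator built on the secrets
# module, and the entropy arithmetic behind "just make it long".
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits     # 62 symbols
PRINTABLE = ALNUM + string.punctuation           # 94 symbols


def generate(length: int, alphabet: str = ALNUM) -> str:
    """Uniform random password; secrets, not random, for anything secret."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to search the whole space at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_shapes() -> dict:
    """Entropy of the password shapes discussed in the thread, rounded."""
    shapes = {
        "12 alnum (old bank limit)": (12, len(ALNUM)),
        "16 alnum (truncating site)": (16, len(ALNUM)),
        "20 printable": (20, len(PRINTABLE)),
        "32 alnum": (32, len(ALNUM)),
    }
    return {name: round(entropy_bits(n, a), 1) for name, (n, a) in shapes.items()}


if __name__ == "__main__":
    rate = 1e12        # assumed guesses/s for a fast unsalted hash, not from the thread
    for name, bits in compare_shapes().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
    print("sample:", generate(32))
```

Thirty-two characters from a 62 symbol alphabet is about 190 bits, well above 20 printable characters from a 94 symbol alphabet (about 131 bits); adding punctuation buys less than a bit per character, while each extra alphanumeric character adds almost six. Either is far beyond any realistic offline budget; the 12 character alphanumeric limit (about 71 bits) is the only shape on the list that a determined attacker with a fast hash could plausibly exhaust.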

jzefbeio54,

KeePass is the perfect tool for me! The cybersecurity practice at work also uses it.

DogMom,

I’m in the Bitwarden camp. There is no other way for me to have complex/secure passwords and remember them for my gazillion accounts.

sixfold,

Use KeePass!! It’s an opensource, offline if you’d like, password manager that doesn’t trust any third party servers to manage your sensitive information. keepass.info

PapaTorque,

Yep. I’ll second this. I’ve used it for years and across many laptop changes, phone changes, etc. It’s painless but you’re also responsible for not losing everything.

bunkbed,

Password manager-less life with notebooks and reused passwords is life in the stone age. If you or anyone you know isn’t using one, get on bitwarden.

Everyone knows why password managers are absolutely essential, but here’s an often neglected perk: I can list every site I ever signed up to. Wanna delete some old accounts? “Did you sign up to X yet?” Simples.
