It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords; use long, randomly generated ones.

It’s free, it’s convenient, it takes a few minutes to set up, and it’s a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.

Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.

  • 𝚝𝚛𝚔@aussie.zone
    1 month ago

    On the plus side, the more people who don’t use password managers the more chance us password manager users will remain not worth the effort.

    It’s kinda like security through obscurity mixed with only having to be faster than the slowest person to outrun a lion.

    • EuroNutellaMan@lemmy.world
      1 month ago

      I disagree. Password managers are still a target of threat actors, a juicy one at that, but it’s not too often you hear of breaches of good password managers. Chances are the people behind the good password managers are better at security than 99% of users (including more technical ones). Even after a breach, exporting all the passwords and moving them to another service, and changing all your passwords again with more secure ones, is trivially easy.

      If everyone used them, sure, there’d be more pressure on said password managers, but hackers will find it a lot more difficult to hack anything in general and it will still not be worthwhile to hack average users who use a password manager.

  • pathief@lemmy.world
    1 month ago

    I’ve been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton’s best service.

    It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.

    Has built-in 2FA and passkeys. Works great in the browser with proper autocomplete, even for the 2FA code. Works fine on Android, and passwords in both the browser and applications get autocomplete.

    Proton Pass can be used by everyone, regardless of their technical level, on every device. My mom could easily use this across all her devices. I’m told KeePass is fantastic, but having it sync across all her devices would be challenging for her.

    Most Proton services feel kinda underbaked but Proton Pass is excellent.

    • Chais@sh.itjust.works
      1 month ago

      I’m a little miffed that 2FA support is a paid feature.
      I’m using KeePassXC and have no intention of switching, plus I’m paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn’t be locked behind a paywall.

      • pathief@lemmy.world
        1 month ago

        I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.

        I am very “passionate” about Proton Pass but don’t take me for a Proton shill, I have a lot of criticism about their other products.

    • alkaliv2@lemmy.world
      1 month ago

      I actually came here to echo this exact sentiment. I was on LastPass until their first breach and then on Bitwarden, both cloud and self-hosted, until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying Proton Pass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can’t see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton’s suite of apps, give Proton Pass a try. You can easily import from LastPass/Bitwarden and use both to compare side by side.

  • greywolf0x1@lemmy.ml
    1 month ago

    If you’re on Linux and you don’t want to use KeePassXC, you can check out Secrets on Flathub; it has, IMO, a better UI/UX.

    • rowdy@lemmy.world
      1 month ago

      The Bitwarden exploit was already patched. And it required a domain-joined PC with Windows Hello active, and the attackers already had access to the DC. Not exactly a large vector. Also, enterprise PCs shouldn’t be using Windows Hello to begin with, IMO. Now if we look at CVEs affecting browser password managers, there are literally exploits for download on GitHub.

    • The Cuuuuube@beehaw.org
      1 month ago

      In-built password managers for browsers are straightforward to crack. Like… Terrifyingly easy. It’s much better to use something like Bitwarden, Vaultwarden if you don’t trust Bitwarden, 1Password if you really want the reassurance of paying someone for trust, or KeePass if you don’t trust anyone at all (I, personally, fit into this category).

      • zeh_ahoi@lemmy.ml
        30 days ago

        Show me an example of the Firefox password manager being “cracked”. I mean, I still sync them into my local Nextcloud. @Dyskolos@lemmy.zip suggests it is cool to have your passwords in a file?!

        Doubt there is a scenario where using MORE services makes anything safer. Well, maybe for Windows users… but that’s a dying species with the Win11 crap.

        So no. Third-party corpos… the worst.

    • Dyskolos@lemmy.zip
      1 month ago

      With KeePassXC YOU have the password file. Period. You know what’s been done with it: nothing, as it doesn’t phone home except for update checks. Which you can also disable.

      With the browser-addon you’ll get the same result but with control.

  • Rubanski@lemm.ee
    1 month ago

    How do I convince my girlfriend to stop using her Safari password manager and migrate to Bitwarden? “Is the password manager in Safari so unsafe that it’s worth the additional effort?” she might ask.

    • morgin@lemm.ee
      1 month ago

      Apple is releasing a more comprehensive password manager in the next few months; if she’s heavily in the Apple ecosystem the switch could be pretty convenient.

      Obviously Bitwarden or KeePass would be great, but this would be a bump up from being stored in a browser.

        • Puttaneska@lemmy.world
          1 month ago

          My understanding is that your GF will be using Apple’s Keychain, which is pretty good except that it’s hard to look inside and manually edit. It’s not just in Safari.

          The upcoming Password app is just a nice user interface to Keychain. So no change to the functionality as such, but I think it’ll make a big difference to how it’s used.

          • unrushed233@lemmings.world
            1 month ago

            it’s hard to look inside and manually edit

            It’s actually pretty easy when you’re on a Mac. They bundle an app called Keychain Access, which lets you look at and edit everything.

    • unrushed233@lemmings.world
      1 month ago

      It’s not that bad, but tell her that she can set Bitwarden as the default option for auto-fill in the settings and everything will get automatically filled in, just like with the normal Safari password manager.

  • T (they/she)@beehaw.org
    1 month ago

    I migrated from Bitwarden to Proton Pass (mostly due to their TOP integrations) and I am enjoying it very much. They are constantly improving it, which is also a plus.

    • MentalEdge@sopuli.xyz
      1 month ago

      Do you mean OTP?

      I self-host vaultwarden, and I have that. I think it’s a paid feature if not self-hosting?

  • AbidanYre@lemmy.world
    1 month ago

    One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,

    To be fair, that is super fucking annoying. I hate when I tell Bitwarden to save my password only to have the site come back with it being too long and only some special characters being allowed.

    • floofloof@lemmy.ca
      1 month ago

      My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.

    • Charger8232@lemmy.ml (OP)
      1 month ago

      Clarification: They reuse the same password (such as “Password”) and whenever they create an account they have to add special characters (like “Password1&” if numbers and #@&%$ were required), and when they log in they forget which special characters were required by that service, meaning they don’t know which special characters to append to their generic password to successfully log in. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.

      But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

      • 14th_cylon@lemm.ee
        1 month ago

        But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

        And the pinnacle of this frustration is “password too long”… Talk about security.

        • Eager Eagle@lemmy.world
          1 month ago

          Which doesn’t make sense as a requirement, as the passwords themselves are not even (supposed to be) stored.

          Limits of 128+ characters? Sure.

          Limits of 30, 20, 18, or 16 as I’ve seen in many places? I suddenly don’t trust your website.

          • ZeDoTelhado@lemmy.world
            1 month ago

            Do you want to know the kicker? There are banks (yes, you heard me right) that straight up don’t allow more than 20 chars. 20!!! And they say you got to use the app for X things because it’s secure and shit (e.g. use the app to 2FA credit card transactions). Meanwhile, they don’t allow you to add a YubiKey for FIDO authentication.
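As an added illustration of the two points raised in this sub-thread (a site that silently truncates the password before storing it, and the fact that a properly hashed password needs no short length cap), the following is example code written for this page, not code from any service or password manager named in the thread; the 16-character limit, the 128-character cap and the sample password are constructed.

```python
import hashlib
import hmac
import os

# Constructed example: contrasts a back end that silently truncates passwords
# before hashing (the behaviour complained about in the thread) with one that
# hashes every character. Not code from any service named in the thread.

TRUNCATE_AT = 16   # hypothetical undocumented limit of the truncating back end
MAX_LEN = 128      # loud, documented cap for the correct back end (DoS guard only)


def _kdf(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; modest cost so the example runs quickly.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register_truncating(password: str) -> tuple[bytes, bytes]:
    """Bad: keeps only the first TRUNCATE_AT characters, then hashes."""
    salt = os.urandom(16)
    return salt, _kdf(password[:TRUNCATE_AT], salt)


def verify_truncating(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, digest = record
    return hmac.compare_digest(_kdf(password[:TRUNCATE_AT], salt), digest)


def register_full(password: str) -> tuple[bytes, bytes]:
    """Good: reject oversized input explicitly, otherwise hash the whole string."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def verify_full(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, digest = record
    return len(password) <= MAX_LEN and hmac.compare_digest(_kdf(password, salt), digest)


def demo() -> dict[str, bool]:
    long_pw = "correct-horse-battery-staple-2024"   # constructed 33-character password
    prefix = long_pw[:TRUNCATE_AT]                  # what the truncating site really stored
    bad = register_truncating(long_pw)
    good = register_full(long_pw)
    return {
        "truncating_accepts_prefix": verify_truncating(prefix, bad),              # True
        "truncating_accepts_any_suffix": verify_truncating(prefix + "ZZZ", bad),  # True
        "full_rejects_prefix": not verify_full(prefix, good),                     # True
        "full_accepts_full": verify_full(long_pw, good),                          # True
    }
```

The truncating variant is the one the thread describes: a user who later types the full password still logs in, but so does anyone who knows only its first 16 characters.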

    • renzev@lemmy.world
      1 month ago

      Marginally better than using discord itself as your password manager (also a true story!)

      • Ilandar@aussie.zone
        1 month ago

        I really want to know what the logic behind their thinking was…or maybe they were just lazy? I don’t know, it’s so weird that they’d get to the point of using a password manager but then still make such a basic error.

  • monobot@lemmy.ml
    1 month ago

    It is truly upsetting to see how complicated password managers are to use.

    I grew up around computers and I can barely manage them. Other people just don’t understand how to use them; it is complicated and inconvenient. Even after I set them up and show them multiple times, friends don’t manage.

    In-browser password managers cover 90%, but I guess websites and apps need to start testing UX for password managers. Some of them introduce stupid flows that break all of them.

    Android is a complete shit show.

    It is not users, but applications and UX that don’t care about security.

      • frezik@midwest.social
        1 month ago

        Sorta. I find it doesn’t always pop up Bitwarden to select an autofill. Then I unlock it manually, and sometimes it then gives me the button for autofill. Sometimes not, and I have to manually copy and paste.

        And sometimes there’s a broken-ass app that blocks you from pasting passwords. People need to be fired for this.

        Same thing happened to me on LastPass, so I’m pretty sure it’s an Android issue.

    • ray@lemmy.ml
      1 month ago

      What’s wrong with Android? I have Bitwarden set up and basically any time I tap a password field it offers to fill in from my vault.

  • wuphysics87@lemmy.ml
    1 month ago

    My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter one faster than typing. Gone are the days of fat fingers.

    But I get where people have an issue. It’s one point of failure vs. many, but they don’t realize it’s easier to secure the one well than it is to not spread the same vulnerability everywhere.

    • icedcoffee@lemm.ee
      1 month ago

      Honestly, as someone who has helped family members set up a password manager, one person felt this way and the rest are just not tech savvy. All the simple, straightforward stuff took ages because they had never done it before.

  • Caveman@lemmy.world
    1 month ago

    I use a password pattern. I have hundreds of passwords all stored in my head and all between 10 and 20 characters long.

    • hatter@lemmy.world
      1 month ago

      Wait, are you saying that with the example you provided your password for Lemmy would be catlemmy-Dog5? Because that’s a terrible system.

      • Caveman@lemmy.world
        1 month ago

        Maybe it’s not for you then. It’s been working pretty well for me and my passwords aren’t saved anywhere but locally in the browser.

        • kettle@lemm.ee
          1 month ago

          It’s better than reusing the same password, but not by much. If one of your passwords gets compromised, an attacker can easily guess to try to just replace “gmail” with whatever service they’re attempting to log into as you, and give it a shot.

          • Caveman@lemmy.world
            1 month ago

            That’s assuming that a human will ever see it. People cracking passwords either have all of them and then use an automated tool, or hack a person specifically by decrypting a password hash, which will take an immense amount of time and electricity.

            Still since that’s a concern I can modify the formula. By splitting gmail into g and mail and sticking g at the front.

            gcatmail-Dog5

            • frezik@midwest.social
              1 month ago

              Not how it works.

              First of all, there are far too many companies out there still storing passwords in plaintext.

              Second of all, even with a good hash algorithm, hacking a specific person’s password out of a leaked database is still feasible when your passwords are variants of a couple of dictionary words with a few numbers and symbols attached.

              Creating fully randomized, unique passwords in a password manager really is the best way. Even an older hash method of storage on the web site’s part will likely protect it.

  • ColeSloth@discuss.tchncs.de
    1 month ago

    But I wanna tell people my master password to my pw manager. It’s such a fantastic password that no one could ever possibly guess I would have. I wanna gloat.

  • mkhopper@lemmy.world
    1 month ago

    I used to use a plain text system, “encoded” in such a way that only I knew what the actual password was, and I kept it on Google Keep.
    But that got harder and harder to manage, coupled with the fact that, if I were to get run over by a bus, no one else would be able to access my accounts.

    Now I’ve been using Dashlane for a few years. Not just for passwords, but secure notes as well.

    Works seamlessly on all of my devices and zero complaints.