It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords; use long, randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and it’s a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
Why preach to this choir? I get you, but we also get it.
I migrated to Bitwarden from Firefox a few months ago and I regret it as it’s slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
I agree, but I just know that someday Mozilla is going to go down and I’m gonna lose my passwords and I won’t even be able to get into my email to reset them.
You can (and probably should) backup your passwords. Same goes for any hosted solution.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.
You can also test it by logging in to a new computer and getting all your passwords there too
How is it more inconvenient and slower?
The only reason should be that it needs to decrypt the vault upon login which (depending on the iterations of the encryption and the processing speed of the system) can take a second more. Until then it’s equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.
On Android, there’s a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I’m not going to switch from Firefox anytime soon but it’s super easy to export passwords and the Firefox password manager works for any apps on Android.
How do you log in to apps on your phone? Go to the computer and open Firefox? Bitwarden on the phone integrates into the apps directly.
Same as Firefox. You go to your Android settings and set Firefox as the password manager. No need to go to the computer.
Ah interesting. I didn’t know that was possible!
I’d be open to using a pw manager, then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other is, various issues, etc. It doesn’t make me feel like taking action if everything feels sketchy.
I just tried the free option (bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for the Proton Pass since Authy has fucked off a cliff.
What happened with Authy? (As someone who uses it)
I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We have been using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.
And also set up SSO/LDAP in your homelab if you run one so you don’t have 3000 loose outdated account entries for IPs like 192.168.10.5 user: admin password:*****
Been using Bitwarden for a couple years now…
No regrets
I have been using password managers for a long time. First LastPass, until I switched to GNU/Linux and discovered KeePass and then KeePassXC… For me they are indispensable. That’s the one I used until about 1 year ago when I started having problems with the Firefox addon. It did not recognize the pages. I tried ProtonPass and I like it, but I don’t like having them online, no matter how secure the site is. I’ve tried going back to KeePassXC, locally, but the file I export from ProtonPass won’t load in KeePassXC. I feel stuck.
Translated with DeepL.com (free version)
I’ve tried going back to KeepassXC, locally, but the file I export from ProtonPass won’t load in KeepassXC. I feel stuck.
Open a bug report in KeePassXC’s repository, maybe it’s a bug in their code. Or they’ll tell you that the bug is in Proton Pass, and you can report it there too so that they know about it and can fix it. Maybe the KeePassXC team can give you a workaround too.
My English is very poor for technical explanations… I searched the issue in KeePassXC’s GitHub but I didn’t find a similar solution.
Proton Pass is a pretty new service, maybe there haven’t been many users yet who have moved to KeePassXC from it. I would say give it a try, it’s not that bad.
Something else you could try is:
a) check the Bitwarden repo if anyone had a similar problem as you. If so, it’s more likely that it’s a Proton Pass problem, and maybe they have some tips.
b) import your Proton Pass export to another password manager (Bitwarden, original KeePass), export it from there, and try to import this in KeePassXC. Though this might have a higher chance of losing some information, in the sense of metadata. If you go this way, don’t forget to make a fresh export of your Proton Pass account, in case you have changed something there in the meantime.
Did you export ProtonPass to CSV?
Whatever solution you think you can come up with is most likely not secure.
Having my passwords written down on a piece of paper is not safe?
Maybe it’s secure but not safe. You won’t know if you have mistaken a character until it’s too late, or when you have written it ambiguously but you still remember it and don’t notice.
Sorry for the bother, but I get a little annoyed when people try to argue semantic difference in synonyms. What do you think is the difference between secure and safe?
Security and safety are not synonymous, they have a different meaning.
Security is that your password is stored in a way that it cannot be accessed by those you don’t want. Safety means that you won’t lose access to it and that it remains usable.
The distinction may be clearer with another example.
A factory is secure if only the employees can enter, and it is safe if it does not fall apart and the machines in it don’t kill the employees.
Maybe it can be generalized so that security is for the access, safety is for the mistakes and the disasters.
No. Anyone near you or with access to your place can see it. And most people know of the tricks.
Also you can’t encrypt it and most of all you can’t really generate as strong passwords as those generated by password managers, meaning I don’t even need the paper to try and crack your password
you can’t encrypt it
My friend, you will be surprised that encryption is something that not only the magical internet machine can do.
My dad somehow believes that password managers are very insecure (he got that from some sort of ‘reputable source’, so me telling him Bitwarden is secure doesn’t help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.
I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.
Well yeah I guess that’s true
Only until he gets a keylogger on his computer
He’s doing something right.
You can’t hack a paper note over the internet. You can’t grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.
At least reputable companies do 3rd party audits and I have yet to hear about Bitwarden getting pwned.
One of the only possibilities is them and their infrastructure getting ransomed.
I have yet to hear about Bitwarden getting pwned
Honestly this is the part that scares me the most. Well maybe it’s the fact we have multiple plausible scenarios… What happens when you get locked out of Bitwarden? I imagine the 256 randomized salted hash passwords will be hard to call, some companies will likely be able to restore your password via phone support. During that time, informed attackers will potentially have the master keys to your entire life. Fighting AI chatbots trying to recall security questions. During that time your phone and Internet service could be shut off, secondary emails changed and validated, money transferred out of bank accounts, stocks and crypto sold. Crowdstrike was a valuable security company.
It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans
My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.
Is your dad Ron Swanson? /j
Absolutely this. Been using KeePassDX for years and it’s made my life so much easier. I am waiting for it to support passkeys so I can start using them where possible.
I’ve been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton’s best service.
It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.
Has a built-in 2FA and passkeys. Works great in the browser with proper auto complete, even for the 2FA code. Works fine on Android and password in both browser and applications get autocomplete.
Proton Pass can be used by everyone, regardless of their technical level, in every device. My mom could easily use this across all her devices. I’m told Keepass is fantastic but having it sync across all her devices would be challenging for her.
Most Proton services feel kinda underbaked but Proton Pass is excellent.
If that wasn’t a scripted ad, you should go into sales.
I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.
I am very “passionate” about Proton Pass but don’t take me for a Proton shill, I have a lot of criticism about their other products.
I actually came here to echo this exact sentiment. I was on LastPass until their first breach and then on Bitwarden both cloud and self-hosted until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying ProtonPass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can’t see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton’s suite of apps give ProtonPass a try. You can easily import from LastPass/Bitwarden and use both to compare side by side.
I’m a little miffed that 2FA support is a paid feature.
I’m using KeePassXC and have no intention of switching, plus I’m paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn’t be locked behind a paywall.
KeepassXC ++ Yubikey ++ STRONG password changed every 7 days.
This solution is compatible with virtually all platforms & browsers
Changing passwords is almost always completely useless, and requiring it dramatically weakens security.
What’s the logic behind this statement? I would’ve thought that if a website’s logins and passwords were somehow leaked, the more often I change my password, the less likely it is for the leaked password to still be usable by bad guys based on the shorter time horizon.
Leaked how? No good practice allows any way for a password to “leak”.
What rotating passwords does is ensure people who don’t use a password manager either write their password down more and more frequently, or use a weaker password with some simple changing pattern that doesn’t add anything.
I have a password manager with a family plan so my wife can use it. Does she? Absolutely not. And that’s why we don’t share bank accounts.
Same and she has the balls to ask me for passwords!
Same here. Kinda feels good to know I am not alone with this, though.
In my experience preaching this same thing to many users at work and just personal friends, they won’t change their ways. Because “omg not another password to remember” and “that’s too much work to login just to get a password”.
I’ve just stopped trying to educate people at this point. That’s on them when their info gets leaked or accounts drained.
People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.
Yup, they couldn’t care less about any 2FA. But then they get the surprised Pikachu face when they get breached after being phished lol.
Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don’t need to use my phone.
What’s that and how can I use it to get rid of 2FA?
Instead of opening Google authenticator or Authy or whatever your preferred 2FA is, you can take photos of the QR codes in Bitwarden mobile to store the TOTP codes in it, and then Bitwarden puts them on your clipboard to paste into websites
You might have just inadvertently sold me on Bitwarden.
Does it work with 3rd party sort of authentication apps? Like when 2FA is inside the manufacturer app?
It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.
How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.
That kinda defeats the purpose of 2fa though, if you use bitwarden for both
I am fighting this with people at work.
No, it is not “one more password to remember”
You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.
I even generated a sample password from bitwarden and drew them a picture of how to remember it lol
Still about 10% of people forgot their password in the first 2 months.
I don’t recommend Bitwarden. I used them in a corporate environment and they lost all of our company’s credentials. It was a huge hit that cost tens of thousands worth of man-hours to overcome. Their response was to shrug and say sorry. We were paying a premium for their services, too, and have moved onto LastPass.
Why weren’t any backups created?
Idk, not my department.
LastPass? the one that leaked people’s private notes that were not encrypted?
Second the backup question by u/@Charger8232@lemmy.ml
Right lol
I get people hating on bitwarden being hosted by 3p but let’s be real it provides a lot more benefit then risk to any normie.
If you are such a big dick security/privacy daddy, then self-host… but most people just need a useful service. Bitwarden is free for all the needs a normie would ever come with, and the pro version is like 10 bucks a year.
90% chance it was some kind of user error.
@Charger8232 I have been using Vaultwarden (unofficial Bitwarden-compatible server written in Rust) self-hosted for a few years now, and I have to say I’m very happy with it. I also use the backup strategy, on some media (USB stick and SSD) encrypted with VeraCrypt.