Password managers

"On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."

 
I'm starting to notice more services rolling out passkeys. Bitwarden just recently updated both their US and EU servers to support it, and according to their X account the clients should be updated within a couple of days.

I'm still a bit confused with passkeys: are they meant to replace both passwords and 2FA?
 
> I'm starting to notice more services rolling out passkeys. Bitwarden just recently updated both their US and EU servers to support it, and according to their X account the clients should be updated within a couple of days.
>
> I'm still a bit confused with passkeys: are they meant to replace both passwords and 2FA?

Yes.

Think of 2FA as a "backup" to your password. Even if the password is compromised, the 2FA keeps people out.

Passkeys do away with the weakness of a password, as they are end-to-end encrypted from your device to the service.
 
I've been considering getting a password manager but it just seems like a matter of time before whichever service I chose gets compromised.
Hah, yes, I had used LastPass and another for a while until a couple of years ago, when they started getting hacked and encrypted passwords leaked.

I've been using Google/Chrome to save passwords plus MFA for more important accounts, plus I use a Pixel phone so it makes sense for me. If Google is ever hacked the whole world is screwed.

Just remember to transfer the MFA accounts correctly when transferring to a new phone.
 
I'm liking passkeys very much. Started using YubiKeys last October and have them set up as passkeys for accounts that support it. Can't wait for Bitwarden to have full support for it.
 
> I've been considering getting a password manager but it just seems like a matter of time before whichever service I chose gets compromised.

Proton's security model is a bit more secure than other password managers.

Every item in a vault is individually encrypted. (including metadata)
Each vault is individually encrypted.
And then your account itself is secured using bcrypt, end-to-end encryption, TOTP if you have it enabled, and argon2id and passkeys coming soon.

The top item is the most important, as even if Proton is compromised, hackers won't be able to see "Online banking login" or "My 2 million bitcoin seed phrase". It will just be hashed information.

> I'm liking passkeys very much. Started using YubiKeys last October and have them set up as passkeys for accounts that support it. Can't wait for Bitwarden to have full support for it.


Last time I checked yubikeys had a limited number of passkeys they can support, as well as no ability to create backups? Has that changed?
 
Didn't know about the passkey limit, but I have not encountered it yet. So far I've enrolled only a handful of passkeys.

For backup, I have a separate YubiKey that is also registered as a passkey. No cloning feature though, so I had to register the two keys.
 
So far so good with Proton Pass and importing from Bitwarden; a few websites where it's not detecting the login form to autofill (i.e. no icon appearing) that Bitwarden does detect and fill.
 
Anyone else been creating passkeys? I used Watchtower in 1Password to find all the supported logins and create passkeys for each. It always seems to fall back to the password login though; shouldn't all the sites and apps provide an option to actually delete the password, leaving only the passkey for login?
 
> Anyone else been creating passkeys? I used Watchtower in 1Password to find all the supported logins and create passkeys for each. It always seems to fall back to the password login though; shouldn't all the sites and apps provide an option to actually delete the password, leaving only the passkey for login?
Very few support true passwordless (is that even a word?), Microsoft do it and I think Google do.
 
Be careful, as some sites apparently disabled 2FA when you enable passkeys, namely GitHub. Not sure if they fixed this yet.

I've avoided them for the time being, I should probably experiment with one or two sites though.
 
lol, just used the exposed passwords report tool in Bitwarden and I had the password "admin" for something local I was testing, exposed nearly 2M times :eek: :D

 
> Anyone else been creating passkeys? I used Watchtower in 1Password to find all the supported logins and create passkeys for each. It always seems to fall back to the password login though; shouldn't all the sites and apps provide an option to actually delete the password, leaving only the passkey for login?

I use passkeys everywhere they're available. They're much better security-wise (cryptographic single-use certificate-based pubkey auth), and they're painless for the user. I generally set up two passkeys per service to be safe, one in Vaultwarden (self-hosted Bitwarden) and one on my iCloud Apple Keychain. That way, every site I visit with a passkey has the Bitwarden addon pop up with the key as soon as I hit the login page, but if I'm ever somewhere on a shared computer, or somehow Vaultwarden is unavailable, I have a backup that works anywhere using my phone's camera. I love them.

> Be careful, as some sites apparently disabled 2FA when you enable passkeys, namely GitHub. Not sure if they fixed this yet.
>
> I've avoided them for the time being, I should probably experiment with one or two sites though.
I have YubiKey, OTP and passkeys enabled on GitHub and they all work. I just use whichever I get to first (press my YubiKey or hit enter on the Bitwarden popup if it 'wins').
 