I think BitWarden has a deb version now so Linux users don’t need to use docker.
It's a matter of perspective. Consider two scenarios:
1) I use a password (or even a mix of different, but simple passwords) across various sites. "Passw0rd", "Pass123" etc. This makes them easy for me, the user, to remember. In time, a site or sites is breached, and its password database is downloaded. It will take an offline attacker a matter of a couple of seconds (using a GPU) to discover my password from the database through brute force alone. They can then sell the credentials, and/or test those credentials against many other websites and services. Most people reuse credentials, so this approach works.
2) Using a password manager, I only have to remember one single very secure pass phrase to protect the rest of my data. For example, "My-Children-Are-Hyper-,-But-Not-As-Bad-As-I-Was-In-The-80's-LOL". That's an over the top example, but it's very easy to think of a unique phrase that you can easily remember and that is, or at least becomes, easy to type quickly the one time a day you need to unlock your vault for use. This guards the vault storing all your other credentials. Because you're using a manager, the rest of your (online) passwords can look like this:
aiDpbYCB6P*WcS!ihnagSUf@a%x2h4miy8a!pE$Kod*R7qsaUaAo59kB*Hjr#uYU%MC5BX$XtF#qq3&aNxXwZ*#h2#LRSYXw3UFb7byKW9X!$w$Ls#H6Ud*g6J2$WcyN
or this:
Wrongdoer-Statute-Mom-Gloss-Evade3-Vividness-Onstage-Acts-Quail-Washbowl
These take a split second to generate in the manager, and it'll remember that passphrase or password for the site forever more. Because your vault data is (or at least can be) stored locally, it's not going to fall into a random attacker's hands (i.e. your vault itself). If a site is breached, and a password file or database is recovered by bad actors, well... good luck cracking a password/phrase like those above. We're talking many centuries even at many guesses per second. Even if/when they did succeed, they have only the credentials for one single web service/forum/site, not the keys to your entire kingdom. If you're smart and use 2FA (YubiKey, OTP etc) then even that is useless to them.
Using a manager has enabled you to use secure passwords(phrases) that you would never be able to do yourself, because human brains aren't that great at information storage.
Using the browser's or phone's built in manager is a viable alternative, especially if it's end to end encrypted (Firefox, Apple Keychain).
Edit: Relevant xkcd. But keep in mind, attacker 'guesses' are no longer around 1,000 per second, they're into the trillions. The more secure your passphrase, the better.
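Added example, not part of the original posts: a rough calculation of the two scenarios described above. It assumes 10^12 offline guesses per second ("trillions", per the post) and a 7,776-word list for the passphrase; the word list and common-password list in the code are constructed samples.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 1e12  # assumption: offline guessing rate in the "trillions"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample lists; a real generator draws from a large list
# (7,776 words is assumed below for the entropy figure).
COMMON_PASSWORDS = {"passw0rd", "pass123", "password", "123456"}
WORDS = ["wrongdoer", "statute", "gloss", "evade", "vividness", "onstage", "quail", "washbowl"]


def charset_bits(password):
    """Upper bound on brute-force cost: length * log2(size of the character classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly at random; the attacker is assumed to know the list."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a 2**bits search space at the given rate."""
    return 2 ** bits / rate


def generate_passphrase(n_words, words=WORDS, sep="-"):
    """Draw capitalised words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(n_words))


def assess(password):
    """Return (bits, seconds). A password on a common list falls to the first guesses."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0, 0.0
    bits = charset_bits(password)
    return bits, seconds_to_exhaust(bits)


if __name__ == "__main__":
    print("Pass123, pure brute force:", seconds_to_exhaust(charset_bits("Pass123")), "s")
    print("Pass123, with a common-password list:", assess("Pass123"))
    bits = passphrase_bits(10, 7776)
    print("10-word passphrase:", round(bits, 1), "bits,",
          seconds_to_exhaust(bits) / SECONDS_PER_YEAR, "years")
    print("sample:", generate_passphrase(10))
```

The character-class figure is only an upper bound: a simple password that appears on a common-password list is found long before brute force is needed, which is why the generated passphrase is measured from how it was drawn rather than from how it looks.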
I was using LASTPASS to save my passwords. It is Good. ALAS they are soon going to charge a monthly fee for it. I deleted it today and now using Bitwarden instead. They secure your passwords.
Both are free but Lastpass will soon only work on one PC unless you buy it. Password should have at least 10 or more letters using example----P^ssW0rD1sG00d4Me..
Credit xkcd.com
I've recently started using BitWarden and blimey, why didn't I get on this earlier. No longer have to type in long convoluted passwords (where some bit usually got wrong) or grab credit card from wallet for online purchases. Gonna see how it goes for awhile before setting up really wacky passwords.
I was never onboard with saving sign-in details in a browser because 1) that would've locked me in using that browser only and 2) anybody could sign in.
I've got mine setup through a BitWardenrs docker container on Unraid, accessible locally or through VPN only, along with Let's Encrypt TLS without forwarding ports 80 and 443. I realize the vault is encrypted but still not having this publicly accessible was a strong incentive for me.
Another bitwardenrs user... there's not many of us. I have mine running behind nginx over TLS and publicly available, but good luck cracking the 70 character password (especially before fail2ban gets you).
Only noticed one problem so far in that it wants to put my password into the Username field on the screwfix website lol. But could that be a browser issue, or the way the website was designed (incorrect HTML) over a problem with Nord Pass? But yeah, still not 100% comfortable thinking my passwords are online, KeePass made me feel safe knowing I had the only local copy. lol
Screwfix seems to work as intended on bitwarden and lastpass so I'd suggest that may be a screwfix/nordPass issue. Might be worth reporting as a bug?
Haha I only know because I spend far too much there and was a part of the lastpass exodus a few weeks ago
Thanks for checking. Will do, cheers.
I was using WorkTime to save my passwords. It is Good. ALAS they are soon going to charge a monthly fee for it. I deleted it today and now using Bitwarden instead. They secure your passwords.
Both are free but Lastpass will soon only work on one PC unless you buy it. Password should have at least 10 or more letters using example----P^ssW0rD1sG00d4Me..
I've taken tentative steps into online password managers. I currently use KeePass locally. So now trying a 1 year plan with Nord Pass (I use their VPN which I really like). So far so good. Haven't migrated all my passwords across just yet, but done my main ones. I was getting sick of having random passwords and obviously not having KeePass on my phone I was unable to shop online from it, having to wait until I was back at my main PC. Only noticed one problem so far in that it wants to put my password into the Username field on the screwfix website lol. But could that be a browser issue, or the way the website was designed (incorrect HTML) over a problem with Nord Pass? But yeah, still not 100% comfortable thinking my passwords are online, KeePass made me feel safe knowing I had the only local copy. lol
I've moved over from Lastpass to Bitwarden and I like it. The only issue I have is I can't find the auto-fill feature on the Chrome browser app. Is it possible to enable this?