Password managers

seanyc5

seanyc5

seanyc5

Associate
Joined
30 Nov 2011
Posts
1,131
Rainmaker said:
It's a matter of perspective. Consider two scenarios:

1) I use a password (or even a mix of different, but simple passwords) across various sites. "Passw0rd", "Pass123" etc. This makes them easy for me, the user, to remember. In time, a site or sites is breached, and its password database is downloaded. It will take an offline attacker a matter of a couple of seconds (using a GPU) to discover my password from the database through brute force alone. They can then sell the credentials, and/or test those credentials against many other websites and services. Most people reuse credentials, so this approach words.

2) Using a password manager, I only have to remember one single very secure pass phrase to protect the rest of my data For example, "My-Children-Are-Hyper-,-But-Not-As-Bad-As-I-Was-In-The-80's-LOL". That's an over the top example, but it's very easy to think of a unique phrase that you can easily remember and that is, or at least becomes, easy to type quickly the one time a day you need to unlock your vault for use. This guards the vault storing all your other credentials. Because you're using a manager, the rest of your (online) passwords can look like this:

aiDpbYCB6P*WcS!ihnagSUf@a%x2h4miy8a!pE$Kod*R7qsaUaAo59kB*Hjr#uYU%MC5BX$XtF#qq3&aNxXwZ*#h2#LRSYXw3UFb7byKW9X!$w$Ls#H6Ud*g6J2$WcyN

or this:

Wrongdoer-Statute-Mom-Gloss-Evade3-Vividness-Onstage-Acts-Quail-Washbowl

These take a split second to generate in the manager, and it'll remember that passphrase or password for the site forever more. Because your vault data is (or at least can be) stored locally, it's not going to fall into a random attacker's hands (i.e. your vault itself). If a site is breached, and a password file or database is recovered by bad actors, well... good luck cracking a password/phrase like those above. We're talking many centuries even at many guesses per second. Even if/when they did succeed, they have only the credentials for one single web service/forum/site, not the keys to your entire kingdom. If you're smart and use 2FA (YubiKey, OTP etc) then even that is useless to them.

Using a manager has enabled you to use secure passwords(phrases) that you would never be able to do yourself, because human brains aren't that great at information storage.

Using the browser's or phone's built in manager is a viable alternative, especially if it's end to end encrypted (Firefox, Apple Keychain).

Edit: Relevant XKDC. But keep in mind, attacker 'guesses' are no longer around 1,000 per second, they're into the trillions. The more secure your passphrase, the better.
Click to expand...

Amazing detailed answer, thank you!

I suppose because I do use a password manager already with chromes built-in one I never really thought about people using simple variations on all their passwords!

I am now thinking I should strengthen my google password to a passphrase. I highly doubt it would ever be as secure and creative as yours mind you :D.

I am using 2FA on all apps/money/investment stuff that supports it. Just with google authenticator though and not a yubikey.
 

RussD

RussD

RussD

Associate
Joined
24 Jan 2008
Posts
734
Location
Swansea, South Wales. UK
I was using LASTPASS to save my passwords. It is Good. ALAS they are soon going to charge a monthly fee for it. I deleted it today and now using Bitwarden instead. They secure your passwords.
Both are free but Lastpass will soon only work on one PC unless you buy it. Password should have at least 10 or more letters using example----P^ssW0rD1sG00d4Me..
 

d_brennen

d_brennen

d_brennen

Soldato
Joined
30 Jan 2009
Posts
17,193
Location
Aquilonem Londinensi
RussD said:
I was using LASTPASS to save my passwords. It is Good. ALAS they are soon going to charge a monthly fee for it. I deleted it today and now using Bitwarden instead. They secure your passwords.
Both are free but Lastpass will soon only work on one PC unless you buy it. Password should have at least 10 or more letters using example----P^ssW0rD1sG00d4Me..
Click to expand...

xkcd.png

Credit xkcd.com
 

jokerguv

jokerguv

jokerguv

Associate
Joined
25 Mar 2020
Posts
131
I've recently started using BitWarden and blimey, why didn't I get on this earlier. No longer have to type in long convoluted passwords (where some bit usually got wrong) or grab credit card from wallet for online purchases. Gonna see how it goes for awhile before setting up really wacky passwords.

I was never onboard with saving sign-in details in a browser becuase 1) that would've locked me in using that browser only and 2) anybody could sign in.

I've got mine setup through a BitWardenrs docker container on Unraid, accessible locally or through VPN only, along-with Let's Encrypt TLS without forwarding ports 80 and 443. I realize the vault is encrypted but still not having this publically accessible was a strong incentive for me.
 
Last edited:

Rainmaker

Rainmaker

Rainmaker

Soldato
Joined
18 Aug 2007
Posts
9,710
Location
Liverpool
jokerguv said:
I've recently started using BitWarden and blimey, why didn't I get on this earlier. No longer have to type in long convoluted passwords (where some bit usually got wrong) or grab credit card from wallet for online purchases. Gonna see how it goes for awhile before setting up really wacky passwords.

I was never onboard with saving sign-in details in a browser becuase 1) that would've locked me in using that browser only and 2) anybody could sign in.

I've got mine setup through a BitWardenrs docker container on Unraid, accessible locally or through VPN only, along-with Let's Encrypt TLS without forwarding ports 80 and 443. I realize the vault is encrypted but still not having this publically accessible was a strong incentive for me.
Click to expand...

Another bitwardenrs user... there's not many of us. I have mine running behind nginx over TLS and publicly available, but good luck cracking the 70 character password (especially before fail2ban gets you). :D
 

doodah

doodah

doodah

Caporegime
Joined
18 Oct 2002
Posts
28,112
Location
London
Any KessPass to Bitwarden users?

Happy user of KP, database file stored on Dropbox so I can easily access from my phone and computers. Not heard of Bitwarden until just now, but the last page or two seem to talk highly of it.
 

Firegod

Firegod

Firegod

Soldato
Joined
12 Sep 2003
Posts
10,107
Location
Newcastle, UK
I've taken tentative steps into online password managers. I currently use KeePass locally. So now trying a 1 year plan with Nord Pass (I use their VPN which I really like). So far so good. Haven't migrated all my passwords across just yet, but done my main ones. I was getting sick of having random passwords and obviously not having KeePass on my phone I was unable to shop online from it, having to wait until I was back at my main PC. Only noticed one problem so far in that it wants to put my password into the Username field on the screwfix website lol. But could that be a browser issue, or the way the website was designed (incorrect HTML) over a problem with Nord Pass? But yeah, still not 100% comfortable thinking my passwords are online, KeePass made me feel safe knowing I had the only local copy. lol
 

b0rn2sk8

b0rn2sk8

b0rn2sk8

Soldato
Joined
9 Mar 2003
Posts
14,458
Firegod said:
Only noticed one problem so far in that it wants to put my password into the Username field on the screwfix website lol. But could that be a browser issue, or the way the website was designed (incorrect HTML) over a problem with Nord Pass? But yeah, still not 100% comfortable thinking my passwords are online, KeePass made me feel safe knowing I had the only local copy. lol
Click to expand...

Screwfix seems to work as intended on bitwarden and lastpass so I'd suggest that may be a screwfix/nordPass issue. Might be worth reporting as a bug?
 

deanpearl71

deanpearl71

deanpearl71

Associate
Joined
6 Apr 2021
Posts
1
Location
Canada
RussD said:
I was using WorkTime to save my passwords. It is Good. ALAS they are soon going to charge a monthly fee for it. I deleted it today and now using Bitwarden instead. They secure your passwords.
Both are free but Lastpass will soon only work on one PC unless you buy it. Password should have at least 10 or more letters using example----P^ssW0rD1sG00d4Me..
Click to expand...

cool, thanks for the advice! Bitwarden are really good, hope my passwords are in good hands!
 

Andre

Andre

Andre

Soldato
Joined
25 Feb 2003
Posts
2,713
Location
Deep dark hole
Firegod said:
I've taken tentative steps into online password managers. I currently use KeePass locally. So now trying a 1 year plan with Nord Pass (I use their VPN which I really like). So far so good. Haven't migrated all my passwords across just yet, but done my main ones. I was getting sick of having random passwords and obviously not having KeePass on my phone I was unable to shop online from it, having to wait until I was back at my main PC. Only noticed one problem so far in that it wants to put my password into the Username field on the screwfix website lol. But could that be a browser issue, or the way the website was designed (incorrect HTML) over a problem with Nord Pass? But yeah, still not 100% comfortable thinking my passwords are online, KeePass made me feel safe knowing I had the only local copy. lol
Click to expand...

I use Keepass2Android - works nicely with a cloud-stored file shared between 4 PCs and 2 android phones. Currently use Google Drive for my database and OneDrive for my work database, but have used dropbox previously
 

The1nonly1

The1nonly1

The1nonly1

Associate
Joined
24 Jul 2009
Posts
2,090
Location
-
I've moved over from Lastpass to Bitwarden and I like it. The only issue I have is I can't find the auto-fill feature on the Chrome browser app. Is it possible to enable this?
 
You must log in or register to reply here.
Back
Top Bottom