Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible. And some of these password managers seem shady themselves. And if said manager needs a password that means someone only needs the one password which puts us back at square one.
These days I’ve resorted to physically writing my passwords down because I straight up don’t trust anything that connects to the internet anymore for this kind of information. Like some lame puzzle in a video game where you have to look around the room for the password. But it still feels safer than anything that’s connected to the internet.
How about KeePass then? It’s an encrypted local database file you can sync/backup how and where you want. There are clients to open/edit it for Android, Linux and even Windows. The Android version can use fingerprint, if your phone has this hardware.
My main issue is that it doesn’t solve the “borrowing someone’s computer” problem. With a hosted password manager, you can login to an online vault to get your passwords, but that’s not an option with keepass.
That’s a pretty rare use case though, but it is something I run into periodically.
It’s absolutely risky, but sometimes the risk is low enough that it makes sense, like you’re at a relative’s house and setting up access to some self hosted stuff. I use it sometimes on a new install/work computer where I don’t want to set up the password manager long term.
The USB drive works in all those cases, but I rarely bring USB drives with me, especially since I only need to access it like 1-2x/year.
This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could login to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.
That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me for what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who is running splunk locally, feed all my logs into it and have dashboards setup (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.
I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:
While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible.
The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20 character, random string of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if you password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That’s bad, m’kay.
Yeah, the level of effort required is extremely low, and it’s really nice for things like sharing passwords with an SO for things where separate logins don’t work.
So yeah, I use Bitwarden. I plan to self-host soon (vaultwarden), I’m just figuring out how password sharing works before I go and switch my SO’s stuff over. But it’s audited, FOSS, and generally the dev makes decent decisions (though I hate the new UX overhaul).
I self-host a bunch of stuff too. I am transitioning from Nextcloud to OwnCloud Infinite Scale now that I posixfs is in experimental status (I only use file hosting from Nextcloud anyway). However, my password manager has been very far down the list for me, because the level of effort required exceeds the value I’d get from it, especially compared to other things I can set up.
The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are.
Exactly. Use literally any password manager that uses MFA, and set up MFA (Google Authenticator works, I personally use Aegis). I also recommend BitWarden, but there are several decent options available.
The most important thing for them to know is that passwords should be different between services, and you can and should automate that.
I’ve just set up vaultwarden recently and at least for that solution I can just log into my selfhosted database and grab them from there, but the inconvenience is still enough to put most people off.
I reuse passwords quite intentionally. It reduces memory use.
Does the account have any saved personal info (other than email)? No? Continue.
Was the account used for credit card info? No? Continue.
Do I care about the account in some way? No, plus no to all of the above? Don’t care, use an easy to remember password and don’t bother saving it to my overly bloated password manager.
It absolutely causes problems with some cloudflare sites because that email/password combo was compromised decades back, but I usually have no intention of accessing the account again when I use it so I don’t actually care. It’s their problem at that point, and I never use legit info for any of it anyway (I have a spam email I use for these things, never with my own name or info, because they don’t fucking need it)
While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible. And some of these password managers seem shady themselves. And if said manager needs a password that means someone only needs the one password which puts us back at square one.
These days I’ve resorted to physically writing my passwords down because I straight up don’t trust anything that connects to the internet anymore for this kind of information. Like some lame puzzle in a video game where you have to look around the room for the password. But it still feels safer than anything that’s connected to the internet.
How about KeePass then? It’s an encrypted local database file you can sync/backup how and where you want. There are clients to open/edit it for Android, Linux and even Windows. The Android version can use fingerprint, if your phone has this hardware.
My main issue is that it doesn’t solve the “borrowing someone’s computer” problem. With a hosted password manager, you can login to an online vault to get your passwords, but that’s not an option with keepass.
That’s a pretty rare use case though, but it is something I run into periodically.
that’s a bit risky. the foreign computer could capture passwords.
however, in that use case, you could either display the password on the phone and manually enter it or use a portable keepass on a usb stick
Linux: How to run: https://docs.appimage.org/introduction/quickstart.html#ref-how-to-run-appimage Download: https://keepassxc.org/download/#linux
Windows only: https://keepass.info/help/v2/setup.html#portable
It’s absolutely risky, but sometimes the risk is low enough that it makes sense, like you’re at a relative’s house and setting up access to some self hosted stuff. I use it sometimes on a new install/work computer where I don’t want to set up the password manager long term.
The USB drive works in all those cases, but I rarely bring USB drives with me, especially since I only need to access it like 1-2x/year.
This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could login to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.
That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me for what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who is running splunk locally, feed all my logs into it and have dashboards setup (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.
I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:
The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20 character, random string of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if you password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That’s bad, m’kay.
Yeah, the level of effort required is extremely low, and it’s really nice for things like sharing passwords with an SO for things where separate logins don’t work.
So yeah, I use Bitwarden. I plan to self-host soon (vaultwarden), I’m just figuring out how password sharing works before I go and switch my SO’s stuff over. But it’s audited, FOSS, and generally the dev makes decent decisions (though I hate the new UX overhaul).
I self-host a bunch of stuff too. I am transitioning from Nextcloud to OwnCloud Infinite Scale now that I posixfs is in experimental status (I only use file hosting from Nextcloud anyway). However, my password manager has been very far down the list for me, because the level of effort required exceeds the value I’d get from it, especially compared to other things I can set up.
Exactly. Use literally any password manager that uses MFA, and set up MFA (Google Authenticator works, I personally use Aegis). I also recommend BitWarden, but there are several decent options available.
The most important thing for them to know is that passwords should be different between services, and you can and should automate that.
I’ve just set up vaultwarden recently and at least for that solution I can just log into my selfhosted database and grab them from there, but the inconvenience is still enough to put most people off.
I use lastpass and have my vault on my phone.
But I have a hard time using someone else’s browser these days . … too many custom plugins.
I reuse passwords quite intentionally. It reduces memory use.
Does the account have any saved personal info (other than email)? No? Continue.
Was the account used for credit card info? No? Continue.
Do I care about the account in some way? No, plus no to all of the above? Don’t care, use an easy to remember password and don’t bother saving it to my overly bloated password manager.
It absolutely causes problems with some cloudflare sites because that email/password combo was compromised decades back, but I usually have no intention of accessing the account again when I use it so I don’t actually care. It’s their problem at that point, and I never use legit info for any of it anyway (I have a spam email I use for these things, never with my own name or info, because they don’t fucking need it)