Password Managers? 🗝️

[Melooon]

Do you use a password manager? How do you feel about them?

There are two kinds of password managers out there:

• Managers like your browser that just save your last used password.
• 3rd party managers who give you a random secure password and save it for you using an extension.

I held off using one for a very long time and just stuck with Firefoxes built-in one, but about 2 years ago I started using 1Password and I can't imagine going back to having the mess of trying to remember passwords across multiple browsers that I used before However there are also valid concerns and arguments against saving all your password in one place, so I'd like to hear how others manage their password lives!

Here is an in-depth technical video from the University of Nottingham that gets a lot of facts out of the way for those who want it!

[Cobra!]

I use KeePass, and put the database in a cloud storage I'm subscribed to, and the key file to unlock it in another. It's been great so far, and the client I use (KeePassXC) generated passwords for you.

[Inkerlink]

I use BitWarden, and as long as it remains open-source and free, I'll keep using it. I'm not worried enough about privacy to go full self-storage, the ease of use and integration it offers is very convenient for me.
I'm not too worried about having one point of failure for my passwords since my master password is quite complex and unless there is a BitWarden breach of somekind, the chances of my account getting hacked is basically zero. The only place my master password is stored is in my head, so unless I'm captured by an evil group and tickle-tortured, no one is getting into my accounts.   

[almostcorporeal]

I have really terrible memory problems due to a bunch of medical stuff so a password manager is kind of super important to me! Otherwise I feel like I absolutely would forget my passwords to things [like I have with ichi.city and can't seem to figure out how to reset...] and be up the creek without a paddle (x

I use BitWarden but I'm interested in moving to a self-hosted password manager once I get my home server up and running. Currently BitWarden works great for me but some more medical stuff means that privacy is one of the key things I value, so moving from BitWarden to something self-hosted will help mentally mostly. I have no major qualms with the program outside of definitely not feeling comfortable enough to use some of it's features [such as credit card and identity storage] lol which is entirely a me thing and unrelated to the program itself! (x

I keep my master password written down and tucked away for safe keeping [Otherwise I would absolutely forget it, thanks memory ;;] and it's a generated password that is VERY different from my typical password convention so like Interlink said, I'm not worried unless something drastic or a breach happens haha

Do also want to leave on the note that I love this topic! Things like this are very interesting to me and I love seeing how others manage something I consider to be very tedious and loathsome haha 

[xandra]

I use BitWarden, and as long as it remains open-source and free, I'll keep using it. I'm not worried enough about privacy to go full self-storage, the ease of use and integration it offers is very convenient for me.
I'm not too worried about having one point of failure for my passwords since my master password is quite complex and unless there is a BitWarden breach of somekind, the chances of my account getting hacked is basically zero. The only place my master password is stored is in my head, so unless I'm captured by an evil group and tickle-tortured, no one is getting into my accounts.   

i also use bitwarden and second third them! i used to use lastpass, but after the breach that happened, i couldn't really put my trust in that company anymore. i really love that bitwarden is open-source!

also: *takes notes* writing in your file that tickle torture is the most effective method! XD

[Melooon]

Another question I have for people! Do you use 2 Factor Authentication often?

And if so, do you use your password manager as your 2FA generator; or do you keep them separate? I still keep them very separate, I use Authy as a 2FA client - so in theory even if 1Pass totally failed (prob impossible) and all my passwords were published online - most critical accounts would still be safe! 

Also for those of you interested in self-hosting? What do you think about the argument that self-hosting could be less safe? You're basically taking on all the responsibility yourself instead of trusting a company that's entirely dedicated to security; or do you feel the obscurity of a private server mitigates that?

[kandeez]

I will die on my complex stupid hill of passwords are meant to be reset. Unless its something I KNOW I'm gonna have to login for multiple times (ie wizard101) I will make a password a keyboard smash of ultimate magnitude and then reset it whenever I need to login. Especially when its something that you have to make an account for and know you're gonna use it once. The only login I need to keep secure is my email and then I just reset whenever I need.
I feel like its way easier than having to log passwords in a password manager and I don't have to really ever worry about third parties or breaches. It was definitely one of the things my teacher didn't recommend when teaching us about account safety but its never failed me.

Edit: I want to add that alongside my reset it everytime mantra I also more or less use the same password for everything else and only change up the special character so I'm not foolproof.

[j]

I can't imagine going back to having the mess of trying to remember passwords across multiple browsers that I used before

Dan Bull did a neat nerdcore rap on the struggle of this here - you just reminded me! :D

as a libre FOSS supporter, im an advocate for self-hosting and therefore use pass, which is amazing if youve got a Virtual Private Server lying spare and are familiar with the command line, bash and gpg :)

It was definitely one of the things my teacher didn't recommend when teaching us about account safety but its never failed me.

it's likely they didn't recommend it because a longer password doesn't guarantee more security. passwords that are brute-forced work with the maths of the total possible characters that any one character can be to the power of the length of the password. cs50 did a great video on this. saying that, password security is often quoted in cybsersecurity using entropy instead, which is a measure of how unpredictable and unguessable a password is - theres a cool calculator for that here so you dont have to work with logarithms!

for instance, a password of 10 random lowercase characters on your keyboard has an entropy of 47 bits whereas a password of 20 characters including lowercase and uppercase letters, digits and numbers has an entropy of 131.3 bits. ive mentioned why this is important in a blog post alongside why passwords arent the be-all and end-all of security, but i figured its probably nice to add on to why your teacher probably didnt recommend this :)

[j]

Another question I have for people! Do you use 2 Factor Authentication often?

And if so, do you use your password manager as your 2FA generator; or do you keep them separate? I still keep them very separate, I use Authy as a 2FA client - so in theory even if 1Pass totally failed (prob impossible) and all my passwords were published online - most critical accounts would still be safe! 

Also for those of you interested in self-hosting? What do you think about the argument that self-hosting could be less safe? You're basically taking on all the responsibility yourself instead of trusting a company that's entirely dedicated to security; or do you feel the obscurity of a private server mitigates that?

adding on because i missed this!!

multi-factor authentication is a MUST for anything important to me. i prefer 3FA, which tom scott covers nicely here as: something you know, something you have and something you are (i.e. a password, a USB key and biometrics).

stuff like forums are less of a concern to me, but if i can add 3FA why not?

as for self-hosting, i personally believe that it's less about trying to completely stop an attacker; instead im trying to raise the bar as high as possible so they move onto someone else (something i learnt from the preiously linked CS50 vid!): similar to a house alarm not stopping someone robbing you, instead making it more likely that they'll rob the person next to you without an alarm, eventually someone will always be robbed

besides, at least when i self-host stuff, it's guaranteed that i am the only one accessing things - whereas i cant say the same for bitwarden even though i used to use it. dont get me wrong, i think theyre completely fine, but there's fewer points of failure when i host things myself, which is always a plus

[wodaro]

I just write mine down in a book 

I've never been very good with tech. I always get scared that if I keep my passwords on my computer somewhere they won't be safe. Plus if my computer broke I don't know if I would have access to them anymore! So I keep them all in a little book. it also makes it easy to look through all of them and see which ones haven't been changed in a long time.

I never use 2 Factor Authentication unless a website requires it. Too many extra steps! Maybe I should tho...

[Melooon]

I just write mine down in a book

That's ok An offline book is totally safe as long as you don't lose it. I kinda made this topic to see how widespread knowledge of this subject was and maybe see if people needed support with it. We can definitely work on a web security guide for non-techies if people need it!

i prefer 3FA

All my servers including the one this forum runs on are 3FA, I think that's fair if you are anticipating becoming a target, but I think it's prob overkill for everyday use!

I will make a password a keyboard smash of ultimate magnitude and then reset it whenever I need to login

I hate this so much, but I can't really fault it, it seems like a flawless plan as long as your email is accessible :TnT:

advocate for self-hosting

I would still say unless you REALLY know what your doing and are willing to dedicate time to make sure it's secure and doesn't get lost somehow, it's still prob much better for most people not to do this. Knowing my track record for messing up Linux installs, losing data and deleting things I shouldn't... I'd avoid self-hosting passwords like the plague

[CyberCat2000]

I recall at first, I used a password book. Then I decided to try out password managers, and I never looked back. Currently, I use KeePass, with the file stored on cloud storage. As for 2FA, I also use Authy, admittedly...

[Guest]

I'm a bit mixed on password managers. On one hand, it makes it a lot easier to use complex and different passwords for everything. On the other, it's a single point of failure. It's not unheard of for password managers to be compromised.

That said, I'm keeping it a secret how I manage my passwords. Now excuse me while I release these pigeons and scatter a deck of cards on the West-facing side of an Applebee's during a thunderstorm.

[Guest]

I remember all of my different 13+ characters long passwords in my head.

[Inkerlink]

I remember all of my different 13+ characters long passwords in my head.

'abcdefghijklm' isn't secure, no matter how much you protest!