• just another dev@lemmy.my-box.dev
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    I guess now is as good a time as any for them to start using a proper password manager.

    Personally, I recommend Keepass - it has multiple clients for all platforms, and you can keep the file in sync with a program of your own choosing, like Dropbox, syncthing or whatever you like.

      • Ilovethebomb@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        This is the first suggestion here that’s actually within the technical abilities of most people, even most Lemmy users.

        The level of technical knowledge some of people here seem to think the general public has is absurd.

        • just another dev@lemmy.my-box.dev
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          5 months ago

          If getting a Dropbox account is too difficult for them, I seriously wonder why they’d be subscribed here, or reading articles about password management in browsers.

        • tabular@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          I’m usually the one promoting technical literacy to all but in this case I honestly don’t use a password manager.

          • Ilovethebomb@lemm.ee
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            It’s honestly seemed like more trouble than it’s worth, there’s a few websites where I just reset my password every time.

      • just another dev@lemmy.my-box.dev
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        If you never, ever need your passwords outside of your home, that’s great advice - it’s as secure as can be against digital theft. Less so against fire though, and backups are out of the question.

        • thejoker954@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          Backups are easy? Just copy to another piece of paper and store somewhere else.

          I’m just being facetious though.

          • just another dev@lemmy.my-box.dev
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            5 months ago

            I’m not being facetious though. Off-site backups of a digital password collection are easy to setup and maintain. But when you change your password or add a new entry, it’s going to be a pain in the ass to have to drive over and update a physical copy.

            If you can live with those downsides, that’s fine. But in my opinion it would be facetious to pretend a physical backup is “just as good/usable” as a digital one.

            -edit: whoops, misread that as implying that I was being facetious. As you were sir -

      • OfficerBribe@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        I store my DB in Dropbox and use KeePass2Android on phone which has built in Dropbox sync.

      • NekuSoul@lemmy.nekusoul.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Most amazingly, this setup is also unexpectedly resilient against merge conflicts and can sync even when two copies have changed. You wouldn’t expect that from tools relying on 3rd party file syncing.

        I still try to avoid it, but every time it accidentally happened, I could just merge the changes automatically without losing data.

        • Shatur@lemmy.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          How did you enable merge conflict resolution for KeePassXC databases?

          • NekuSoul@lemmy.nekusoul.de
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            5 months ago

            Depends a bit on the clients.

            • KeePass: Will ask you if you want to synchronize/overwrite/discard the database when saving.
            • KeePassXC: Will autoreload the database in the background, so merge conflicts shouldn’t happen in the first place. Otherwise there’s ‘Merge database’ in the menu.
            • KeePass2Android: So I mixed up the names and this is the client I actually use. This one does all changes to an internal copy of the database that is then synchronized on request.
            • KeePassDX: As far as I can see it also has a mechanism similar too KeePass2Android.

            Assuming you only have one desktop and mobile client you should never run into any issues. If you do have multiple KeePassXC clients it’s all fine as well assuming Syncthing always has another client it can sync with.

    • GissaMittJobb@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Bitwarden is probably a more pragmatic choice for most users, given that it’s free and without having to manage the syncing yourself.

      Any password manager is better than the alternative, though.

      • 🅿🅸🆇🅴🅻@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        5 months ago

        I’m not sure what you’re comparing it to. Keepass is free too, in fact it’s open source. In my opinion, local software and database that is under your control is always superior to cloud.

        Keepass over Bitwarden offers a lot of plugins and integrations, again, if you want more customization or automation.

        But, I would say you can use any online password manager as long as it’s end to end encrypted, so Bitwarden is a good choice.

        • GissaMittJobb@lemmy.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          Also, local software and database is always superior to cloud.

          Now there’s an unfounded blanket statement if I ever saw one.

          • Enoril@jlai.lu
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            Statement related to previous cloud hacks i assume.

            Should have say: self-hosting is always superior to cloud hosting.

            Bitwarden (the client) + Vaultwarden (the self-hosted server) is a good combo if you have some knowledge on how to setup it.

            • GissaMittJobb@lemmy.ml
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              Should have say: self-hosting is always superior to cloud hosting.

              That statement still comes with a pretty damn big caveat though - you need to have the know-how, the time to invest and the hardware (i.e money) to actually set something like this up.

              If all of those are true, then self-hosting can definitely be an attractive option for you.

              It’s only true for a vanishingly small fraction of the population, though.

              Hence, Bitwarden is a pragmatic solution that will be superior for the vast majority of the population.

        • fmstrat@lemmy.nowsci.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          No dislike for Keepass here, but I prefer Bitwarden. It’s also super easy to self host with Vaultwarden.

        • evulhotdog@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          I think your bias may be showing. The average computer user doesn’t even think about using a password manager. It just exists and works in their browser.

      • GoJimi@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Exactly! Self hosted FTW. Chances of a data breach… Typically pretty minor if you are smart.

        • Lem453@lemmy.ca
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          Keep vaultwarden behind wireguard for local only access then also use https certs and good master password. Very secure like this

            • Lem453@lemmy.ca
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              Security in layers.

              All your services should be using https. Vaultwarden in particular won’t even run without https unless you bypass a bunch of security measures.

              This is how to setup local only and external https, I highly recommend this as a baseline setup for every homelab. It allows you to choose how much security you want on a per app basis and makes adding new apps trivially easy.

              https://youtu.be/liV3c9m_OX8?si=TSWXoN_8SJDpAHaW

      • N1ghtstalk3r@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        +1 for a self-hosted Vaultwarden instance. If you’re technically capable and have extra hardware laying around this is the best way to go.

    • suction@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Never trust your credentials to a private company, they could be bought out by state actors.

      • Katana314@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Never trust your credentials to yourself, you can be bought out by beer, poor decisions, and tripping over the cables connected to your home server you cobbled together.

      • CosmicGiraffe@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        The xz compromise having demonstrated that FOSS projects are totally immune to interference from state actors…

  • Pissipissini Johnson 🩵! :D@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    I put all my passwords in a text document, then print it on a little strip of paper and shove it up my ass. Whenever I take a crap, I dig it out from the turds and try to memorise some of them again. Then I shove it back up there where noone else can find my data and I won’t lose it.

      • ikidd@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Not a bad idea to back up to a json, but every computer you’ve used has a local encrypted copy you can export from using the app or extension.

    • communism@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      5 months ago

      Keepass with syncthing is completely free and doesn’t rely on cloud hosting

    • Gregor@gregtech.eu
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      I self host my own Vaultwarden instance (a bitwarden server written in Rust) and it’s more reliable than Google’s password manager.

  • communism@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Me when I don’t use Chrome, I don’t use Windows, and I don’t use browser password saving either

    • Kayn@dormi.zone
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      I switched to Pass recently after having used Bitwarden for a couple years. I’d say Bitwarden still has a slight edge in terms of features, but Pass has gotten good enough and it’s included in my Proton subscription.

      • Gregor@gregtech.eu
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        The server side literally doesn’t matter. Even if it is FOSS they could do anything they please with it, other than reading it, because it’s all encrypted. They could wipe all passwords if they so wanted.

  • krimson@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Recently started using Bitwarden and it works really well. You can even ditch authenticator because it has OTP built in too.

    I selfhost it though because I trust nobody with this type of sensitive data, encrypted or not.

      • Allero@lemmy.today
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        5 months ago

        Yep, and Vaultwarden too!

        Though the most secure practice is to store them separately.

        • dan@upvote.au
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          The most secure practice for any high-value accounts (email etc) is to use WebAuthn with a hardware key like a Yubikey.

          TOTP is still vulnerable to phishing (a fake login page can ask for both a password and a TOTP code) so business/corporate environments are moving away from them.

      • krimson@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Technically yes if my vault gets compromised I would be fucked. I have it firewalled tho and only accessible from home (or VPN to home). So should be pretty secure. I used google authenticator but found it a major pita (can’t even search entries on Android, wtf?). If they make this more user friendly I’ll gladly switch back to a seperate OTP store.

      • EddoWagt@feddit.nl
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Not really as you’re still protected from password breaches, which is most likely to happen anyways, especially if you self host.

        If you’re actively being targeted for your bitwarden password, you likely have bigger problems

          • Godnroc@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            To set a scene, you awake in the middle of the night because your phone is making noise. Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep. The intruder now has access to your password manager!

            They attempt to log into your bank and drain your life savings, but despite having your password it sends another prompt to your phone. This time, you wake up enough to realize something is wrong. This time, you deny the prompt.

            The entire second paragraph cannot happen if your MFA is a single factor. Don’t store MFA in your password manager!

            • JackbyDev@programming.dev
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep.

              The idea that people would approve that is wild to me.

              • Godnroc@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                5 months ago

                Mate, I’ve had users who were sharing an account that only some of them had MFA prompts for. They didn’t bother checking who had initiated the prompt, they just approved it because it was easier. And that was while they were fully awake and thinking…

                • JackbyDev@programming.dev
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  5 months ago

                  What’s funny to me is that doing this while you know your target is asleep probably has a higher success rate just because they’re more likely to press the wrong thing just because their eyes are groggy. I can read my phone without my glasses but when I wake up in the night that’s not the case right away.

            • Hexarei@programming.dev
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              If your MFA is stored in your password manager, you’re not getting prompts to your phone about it. You’re just prompted for a otp code that you have to go out of your way to copy/paste or type in from the manager.

            • subtext@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              I mean yeah it’s less secure than if they were separated. But my mom is never going to use a separate app for passwords and 2FA, so the two in one app is still better than nothing.

            • Telorand@reddthat.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              Bruh, if my phone is sending me notifications in the middle of the night, the first thing I’m doing is uninstalling whatever app is sending me notifications.

              If people are that gullible to fall prey to an attack like this, managing OTP in two apps is probably more than they can handle anyway. Everybody has a different threat model, and it’s okay if it’s not covered by hardware passkeys and locally hashed and managed databases.

    • WarlordSdocy@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      I was thinking about self hosting but I was worried it would be less secure. I don’t really know a lot about setting that kind of thing up (I do have programming experience but don’t have a lot of server hosting experience outside of doing it for games like Minecraft) and I feel like I’d mess it up and it would be a lot easier to get into than a hardened server. Especially cause the odds I get a virus or something is probably higher then the odds someone breaks into bitwarden’s server. Idk if I’m wrong about this, would love to be corrected if I am, was just my initial thoughts when I switched over from a different password manager to bitwarden.

      • subtext@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        If you don’t trust yourself 110%, don’t host it yourself. Too risky. I self-host everything, but I leave email and passwords to someone else because it’s just too important.

  • daddy32@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    “Chrome users” or “Chrome under windows users” would be closer to the truth. Still, quite a screw up.

    • DreamButt@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Something like 2/3rds of the world uses chrome for desktop. I’d bet that number is higher for windows specifically. If you’re the rare person who doesn’t use chrome then you’re savy enough to know this doesn’t apply to you

    • dan1101@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      All of them are vulnerable to bugs though. Just a matter of luck.

        • Feathercrown@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          If he knew, do you think he’d be wasting time talking here about it instead of, I don’t know, ransoming millions of user passwords?

          • communism@lemmy.ml
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            I like to think that most people would just contact the devs privately to get a fix pushed asap instead of ransoming everyone’s passwords.

            • Feathercrown@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              Right, but my point was that there aren’t public bugs in encryption algorithms just hanging around. Asking for those is categorically bad faith.

        • dorythefish@discuss.online
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          One of the mobile clients corrupted all passwords for me. I ended up losing only 2 passwords, and only 1 I wasn’t able to restore. Good lesson on why backups are important though :)

          • PrettyFlyForAFatGuy@feddit.uk
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            One of the reasons i use Mega to sync my keepass db across devices where it’s needed. They have version control, so if it gets corrupted then i can restore from a previous version