I put all my passwords in a text document, then print it on a little strip of paper and shove it up my ass. Whenever I take a crap, I dig it out from the turds and try to memorise some of them again. Then I shove it back up there where noone else can find my data and I won’t lose it.
Ah yes, KeepAss
Spectacular
I’m scared of downloading after that Mexican party
sh.itjust.works
Forgot to mention I delete the text document and set fire to the computer’s hard drive. The passwords are only ever in my ass, with the rest of my personal shit.
Following up your own shit post with another shit post is shit post gold.
This tracks very close to my idea of the suppository flask stick.
Have you ever tried anal, my beautiful gentleman?
Maybe, but it would have to be personal and in my ass if I had or ever did.
Bitwarden here. Works well.
No $10 gift card?
Lame.
“Chrome users” or “Chrome under windows users” would be closer to the truth. Still, quite a screw up.
Something like 2/3rds of the world uses chrome for desktop. I’d bet that number is higher for windows specifically. If you’re the rare person who doesn’t use chrome then you’re savy enough to know this doesn’t apply to you
“Here’s what you need to know” - Avoid anything Google.
And backup your password vault
No-one should be using any password manager built into any browser, neither Chromium-based nor Firefox-based. Browser password databases are almost trivially easy for malware to harvest.
Go with something external, BitWarden or 1Password, or if you are entirely within the Apple ecosystem their new password system built into iOS 18 is apparently really good.
I use Keepass. Free, secure, great.
That’s what I used before 1password. The UI is a bit finicky but it works great. Plus you can shove it into DropBox or other various cloud sync things to get a “cloud” version lol.
I have that as an offline DB. Holds 100% of all creds that can go offline (no 2FA, unfortunately) and a bunch of extra stuff that most other managers aren’t flexible enough to do.
What makes the built-in database easier to attack than a separate one?
What makes the built-in database easier to attack than a separate one?
For performance reasons, early versions weren’t even encrypted, and later versions were encrypted with easily-cracked encryption. Most malware broke the encryption on the password DB using the user’s own hardware resources before it was even uploaded to the mothership. And not everyone has skookum GPUs, so that bit was particularly damning.
Plus, the built-in password managers operated within the context of the browser to do things like auto-fill, which meant only the browser needed to be compromised in order to expose the password DB.
Modern password managers like BitWarden can be configured with truly crazy levels of encryption, such that it would be very difficult for even nation-states to break into a backed-up or offline vault.
It’s protected by the user’s login password. If an attacker can steal that or knows it already, the passwords are all there for them to see.
Bitwarden (on the other hand, for example) has 2FA options to unlock the database.
Oh, so you mean local vs external, not browser-based vs other local solutions.
How does this work if accessing Bitwarden via the browser extension? I don’t like needing to type my master password in all the time as it’s long, so I have the setting turned on that times the vault out periodically, but so it’s also unlockable with a pin rather than requiring the master password every time. I understand the pin is shorter, but does the protection of the vault still stand?
That’s a good question. I don’t actually know the answer to that. I know the passwords are hashed locally when your vault is locked and before being synced, but I’m not sure whether it’s in plaintext when it’s unlocked or if it uses some kind of on-demand decryption. It’s probably in their docs, I should think.
Keepass has been working with no issues
All of them are vulnerable to bugs though. Just a matter of luck.
Which bugs breaks Keepass encryption?
One of the mobile clients corrupted all passwords for me. I ended up losing only 2 passwords, and only 1 I wasn’t able to restore. Good lesson on why backups are important though :)
One of the reasons i use Mega to sync my keepass db across devices where it’s needed. They have version control, so if it gets corrupted then i can restore from a previous version
If he knew, do you think he’d be wasting time talking here about it instead of, I don’t know, ransoming millions of user passwords?
I like to think that most people would just contact the devs privately to get a fix pushed asap instead of ransoming everyone’s passwords.
Right, but my point was that there aren’t public bugs in encryption algorithms just hanging around. Asking for those is categorically bad faith.
Recently started using Bitwarden and it works really well. You can even ditch authenticator because it has OTP built in too.
I selfhost it though because I trust nobody with this type of sensitive data, encrypted or not.
By storing your passwords and otp in the same place it becomes 1 factor authentification
Not really as you’re still protected from password breaches, which is most likely to happen anyways, especially if you self host.
If you’re actively being targeted for your bitwarden password, you likely have bigger problems
deleted by creator
Not if you use 2 factor to access the password manager.
It’s still just one factor. You just secured it better.
To set a scene, you awake in the middle of the night because your phone is making noise. Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep. The intruder now has access to your password manager!
They attempt to log into your bank and drain your life savings, but despite having your password it sends another prompt to your phone. This time, you wake up enough to realize something is wrong. This time, you deny the prompt.
The entire second paragraph cannot happen if your MFA is a single factor. Don’t store MFA in your password manager!
If your MFA is stored in your password manager, you’re not getting prompts to your phone about it. You’re just prompted for a otp code that you have to go out of your way to copy/paste or type in from the manager.
I mean yeah it’s less secure than if they were separated. But my mom is never going to use a separate app for passwords and 2FA, so the two in one app is still better than nothing.
Bruh, if my phone is sending me notifications in the middle of the night, the first thing I’m doing is uninstalling whatever app is sending me notifications.
If people are that gullible to fall prey to an attack like this, managing OTP in two apps is probably more than they can handle anyway. Everybody has a different threat model, and it’s okay if it’s not covered by hardware passkeys and locally hashed and managed databases.
Blearily you unlock it, glance at a prompt, and then approve a login and fall back asleep.
The idea that people would approve that is wild to me.
Mate, I’ve had users who were sharing an account that only some of them had MFA prompts for. They didn’t bother checking who had initiated the prompt, they just approved it because it was easier. And that was while they were fully awake and thinking…
What’s funny to me is that doing this while you know your target is asleep probably has a higher success rate just because they’re more likely to press the wrong thing just because their eyes are groggy. I can read my phone without my glasses but when I wake up in the night that’s not the case right away.
Technically yes if my vault gets compromised I would be fucked. I have it firewalled tho and only accessible from home (or VPN to home). So should be pretty secure. I used google authenticator but found it a major pita (can’t even search entries on Android, wtf?). If they make this more user friendly I’ll gladly switch back to a seperate OTP store.
I use aegis for the MFA portion.
Modern problems require modern solutions
so no more authy? BITWARDEN HAS THAT BUILT IN??? thats AWESOME
So does keepass
Yep, and Vaultwarden too!
Though the most secure practice is to store them separately.
Alr
It is a paid feature though if you don’t selfhost
Oh
But it’s cheap! $10 a YEAR when I last checked.
alr
Yep, for only $10 per year. But just make sure to keep backups of your vault and/or make an emergency kit.
Alr
I was thinking about self hosting but I was worried it would be less secure. I don’t really know a lot about setting that kind of thing up (I do have programming experience but don’t have a lot of server hosting experience outside of doing it for games like Minecraft) and I feel like I’d mess it up and it would be a lot easier to get into than a hardened server. Especially cause the odds I get a virus or something is probably higher then the odds someone breaks into bitwarden’s server. Idk if I’m wrong about this, would love to be corrected if I am, was just my initial thoughts when I switched over from a different password manager to bitwarden.
If you don’t trust yourself 110%, don’t host it yourself. Too risky. I self-host everything, but I leave email and passwords to someone else because it’s just too important.
It’s pretty easy to setup using docker, you do need to know that ofcourse and how to setup dns and stuff.
I have it firewalled so my vault is not accessible from the internet, only from home or vpn to home.
And it can also store passkeys to effortlessly sync between desktop/Android/iOS
deleted by creator
A better statement should be: you should remain vigilant and light on attachment to any banner. If an ill wind blows and you don’t like it, it’s time to move. Control your data- aspire to be a digital nomad.
Firefox isn’t without it’s own issues, recently. Google used to be viewed as a paragon once, too.
Google was always incorrectly viewed as a paragon.
Once upon a time I think they were largely harmless … but once they started leaning into profit over quality they went rotten in a hurry. Exactly why I’m concerned with mozilla’s path.
How do you know someone runs Linux?
Don’t worry, they’ll tell you.
deleted by creator
Well, there does keep being more reasons by the day…
I don’t use the password manager in Firefox, what a terrible idea.
Use an independent password manager, something purpose-built.
And using Linux? Hahaha, right, right. Call me when there’s a serious OneNote, or even more importantly, Excel competitor. (Or even a standard shell on Linux, or the same set of tools built in).
Call me when there’s a serious OneNote…
OneNote works on the web, but there’s also Notenook if someone is looking for similar features with an app for offline access + End-to-end encryption and open source alternative. I’ve got it syncing to my Android, Windows, Linux and Mac clients without issue.
…or even more importantly, Excel competitor.
There’s OnlyOffice which has a spreadsheet. Yeah it’s not Excel which has existed for a million years, but it should work for the vast majority of users’ basic needs. It may not work for your specific use case, but it is a viable alternative that exists today. If you want more online collaborative features (like the o365 version has) you can use CryptPad, which provides an end-to-end encrypted and open-source collaboration suite, including the web version of OnlyOffice Spreadsheets.
Or even a standard shell on Linux…
What does this even mean? Nearly every major Linux distro sets bash as the default shell, and if not the default, is probably already installed and called if needed. Not sure I understand the problem here.
…or the same set of tools built in
Stick to a single OS and you get the same set of tools built in? This is a strange statement to be making against a system that not only thrives on diversity but has lots of niche systems that require a myriad of default tools.
I do completely agree about not using any browser’s built-in password manager.
Firefox Sync was purposefully built too, they didn’t wake up one day to find it on the porch in a basket.
It syncs passwords, works on desktop and mobile and can do some other cool stuff — syncs tabs and bookmarks, alerts you to password breaches, send tabs from one device to another, lets you export your passwords etc. It’s a good password manager.
Say there’s no standard shell on Linux again and I’ll Bash your head in
Funny troll is funny
It is not the software which can lack seriousness, but the developer and the user. One is proprietary where the developer controls the user’s computing - the other is free software where the user is in control (free as in freedom).
A friend has a notebook next to her computer with all her passwords in it. Initially I was horrified - what if you’re burgled? - but actually it’s genius. Much more secure than letting a browser remember them, and she doesn’t even need to memorise a Bitwarden password.
In a household it’s probably not that bad. There aren’t many people breaking into homes looking for account details.
I’ve had my identity stolen several times, and every single time it was stolen from a Fortune 500 company.
I just make all of my passwords password123 then I don’t have to worry about memorizing them
*********** that’s what I see
Really? hunter2
Yeah, when you type hunter2, all I see is *******
Maybe they’re using one of those instances that censors things, lol
It’s an ancient meme. https://web.archive.org/web/20040604194346/http://bash.org/?244321
Yeah, these newfangled password requirements ruined my life. I refuse to sign up for any website that doesn’t let me use hunter2.
Just add the same memorized bit to the end. Something simple like “123” would work. Even if the book is stolen it won’t do them any good.
Kind of like salting.
This concept is also known as Double Blind Passwords or Horcruxing.
That’s an excellent idea! I’ll mention it to her.
It’s a primitive password manager, primitive because unencrypted and not integrated into your devices, but far better than not having a password manager.
Assuming the laptop is running bitlocker (often on by default), has a user password, and is offline, that’s pretty decent.
Notebook refers to a paper notebook. Not a laptop.
And in which world is bitlocker on by default? Nope.
A world where we all go insane from explaining “we can’t just ‘hack’ your bitlocker key” over and over to every older relative we have…
My mom told me that she was made fun of for having a book of hand written account credentials related to running her business (6 people total). I told her it was the best way to do it that wasn’t massively overcomplicated for her situation and to keep it up. The only recommendation I made is that she use different long passwords for every site since she’s already not memorizing them.
Personally I’m not convinced this isn’t the best way unless you’re being targeted by physical bad actors
Where is this book? In the office? I’d say that’s absolutely horrible. If it’s at home I think that’s more okay.
Or maybe behind a keyed lock in the office? Not a keypad, a physical key.
Nah, most locks are really crappy.
Sure, if someone knows her physical address, knows how to disable the building alarm, knows what drawer she keeps the passwords locked in, and knows how to pick the lock, she could be in trouble. But that is a very targeted attack and if someone is that determined she’s screwed anyway.
99.9% of attacks are the “low hanging fruit, protected from repercussions by not physically being there” kind.
Someone like an employee, janitor, or maintenance worker who has physical access to the building already is what I’m talking about. That’s definitely a low hanging fruit type of attack. See your boss’s passwords while your pissed off, snap a picture with your phone, fuck with them later.
Premium Bitwarden is so cheap and effective that I find it difficult to justify using an alternative.
Keepass with syncthing is completely free and doesn’t rely on cloud hosting
Still. Back it up
Not a bad idea to back up to a json, but every computer you’ve used has a local encrypted copy you can export from using the app or extension.
Well sure… I have a local offline encrypted copy, rather than a whole separate password manager.
I use encfs and sync it to dropbox etc. Then use gopass password manager to store password in the encfs folders. Not fully auto-integrated but good enough for me.
No password manager is 100% safe. Make back-ups.
feel like “aaand it’s gone” would fit better here
Me when I don’t use Chrome, I don’t use Windows, and I don’t use browser password saving either
That’s definitely a change from companies just leaving passwords around for anyone to find.
