
Warning: change your password please!

tomtoo

Major Contributor
Joined
Nov 20, 2019
Messages
3,720
Likes
4,814
Location
Germany
Ok, but what is the algorithm to keep corresponding PW and sites/logins together?

Here we have a few encrypted PW lists daily backed up on the home server (NAS) for the family members. All with the same PW which is an easy to remember modified fairytale fantasy name for all of them. So the brains of the members are a nice PW back-up for each other in case of emergency.

You could use, let's say, the first x letters of the site name as a prefix or postfix. Or letters 1, 2 and 5. Not perfect. But much better than using the same one everywhere.
 

DuncanDirkDick

Member
Forum Donor
Joined
Mar 8, 2021
Messages
54
Likes
40
I'd stick to the common attack vectors, not to personalized ones. And in 99% of the cases it's a compromised database with people using the same username/password combination everywhere.
 

somebodyelse

Major Contributor
Joined
Dec 5, 2018
Messages
3,754
Likes
3,053
It is open source, so more eyeballs are on the code looking for vulnerabilities. And, there is currently no hacked version of it available on the dark web, unlike KeePass.
They're both open source. Patching in some code for exfiltration and compiling doesn't need the dark web. If someone's got sufficient privs to replace the binary you're already compromised, and it probably doesn't matter which password manager you're using. I'd be interested in what BitWarden is doing differently to KeePass and its derivatives that makes it any more secure. Some of this may be OS specific.
 

beefkabob

Major Contributor
Forum Donor
Joined
Apr 18, 2019
Messages
1,658
Likes
2,114
So they have been hacked, twice, and you still stick with them? I am not sure I understand that thinking.
Who hasn't been hacked?
Since my passwords are encrypted with an obscenely long password, it doesn't really matter.
The convenience of cloud-based passwords means that I can use strong passwords. If I had to go to a file or use something not cloud-based, it'd be a pain in the ass, so I'd have less incentive to have good passwords.
 

Andreas007

Active Member
Joined
Mar 11, 2019
Messages
144
Likes
377
Location
Germany, Bavaria
I recently engaged a white hat security consultant to pen test our network at work. He hacked into our security manager's laptop, replaced his KeePass executable with a hacked version, and gained access to the admin passwords for nearly everything on our network. He left his report on the desktop of my laptop instead of emailing it to me. Needless to say, we no longer allow KeePass. He recommends BitWarden.
I don't get why BitWarden should be better than KeePass in such a case. What does it help to change a program when your system got hacked?
If your system gets hacked no program can be trusted anymore and it's easy to eavesdrop on any data.

Switching from KeePass to BitWarden was useless if nothing else was done to secure your network instead.
 

sofrep811

Active Member
Joined
Jun 4, 2016
Messages
253
Likes
319
The main use these days is to link to a site which as a result, causes Google to rank them higher in search results. But they also try to sell stuff.
OK. That makes total sense. I knew a guy in the early days of Google and that was his gig--he'd get a person's business to show up on top with certain searches. This was 2003, I think? But it's more sophisticated now.
 

Mulder

Addicted to Fun and Learning
Forum Donor
Joined
Sep 2, 2020
Messages
640
Likes
887
Location
Gothenburg, Sweden
I recently engaged a white hat security consultant to pen test our network at work. He hacked into our security manager's laptop, replaced his KeePass executable with a hacked version, and gained access to the admin passwords for nearly everything on our network. He left his report on the desktop of my laptop instead of emailing it to me. Needless to say, we no longer allow KeePass. He recommends BitWarden.
You should of course keep both KeePass and the key on a USB stick and only use it when needed.
 

Steve Dallas

Major Contributor
Joined
May 28, 2020
Messages
1,217
Likes
2,921
Location
A Whole Other Country
I don't get why BitWarden should be better than KeePass in such a case. What does it help to change a program when your system got hacked?
If your system gets hacked no program can be trusted anymore and it's easy to eavesdrop on any data.

Switching from KeePass to BitWarden was useless if nothing else was done to secure your network instead.
Why would you assume we did nothing else to secure the network? We implemented about a dozen recommendations not germane to this thread.
 

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,917
Likes
12,117
Location
BC, Canada
I recommend Bitwarden over most of the other password managers due to it being self-hostable
Cool, but not everyone is inclined to self-host their own password manager.

Bitwarden (cloud-hosted, not self-hosted) or 1password (already cloud-hosted) are an easy recommendation for anyone who's not technically inclined.

If I tell any of my non-technical friends to self-host their own password manager, they'll look at me like I'm from another planet.
 

Labjr

Major Contributor
Joined
Dec 14, 2018
Messages
1,069
Likes
985
Google reminds me to change my passwords all the time. You almost need a separate computer with its own operating system designed to keep track of passwords.
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,754
Likes
37,597
Google reminds me to change my passwords all the time. You almost need a separate computer with its own operating system designed to keep track of passwords.
Yes, on my phone Google will tell me one of my passwords has been found on the dark web during their security updates process. It does not show up on https://haveibeenpwned.com/ or similar sites. I don't reuse it and in fact have changed it. I never saw any evidence of anything wrong. Of course someone else may have used the same password which is not otherwise related to me.

In any case, I do hope passkeys catch on and become the norm. For many people passwords are reaching or have reached the point where it is far too much trouble to keep them safe and they aren't proving fully safe anyway. Passkeys will be overall more convenient and much safer in several ways than passwords.
 

Labjr

Major Contributor
Joined
Dec 14, 2018
Messages
1,069
Likes
985
Yes, on my phone Google will tell me one of my passwords has been found on the dark web during their security updates process. It does not show up on https://haveibeenpwned.com/ or similar sites. I don't reuse it and in fact have changed it. I never saw any evidence of anything wrong. Of course someone else may have used the same password which is not otherwise related to me.

In any case, I do hope passkeys catch on and become the norm. For many people passwords are reaching or have reached the point where it is far too much trouble to keep them safe and they aren't proving fully safe anyway. Passkeys will be overall more convenient and much safer in several ways than passwords.
From what I've read Passkeys isn't going to work with Windows 10, which most people are still using. However, I'm already using it on Windows 10 with eBay and Best Buy. Perhaps it won't work cross-platform. I hope Google Passwords will store the Passkeys so I don't have to create new Passkeys for every device I use. It's not supposed to work with iOS 15 either. I hope they'll change these requirements so everyone doesn't need to upgrade equipment to have better password security.
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,754
Likes
37,597
From what I've read Passkeys isn't going to work with Windows 10, which most people are still using. However, I'm already using it on Windows 10 with eBay and Best Buy. Perhaps it won't work cross-platform. I hope Google Passwords will store the Passkeys so I don't want to have to create new Passkeys for every device I use. It's not supposed to work with iOS 15 either. I hope they'll change these requirements so everyone doesn't need to upgrade equipment to have better password security.
Should work on Android, iOS, macOS, and Windows 11. Also they have provisions to use them cross-platform. Slightly less convenient, but equally secure. You can use macOS or iOS on Windows 10, but not in the other direction, though it is promised soon.
 

kchap

Addicted to Fun and Learning
Forum Donor
Joined
Jun 10, 2021
Messages
586
Likes
572
Location
Melbourne, Oz
Cool, but not everyone is inclined to self-host their own password manager.

Bitwarden (cloud-hosted, not self-hosted) or 1password (already cloud-hosted) are an easy recommendation for anyone who's not technically inclined.

If I tell any of my non-technical friends to self-host their own password manager, they'll look at me like I'm from another planet.
I can recommend Bitwarden. I do not have any experience with 1Password so I cannot comment. Bitwarden is open source and they have been independently audited. It works well on Windows, Android and Linux. There is an iOS version; again, I have no experience with it.

However, you have to be prepared for the day some hackers download the entire cloud-based database. The only thing that will save you then is a long, unique but memorable passphrase. I don't suggest using "Luke, I am your father".
 

antcollinet

Master Contributor
Forum Donor
Joined
Sep 4, 2021
Messages
7,698
Likes
12,991
Location
UK/Cheshire
I love me some Lastpass. Just have a seriously long master password and you'll be fine no matter what. Using a different email address or login for most websites is pretty helpful too. I have a bajillion attempts to hack my business wordpress, and they're all the wrong logins attempted by scripts. I have gotten hacked before, but only because of flaws in wordpress itself, which no password program can stop.
Install wordfence (or similar) on your sites, and set it to block an IP after 5 login attempts. Kills brute force attacks. And turn off the account named admin.
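The lockout rule in the post above (block an IP after 5 failed login attempts), as an added example that is not from the post or from Wordfence: a sliding-window check over constructed failed-login log lines, which also tallies which usernames are being tried so the point about the "admin" account is visible in the data. The log format and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): one line per
# failed wp-login.php attempt, in the assumed shape "timestamp ip username".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin
2024-05-01T10:00:02 203.0.113.7 admin
2024-05-01T10:00:03 203.0.113.7 administrator
2024-05-01T10:00:04 203.0.113.7 wpadmin
2024-05-01T10:00:05 203.0.113.7 root
2024-05-01T10:00:06 203.0.113.7 editor
2024-05-01T10:00:30 198.51.100.22 alice
2024-05-01T10:05:10 198.51.100.22 alice
2024-05-01T12:00:00 198.51.100.22 alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def failed_logins(log_text):
    """Yield (timestamp, ip, username) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def evaluate(log_text, max_attempts=5, window=timedelta(minutes=10)):
    """Sliding-window lockout: an IP is blocked the moment its
    max_attempts-th failure lands inside `window`; attempts from an
    already-blocked IP are counted as rejected, not as new failures.
    Returns (blocked, rejected, targeted_usernames)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}                  # ip -> time the block was applied
    rejected = defaultdict(int)   # ip -> attempts refused after the block
    targeted = defaultdict(int)   # username -> failures seen before blocking
    for ts, ip, user in failed_logins(log_text):
        if ip in blocked:
            rejected[ip] += 1
            continue
        targeted[user] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ip] = ts
    return blocked, dict(rejected), dict(targeted)

if __name__ == "__main__":
    b, r, t = evaluate(SAMPLE_LOG)
    print("blocked:", b, "\nrejected:", r, "\ntargeted:", t)
```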
 

JPA

Active Member
Forum Donor
Joined
Mar 21, 2021
Messages
157
Likes
266
Location
Burque
I suppose the problem then is that you have to ALWAYS be able to remember the encryption pass. Back to a piece of paper in a drawer again? :p
No, NTFS file system encryption doesn't require an additional password beyond your login password.
 