It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.

It’s free, it’s convenient, it takes a few minutes to set up, and it’s a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.

Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.

    • Dyskolos@lemmy.zip · 1 month ago

      Yes. The easiest/most reliable is syncthing. Yet there’s the online-component which is inherently vulnerable. Depends on how paranoid you are.

      • renzev@lemmy.world · 30 days ago

        You can lock your password database with a key file (this is a standard feature in keepassxc) and transfer the key file once between devices via sneakernet (microsd or usb drive). That way even if someone intercepts your database file, AND knows your password, it is still virtually impossible to crack. Should be a good enough solution, unless you are quantum-tier paranoid

        • Dyskolos@lemmy.zip · 29 days ago

          That is actually a good idea. I’m not using one rn as I only manually transfer it. Might be worth considering. Thanks
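To make the key-file point above concrete, here is an added example (not code from KeePassXC or from anyone in the thread) that models a vault key derived from both a password and a key file. The construction (hash the password, hash the key file, hash the concatenation) is an assumption in the general shape of the KeePass composite key, and the 32-byte key file is constructed for the demo; a real KDBX vault also runs the result through a slow KDF such as Argon2 before decrypting.

```python
import hashlib
import hmac
from typing import Optional

# Constructed 32-byte key file for the demo (KeePassXC would generate random bytes).
DEMO_KEYFILE = bytes(range(32))
PASSWORD = "correct horse battery staple"


def keyfile_material(keyfile: bytes) -> bytes:
    # Simplified model (assumption): a raw 32-byte key file is used as-is,
    # anything else is reduced to 32 bytes by hashing it.
    return keyfile if len(keyfile) == 32 else hashlib.sha256(keyfile).digest()


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    # Password and key file are hashed separately, concatenated and hashed again,
    # so the key depends on both factors. (Real vaults feed this into Argon2/AES-KDF.)
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_material(keyfile)
    return hashlib.sha256(material).digest()


def can_unlock(vault_key: bytes, password: str, keyfile: Optional[bytes] = None) -> bool:
    # Stands in for "decryption succeeds": the derived key must equal the key the
    # vault was created with. Constant-time compare, as a real implementation would.
    return hmac.compare_digest(composite_key(password, keyfile), vault_key)


def demo() -> dict:
    # Which combinations of stolen material actually open the vault.
    vault_key = composite_key(PASSWORD, DEMO_KEYFILE)
    return {
        "password_and_keyfile": can_unlock(vault_key, PASSWORD, DEMO_KEYFILE),
        "password_only": can_unlock(vault_key, PASSWORD),
        "password_wrong_keyfile": can_unlock(vault_key, PASSWORD, b"not the key file"),
        "keyfile_wrong_password": can_unlock(vault_key, "hunter2", DEMO_KEYFILE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>24}: {'opens' if ok else 'fails'}")
```

With the key file absent, even the correct password fails, which is why it must travel separately from the database (sneakernet, as suggested above) and never sit next to it in the synced folder.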

    • yeehaw@lemmy.ca · 1 month ago

      I have it synced across 4 computers and my phone. You just need a central repository. For that I use Nextcloud. I suppose you could use OneDrive, Google Drive, Box, Syncthing, or something else though.

    • untorquer@lemmy.world · 1 month ago

      Syncthing has worked well for me between 3 devices (Linux, Android, Windows). I’ve had one conflict in 6 months and it was easy to identify the right copy to select in KeePass’ prompt since the more recent one was a larger file.

      Syncthing also provides optional version control which makes backing up easy.

    • lseif@sopuli.xyz · 1 month ago

      tbh i just keep the master version on my computer and physically transfer it to my phone every so often. i try to avoid using too many password-requiring services on my phone.

      • greywolf0x1@lemmy.ml · 1 month ago

        I used to do this, until I started using Syncthing.

        I only add password entries on my laptop, then sync the file directly to my phone using Syncthing to avoid conflicts.

    • 31337@sh.itjust.works · 1 month ago

      A long time ago, I used Syncthing to do this. Sometimes there would be file conflicts, which was a pain to resolve, so I switched to BitWarden (using their server for syncing) and have been using it ever since.

  • SocialMediaRefugee@lemmy.ml · 29 days ago

    I’d be open to using a pw manager, then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other is, various issues, etc. It doesn’t make me feel like taking action if everything feels sketchy.

    • Kaiserschmarrn@feddit.org · 29 days ago (edited)

      I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We have been using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.

    • sheogorath@lemmy.world · 29 days ago

      I just tried the free option (Bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for Proton Pass since Authy has fucked off a cliff.

  • Zicoxy3@lemmy.ml · 1 month ago

    I have been using password managers for a long time. First LastPass, until I switched to GNU/Linux and discovered KeePass and then KeePassXC… For me they are indispensable. That’s the one I used until about 1 year ago when I started having problems with the Firefox addon. It did not recognize the pages. I tried Proton Pass and I like it, but I don’t like having them online, no matter how secure the site is. I’ve tried going back to KeePassXC, locally, but the file I export from Proton Pass won’t load in KeePassXC. I feel stuck.

    Translated with DeepL.com (free version)

    • ReversalHatchery@beehaw.org · 30 days ago

      > I’ve tried going back to KeePassXC, locally, but the file I export from Proton Pass won’t load in KeePassXC. I feel stuck.

      Open a bug report in KeePassXC’s repository, maybe it’s a bug in their code. Or they’ll tell you that the bug is in Proton Pass, and you can report it there too so that they know about it and can fix it. Maybe the KeePassXC team can give you a workaround too.

      • Zicoxy3@lemmy.ml · 30 days ago

        > Open a bug report in KeePassXC’s repository, maybe it’s a bug in their code. Or they’ll tell you that the bug is in Proton Pass, and you can report it there too so that they know about it and can fix it. Maybe the KeePassXC team can give you a workaround too.

        My English is very poor for technical explanations… I searched for the issue on KeePassXC’s GitHub but I didn’t find a similar solution.

        • ReversalHatchery@beehaw.org · 30 days ago

          Proton Pass is a pretty new service, maybe there haven’t been many users yet who have moved to KeePassXC from it. I would say give it a try, it’s not that bad.

          Something else you could try is:
          a) check the Bitwarden repo to see if anyone had a similar problem to yours. If so, it’s more likely that it’s a Proton Pass problem, and maybe they have some tips.
          b) import your Proton Pass export into another password manager (Bitwarden, original KeePass), export it from there, and try to import this into KeePassXC. Though this might have a higher chance of losing some information, in the sense of metadata. If you go this way, don’t forget to make a fresh export of your Proton Pass account, in case you have changed something there in the meantime.

  • shortwavesurfer@lemmy.zip · 1 month ago

    Absolutely this. Been using KeePassDX for years and it’s made my life so much easier. I am waiting for it to support passkeys so I can start using them where possible.

    • dumbass@leminal.space · 1 month ago (edited)

      It’s the best one to use, all password hacking tools avoid this one when they’re attacking.

  • ColeSloth@discuss.tchncs.de · 1 month ago

    But I wanna tell people my master password to my pw manager. It’s such a fantastic password that no one could ever possibly guess I would have. I wanna gloat.

  • purplemonkeymad@programming.dev · 29 days ago

    I tell non-techy people to use a physical book that they can secure. People know how to hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.

  • Mio@feddit.nu · 29 days ago

    I have the need to have different accounts for everything, having to perform the sign-up process over and over again. They really need to standardize this.

    Passkeys are one step forward but far from enough.

    I hate the idea of having to log in again and again at just a minute’s interval, which I see BankID requires as it is for different things. Like I constantly have to prove it is still me here. BankID is the app in my country that gives you access to your bank account, government stuff and so on. It connects to your personal number and IDs you in real life.

    So the issues you describe are just the result of how badly designed the web is today. It is simple for every company but hard for the user.

    • SLVRDRGN@lemmy.world · 29 days ago

      I am curious what country you’re from that they require a specific app for “official” business.

      • Lifter@discuss.tchncs.de · 29 days ago

        Sweden

        They don’t require it, you can also go to a physical office if you don’t have BankID. Also BankID is a private company, which is problematic on several levels.

        Many government agencies have started accepting multiple ways to identify yourself, such as Freja.

        Some politicians would prefer a standardized governmental solution to identity: https://www.dagensps.se/bors-finans/kinberg-batra-infor-statlig-bank-id/

        I’m not so sure about that though.

        It’s an ongoing topic. We’ll see more where it goes.

    • kevincox@lemmy.ml · 1 month ago

      It depends on your threat model. It does mostly reduce the benefit from 2FA, but you are probably still very safe if you use a random password per site. I mostly use 2FA when forced (other than a few high-value accounts) so I don’t worry about it. For most people having a random password which is auto-filled so that you don’t type it into the wrong site is more than sufficient to keep themselves secure.

    • Lumun@lemmy.zip · 1 month ago

      I do this too. I would need them if I lost my phone, so Bitwarden/KeePass is a good place for them to be.

      I think it is less secure though since someone who somehow has the unencrypted vault without your 2FA device could get in with the codes - but if someone cracks my master password I’m screwed in a whole bunch of ways so I’m not sure it matters too much at that point.

  • orca@orcas.enjoying.yachts · 1 month ago

    Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.

      • funtrek@discuss.tchncs.de · 29 days ago

        I started with Bitwarden as a replacement for KeePass and changed to 1Password due to the way they secure the login password (password + random string). KeePass is now my backup place for 1Password and I support Bitwarden with a subscription because I like to support their OSS way.

  • BenchpressMuyDebil@szmer.info · 1 month ago

    And also set up SSO/LDAP in your homelab if you run one, so you don’t have 3000 loose outdated account entries for IPs like 192.168.10.5 user: admin password: *****

  • wuphysics87@lemmy.ml · 1 month ago

    My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.

    But I get where people have an issue. It’s one point of failure vs. many, but they don’t realize it’s easier to secure the one well than it is to avoid spreading the same vulnerability everywhere.

    • icedcoffee@lemm.ee · 1 month ago

      Honestly, as someone who has helped family members set up a password manager: one person felt this way and the rest are just not tech savvy. All the simple, straightforward stuff took ages because they had never done it before.

  • Caveman@lemmy.world · 29 days ago

    I use a password pattern. I have hundreds of passwords all stored in my head and all between 10-20 characters long.

    • hatter@lemmy.world · 29 days ago

      Wait, are you saying that with the example you provided your password for Lemmy would be catlemmy-Dog5? Because that’s a terrible system.

      • Caveman@lemmy.world · 29 days ago (edited)

        Maybe it’s not for you then. It’s been working pretty well for me and my passwords aren’t saved anywhere but locally in the browser.

        • kettle@lemm.ee · 29 days ago

          It’s better than reusing the same password, but not by much. If one of your passwords gets compromised, an attacker can easily guess to try to just replace “gmail” by whatever service they’re attempting to log into as you, and give it a shot.

          • Caveman@lemmy.world · 29 days ago

            That’s assuming that a human will ever see it. People cracking passwords either have all of them and then use an automated tool, or hack a person specifically by decrypting a password hash, which will take an immense amount of time and electricity.

            Still since that’s a concern I can modify the formula. By splitting gmail into g and mail and sticking g at the front.

            gcatmail-Dog5

            • frezik@midwest.social · 29 days ago (edited)

              Not how it works.

              First of all, there’s far too many companies out there still storing passwords in plaintext.

              Second of all, even with a good hash algorithm, hacking a specific person’s password out of a leaked database is still feasible when your passwords are variants of a couple of dictionary words with a few numbers and symbols attached.

              Creating fully randomized, unique passwords in a password manager really is the best way. Even an older hash method of storage on the web site’s part will likely protect it.
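To put numbers on the pattern-vs-random argument in this sub-thread, here is an added example (not from any commenter) that scores the thread's own "catlemmy-Dog5" shape against what a password manager generates. The 10,000-word dictionary size and the 94-symbol printable alphabet are assumptions; the pattern itself is constructed from the example above.

```python
import math
import secrets
import string

# Constructed pattern from the thread: fixed words around the site name.
PREFIX, SUFFIX = "cat", "-Dog5"
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def pattern_password(site: str) -> str:
    # The only per-site variation is the site name, which the attacker already knows.
    return f"{PREFIX}{site}{SUFFIX}"


def pattern_entropy_bits(dictionary_size: int = 10_000, digit_choices: int = 10) -> float:
    # Before any leak: two dictionary words plus one digit must be guessed.
    # (Assumes cracking rules already try "word + site + word + digit" shapes.)
    return math.log2(dictionary_size ** 2 * digit_choices)


def pattern_entropy_after_leak_bits() -> float:
    # After one site leaks, words and digit are known; for every other account the
    # remaining unknown is just the site name, so there is effectively nothing to guess.
    return math.log2(1)


def guess_from_leak(leaked_password: str, leaked_site: str, target_site: str) -> str:
    # The substitution kettle describes above: swap the leaked site's name for the target's.
    return leaked_password.replace(leaked_site, target_site)


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    # What a password manager does: independent, uniformly random symbols per account,
    # drawn from the OS CSPRNG rather than a human-memorable template.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int = 20, alphabet_size: int = len(PRINTABLE)) -> float:
    # Each account is its own draw, so one leaked password says nothing about the others.
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("pattern, before leak :", round(pattern_entropy_bits(), 1), "bits")
    print("pattern, after leak  :", pattern_entropy_after_leak_bits(), "bits")
    print("random 20-char       :", round(random_entropy_bits(), 1), "bits")
    print("derived guess        :", guess_from_leak(pattern_password("gmail"), "gmail", "lemmy"))
```

Even before a leak the pattern sits around 30 bits, within reach of an offline attack on a weak hash, while after a single leak it drops to zero for every other account; the random 20-character password stays above 130 bits regardless of how many sites leak.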