It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
is it possible to sync keepassxc between computers + phone?
tbh i just keep the master version on my computer and physically transfer it to my phone every so often. i try to avoid using too many password-requiring services on my phone.
i used to do this, until I started using syncthing
i only add password entries on my laptop then sync the file directly to my phone using syncthing to avoid conflict
A long time ago, I used Syncthing to do this. Sometimes there would be file conflicts, which was a pain to resolve, so I switched to BitWarden (using their server for syncing) and have been using it ever since.
Yes, but it’s a bit involved to automate it. KeePassXC has a less technical recommendation here
Yes. The easiest/most reliable is syncthing. Yet there’s the online-component which is inherently vulnerable. Depends on how paranoid you are.
You can lock your password database with a key file (this is a standard feature in keepassxc) and transfer the key file once between devices via sneakernet (microsd or usb drive). That way even if someone intercepts your database file, AND knows your password, it is still virtually impossible to crack. Should be a good enough solution, unless you are quantum-tier paranoid
That is actually a good idea. I’m not using one rn as i only manually transfer it. Might be worth considering. Thanks
Syncthing has worked well for me between 3 devices(Linux, android, windows). I’ve had one conflict in 6mo and it was easy to identify the right copy to select in keepass’ prompt since the more recent one was a larger file.
Synchthing also provides optional version control which makes backing up easy.
I have it synced across 4 computers and my phone. You just need a central repository. For that I use nextcloud. I suppose you could use OneDrive, Google drive, box, sync thing, or something else though.
If you’re on Linux and you don’t want to use KeepassXC, you can check out Secrets on Flathub, it has imo a better UI/UX
If you’re on Linux and you like minimalism, pass is also a great option
Interesting, thanks for the recommendation.
@Charger8232 I have been using Vaultwarden (Unofficial Bitwarden compatible server written in Rust) selfhosted for a few years now, and I have to say I’m very happy with it. I also use the backup strategy, on some media (USB stick and SSD) encrypted with Veracrypt.
I migrated from Bitwarden to Proton Pass (mostly due to their TOP integrations) and I am enjoying it very much. They are constantly improving it, which is also a plus.
Do you mean OTP?
I self-host vaultwarden, and I have that. I think it’s a paid feature if not self-hosting?
KeepassXC ++ Yubikey ++ STRONG password changed every 7 days.
Tap for spoiler
This solution is compatible with virtually all platforms & browsers
Changing passwords is almost always completely useless, and requiring it dramatically weakens security.
What’s the logic behind this statement? I would’ve thought that if a website’s logins and passwords were somehow leaked, the more often I change my password, the less likely it is for the leaked password to still be usable by bad guys based on the shorter time horizon.
Leaked how? No good practice allows any way for a password to “leak”.
What rotating passwords does is ensure people who don’t use a password manager either write their password down more and more frequently, or use a weaker password with some simple changing pattern that doesn’t add anything.
And also set-up SSO/LDAP in your homelab if you run one so you don’t have 3000 loose outdated account entries for IPs like 192.168.10.5 user: admin password:*****
What’s wrong with a password manager built in the browser?
That’s what I’ve resorted to, but I only use Firefox because it has a master password.
Chrome has no master password so what stops any fool from stealing your passwords while you’re taking a piss, I don’t know.
Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than their worth in my estimation.
Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.
- No more password reuse, per site random passwords.
- Auto-fill reduces chance of phishing attacks work because you get suspicious if the password doesn’t auto-fill.
- Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.
I think these are the two biggest benefits and every browser password manager will accomplish both.
This is what I do: I use my browser to store all my randomly generated passwords. If I ever need them on my phone I either sync or go to my desktop and view the password and type it over.
I have a password manager with a family plan so my wife can use it. Does she? Absolutely not. And that’s why we don’t share bank accounts.
Same and she has the balls to ask me for passwords!
Same here. Kinda feels good to know I am not alone with this, though.
I have been using password gestoires for a long time. First LastPass, until I switched to GNU/linux and discovered Keepass and then KeepassXC… For me they are indispensable. That’s the one I used until about 1 year ago when I started having problems with the Firefox addon. It did not recognize the pages. I tried ProtonPass and I like it, but I don’t like having them online, no matter how secure the site is. I’ve tried going back to KeepassXC, locally, but the file I export from ProtonPass won’t load in KeepassXC. I feel stuck.
Translated with DeepL.com (free version)
Did you export ProtonPass to CSV?
I’ve tried going back to KeepassXC, locally, but the file I export from ProtonPass won’t load in KeepassXC. I feel stuck.
Open a bug report in KeepassXC’s repository, maybe it’s a big in their code. Or they’ll tell you that the bug is in proton pass, and you can report it there too so that they know about it and can fix it. Maybe the KeepassXC team can give you a workaround too
Open a bug report in KeepassXC’s repository, maybe it’s a big in their code. Or they’ll tell you that the bug is in proton pass, and you can report it there too so that they know about it and can fix it. Maybe the KeepassXC team can give you a workaround too
My English is very poor for technical explications… I search the issue in KeepassXC Github but I don’t found similar solution.
Proton Pass is a pretty new service, maybe there haven’t been much users yet who have moved to KeepassXC from it. I would say give it a try, it’s not that bad.
Something else you could try is:
a) check the Bitwarden repo if anyone had a similar problem as you. If so, it’s more likely that it’s a Proton Pass problem, and maybe they have some tips.
b) import your Proton Pass export to another password manager (Bitwarden, original Keepasd), export it from there, and try to import this in KeepassXC. Though this might have a higher chance of losing some information, in the sense of metadata. If you go this way, don’t forget to make a fresh export of your Proton Pass account, in case you have changed something there in the meantime
How do I convince my girlfriend to stop using her safari password manager and migrate it to bitwarden? Is the password manager in Safari so unsafe that it’s worth the additional effort she might ask.
It’s not that bad, but tell her that she can set Bitwarden as the default option for auto-fill in the settings and everything will get automatically filled in, just like with the normal Safari password manager
Apple is releasing a more comprehensive password manager in the next few months, if she’s heavily in the apple ecosystem the switch could be pretty convenient
Obviously bitwarden or keepass would be great but this would be a bump up from being stored in a browser
Thanks for the update! I will keep an eye out
My understanding is that your GF will be using Apple’s KeyChain, which is pretty good except that it’s hard to look inside and manually edit. It’s not just in Safari.
The upcoming Password app is just a nice user interface to KeyChain. So no change to the functionality as such, but I think it’ll make a big difference to how it’s used.
it’s hard to look inside and manually edit
It’s actually pretty easy when you’re on a Mac. They bundle an app called Keychain Access, which lets you look at and edit everything.
Yes, that’s true. Keychain Access helps a lot.
My password manager is
mkdir ~/Account/some.domain cd $_ genpasswd | openssl some-cipher -k 'really strong encryption password' >pass.enc echo username >login#decrypt cd ~/Account/some.domain openssl some-cipher -d <pass.enc | xclip #paste in field xclip login #paste in fieldCouldn’t be easier, couldn’t be safer.
1337
Why?
Why would I use a password manager when this is much simpler and less error-prone?
Nothing about this is simpler than just using a proper password manager.
One must imagine skill issue.
I suggest looking at how many dynlibs your password manager links against and tell me it’s “simpler” again.
Replying to this pretentious comment for the sake of others reading this:
Run
history | grep genpasswdfor why this is not a good password storage solution. One must image skill issue.If you think the CLI is the cool kid way to go, use https://www.passwordstore.org/, but tbh I don’t recommend that either.
Using Proton Pass was a game changer to me , I don’t have to ignore the necessity to put a strong and complicated password for security reasons anymore, Proton generate it to me and stores everything ( so I don’t need to remember which password I set for which account ) But the bad aspects of cloud services worry me a little about this: the possibility of a security breach of the service, or the possibility of not being able to access it for any reason is a real disaster if it happens… so I’m thinking of exporting my passwords to another safe place for such cases.
even if their servers were compromised it’s all encrypted. it only decrypts on your end
You can export all your passwords to an encrypted and password protected file. I ocasionally back it up to a USB device so that I always have an offline copy available.
Still, one of these days I was logged out of my proton pass on Android and couldn’t connect to the internet. I was locked down.
so I’m thinking of exporting my passwords to another safe place for such cases.
I’m also using ProtonPass, and I agree it’s a game changer. I love the interface, the Android app is amazing and well integrated.
To not be locked in into ProtonPass in case of real disaster, once a month I export the ProtonPass data and import to KeepassXC in my local machine. It’s pretty easy, you just have to export to CSV, and import into KeepassXC, the interface will help you to map the CSV fields accordingly, and you will have a local accessible backup in case of disaster. Don’t forget to remove the CSV from your computer after importing to KeepassXC.
But the bad aspects of cloud services worry me a little about this
KeePassXC is entirely local.
Which creates issue with having to synchronize it between devices. There is always something to worry about :)
Don’t let perfect be the enemy of good.
Exactly, so use Proton :P
that’s nice soundbite, i am just saying you have to be realistic. if you are aiming at people who up until now had their passwords on post-it on the monitor, switching to tool where you need to come up with some synchronization system on your own might not be what convinces them.
I know , but won’t that affect my storage if I added +1000 password ?
Passwords don’t take up much space.
It shouldn’t take up too much space. My personal password file is under 2 KB, so for you it may be 1 MB at most.
unless your storage is a floppy disk, won’t be a problem
I actually considered sticking it on a floppy disk I have. It really is a wonder how Linux is able to recognize floppy disks immediately…
I’ve been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton’s best service.
It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.
Has a built-in 2FA and passkeys. Works great in the browser with proper auto complete, even for the 2FA code. Works fine on Android and password in both browser and applications get autocomplete.
Proton Pass can be used by everyone, regardless of their technical level, in every device. My mom could easily use this across all her devices. I’m told Keepass is fantastic but having it sync across all her devices would be challenging for her.
Most Proton services feel kinda underbaked but Proton Pass is excellent.
I’m a little miffed that 2FA support is a paid feature.
I’m using KeePassXC and have no intention of switching, plus I’m paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn’t be locked behind a paywall.If that wasn’t a scripted ad, you should go into sales.
I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.
I am very “passionate” about Proton Pass but don’t take me for a Proton chill, I have a lot of criticism about their other products.
I actually came here to echo this exact sentiment. I was on Lastpass until their first breach and then on Bitwarden both cloud and self-hosted until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying ProtonPass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can’t see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton’s suite of apps give Protonpass a try. You can easily import from Last pass/Bitwarden and use both to compare side by side.
I always recommend Proton Pass. A) because they have a forever free version and B) because hopefully they start looking into the whole suite in general and even if they don’t subscribe, they are more aware afterwards (hopefully).
i dont understand this post. like every browser has a password manager, why install some 3rd party you can even trust less?! am i missing something? doesnt safari have a password manager? is keepasscx really safe (CVE-2023-32784)? or bitwarden (https://blog.redteam-pentesting.de/2024/bitwarden-heist/)?
Bitwarden exploit was already patched. And required a domain joined PC with Windows Hello active, and the attackers already had access to the DC. Not exactly a large vector. Also enterprise PCs shouldn’t be using windows hello to begin with, IMO. Now if we look at CVEs affecting browser password managers, there are literally exploits for download on GitHub.
In-built password managers for browsers are straightforward to crack. Like… Terrifyingly easy. It’s much better to use something like Bitwarden, Vaultwarden if you don’t trust Bitwarden, 1Password if you really want the reassurance of paying someone for trust, or KeePass if you don’t trust anyone at all (I, personally, fit into this category).
show me an example of the firefox password manager being “cracked”. i mean i still sync them into my local nextcloud. @Dyskolos@lemmy.zip suggests it is cool to have your passwords in a file?!
doubt there is a scenario where using MORE services makes anything safer. Well maybe for Windows Users…but thats a dying species with the win11 crap.
so no. third party corpos…the worst.
With keepasscx YOU have the password-file. Period. You know what’s been done with it: Nothing, as it doesn’t phone home except update-checks. Which you can also disable.
With the browser-addon you’ll get the same result but with control.
