How do you manage your password? Advice and tips

Hi, there are many wise people on Ozbargain, so I wonder how you manage your passwords, which are required everywhere these days.
I have been slacking and use one password for most of my websites with a small alteration for different requirements, but more and more websites require you to change your password every three months or so.
How do you manage your passwords? Do you have any tips and advice? Does anyone use a password manager website/app, and what do you think about it? I suspect these websites/apps will consume much more time. What do you think?

Comments

  • +184

    Look up Bitwarden. It's an open source password manager with an option to use it for free. Generates and stores random passwords, has browser extensions and a mobile app too.

    • +4

      agree ^

      • No Dashlane users here?

        • I'm on Dashlane currently, I feel it's a bit better implemented than Lastpass and has some nice price tiers if you only want it on two devices.

          I know I should just be using Bitwarden, but have paid for the convenience thus far.

          Was on KeepassX for a few years, scared of losing my .key again..

          • +1

            @cydia9k: Bitwarden should be just as convenient as Dashlane?? You don't need to self-host Bitwarden if that's what you think, you can just install their apps and store all the passwords on their servers just like LastPass, Dashlane etc.

        • +2

          I use dashlane.

          Free version really sucks, limited to 1 app only; using it on a web browser, I have to literally copy and paste passwords so many times, and every time have to see the password to enter it into the phone.

          And limited to 50 passwords only !!!

          I just simply use the web browser to save frequently used passwords, like for education passwords.

          Bitwarden seems very weird to me, can't really understand how to use it, people say so much good about it but I personally honestly can't even figure out how to make it work,

          I created an account and after that it's been left blank because I don't understand a sh*t about Bitwarden.
          Dashlane on the other hand is so easy to get my head around, I would love Dashlane to increase their device limit to 2 and passwords to 100 for the FREE version

          Otherwise I am stuck with OneNote for storing passwords after that 50 password limit

          • @USER DC: Learn how to use bitwarden, it's not hard in the slightest. Try it again and see how you go.

      • +1

        +1 Bitwarden is great. For anyone wondering how password managers actually keep your passwords secure, this is a good watch: https://www.youtube.com/watch?v=w68BBPDAWr8

    • +7

      Bitwarden here too, my biggest challenge has been getting the wife onboard - that and my phone is crapful at reading my fingerprint which makes using the app a pain sometimes.

      I have for all my important services updated the password to a generated password.

      • +1

        I had to use one of the recent leaks (IIRC LinkedIn) to convince (scare) her to not use the same user/pass everywhere. Now she’s used to using BitWarden

        • +2

          I know the password she uses has been compromised too, I just ninja went and changed her passwords for the ones I know store banking / payment / personal information.

    • +2

      What happens if Bitwarden gets leaked/hacked?

      • +8

        Everything has a risk of being leaked/hacked, we can only try to minimize the risk. Being open source, bugs can be identified more easily by professionals and enthusiasts and hence fixed quicker.

        • +10

          In addition, the password vault is encrypted on the local device. Only the encrypted version is held by bitwarden. This means if they get hacked, your passwords would still be encrypted.
          Turning on Multi-Factor Authentication (MFA) on your bitwarden account is vital in keeping it secure too.
          They cover encryption here

      • +4

        The answer to that depends on what you mean by "Bitwarden gets hacked". If someone manages to guess/phish your Master password for BW, then they have access to all the accounts and passwords stored in your BW account. This is the nightmare scenario. It's very bad. However, thanks to the large number of other people who have had nightmares about it and worked on the problem, there are a couple of things you can do to protect against this:

        1. Make your BW password long and strong. Generate a random 6 word (or as many as you think you can remember) passphrase from BW and remember it (Don't save it in there, as it's not going to help you).
        2. Turn on Two Factor Authentication. Ideally you should use an app rather than email. This means that even if they manage to guess/phish your password, they won't be able to get in, unless they get access to your second factor. This gives you an extra layer of protection.

        If they manage to hack the BW server, then you are not necessarily compromised, but BW will likely force you to change your master password and recommend changing the passwords in your account as well, depending on the severity of the breach.

        • +1

          A far better (if inconvenient) protection is not saving the full password in Bitwarden

        • +12

          Assuming Bitwarden knows anything about security (which I think they do), as you've mentioned if you've got a super easy master password it'll be cracked within a few minutes (rainbow attack).

          However, there are a few things that lots of companies with good security implement to counteract this.

          1. Limit the amount of tries in a period of time.
          2. When hashing all passwords, they will salt it.

          So honestly even if you've got a really shit password (unless it's like 12345678) it takes a long time for an organisation to really "guess" your password. In saying all this, having a good password is ideal.

          What is a good password?

          It's not always "JKJHsW7752%81", it's actually better to make a password with words that are at random, for instance:

          "DanielBeersGucciMoronPurpleSunnyDentist" is impossible to crack (if the website allows you to have this long a password) but the added benefit of doing this is you can remember it easily.
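The two defensive measures named in this comment (attempt limiting and salted hashing) and its comparison of a 13-character random password with a 7-word passphrase are easy to make concrete. The following is an added example written for this page, not code from the thread or from Bitwarden; it uses only the Python standard library, and the iteration count, attempt limits, alphabet size and word-list size are illustrative assumptions rather than any real service's settings.

```python
"""Added example (not from the thread): how a service can store and check
passwords with a per-user salt and a slow hash, throttle login attempts, and
how the two passwords quoted in the comment compare in guessing entropy.
Standard library only; all numeric settings here are illustrative assumptions."""
import hashlib
import hmac
import math
import os
import time
from collections import defaultdict, deque
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Illustrative; a real service tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Store a fresh random salt alongside the slow hash. Because every user gets a
    different salt, two accounts with the same password get unrelated digests, and a
    table precomputed for one salt says nothing about any other account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


class LoginRateLimiter:
    """Sliding-window limit on login attempts per account (the comment's point 1).
    Only allowed attempts are recorded; a rejected attempt does not extend the window."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0) -> None:
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._attempts: Dict[str, deque] = defaultdict(deque)

    def allow(self, account: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        window = self._attempts[account]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()          # forget attempts older than the window
        if len(window) >= self.max_attempts:
            return False              # over the limit: the caller must wait
        window.append(now)
        return True


def random_chars_bits(length: int, alphabet_size: int = 94) -> float:
    """Guessing entropy of `length` characters drawn uniformly from `alphabet_size`
    symbols (94 = printable ASCII without the space)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Guessing entropy of `word_count` words drawn uniformly from a list of
    `wordlist_size` words (7776 is the classic six-dice list size, assumed here)."""
    return word_count * math.log2(wordlist_size)


def compare_thread_examples() -> Dict[str, float]:
    """The comment's two passwords: 13 random characters vs a 7-word passphrase.
    The passphrase figure only holds if the words were picked at random."""
    return {"JKJHsW7752%81": random_chars_bits(13),
            "DanielBeersGucciMoronPurpleSunnyDentist": passphrase_bits(7)}


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print("verify ok:", verify_password("correct horse battery", record))
    for name, bits in compare_thread_examples().items():
        print(f"{name}: ~{bits:.0f} bits")
```

Under these assumptions the 7-word passphrase comes out near 90 bits against about 85 for the 13-character string, which is the comment's point in numbers: length from random words buys as much as a shorter jumble of symbols, and is far easier to remember. The salt and the slow hash are what make a stolen password table expensive to reverse; the limiter is what makes online guessing slow regardless of the password.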

        • +2

          I see you've posted this reply a couple of times but will only reply here! Per your point (1) I would actually recommend you do install your BW password in BW itself. I'm pretty active helping out on the BW forums and subreddit and the number of times people forget their password whilst still logged in on one of their devices is crazy. Without having access to the BW password their only course of action is to MANUALLY copy and paste all the data out, delete the account and start afresh. If only they had the BW password saved on their logged in phone they'd be fine.

          • @zfa: Thanks, that's actually an interesting thought. I'd been working off the premise that everything gets locked, but as you say, I can log into the mobile app via fingerprint and sounds like that's pretty common so it would be easy to get in and find your password.

            I have actually stored my password in my wife's account (along with the TFA codes I think). That's more for her benefit though, in case she ever needs to get into my account. Short of a severe head injury, I'm not going to forget my master PW and I remember hers as well. I don't have my email address or even the fact that it's for BW saved with the PW, so it's not an immediately obvious risk for my account if her account is compromised.

      • Enable 2FA (preferably with an app, such as Duo) and choose a strong master password, and you become not worth the effort for the attacker.

      • +1

        If Bitwarden were to dump all their client databases tomorrow onto the web, good chance there won't be any issues. I'd even go as far as to say that their encryption methods are overkill.

      • For people worried about the Bitwarden host being hacked, it's definitely worthwhile to learn to self-host. The Bitwarden server component is very lightweight so even the lowest level VPS will work. Both Oracle's and Google's free tiers work like a charm. However as part of self-hosting you do have to learn to secure your own server (SSH, firewall, etc.) and take responsibility for taking backups.

      • There are a few approaches that need to be considered in your selection of a robust password app: both managing the risk of leaking or hacking as well as keeping a level of functionality & convenience, and a method of recovery if you have been hacked and denied access.

        1. Any password system that is stored on the software provider's servers is contained within a system that is just waiting to be hacked. This happens repeatedly, time and time again.

        2. Only ever save encrypted data files of your passwords. Word, Excel etc. are not good, nor is a little black book.

        3. Your master password needs to be secure to at least 3 to 4 random 6 letter long words. Yet another recent study found this method to still be quite secure:
          https://xkcd.com/936/
          https://xkpasswd.net/s/
          https://www.gizmodo.com.au/2021/08/three-word-password-metho…

        4. You need the app to work across all your preferred operating systems and platforms. Phone, laptop, tablet, Work PC, Work Phone etc.

        5. You need a cloud backup of the encrypted database in case your main OS or platform fails and data is not recoverable. Dropbox, Onedrive, etc, also with strong passwords. This enables you to still have access to all your passwords and swiftly change them if you think/know you have been compromised.

        6. Open source software has always had more eyes looking over it seeking out the bugs that inevitably occur.

        Then search for a password app/tool that meets these requirements.

      • Assuming you have the ability and skills required, you can self-host Bitwarden, either using the official packages or a consolidated alternative such as Vaultwarden (formerly bitwardenrs) running in Docker.

        I've been running bitwardenrs in Docker on my Synology NAS for a few years now, really happy and better peace of mind. Personally I'd never store my passwords, encrypted or not, on a cloud service.

        • But what if you are outside the country and need to access your banking and something happens with your Synology (or maybe a blackout)?

          • +1

            @CyberMurning: Put it on your own cloud, aka a VPS server. Both Google's and Oracle's free tiers will work. Oracle can be located in Australia for less latency. Google's one is in Oregon so latency is a little more noticeable

          • @CyberMurning: I won't go into details, but I have redundancy in place through a hybrid set up. Regardless, I think others have pointed out here that the bitwarden client caches on your local devices. Even in the event of an outage, any devices you were using will still be able to produce your passwords.

    • +4

      Bitwarden is what I use, you shall not (take my) pass (words)!

    • This is the best option by far, the only thing I'm hoping for is password expiry notifications.

    • This is what I use, I switched when LastPass got rid of the free plan. I have a 9 word password that doesn't make any sense, but it's easy for me to remember. Has spaces, upper case, lower case and a symbol.

    • +2

      For those wanting to self host, i run this version in a docker container on a home server: https://github.com/dani-garcia/vaultwarden

      Much simpler to run than the official one, and usable by all the official apps.

      • Thanks for this! I didn't know the renaming was happening. You've saved me some headaches down the line.

        • I only noticed the name changed after I pasted the URL here! Had to go back to my search and github to make sure I wasn’t going mad :-D

    • +27

      no more everyone goes to bitwarden

      • Why?

        • +39

          They nerfed the Free version of Lastpass earlier in February so that you could only use Lastpass on either a Mobile device or a computer, but not both at the same time.

          LogMeIn (the parent company of Lastpass) also jacked up the price slowly over the years. It started off at a very reasonable $12 US/yr in 2017, then doubled to $24 in 2019.

          18 months later, they increased the price again to $36/year. No additional features were added with each price increase, so consumers were basically paying more but not getting anything extra in return.

          Bitwarden would give you the most important features of a password manager for completely free with no restriction on the type of devices you installed the apps on, so there was a mass digital exodus of people moving from Lastpass to Bitwarden a few months ago.

          • @scrimshaw: Bitwarden is Goated PWM

          • @scrimshaw: Oh yeah, just noticed I cannot do the security challenge any more…👎

          • -6

            @scrimshaw: Lastpass is still free, just a cost if you want to use the app as well. Minor hassle having to log into the webpage to use it on mobile, but less hassle than switching to bitwarden for me.

            • +15

              @md333: Less hassle? I did an export from Lastpass, and imported it straight into Bitwarden. Took two minutes, and everything just worked.

              • @mjdau: Good to know it is that easy, I might give it a go.
                I spent about an hour researching options and decided not to bother, never really liked the way lastpass worked on mobile either, so going back to web only as it used to be doesn't seem like much of a downgrade.
                Admittedly their webpage is really crap on mobile, to the point I suspect it is deliberate.

              • +1

                @mjdau: Same, I expected to have issues after exporting/importing and that I would eventually pay for Lastpass for the convenience. Turns out the transfer was flawless and I've found Bitwarden actually works more reliably.

                I use it for Android, ipad and PC, so free Lastpass wasn't an option I was interested in. I use 16 character passwords with upper case, lower case, numbers and symbols, stuffed if I'm typing those in when I need my password (some things require password every time).

        • Because I don't trust my passwords with people who enable remote access.

    • +1

      Same, free LastPass (current) works for my needs. Interesting that you got downvoted for a straightforward answer. This discussion introduced me to Bitwarden, looking forward to jumping on to it when they improve their UI.

    • +1

      Yeah I use LastPass. Does a great job

  • Honestly, I don't bother with any password management websites/apps. I don't see a need for them because I remember all my different passwords without any problem.

    • +1

      How?!

      • +9

        He must be using the trick I read long ago. For example, for Yahoo you would use johnkimbleyahoo,
        for OzBargain = johnkimbleozbargain.

        That is the main idea; of course you can make it complicated, like instead of johnkimbleyahoo you make it johnyahookimbleyahoo or oohayjohnelbmik.

          • +4

            @CrispyChrispy: impossible that you can remember unique random 8-10 digit passwords with numbers and special chars for 15 different sites.
            And how about the rest? Same pass? Then you are not managing passwords properly, 100%.

            Well, if you are one of the geniuses in the country then apologies

            • +5

              @CyberMurning:

              unique random 8-10 digits password with number and special char

              Those are rookie numbers.

              256 characters or GTFO (or whatever the longest password that the site allows for)

            • +1

              @CyberMurning:

              impossible you can remember unique random 8-10 digits password with number and special char for 15 diff. sites.

              People can memorise the order of multiple randomised card decks, pi to loads of digits and even the entire Quran. I'm pretty sure someone can manage a measly 15 passwords.

              • +1

                @Scrooge McDuck: Yeah especially if it’s just a specific keyword and the numbers 1-15 tacked onto the end…

        • +1

          This is awesome

          • @dmbminaret: you want more complicated? Convert the yahoo bit from my example above into numbers: a = 1, b = 2, ... z = 26.
            But yeah, it will take time.
            And some other ways I can't remember

        • +2

          Lady at work does it more confusingly... hers today would be August 2021... then changes it each month

        • I do something similar to this, just with a more complicated format with numbers and special characters. For anything that I am extra concerned about the security (i.e. email) I have 2FA turned on.

          Then there is a bog standard password I use for things where I don't care about security (i.e. some random website that contains no personal information).

        • +4

          One or two breaches would potentially provide enough data points to reverse engineer your other passwords.

        • I do a version of this so it's easy to remember all passwords based on the site I am on. I do not use the site name itself but I have a combination of a variable prefix based on the site name, a fixed random string then a variable suffix based on the site name. Works well and I get high security scores in password checkers.
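Several replies in this branch describe the same scheme from different angles: a fixed personal string plus a site-dependent part (the site name, the name reversed, or its a=1..z=26 encoding), sometimes with a counter on the end, and the warning that one or two breaches expose the pattern. The check below is an added example written for this page, not code posted by anyone in the thread: a password-policy style test that flags a new password visibly built from the site name, and a reviewer's check that, given a person's passwords for several sites, reports the stem they share. All function and variable names are this example's own, and the sample passwords are the thread's own illustrations plus constructed ones.

```python
"""Added example (not from the thread): flag passwords derived from the site
name (plain, reversed, or a=1..z=26 encoded, as described in the comments) and
spot a stem shared across sites. Names and sample values are this example's own."""
import re
from typing import Dict, List, Optional

# Common character swaps, undone before matching so "y4h00" still reads as "yahoo".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lower-case and undo the usual digit/symbol-for-letter substitutions."""
    return text.lower().translate(_LEET)


def letter_number_encoding(word: str) -> str:
    """The a=1, b=2, ..., z=26 trick from the thread: 'yahoo' -> '25181515'."""
    return "".join(str(ord(c) - ord("a") + 1) for c in word.lower() if "a" <= c <= "z")


def site_derived_reasons(password: str, site_name: str) -> List[str]:
    """Return every way `password` visibly embeds `site_name`; empty if none.
    Suitable as a set-password check: any hit means the password leaks the pattern."""
    name = site_name.lower()
    norm = normalize(password)
    reasons: List[str] = []
    if name in norm:
        reasons.append("contains site name")
    if name[::-1] in norm:
        reasons.append("contains reversed site name")
    encoded = letter_number_encoding(name)
    if encoded and encoded in password:
        reasons.append("contains a=1..z=26 encoding of site name")
    return reasons


def residual_stem(password: str, site_name: str) -> str:
    """Strip the site-derived parts and any trailing counter; what remains is the
    fixed part the user carries from site to site."""
    name = site_name.lower()
    stem = re.sub(r"\d+$", "", password.lower())   # drop a trailing counter such as ...12
    encoded = letter_number_encoding(name)
    if encoded:
        stem = stem.replace(encoded, "")           # must run before digits are normalized
    stem = normalize(stem)
    for form in (name, name[::-1]):
        stem = stem.replace(form, "")
    return stem


def shared_stem(credentials: Dict[str, str]) -> Optional[str]:
    """Given site -> password for one person, return the stem all passwords share,
    or None if they are unrelated. A shared stem means one leaked password
    reveals the rest, which is the breach risk raised in the thread."""
    if len(credentials) < 2:
        return None
    stems = {residual_stem(pw, site) for site, pw in credentials.items()}
    return next(iter(stems)) if len(stems) == 1 else None


if __name__ == "__main__":
    # Constructed examples: the thread's own illustrations plus two unrelated strings.
    for pw in ("johnkimbleyahoo", "oohayjohnelbmik", "johnkimble25181515", "Tr0ub4dor&3"):
        print(pw, "->", site_derived_reasons(pw, "yahoo") or "no site-derived pattern")
    print(shared_stem({"yahoo": "johnkimbleyahoo", "ozbargain": "johnkimbleozbargain"}))
    print(shared_stem({"yahoo": "bV7!kq2Lm", "ozbargain": "Zr4$pw9Ht"}))
```

`site_derived_reasons` is the check a site could run when a password is set, and the reversed and encoded forms show why cosmetic scrambling does not change the verdict. `shared_stem` is the view an attacker gets after a breach and the one a defender should assume: once two of a person's passwords are known, the fixed part is obvious, and the other sites' passwords follow from the site names.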

      • Use pass phrases that are memorable keyed off the website as a memory trigger. I use a password manager for some of the less important stuff like forums, would never do so for anything important.

    • +14

      He uses password, password1, password2, etc

    • +8

      Bad idea. If one of the websites you use gets hacked and you used words or words with numbers in it or words with @ replacing a etc it will be easily cracked. Then if there is an easily identifiable pattern they can then get into any other website you use that pattern on. You need to use random strings of characters and numbers so even if someone hacks a website they are unlikely to crack your password (unless the site uses weak encryption), and even if they do there is no way to guess any of your other passwords. You can't possibly remember passwords of random characters and numbers so you need a password manager. And no, you don't want to store them in your email or on a notepad file. Or in your browser.

      • +1

        Agree, it isn't a good idea to store them anywhere, I'm aware of the potential security risks word-with-number passwords impose against passwords that are just a random string of characters. I should probably change my passwords to random strings soon.

      • Do you think that using random words/passphrase along with replacing letters with characters is easier to hack?

        Honest question.

        • Depends how many words. If a couple of truly random words then it is probably fine. But replacing letters with other characters does not make your password any harder to crack; a dictionary search takes care of all typical replacement possibilities.

          • @Quantumcat: Interesting. Thanks!

            • @Cherry12: Length is really your best friend when it comes to passwords. The longer the better (with some caveats). As Quantumcat says, swapping letters for numbers etc doesn't add any practical level of security.

    • +1

      Please help me remember my 400+ passwords.
      Not including the ones I have memorised, and not stored in a pw safe, like banking etc…

      • -1

        You break it up into categories. While things like password safes shouldn't be used for critical stuff like banking, they are fine for web forums and less important things. That way you don't have to remember 400+ passwords, just a handful of the most critical ones.

    • Nice work dude, I can't even remember the person I just met at a party or my OzB purchases. Items just magically appear at my door :D

    • Congrats. Either you use weak passwords, or you are re-using passwords, both of which are less secure than having strong passwords in a decent password manager.

  • +9

    I used LastPass, then moved to Bitwarden.

    Lastpass is more user friendly, but Bitwarden can do it all, you just have to dig in the settings for the same features.

  • +2

    I know this is bad, but I store them saved in chrome.

    I am ashamed. My question on topic is while using bitwarden (or whatever) will it populate your sign in fields automatically like chrome does? I tried it out once, but seemed to be a few extra steps to log in to a site.

    • +4

      You need to sign in to your Bitwarden first, then click a button and then it will populate.

      well yeah, more safe = more steps.

      • +4

        you can also have it as always logged in for bitwarden.

        • A bit unsafe, so that makes it exactly the same as the Chrome password manager then? I.e. when you forget to lock your PC someone can sit down and have access to everything

          • +2

            @CyberMurning: Depends on how you use your computer. I always WINKEY+L each time I leave my desk. Good habit, and it always auto locks after 5 mins of inactivity as well.

      • If a hacker can hack your Bitwarden PW, am I right to assume they will have access to all your PWs?

        • +4

          The answer to that depends on what you mean by "Hacks Bitwarden". If they manage to guess/phish your Master BW password, then yes, they have access to all the accounts and passwords stored in your BW account. This is the nightmare scenario. It's very bad. However, thanks to the large number of other people who have had nightmares about it and worked on the problem, there are a couple of things you can do to protect against this:

          1. Make your BW password long and strong. Generate a random 6 word (or as many as you think you can remember) passphrase from BW and remember it (Don't save it in there, as it's not going to help you).
          2. Turn on Two Factor Authentication. And you should turn this on anywhere it's possible, but at the very least for your password manager and main email account. Ideally you should use an app rather than email. This means that even if they manage to guess/phish your password, they won't be able to get in, unless they get access to your second factor. This gives you an extra layer of protection.

          If they manage to hack the BW server, then you are not necessarily compromised, but BW will likely force you to change your master password and recommend changing the passwords in your account as well, depending on the severity of the breach.

          • +2

            @moar bargains: Many thanks for the detailed reply. I'll give BW a go!

            • +1

              @Ashless: No worries! Plenty of people around Ozbargain or other places on the web who will be happy to help out if you have questions :)

          • @moar bargains: For Step 2 make sure you have a recovery password for your 2-factor app. If you lose access to the app (eg phone breaks), recovering all the 2-factor things won't be possible. If you have a recovery password and write it down and put it in a safe or something then you'll be able to recover it.

            • @Quantumcat: Yep I have them backed up. I'm thinking of starting a thread about this though to see what others do.

    • +1

      It will, you just have to dig in to the settings. "Enable Auto-fill on Page Load" in Settings->Options.

    • +9

      There's a risk with password managers autofilling passwords when a page is loaded. It's probably better to fill in the password with a trigger (mouse click, keyboard shortcut, etc.).

      For Bitwarden, you can also do Ctrl-Shift-L to auto-fill the password on the current page — your hands don't even need to leave the keyboard.

      • +1

        For Bitwarden, you can also do Ctrl-Shift-L to auto-fill the password on the current page

        Mostly using mobile tho

        • It usually pops up the little login box when it detects a username/password field, and you just tap on it, log in with fingerprint and tap the credentials you want to use.
          For desktop as scotty says, it's three keys to log in, and then you're on your way.

      • Ooooh this is a tip I didn't know. Cheers!

      • For Bitwarden, you can also do Ctrl-Shift-L to auto-fill the password on the current page — your hands don't even need to leave the keyboard.

        Underrated tip right there! Scotty MVP

    • Don't have them saved in your browser. If someone installs a RAT on your computer through malware they could access them, same if someone accesses your computer physically while you are logged in.

    • Random pw stored in Chrome is not the safest but better than most - as long as you have 2FA to secure your Google/Chrome account too

  • +11

    Post-it notes.

    • +2

      under the keyboard to keep it secure
