Hi there are many wise people on Ozbargain, so I wonder how you would manage your passwords, which is required everywhere these days.
I have been slacking and use one password for most of my websites with a small alternation for different requirements, but more and more websites require you to change password every three months or so.
How do you manage your passwords? Do you have any tips and advice? Is there anyone use a password manage website/app and how do you think about it. I suspect these webiste/app will consume much more time. How do you think?
How do you manage your password? Advice and tips
jowu15 on 18/08/2021 - 16:33
Comments
This could never work for me… Just too much time "decrypting" my own password. It's better to have a software for that… 😴
Bitwarden is pretty good.
That's a massive waste of effort when there is free secure software that will do an even better job
I use an app called KeePassium on my phone but it seems like Bitwarden and Lastpass are more popular!
Looks like Lastpass is losing popularity
Me too. Big fan of KeePassium!
I'm always concerned with password managers, if it gets hacked, they have everything.
nope, they said something like they only store encrypted stuffs… cant remember the correct term….
https://bitwarden.com/help/article/security-faqs/and
Bitwarden uses AES-CBC 256-bit encryption for your Vault data, and PBKDF2 SHA-256 to derive your encryption key.
Bitwarden always encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. Bitwarden servers are only used for storing encrypted data. For more information, see Storage.
Vault data can only be decrypted using the key derived from your master password. Bitwarden is a zero knowledge solution, meaning you are the only party with access to your key and the ability to decrypt your Vault data.Not having seen one once you log in, are the passwords ***'ed out or are they viewable?
They are ****'ed out but there is a button you can press to see them.
The risk is the computer be hacked or used by someone else when the password manager is unlocked.
Just setting up the auto-lock after some time (and closing the browser) should reduce the risks.
Password Safe, the FBI complain that there is no back door and the encryption is too deep for Brut Force programs.
As I said in another couple of comments:
What happens depends on what you mean by "Bitwarden gets hacked". If they manage to guess/phish your Master password for BW, then yes, they have access to all the accounts and passwords stored in your BW account. This is the nightmare scenario. It's very bad. However, thanks to the large number of other people who have had nightmares about it and worked on the problem, there are a couple of things you can do to protect against this:
- Make your BW password long and strong. Generate a random 6 word (or as many as you think you can remember) passphrase from BW and remember it (Don't save it in there, as it's not going to help you).
- Turn on Two Factor Authentication(bitwarden.com). And you should turn this on anywhere it's possible, but at the very least for your password manager and main email account. Ideally you should use an app rather than email. This means that even if they manage to guess/phish your password, they won't be able to get in, unless they get access to your second factor. This gives you an extra layer of protection.
If they manage to hack the BW server, then you are not necessarily compromised, but BW will likely force you to change your master password and recommend changing the passwords in your account as well, depending on the severity of the breach.
Give you a good trick.
Allocate a word to every letter of the alphabet.
Name of the website. For month 1 use first character of website and your unique word. Scramble the word to substitute "i" with 1 or !. Second character is capital. S substitute for 5 etc.
Therefore you will have a unique password for every website. If it gets hacked you know exactly which website just looking at the password.
14unot2c
post it notes FTW!
handy for checking how good your password is… https://www.useapassphrase.com/
handy for checking if your email has been part of data breach… https://haveibeenpwned.com/I became aware that my main email address was pwned years ago. I was going to get a new one but then I thought, so what? So what?
yeah my yahoo is like that so i create a new gmail and change all the important webs pass (ie banking) to this gmail.
still keep the yahoo for unimportant stuffs
I use KeePass, open source, very light weight. Open using a Master key, everything's is encrypted with the most powerful methods currently known (AES-256, ChaCha20 and Twofish).
Highly customisable you can can get it to autofill with one click. There is a notes space in the entry where you can keep details about that login. You can merge separate databases into one, delete duplicate entries etc.
Does keepass work on android ok?
Yes. No "official" app but - I personally use Keepass2Android. To enter passwords, has both an accessibility auto-fill option or a custom keyboard.
Both myself and the missus pretty happy with it.
I did try BitWarden, and whilst there was probably some ingrained processes from KeePass, I thought that the vault management was a bit opaque for my liking. With KeePass there is a kdbx file that contains your passwords. BitWarden connects to either your own implemented server (i.e. BitWarden RS) or BitWardens cloud server which contain your vault.
I second that, Keepass2Android is awesome.
yep, with drop box sync,
doesn't have a great interface for browsers, also i think newer versions aren't as secure
Been using Keepass for years. Must be one of the best Password Managers available. Synchronises With Windows and Android using Google Drive and dropbox The Master key function is great. Can also make up a portable version which stores the password file on a memory stick… Not the most beautiful interface…. but it works so well.
+1 on keepass too
I store my master database in the cloud with a 40 character long password.
Make sure your master password is long but easy to remember. -eg "I like to drink water in the morning"
I was wondering when KeePass was going to get mentioned. I've been using it for years. Yep, the interface isn't the prettiest nor the slickest, buy at the same time, it ticks all the boxes for being open source, secure. I also control where the master database resides. I use it on all my devices. There are front ends available for every OS I've ever used.
Not what I would recommend for someone who isn't particularly tech or security minded because it might turn them off… But if that's your thing, then it's perfect.
I'm also a user of KeePass, have been happy with using it for years. Use it to store all sensitive information.
I use Google password manager for less sensitive account logins
+1 Keepass
On Android I use Keepass2Android Offline.
I store my kdbx file in google drive, so it is available across all my devices.
I have backups of the file in USB sticks, work, bunch of places.
Also using KeePass for many years, been great.
Though recently switched to KeePassXC version for better YubiKey - Challenge Response Hardware Key Support used along side a Master Password, with 2 YubiKeys setup to work (1 x NFC USB for android support//portability/flexibility and 1 Nano for local PC, having both is good just in case one fails).
For Android I use Keepass2Android synced via Dropbox, with NFC driver installed so I can Tap my NFC YubiKey.
Works great, and sync's well so far.
Now to setup YubiKey on what ever else I use that supports it, also I agree I wish banks supported YubiKey!
when yubikey price gets down a bit more, i will be getting it.
too bad banks in australia think sms code is secureI have 2 Yubikey but it only works on maybe 2% of the many sites I have passwords for and even there it's been a pain in the arse.
too bad banks in australia think sms code is secure
Absolutely this. One of my pet peeves. MyGov too. I wonder what it's going to take to get them to realise that SMS TFA is not that great!
They don't think it is great at all, It is simply the highest bar that many users are willing to accept and it is better than nothing at all.
Yeah I can understand why they do it, but it's not an either/or scenario. They could use SMS by default, and enable app based TOTP for those of us who want to use it. I imagine the reason they don't is down to cost. But surely the marginal cost of TOTP is not that much more than SMS?
At least Macquarie has a slight lead in this regard, where you can get an SMS by default or use their (separate) app to generate the codes. I don't want to have to use another app just to generate codes for one bank. Let me import it into my other TFA app! Citibank also allows you to generate codes from within their mobile banking app, which seems to me like a sensible solution if you're not going to allow importing into 3rd party apps. Pity that Citi's UI/UX is atrocious.
@moar bargains: I imagine sooner rather than later all of them will move to better MFA. However the reality is while SMS is horribly weak overall it is actually very effective for anything but advanced attacks specifically targeting you, it will actually protect the average user from the vast majority of attacks that would compromise them.
Or ING who think a 4-6 digit pin is all you need to protect online banking…
Use your close friends name and their complete street address
so we can't "necro" relevant post, but we can basically post same question later..
another vote for bitwarden
Strange. I never logged in, but I just got an email from bitwarden saying my account may be compromised. Searched the IP address to Indonesia.
I went and changed master password and enabled 2FA while logging out of all devices, but it says log ins may remain open for one hour.
Don't think I'll keep using that.
Keepass looks pretty good and the android app keepass2android seems good.
I just use the same "password$123" password everywhere. Easy to remember.
Which bank are you with? Just asking for a friend…
I change them often. Still can't find a good secure one. All my accounts at all banks I tried were hacked. Obviously banks don't do a good job at developing secure websites these days!
i dont think they hack the bank. seriously if it is then we will see it on the news.
it must be from your side.
probably get new laptop for legitimate usages :)Obviously banks don't do a good job at developing secure websites these days!
Not sure if serious…
If serious, it's not the bank being hacked - it's an site account of yours elsewhere getting credentials leaked and then guess what: you've used the same password for your bank.
@Chandler: not that i know much but my elderly parents only have email and net bank account, both passwords were differentand followed the usual safety rules, bank account still got hacked (by some guy using win 7 apparently). They seem to do it through paypal which my parents dont even know exists.
@Chandler: nah, just trolling. I'm using LastPass. Everything was fine until they've decided to charge for using it on different device types. I've got access to a free 1Password through work, but too lazy to migrate over, so still using LastPass but need to get to a laptop when I need to get a password on a phone.
1Password with Dropbox Sync
This
+1 for Bitwarden!
I have been using Bitwarden for a few months now. Despite all the security built into it, I am yet to save my online banking credentials in it. My inner voice keeps telling me not to do it. 🙂
Keen to know if others feel the same way or whether you store your banking credentials in password managers.
I am yet to save my online banking credentials in it. My inner voice keeps telling me not to do it.
Agree….
yes agree
I take the contrary view. I figure BW is not likely to be the weakpoint in the chain between me and a bank that forces me to use a 4 digit pin as a login (Looking at you ING!). Even with the others that allow regular alphanumeric (and occasionally special characters) passwords, a randomly generated one is going to be better than one I can remember.
I remember having to cover the screen like a weirdo too.
The issue is not really BW itself, it is the single point of compromise it brings in for your accounts. So for example you might unlock BW to access OzBargain, but by doing so you have unlocked it also for your bank, so a compromise of your machine exposes your banking details even though you didn't unlock to access them. for this reason I use password managers only for less critical stuff (my personal choice is keepass)
Yeah fair comment.
What's the alternative though? Given that the only secure password is one you can't remember i.e. completely random, shouldn't the most crucial accounts also have the strongest passwords, which would suggest a password manager? Also, if your machine is compromised it doesn't really matter if it's stored in a PW manager would it, because a compromised machine may have a keylogger, in which case they've got your password anyway?Not trying to be argumentative or start a flame war or anything, just genuinely interested in your perspective. It's something I've thought a lot about, and previously didn't store my banking passwords in Lastpass (as I was using at the time).
Obligatory XKCD (perhaps not the one you expect)
@moar bargains: It isn't really true that the only secure password is one you can't remember. A password just has to be secure enough that it can't be guessed from patterns or brute forced. A password manager is weaker than a good strong password that you can remember, but better than reused or weak passwords. The thing about your machine being compromised, with a password manager they get everything immediately, with remembering them they only get what you have used so you get more time to realise the compromise and less of a blast radius of impact.
For instance in the corporate world one of our recommendations is never store critical system passwords in password managers and safes (even the enterprise ones), They are written down and stored in a safe (in some cases broken up and parts stored in seperate safes), storage of the password electronically means it is open to attack or compromise via various means, for most people though this is not an issue and a password manager is better than their usual poor password hygiene. But if you can remember a good strong unique password/passphrase then you should do so for things like banks.
I use Safe In Cloud, and Firefox to remember my password. I have so many accounts and different password is difficult to remember them all.
For all the people using the same password for everything, that's not a smart decision.
why still using FF if you have pass.manager?
Password Safe, has ports for Windows, Linux (Password Gorilla) Android and Mac, can be run from a flash drive, I email myself the database file so I can easily update the devices I use it on.
Has never been amongst the password programs that were found to have a back door or were easily de-encrypted.
Use the option to create complex passwords when creating an entry.
Don't rely on your browser to store passwords, it has complicated and annoyed me too many times.
They are a complete nightmare… my now phone sets up fingerprint access.
Look into fingerprint access, where you are simply required to conduct a fingerprint scan.
This works for the Govt Check In, and all other accounts on your phone, banking, etc.
yes I agree they are nightmare. I tries to use fingerprint/FaceId, but my laptop cannot use these
I use 1password, for the stuff that needs protecting, like PayPal, Apple and the like. For any others, like OzBargain etc: I use my browser.
ING Direct dooesn't even have passwords. How does it go - account number + access code entered on a virtual keyboard. Security codes sent to your phone.
It has a client number (not account number), plus access code (like a PIN).
Ordinarily the fact that ING has only 4 digit access codes (maybe they allow a few more digits, can't remember now) would be really, really bad, but they aggressively lock out accounts that are being brute-forced (or where users have forgotten their code). https://www.troyhunt.com/banks-arbitrary-password-restrictio…
I'm always confused with these password managers. What happens if the password manager is hacked? Wouldn't they then have access to every password along with a list of where to use each password?
Yep, that's certainly one scenario. But the idea being a password manager should be far harder to crack. It should be employing class leading levels of encryption.
I suppose you could use an analogy of all your keys stored in a massive, secure bank vault. The idea is it would be very difficult to get through it.
The bank vault analogy is only partly true. It is like a bank vault that you leave the door open to half the time, hackers don't need to break the vault, they just need to wait for you to access OzBargain or whatever other item you have stored then they can ransack the vault for valuables. password managers are only as secure as the end system you are using them from so it really doesn't matter whether you have AES 256 bit encryption with a 40 character complex master password as this is not what they will be looking to break.
The alternative is using weak enough passwords to be remembered on every site. If any one site gets breached and passwords leaked then your weak password for everything is public. This way there's only one service you're worried about, not all of them.
Notepad or post it notes are much safer
I use 12345 for everything. I know I won't forget it because it's the same combination I have on my luggage.
They would only get an encrypted version of your passwords. Your data is encrypted on your device.
But with one of them mentioned on other page, you can cilck a button once logged on and all your passwords come up…
This is what I cant get my head around
I read somewhere edge is more secure than chrome, and if you feel bitwarden is bit of a job for you, i think edge is a good option. There are other secure browsers too but I prefer edge these days.
I write my passwords in a book
I take it that I'm one of the minorities using Dashlane…
Been Using Keepass for a long time. it is open source and able to sync dropbox, gdrive etc.
Bitwarden is good.
I'm a bit cagey about using randomised passwords for critical things, like banking/gmail so am happier to just remember a one off password for those.
But for everything else - password manager all the way.
It just makes life so much easier, hundreds of different accounts all over the web and they are all long uncrackable randomised passwords.
I use LastPass Premium and generate 30 character passwords for each site
Have used LastPass Premium for the last couple of years
I'm using StickyPassword.
How do you manage your passwords? Do you have any tips and advice?
Choose something simple so you don't forget…
KeePass for me. Open source, DB kept in Google Drive and automatically gets updated using an app. No one has ownership of your passwords but yourself, not even encrypted.
not even encrypted.
Google owns a copy of your encrypted DB since:
DB kept in Google Drive
True, but that's your decision as a user. You can keep it as a local copy, I know the encryption is a "good enough" solution for me to be able to sync it via mobile.
I use Passwords on my iPhone settings. It will autofill my details for saved websites using my FaceID and will also propose suggested passwords for new accounts and automatically save them and be accessible across all my devices. I also enable 2FA where possible.
Apple Keychain
KeePass + Dropbox
what dropbox for
Probably to sync desktop+mobile or for recovery.
I remember them all.
Anyone have experience in how to move from one password manager to another? I use Roboform and I don't like it very much but the 100+ passwords in it make me not want to switch.
Instructions for importing passwords into bitwarden are available here. The instructions state to export passwords from roboform into csv and import into bitwarden.
Other password managers will have similar instructions. Make sure you delete the csv file after use.That is handy, thanks!
copy paste:
Come up with a simple rule to adjust passwords to each site. No one wants to memorize dozens of unrelated passwords, but reusing the same one is even worse. One compromise is to start with one "base password," then adjust it with a rule based on account-specific info such as login name or site name.This is not secure if someone is targeting you personally, but it's an easy way to memorize passwords that should survive mass cracking attempts (when hackers are targeting the service's database).
For example, let's say your base password is RoM4,5zi,. (You can start with something easier to memorize, but that can make your "rule" more obvious if one password is compromised.)
Let's say your rule is "Add the second, fifth, and sixth letters of your login name to the front of your base."
On website 1, your login name is "MechaBob." The 2nd, 5th, and 6th letters are eaB, so your password for this site is "eaBRoM4,5zi."
On website 2, your login name is "RobertMarshall," Your password here is "ortRoM4,5zi."
hmm but how to remember the username? same for everysite? what if the user is email?
not so good