It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and it’s a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
But I wanna tell people my master password to my pw manager. It’s such a fantastic password that no one could ever possibly guess I would have. I wanna gloat.
is it possible to sync keepassxc between computers + phone?
Yes. The easiest/most reliable is Syncthing. Yet there’s the online component, which is inherently vulnerable. Depends on how paranoid you are.
You can lock your password database with a key file (this is a standard feature in KeePassXC) and transfer the key file once between devices via sneakernet (microSD or USB drive). That way even if someone intercepts your database file, AND knows your password, it is still virtually impossible to crack. Should be a good enough solution, unless you are quantum-tier paranoid.
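To make the two-factor point above concrete, here is an added example (not from the thread or from KeePassXC) that models how a KeePass-style database combines a master password and a key file into one composite key: each factor is hashed on its own, the hashes are concatenated and hashed again, and only then is the slow key-derivation step applied. PBKDF2 stands in for the Argon2/AES-KDF transform real databases use, and the password, key-file bytes and salt are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample inputs (not real credentials): a master password and the
# raw bytes of a key file, as KeePassXC can generate for a database.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = bytes(range(64))  # 64 constructed bytes standing in for a key file


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each unlock factor separately, concatenate the hashes in a fixed
    order, and hash the result. Leaving the key file out simply drops its
    hash, so the password-only and password+key-file results are unrelated
    256-bit values: knowing the password alone does not get you the key."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def stretch_key(composite: bytes, salt: bytes, iterations: int) -> bytes:
    """Slow key-derivation step (PBKDF2-HMAC-SHA256 as a stand-in for the
    database's real KDF so the example runs on the standard library alone)."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def unlock_attempt(password: str, key_file: Optional[bytes], salt: bytes,
                   iterations: int, expected_key: bytes) -> bool:
    """Defender's view of an offline guess against a leaked database file:
    the attempt succeeds only when both factors are right. Constant-time
    comparison avoids leaking which bytes of the key matched."""
    candidate = stretch_key(composite_key(password, key_file), salt, iterations)
    return hmac.compare_digest(candidate, expected_key)


def demo(iterations: int = 100_000) -> Dict[str, bool]:
    """Derive the real key, then try three unlock scenarios against it."""
    salt = b"constructed-database-salt"  # constructed; real files store a random salt
    real_key = stretch_key(composite_key(MASTER_PASSWORD, KEY_FILE_BYTES), salt, iterations)
    return {
        "password_and_key_file": unlock_attempt(MASTER_PASSWORD, KEY_FILE_BYTES, salt, iterations, real_key),
        "password_only": unlock_attempt(MASTER_PASSWORD, None, salt, iterations, real_key),
        "password_wrong_key_file": unlock_attempt(MASTER_PASSWORD, b"\x00" * 64, salt, iterations, real_key),
    }


if __name__ == "__main__":
    print(demo())
```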
That is actually a good idea. I’m not using one rn as I only manually transfer it. Might be worth considering. Thanks
Syncthing has worked well for me between 3 devices (Linux, Android, Windows). I’ve had one conflict in 6 months and it was easy to identify the right copy to select in KeePass’s prompt since the more recent one was a larger file.
Syncthing also provides optional version control which makes backing up easy.
I have it synced across 4 computers and my phone. You just need a central repository. For that I use Nextcloud. I suppose you could use OneDrive, Google Drive, Box, Syncthing, or something else though.
A long time ago, I used Syncthing to do this. Sometimes there would be file conflicts, which was a pain to resolve, so I switched to BitWarden (using their server for syncing) and have been using it ever since.
tbh I just keep the master version on my computer and physically transfer it to my phone every so often. I try to avoid using too many password-requiring services on my phone.
I used to do this, until I started using Syncthing.
I only add password entries on my laptop, then sync the file directly to my phone using Syncthing to avoid conflicts.
Yes, but it’s a bit involved to automate it. KeePassXC has a less technical recommendation here
I’d be open to using a pw manager, then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other is, various issues, etc. It doesn’t make me feel like taking action if everything feels sketchy.
I just tried the free option (bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for the Proton Pass since Authy has fucked off a cliff.
What happened with Authy? (As someone who uses it)
I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We have been using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.
Been using Bitwarden for a couple years now…
No regrets
Is there a password manager I can use across iOS and Windows?
Pretty much any of them.
1password
Bitwarden
So is it bad to store my 2FA backup codes as notes in those same logins’ Bitwarden entries?
It depends on your threat model. It does mostly reduce the benefit from 2FA, but you are probably still very safe if you use a random password per site. I mostly use 2FA when forced (other than a few high-value accounts) so I don’t worry about it. For most people having a random password which is auto-filled so that you don’t type it into the wrong site is more than sufficient to keep themselves secure.
I do this too. I would need them if I lost my phone, so bitwarden/keepass is a good place for them to be.
I think it is less secure though since someone who somehow has the unencrypted vault without your 2FA device could get in with the codes - but if someone cracks my master password I’m screwed in a whole bunch of ways so I’m not sure it matters too much at that point.
What’s wrong with a password manager built in the browser?
Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.
- No more password reuse, per site random passwords.
- Auto-fill reduces the chance that phishing attacks work, because you get suspicious if the password doesn’t auto-fill.
- Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.
I think these are the two biggest benefits and every browser password manager will accomplish both.
This is what I do: I use my browser to store all my randomly generated passwords. If I ever need them on my phone I either sync or go to my desktop and view the password and type it over.
That’s what I’ve resorted to, but I only use Firefox because it has a master password.
Chrome has no master password so what stops any fool from stealing your passwords while you’re taking a piss, I don’t know.
Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than they’re worth in my estimation.
You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don’t know about Bitwarden. I usually recommend Bitwarden or Proton Pass. (I’m self-hosting Vaultwarden.) More privacy-focused YouTubers need to promote Bitwarden, KeePassXC etc. (I’m waiting for a Proton Pass self-hosting option.)
What’s missing, since the Proton Pass source code is available?
I have only found the source code for the Android and iOS application, but not for the server.
but bitwarden, keepassxc don’t pay them… RHEEEE
I migrated to Bitwarden from Firefox a few months ago and I regret it as it’s slower and inconvenient while not adding any major features. So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
How did you login to apps in your phone? Go to the computer and open Firefox? Bitwarden on the phone integrates into the apps directly.
Same as Firefox. You go to your Android settings and set Firefox as password manager. No need to go to the computer.
Ah interesting. I didn’t know that was possible!
How is it more inconvenient and slower?
The only reason should be that it needs to decrypt the vault upon login, which (depending on the iterations of the encryption and the processing speed of the system) can take a second more. Until then it’s equal to a native integration.
Upside: you are not locked to a browser anymore, as (at least Bitwarden) is agnostic. On Android, there’s a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I’m not going to switch from Firefox anytime soon but it’s super easy to export passwords and the Firefox password manager works for any apps on Android.
I agree, but I just know that someday Mozilla is going to go down and I’m gonna lose my passwords and I won’t even be able to get into my email to reset them.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.
You can also test it by logging in to a new computer and getting all your passwords there too
You can (and probably should) backup your passwords. Same goes for any hosted solution.
Quick question: since Firefox is open source, couldn’t you in theory modify where the password manager is going, syncing your passwords from the browser to your local server? Idk, I just thought of that and know that that’ll never work or it may be too much work when there’s an alternative for that anyways. Just something I thought of from what you were saying about “if Mozilla may kill their servers”, which they will imo.
Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.
Personally, I use PassWord123! for everything. It says it’s a strong and secure password, so why wouldn’t I use it for everything?
It’s the best one to use, all password hacking tools avoid this one when they’re attacking.
I’m using Bitwarden, 1Password and KeePass. Works like a charm.
Why all three? Redundancy?
I started with Bitwarden as a replacement for KeePass and changed to 1Password due to the way they secure the login password (password + random string). KeePass is now my backup place for 1Password and I support Bitwarden with a subscription because I like to support their OSS way.
I used to use a plain text system, “encoded” in such a way that only I knew what the actual password was, and I kept it on Google Keep.
But that got harder and harder to manage, coupled with, if I were to get run over by a bus, no one else would be able to access my accounts. Now I’ve been using Dashlane for a few years. Not just for passwords, but secure notes as well.
Works seamlessly on all of my devices and zero complaints.
How do I convince my girlfriend to stop using her Safari password manager and migrate it to Bitwarden? “Is the password manager in Safari so unsafe that it’s worth the additional effort?” she might ask.
It’s not that bad, but tell her that she can set Bitwarden as the default option for auto-fill in the settings and everything will get automatically filled in, just like with the normal Safari password manager.
Apple is releasing a more comprehensive password manager in the next few months; if she’s heavily in the Apple ecosystem the switch could be pretty convenient.
Obviously Bitwarden or KeePass would be great, but this would be a bump up from being stored in a browser.
Thanks for the update! I will keep an eye out
My understanding is that your GF will be using Apple’s KeyChain, which is pretty good except that it’s hard to look inside and manually edit. It’s not just in Safari.
The upcoming Password app is just a nice user interface to KeyChain. So no change to the functionality as such, but I think it’ll make a big difference to how it’s used.
“it’s hard to look inside and manually edit”
It’s actually pretty easy when you’re on a Mac. They bundle an app called Keychain Access, which lets you look at and edit everything.
Yes, that’s true. Keychain Access helps a lot.
I have the need to have different accounts for everything. Having to perform the sign-up process over and over again. They really need to standardize this.
Passkeys is one step forward but far from enough.
I hate the idea of having to log in again and again with just a minute interval, which I see BankID requires as it is for different things. Like I constantly have to prove it is still me here. BankID is the app in my country that gives you access to your bank account, government stuff and so on. It connects to your personal number and IDs you in real life.
So the issues you describe are just the result of how badly designed the web is today. It is simple for every company but hard for the user.
I am curious what country you’re from that they require a specific app for “official” business.
Sweden
They don’t require it, you can also go to a physical office if you don’t have BankID. Also BankID is a private company who is problematic on several levels.
Many government agencies have started accepting multiple ways to identify yourself such as Freja.
Some politicians would prefer a standardized governmental solution to identity. https://www.dagensps.se/bors-finans/kinberg-batra-infor-statlig-bank-id/
I’m not so sure about that though.
It’s an ongoing topic. We’ll see more where it goes.