Viewing a single comment thread. View all comments

Dinos_12345 t1_j1nkd9k wrote

Also, password manager. I couldn't tell you any of my passwords if held at gunpoint, I couldn't even give you access to 1password because it also needs the security key which I don't remember by heart either.

37

RandyDandyHoe t1_j1npkgc wrote

I try to use pass phrases that I can remember for the most important accounts, like my main email, bank account, etc. But otherwise yeah it's just a bunch of random letters, signs and numbers with as many characters as I'm allowed to use, and there's no way I'd ever get onto any of those accounts without Bitwarden.

7

nsa_reddit_monitor t1_j1o4ln6 wrote

I use Keepass, it has a standard format for password databases so a lot of tools and apps exist to read a Keepass database. I make sure (via various methods) that all my computers and phones and backups have a copy of my password database.

I only have the Keepass password memorized, and a couple of my computers use that password for their full-disk encryption (because if you get past that, I'm screwed regardless of if you have my passwords). Basically, unless you take down my computers, my phones, and a couple backups in undisclosed locations, I won't lose any of my passwords.

So I don't even know my bank or email login. Worst case, I can just go to the bank and have them reset it in person. And my email is hosted on a private server I own (in an undisclosed location), so I could physically go to the datacenter and plug a keyboard in to regain access.

3

Robobvious t1_j1pix82 wrote

All my passwords are the titles of romcoms.

1

krkrkrkk24 t1_j1o5mi3 wrote

Password manager 😁 Lastpass literally got hacked a few days ago releasing into the wild users' passwords vaults only encrypted with the master password which can easily be brute forced if weak as well as unencrypted URLs the specific user has visited, just write all your passwords down.

5

sy029 t1_j1o9qkn wrote

I switched to keepass years ago after the first lastpass hack. It's completely offline.

3

anonynown t1_j1pbz0d wrote

> which can easily be brute forced if weak

That isn’t how password managers typically work. Your password vault is encrypted with a much longer key stored on your device. The master key is only used to decrypt the actual decryption key which is long and isn’t stored on their servers, and the master key is useless otherwise. This is why you need to approve on your existing device when enrolling a new one, or enter a very long “recovery” key — that’s how the actual decryption key gets to the new device. Even knowing your master password doesn’t enable the attacker to access your vault without extra steps, like using social engineering to get you to reveal your recovery key or approve a new login.

1

Plokmijn27 t1_j1o905q wrote

for real

ive honestly been waiting for this to happen

cant believe people think password managers are a good idea

either use the same password for everything like a normal person, or write them down in a notebook, or on a file on your PC

the chances of lastpass or whatever other company getting hacked is a million times more likely than hackers breaking into your house and stealing your notebook

−9

sy029 t1_j1o9u2z wrote

Or just use an offline password manager.

8

flyingroad t1_j1or66z wrote

And also using the same password for everything is dumb.

If one of your accounts get compromised, most likely your other accounts will get compromised.

4

redyellowblue5031 t1_j1oyuw1 wrote

Exactly. Criminals love people who do this, they even have an attack named after it; credential stuffing.

2

redyellowblue5031 t1_j1oyrrm wrote

Using the same password everywhere is a fun game if you like credential stuffing.

No system is 100% safe, but if you’re not using a weak master password and also have MFA enabled even with a stolen vault your passwords are safe by all reasonable measures.

3

krkrkrkk24 t1_j1o9ai9 wrote

Yeah, seriously just the though of password managers putting all user information in a server together is more than enough to be targeted by hackers and its crazy people think its a good idea to just hand your passwords to 3rd party vendors that will claim no responsibility in case of such event

1

redyellowblue5031 t1_j1oz61j wrote

Managing access is largely about risk vs convenience.

Every major password manager has a plethora of options to mitigate any reasonable risk even if someone got a hold of your vault.

The only way they’re getting in is if you used a weak password to begin with.

2

SpaceArf t1_j1p6zgc wrote

I really should get my self hosted bitwarden set up on my pi. Just really lazy to do it.

2