It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
Say, what are the chances either
or
These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.
Make sure that you are regularly typing your master password for the first bit. After that you’ll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.
This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can’t be hacked (as it doesn’t have access to your passwords).
Well, what if they somehow manage to get into my password manager account? I mean, it has a login, like any other account. The way to prevent it would be to have a strong enough password. Regardless, if they somehow got my main password, they’d have free access to all my credentials everywhere, and would be able to log into them as easily as I can. I mean, it is easier to secure one account well vs. however many others that the password manager can take care of. But still, a centralised hub with easy access to all my accounts feels like a one-stop shop for taking over my online life
I mean, to myself, I can deal with the consequences of my choices (as much as they can suck sometimes). But recommending stuff to other people I find complicated. I mean, I’ve gotten locked out of accounts due to 2fa (some being old and lost to time, others due to an unlucky series of events and a last minute half-assed backup) and even had to troubleshoot and/or reinstall (Linux) operating systems on my laptop (one instance of which relates to the aforementioned 2fa incident). To recommend something to someone and risk something like that, and be responsible for it… I mean, I once had to help troubleshoot a non-booting Linux machine via messages and photos during lunch out, and I myself am not an expert, so I had to online research from my phone and relay the information
These are all good points. This is why it is important to match your recommendations to the person. For example if I know they have Chrome and a Google account I might just recommend using that. Yes, it isn’t end-to-end encrypted and Google isn’t great for privacy but at least they are already managing logins over all of their devices.
In many cases perfect is the enemy of better. I would rather them use any password manager and unique passwords (even “a text file on their desktop”) than them sticking to one password anywhere because other solutions are too complicated.
Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It’s automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.
KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.
That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I’d love an decent alternative if anyone has one).
For Android I like KeepassDX and Keepass2Android.
Realistically, if you’re the specific target of a hacker going specificaly after your database files you’re best off freezing your credit and bank accounts.
If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.
First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.
Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won’t lose the emails that let you reset everything else. If the email gets cracked, they won’t have a convient list of accounts to go mess with. Also make sure the emails have all the security and recovery options available setup.
3, bonus round Finally for fincial security, don’t have your credit card saved on every site. I don’t let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a “1-time use” card for anythibg irregular.
Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won’t work. I’ll get an email and can just cancel the privacy card for amazon (I’d probably kill them all to be safe) and then work on resecuring everything.
To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.
For privacy.com:
On credit freezes:
I was talking about the individual card limits that can be set, those definatly work.
Edit, looking my account, I too have 250daily and 1000 monthy limit. The next paragraph might be be outdated?
I know the total daily limit is “adaptive” or something set based on your spending habits. I’d prefer setting the limit myself, but it is what it is.It at least used to be adaptive because at one point it went to 500$ for me, then changed back down a couple months later.
As Kramer said. Levels. If tou layer your security 2 becomes a non issue. What you have, what you know, and who you are. Which plays into 1. The 3-2-1 of backup. 3 copies of the data. 2 different media. At least 1 off site. Suprising as it might be, writing a great backup is to write your password down. I have a piece of paper with my password in a lock box in my apartment, in a safety deposit box at my bank, and at my parent’s house