Comment on Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data
JDubbleu@programming.dev 3 months agoBecause by not using a password manager I guarantee you are duplicating passwords between services. This means the second one service you use is compromised, every single service you use with that same email/password combination is compromised. Even if every one of your passwords had a slight deviation malicious actors know people do this and will likely be able to write a program that attempts those deviations on other services. You’re effectively leaving your security up to weakest link in services you sign up for, and security is rarely implemented well.
By using a password manager you generate a long as fuck, 20+ character long password that is unique to each services you use. These passwords being random and unique to each service protects you from rainbow tables and other hash table based attacks. In the event Bitwarden or another password manager you use is breached anything they get will be worthless as long as your master password is not compromised (which should only ever exist in your head) due to the data being encrypted at rest.
It is a similar concept to using a secure, trusted middleman for processing payments instead of giving your credit card to every single site that asks for it.
Tier1BuildABear@lemmy.world 3 months ago
Just curious, how do you know they’re secure? Like how do you know it’s only local and not being uploaded somewhere? I’m not about to tear through the code of open source password manager apps to make sure it’s “safe” when I can keep track of them myself, but yes, I do see your point about that not being as safe as them being completely randomly generated for each account
JDubbleu@programming.dev 3 months ago
The great thing about open source is that anyone can read the code. Even if you don’t read every line yourself there are others who are. In popular projects it’s pretty much a guarantee any suspicious or malicious changes get caught almost immediately due to the visibility of everything.
As for local-only I trust Bitwarden and their encryption schemes enough that I use their cloud sync, but you can always self host it in a Docker container with no Internet access if you’re concerned about it.