Submitted 8 months ago by ComicalMayhem@lemmy.world to nostupidquestions@lemmy.world
I keep seeing people highly recommend them, but I’ve always thought it wasn’t very secure.
Use KeePassXC on the computer, and KeePassDX on Android. Yeah, you need to manually sync the database (.kdbx) file, but it’s 1000x safer than any paid crap. Why? Their only motive is profit. FOSS nerds? Making a strong, good program.
Yupp, just away from Lastpass. 🤮
Bitwarden and keepass are. Don’t use lastpass or the other bullshit youtube sponsors.
Any password manager is a good and secure alternative because they do not have any interest in knowing or exposing your password. They will run out of business very quick if they allow it! Passwords are just a method to identify you as you in the internet so they can sell you stuff! Even google will go to great extents to guarantee you is you because is at its core business. For sites where you do not trust passwords you can use 2FA of a secondary provider. For sites that are really important you probably will have a dedicated app (government ids, work…) as they do have invested interest on nobody else knowing your password. So yes, they are as secure as technically possible.
Special note about file based PM: the only person interested on that file to be secret is you! So those are great source of discomfort for me as files are heavily analyzed by systems and platforms. And any file can be brute forced open given enough processing power or enough tech (AI, Quantum computing…) So don’t lie yourself: going lone wolf do not make it safer.
They will run out of business very quick if they allow it!
I wouldn’t be so naive. Even applications advertised as “secure” may be subject to surveillance laws of various nations. Or even just plainly lying for other malicious reasons while keeping it “hidden”.
And any file can be brute forced open given enough processing power or enough tech
Which, depending on the encryption and password, may take more time than the age of the universe. Even with quantum computers, afaik. There are already a bunch of new encryption technologies undergoing standardization that are also not vulnerable to quantum computers.
I like to keep all my eggs in one basket, that way you can really keep an eye on them.
The only big danger of a good password manager is the fact all your passwords are stored under one.
To mitigate the risk, follow these practices:
Together, these measures should save you from any trouble.
Now, why they are good:
Generally, using a password manager is considered a superior option in terms of security and availability compared to keeping your password elsewhere, including your head.
Remember to think about your backup strategy if you use locally managed password software. I’ve helped (and been unable to help) some non-technical folks who relied on popular magazine/new site articles for software selection without good knowledge of how to properly backup their data.
I do SyncThing and KeePass.
Their URLs at time of writing are syncthing.net and keepass.info
I don’t remember which KeePass UI for Android I use. I think I use Syncthing Fork on Android
That gives me the benefits of a cloud password manager, but the only cloud infrastructure is whatever SyncThing uses to do its peer-to-peer tricks. The password database is encrypted on disk with my root password, and then it’s encrypted end-to-end in transit because every SyncThing node knows the public keys of my other nodes.
I almost never upgrade KeePass because I’m afraid of losing access to my passwords on my phone. SyncThing I do upgrade because that’s easier to fix.
If you upgrade regularly, you’re vulnerable to the project being compromised. If you never upgrade, you’re vulnerable to whatever old code is vulnerable to. Personally I err on the side of not upgrading often.
I also have my own implementation of diceware www.eff.org/dice
I think, based on the question asked, this is a bit more complicated than OP is interested in. Just saying. But bravo for your dedication to keeping info out of corporate hands.
Can’t believe noone mentioned this yet:
Any good password manager encrypts and decrypts your password file client side. The server should not even have the ability to read your passwords.
Even in the case of a leak of all of the server’s data, as long as your password for the manager was good, you’ve got nothing to worry about.
I’d say pick a PW manager where both client and server are open source. Pick a strong passphrase. Enjoy.
I like using Keepassxc with a file that is on a storage provider. Keeping the task of storing my file and decrypting it completely and utterly distinct. Don’t have to audit that the total solution is keeping things separate like they claim when there’s no risky interop in the first place.
With the arrival of near infinite phonebooks, the drive and know-how to remember 100s of phone numbers is lost to humanity.
Passwords present added complexity to those of phone numbers. On top of a name to number (allowing a few collisions) passwords are required to be of certain length, contain an upper case letter, lower case letter, number, special character, and more importantly, a preset lifetime.
Password managers seem to be a safer and low stress bet for the vast majority. There will always a few exceptions who can do it all in their head. They don’t tend to advertise their presence.
It’s a balance of probabilities, like everything in security. Which is more likely? A. People are careful, using good, strong passwords, and maintain vigilance, but are targetted by an advanced attacker who will hack the protonpass system to get their database and the necessary keys to open it? Or B. People get lazy, use the same password for everything because remembering stuff is hard, and everything they own ends up protected by the modern equivalent of combo 1, 2, 3, 4, 5?
If you are truly capable of generating and memorizing enough good passwords to handle all of your accounts, that is technically more secure, because a password manager can create a single point of failure for all accounts. However, most people aren’t able to do that and will resort to crap passwords or using the same single crap password for every site.
It’s better than using the same few passwords everywhere. Passwords are being phased out though. The future is passkeys.
Remembering (and inevitably) forgetting passwords for all your different accounts is inconvenient, frustrating, and arguably less secure than a randomly generated password unique to each account.
Additionally, it can be tempting to reuse passwords for multiple accounts, which is trouble when a less-than-reputable service that you used that password on is breached, since that password wasn’t unique.
If you use an open-source, tried and true password manager (Bitwarden, Vaultwarden, KeePassXC) and keep a passphrase unique to that password manager only, you avoid the problems above which are way more likely to occur than Bitwarden passwords getting breached in plaintext, or a security vulnerability to the KeePass database.
Plus, most password managers offer support for passkeys, which are easier to register/use than passwords. They usually only require a “verify with passkey” button on a given website.
Bottom line, password managers are probably (definitely) more secure than any other reasonable solution that anyone has come up with.
To oversimplify:
Very secure passwords written on paper and stored safely > Local password manager using secure passwords > cloud/synced password manager with secure passwords > anything with insecure passwords.
The trick is, will you actually maintian these security practices or will you start getting lazy if its too inconvenient (such as using a long password, and having to manually type it out).
Very secure passwords written on a piece
Well yeah key-stretching can’t do much for weak passwords
And that’s the point, a password vault is literally all your eggs in one basket. It only gives security if you are secure across the board.
I use a Keepass database that I save on my nas so I can access it from any device.
Explain to me this nas. I also use Keepass and currently I manually copy my DB file between devices
Most NAS (network attached storage device) have cloud capabilities. Its kinda like one drive only you host it yourself. Synology has Drive for example and even has apps for android and iOS.
You can just save anything to it. A keepass file I just an encrypted database file. If you save it on a NAS then you can access it anywhere.
Obviously you can also use One drive or google drive (or whatever its called nowadays). But I don’t trust Microsoft or Google with my data.
You should look into syncthing. It can be used to run in the background and sync files super easily and it’s peer to peer so it’s free
It’s more secure than not using one (if it’s open source and offline), so just do it.
I let Chrome deal with it, but wonder what happens if someone steals %appdata% these days.
/s ?
I’ve always thought it wasn’t very secure
Why? They are way better than you anyway (to generate random stuff, to recognize URLs, to store data encrypted, etc.)
I don’t trust the online one, I only use pwsafe.org
I don't see how anyone can get by without one nowadays. Now online vs something local is a big deal. I use online for unimportant passwords and local for important passwords. With important being financial mostly but some other things. Unimportant are things that if I lost access to and ended up never using again would not like ruin my life.
They are less secure than a notebook but more secure than anything else
There are weaknesses and attack vectors, but they are in my opinion more secure than almost all realistic alternatives. If you think you’ve come up with a better system, by all means, implement it. I commend your skepticism of following the herd and may it serve you well. But beware of pursuing security through obscurity. People recommend password managers because they are one of the best solutions available for navigating this complex threat environment we live in and they are appropriate for most people’s situations.
It means that you can use more secure passwords rather than using easy to guess passwords. Using cloud based ones like Bitwarden means you have to trust the company hosting your passwords to not screw up and suffer from a data leak. I think Bitwarden is pretty trustworthy, but I might be wrong on that one.
Alternatively, you could selfhost (with something like Vaultwarden) or just use something local like KeePass. For the latter, you can choose to sync with SyncThing if you want.
I personally use KeePass, but don’t use SyncThing.
I don’t trust SaaS ones not because I don’t think they’re not doing all due diligence, but because a SaaS password manager is the juiciest of juicy targets and eventually someone will succeed in cracking one.
I personally use KeepassXC, which is a local password manager. Most of the benefits of a SaaS one with some extra work handling sync and backup yourself.
Risk assessment is a big part of this. Risk when reusing passwords is very high. Risk of forgetting passwords or using weaker/guessable passwords when they’re unique, is high. Password manager mitigates these risks. A good one will also bark at you when you try to use a password in a website that isn’t the one you saved it in (ie phishing warning)
The risk of your PW manager somehow leaking passwords is worth considering. So we ask: How are the passwords stored? Where are they stored? How are they accessed? Different tools work differently; some keep the storage local but others sync in the cloud. Local storage can also mean “in my Dropbox folder”. If it’s a secure format with a strong password (or perhaps Yubikey), that’s fine, but if it’s an excel sheet, you’re leaking to Dropbox. But is that really a problem for you? Think of the steps between an adversary and your password file.
1Password has some white papers published about how they secure the data you entrust them with.
It is my strong opinion, and that of most security experts, that using a password manager to create unique, long, and secure passwords is a lot better than the alternative. It’s usually the opinion that a password notebook in a reasonably secure location (in your desk at home) is better than recycling weak passwords.
I think your question has been answered by other pretty well but I’ll add: If you decide a password manager is overall beneficial and choose one that looks secure, don’t assume it will stay that way. LastPass taught us that a couple decisions that valid one day can turn into huge liabilities in a few years as threats escalate. You to have to periodically check in on what sevops pros are saying about your manager and make sure they haven’t been resting on their laurels.
hahattpro@lemmy.world 8 months ago
More secure than write to your notepad or text file, for sure.
If you can keep password from your computer (best: just remember it without reuse 1 for everywhere, second best: write in your notebook, don’t reuse password).