Are password managers secure to use?

Comments

• powermaker450@discuss.tchncs.de ⁨1⁩ ⁨hour⁩ ago

  Remembering (and inevitably) forgetting passwords for all your different accounts is inconvenient, frustrating, and arguably less secure than a randomly generated password unique to each account.

  Additionally, it can be tempting to reuse passwords for multiple accounts, which is trouble when a less-than-reputable service that you used that password on is breached, since that password wasn’t unique.

  If you use an open-source, tried and true password manager (Bitwarden, Vaultwarden, KeePassXC) and keep a passphrase unique to that password manager only, you avoid the problems above which are way more likely to occur than Bitwarden passwords getting breached in plaintext, or a security vulnerability to the KeePass database.

  Plus, most password managers offer support for passkeys, which are easier to register/use than passwords. They usually only require a “verify with passkey” button on a given website.

  Bottom line, password managers are probably (definitely) more secure than any other reasonable solution that anyone has come up with.

  source
• regedit@feddit.online ⁨6⁩ ⁨hours⁩ ago

  There's no guarantee anything is "secure," anymore. Even if you run a self-hosted password manager, it could still be compromised at the package-level or down the road through some exploit. I will say that since I started using Bitwarden as my main password manager, I have had to worry less about company data breaches and stolen passwords. I have no need to reuse passwords for any site or service. I can use the built-in 2FA with sites that require it and don't have to have multiple apps. I can share passwords with my wife if she needs to access something under my name.

  In addition to storing logins, I can store secure notes, even storing login-specific notes within the login details for things like one-time-use passwords, etc. I can store various credit/debit cards and recall them into payment systems whenever I want, without storing them in a browser. When using the phone, I can tie the biometrics to the unlocking of my vault so, with the vault locked, I can easily unlock it to find the login/info I need to submit to an app or website.

  Obviously, all this comes with their own risks, but the level of risk of a password management is far lower than the risk of reused passwords and the mismanagement of security at the corporate-level. If you're really hard-up to keep your stuff offline, other products exist that are locally stored, but you'll likely miss out on access from outside the home in the event you need that login info somewhere else.

  source
• jlow@discuss.tchncs.de ⁨4⁩ ⁨hours⁩ ago

  It’s more secure than not using one (if it’s open source and offline), so just do it.

  source
• PlzGivHugs@sh.itjust.works ⁨2⁩ ⁨hours⁩ ago

  To oversimplify:

  Very secure passwords written on paper and stored safely > Local password manager using secure passwords > cloud/synced password manager with secure passwords > anything with insecure passwords.

  The trick is, will you actually maintian these security practices or will you start getting lazy if its too inconvenient (such as using a long password, and having to manually type it out).

  source
• LambdaRX@sh.itjust.works ⁨6⁩ ⁨hours⁩ ago

  I think they can be much more secure than:

  • remembering your ( probably weak ) passwords

  • writing passwords on paper, which is slow, you can lose paper, break it, or someone can steal it

  • storing passwords in unencrypted text file

  I use KeepassXC, which is offline, encrypted password manager. Every password is stored in one file, which to access, I must enter the one password I do remember. I recommend having backups of this file.

  It has password generator included, so all my password are long, strong and unique. It also can auto fill password/login which saves time.

  To increase security of your account even further you should also use multiple factor authentication, for example app which generates one time codes on your phone offline. It will protect you, even if your password gets leaked, or cracked.

  source

  • someguy3@lemmy.world ⁨5⁩ ⁨hours⁩ ago

    If you write it in paper, include the same short word on the end of all your passwords that you don’t write down. Password is Hunter2duck but you only write down Hunter2.

    source

    • over_clox@lemmy.world ⁨5⁩ ⁨hours⁩ ago

      All I see is *******

      source

      • -> View More Comments
    • PlexSheep@infosec.pub ⁨1⁩ ⁨hour⁩ ago

      This is just a hack. If you use encryption to store passwords, that becomes just a nuisance.

      source

      • -> View More Comments
• Trihilis@ani.social ⁨3⁩ ⁨hours⁩ ago

  I use a Keepass database that I save on my nas so I can access it from any device.

  source

  • LordOfLocksley@lemmy.world ⁨2⁩ ⁨hours⁩ ago

    Explain to me this nas. I also use Keepass and currently I manually copy my DB file between devices

    source

    • Cenotaph@mander.xyz ⁨2⁩ ⁨hours⁩ ago

      You should look into syncthing. It can be used to run in the background and sync files super easily and it’s peer to peer so it’s free

      source

      • -> View More Comments
    • Trihilis@ani.social ⁨1⁩ ⁨hour⁩ ago

      Most NAS (network attached storage device) have cloud capabilities. Its kinda like one drive only you host it yourself. Synology has Drive for example and even has apps for android and iOS.

      You can just save anything to it. A keepass file I just an encrypted database file. If you save it on a NAS then you can access it anywhere.

      Obviously you can also use One drive or google drive (or whatever its called nowadays). But I don’t trust Microsoft or Google with my data.

      source
• cecilkorik@lemmy.ca ⁨5⁩ ⁨hours⁩ ago

  There are weaknesses and attack vectors, but they are in my opinion more secure than almost all realistic alternatives. If you think you’ve come up with a better system, by all means, implement it. I commend your skepticism of following the herd and may it serve you well. But beware of pursuing security through obscurity. People recommend password managers because they are one of the best solutions available for navigating this complex threat environment we live in and they are appropriate for most people’s situations.

  source
• CompactFlax@discuss.tchncs.de ⁨6⁩ ⁨hours⁩ ago

  Risk assessment is a big part of this. Risk when reusing passwords is very high. Risk of forgetting passwords or using weaker/guessable passwords when they’re unique, is high. Password manager mitigates these risks. A good one will also bark at you when you try to use a password in a website that isn’t the one you saved it in (ie phishing warning)

  The risk of your PW manager somehow leaking passwords is worth considering. So we ask: How are the passwords stored? Where are they stored? How are they accessed? Different tools work differently; some keep the storage local but others sync in the cloud. Local storage can also mean “in my Dropbox folder”. If it’s a secure format with a strong password (or perhaps Yubikey), that’s fine, but if it’s an excel sheet, you’re leaking to Dropbox. But is that really a problem for you? Think of the steps between an adversary and your password file.

  1Password has some white papers published about how they secure the data you entrust them with.

  It is my strong opinion, and that of most security experts, that using a password manager to create unique, long, and secure passwords is a lot better than the alternative. It’s usually the opinion that a password notebook in a reasonably secure location (in your desk at home) is better than recycling weak passwords.

  source
• RandomUser@lemmy.world ⁨2⁩ ⁨hours⁩ ago

  I won’t say which manager I use, but I used a ‘tool’ on it which cracked my access password in very little time revealing all my passwords. - a bit worrying.

  Do I still use that manager? Yes, it’s convenient and fits my risk profile.

  Have I upgraded my master password? Yes. Less convenient, but is all a trade off.

  If I was a higher profile target, my assessment may be different.

  source
• Bishma@discuss.tchncs.de ⁨6⁩ ⁨hours⁩ ago

  I think your question has been answered by other pretty well but I’ll add: If you decide a password manager is overall beneficial and choose one that looks secure, don’t assume it will stay that way. LastPass taught us that a couple decisions that valid one day can turn into huge liabilities in a few years as threats escalate. You to have to periodically check in on what sevops pros are saying about your manager and make sure they haven’t been resting on their laurels.

  source
• PlzGivHugs@sh.itjust.works ⁨2⁩ ⁨hours⁩ ago

  Very secure passwords written on a piece

  source
• EonNShadow@pawb.social ⁨6⁩ ⁨hours⁩ ago

  Like the other commenter said - people recommend them for peace of mind so you don’t have to think about knowing a password for the 2653rd account you set up once and are never using again.

  I’ve used Dashlane for years, personally, but I know people here will immediately shut that down for not being FOSS. Bitwarden is FOSS but requires some technical setup and has no redundancy.

  Don’t get me wrong, I love self-hosting as much as the rest of us but I’m not trusting my server from 2013 with all my passwords to everything.

  source

  • Godort@lemmy.ca ⁨6⁩ ⁨hours⁩ ago

    Bitwarden is FOSS but requires some technical setup and has no redundancy.

    Bitwarden offers a cloud-based service in addition to self-hosted options. I choose to pay $10/year to get access to store OTP codes and easy Yubikey enrollment

    source
• Magister@lemmy.world ⁨5⁩ ⁨hours⁩ ago

  I don’t trust the online one, I only use pwsafe.org

  source
• slazer2au@lemmy.world ⁨6⁩ ⁨hours⁩ ago

  What makes you think they aren’t secure?

  Most will tell you how the password is stored and assuming they implemented the encryption algorithm correctly it should be rather difficult to break the vault open.

  source
• sbeak@sopuli.xyz ⁨6⁩ ⁨hours⁩ ago

  It means that you can use more secure passwords rather than using easy to guess passwords. Using cloud based ones like Bitwarden means you have to trust the company hosting your passwords to not screw up and suffer from a data leak. I think Bitwarden is pretty trustworthy, but I might be wrong on that one.

  Alternatively, you could selfhost (with something like Vaultwarden) or just use something local like KeePass. For the latter, you can choose to sync with SyncThing if you want.

  I personally use KeePass, but don’t use SyncThing.

  source
• Spaniard@lemmy.world ⁨6⁩ ⁨hours⁩ ago

  Keepass is as secure as you make it to be.

  source
• ExtremeDullard@lemmy.sdf.org ⁨6⁩ ⁨hours⁩ ago

  I don’t use them. I make the effort to remember my passwords - or rather, my recipes to recreate any complex passwords.

  The only safe storage form for your passwords is your noggin’. The next best thing is probably a password manager - although that depends on how trustworthy whoever coded it is - but it certainly isn’t as secure as using your brain if your brain works properly.

  source
• HubertManne@piefed.social ⁨5⁩ ⁨hours⁩ ago

  I don't see how anyone can get by without one nowadays. Now online vs something local is a big deal. I use online for unimportant passwords and local for important passwords. With important being financial mostly but some other things. Unimportant are things that if I lost access to and ended up never using again would not like ruin my life.

  source
• Outwit1294@lemmy.today ⁨5⁩ ⁨hours⁩ ago

  They are less secure than a notebook but more secure than anything else

  source
• scytale@piefed.zip ⁨6⁩ ⁨hours⁩ ago

  Yes, but it depends on which one you use. Some are better than others. The ones that can be hosted locally (i.e. keepass) are the most secure because you are not relying on a third party to host your password vault for you. It would be helpful to know why you think they aren't very secure, so people can help clarify.

  source
• BagOfHeavyStones@piefed.social ⁨4⁩ ⁨hours⁩ ago

  I let Chrome deal with it, but wonder what happens if someone steals %appdata% these days.

  source

  • jlow@discuss.tchncs.de ⁨4⁩ ⁨hours⁩ ago

    /s ?

    source
• 6nk06@sh.itjust.works ⁨5⁩ ⁨hours⁩ ago

  I’ve always thought it wasn’t very secure

  Why? They are way better than you anyway (to generate random stuff, to recognize URLs, to store data encrypted, etc.)

  source
• Feyd@programming.dev ⁨6⁩ ⁨hours⁩ ago

  I don’t trust SaaS ones not because I don’t think they’re not doing all due diligence, but because a SaaS password manager is the juiciest of juicy targets and eventually someone will succeed in cracking one.

  I personally use KeepassXC, which is a local password manager. Most of the benefits of a SaaS one with some extra work handling sync and backup yourself.

  source