It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.
It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.
Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,
To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.
My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.
My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.
My webhost allows passwords of all length and complexities in the password set field, but will strip $ and & on the login mask on their main website, like in the top right corner.
A failed login will automatically bring you to a dedicated login.xxx.yyy subdomain and prompt a password reset, but if you use the login mask there instead, the exact same password works.
Login and password set/reset forms being out of sync is a classic. 😆
I haven’t seen that one in a while luckily.
Clarification: They reuse the same password (such as “Password”) and whenever they create an account they have to add special characters (like “Password1&” if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don’t know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.
But yes, there is an unrelated frustration where password requirements aren’t presented upfront.
But yes, there is an unrelated frustration where password requirements aren’t presented upfront.
And pinnacle of this frustration is “password too long”… Talk about security
which doesn’t make sense as a requirement, as the passwords themselves are not even (supposed to be) stored
limits of 128+ characters? Sure.
Limits of 30, 20, 18, or 16 as I’ve seen in many places? I suddenly don’t trust your website.
Do you want to know the kicker? There are banks (yes, you heard me right) that straight up don’t allow more than 20 chars. 20!!! And they say you got to use the app for X things because it’s secure and shit (e.g.: use the app to 2FA credit card transactions). Meanwhile, does not allow you to add a yubikey for Fido authentication
I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn’t use password managers at work. Nor were you allowed to bring them in.
Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.
Plus, the computers themselves had a custom-configured OS and you couldn’t install any software on them that wasn’t on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.
I didn’t get to mess around with password managers until I retired a couple years ago, and they’ve been a game changer! In the military, we needed unique complex passwords for everything, can’t reuse passwords, can’t write down passwords, and you had to change them every 60 days.
Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it’s been wonderful.
I don’t know why the military doesn’t get some sort of password manager approved for use. This is far more secure than what they’ve been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I’d forget them (and again, we weren’t allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don’t even need to remember it. I love it!
The DoD actually did a study I thought “recently” on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.
Don’t think they changed their policy though.
I work at a university IT department. It’s been a struggle with our auditors to loosen up the password expiration requirements. At least with the students they let anyone with 2FA to go without password expiration, which acts as a nice little carrot-and-stick. But for staff it’s two years (2FA always required), regardless of password quality. I’d rather be able to base password expiration on password quality, personality.
2 years seems perfectly reasonable. I thought you were gonna say every 30-60-90 days.
This is crazy to read, thanks for sharing! How did you store/remember all the passwords?
My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.
But I get where people have an issue. It’s one point of failure vs. many, but they don’t realize It’s easier to well secure the one than it is to not spread the same vulnerability everywhere.
Honestly as someone who has helped family members set up a password manager one person felt this way and the rest are just not tech savvy. All the simple straightforward stuff took ages because they had never done it before.
Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.
people who use a password manager but store the master password on Discord
???
Marginally better than using discord itself as your password manager (also a true story!)
How does this work? Do they ask other people to remember their passwords?
Some people keep journal servers where it’s just them in a server alone, could be that
yes, it’s that.
Yeah, true story. Really weird.
I tell non techy people to use a physical book that they can secure. People know how to do hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.
I do that too.
- Its not like people are gonna steal book
- the password crackin people are not the breakin people
I actually combine a password manager with a password book, don’t like storing data for sensitive accounts on servers that can be breached and I’m too lazy to self host 😬 and I can remember my password phrases for sensitive accounts I use normally.
I’ve been using Firefoxs integrated password manager for lots of unimportant logins, KeePass for everything else.
But I wanna tell people my master password to my pw manager. It’s such a fantastic password that no one could ever possibly guess I would have. I wanna gloat.
Personally, I use PassWord123! for everything. It says its a strong and secure password so why wouldn’t I use it for everything?
Its the best one to use, all password hacking tools avoid this one when they’re attacking.
It is truly upsetting to see how complicated for use password managers are.
I grow up around computers and I can barely mange them. Other people just don’t understand how to use them, it is complicated and inconvenient. Even after I set them up and show them multiple times, friends don’t manage.
In browser password managers cover 90%, but I guess web sites and apps need to start testing UX for password managers. Some of them introduce stupid flows that brake all of them.
Android is complete shit show.
It is not users, but applications and UX that doesn’t care about security.
Bitwarden on Android, particularly if you have biometric unlock enabled, is extremely simple to setup and use.
Sorta. I find it doesn’t always pop up Bitwarden to select an autofill. Then I unlock it manually, and sometimes it then gives me the button for autofill. Sometimes not and I have to manually copy and paste.
And sometimes there’s a broken ass app that blocks you pasting passwords. People need to be fired for this.
Same thing happened to me on Last Pass, so I’m pretty sure it’s an Android issue.
Quick question - what are your opinions on using Firefox’s inbuilt password manager? I’ve installed Bitwarden as an extension, but I find Firefox to be more convenient.
I mostly use FF on Linux, Windows, and Android and have no issues with using FF cross platforms.
While it’s so convenient, anyone gaining access to your browser while your laptop is open can gain access to everything. Bitwarden usually add an extra step to unlock it (which you could disable if you want) when you want to use the extension. By the way, it has an extension for Firefox, so just hitting Ctrl + Shift + L it auto-fills the login/password fields of your login page just like firefox would. But with the extra step that gaining access to the browser doesn’t straight away unlock all your passwords for anyone to see.
I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.
Is there risk in keeping all your passwords in one place, whether it’s on your hardware or someone else’s? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use ‘pencil’ for all your passwords because you can’t be arsed to memorize anything more complex? OH HELL YES.
Sure, if you’re defending against nation state level agressors, maybe using a password manager isn’ the wisest choice, but for easily 99% of computer users, we’re at the level of “keeping people from drooling on their shoes”. So password managers are probably a GREAT idea.
So password managers are probably a GREAT idea.
That is, when they can manage to use it.
I feel like password managers are more targeted to companies where sharing and controlling login data shouldnt be logged on some table in an excel sheet.
It just so happens that a manager is also god damn convenient for the private individualI don’t think that’s always the case. 1Password started out as a personal password manager and only added the corporate/teams/families features later.
I don’t even understand why I need to make a password for some sites anymore. They send a code to my phone everytime.to make.sure it’s me so it seems like there’s practically no point.
2FA really stands for
2 FUCKING ANNOYING !!!
You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don’t know about bitwarden. I usually recommend bitwarden or proton pass. (I’m self-hosting vaultwarden). More privacy focus YouTubers need to promote bitwarden, keepassxc etc. (I’m waiting for proton pass self-hosting option).
whats missing, since the proton pass source code is available?
I have only found the source code for the Android and iOS application, but not for the server.
but bitwarden, keepassxc don’t pay them… RHEEEE
