this post was submitted on 14 Aug 2024
15 points (100.0% liked)

Privacy

32111 readers
839 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can't remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn't tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don't just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They're not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser's password storage is better than nothing. Don't reuse passwords, use long randomly generated ones.

It's free, it's convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I'm preaching to the choir, but if even one of you decides to use a password manager after this then it's an easy win.

Please, don't wait. If you aren't using a password manager right now, take a few minutes. You'll thank yourself later.

top 50 comments
sorted by: hot top controversial new old
[–] AbidanYre@lemmy.world 6 points 3 months ago (2 children)

One person even told me they were upset that websites wouldn't tell you password requirements after you create your account,

To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.

[–] Charger8232@lemmy.ml 2 points 3 months ago (1 children)

Clarification: They reuse the same password (such as "Password") and whenever they create an account they have to add special characters (like "Password1&" if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don't know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.

But yes, there is an unrelated frustration where password requirements aren't presented upfront.

[–] 14th_cylon@lemm.ee 2 points 3 months ago (1 children)

But yes, there is an unrelated frustration where password requirements aren't presented upfront.

And pinnacle of this frustration is "password too long"... Talk about security

[–] eager_eagle@lemmy.world 2 points 3 months ago (1 children)

which doesn't make sense as a requirement, as the passwords themselves are not even (supposed to be) stored

limits of 128+ characters? Sure.

Limits of 30, 20, 18, or 16 as I've seen in many places? I suddenly don't trust your website.

load more comments (1 replies)
[–] floofloof@lemmy.ca 2 points 3 months ago (4 children)

My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn't help unless you realize they're doing this and use a short one.

[–] Preflight_Tomato@lemm.ee 3 points 3 months ago (1 children)

My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.

load more comments (1 replies)
load more comments (2 replies)
[–] Ilandar@aussie.zone 6 points 3 months ago (2 children)

people who use a password manager but store the master password on Discord

??????????

[–] Charger8232@lemmy.ml 4 points 3 months ago

Yeah, true story. Really weird.

[–] renzev@lemmy.world 1 points 3 months ago* (last edited 3 months ago) (3 children)

Marginally better than using discord itself as your password manager (also a true story!)

load more comments (3 replies)
[–] wuphysics87@lemmy.ml 3 points 3 months ago (1 children)

My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.

But I get where people have an issue. It's one point of failure vs. many, but they don't realize It's easier to well secure the one than it is to not spread the same vulnerability everywhere.

[–] icedcoffee@lemm.ee 3 points 3 months ago

Honestly as someone who has helped family members set up a password manager one person felt this way and the rest are just not tech savvy. All the simple straightforward stuff took ages because they had never done it before.

[–] purplemonkeymad@programming.dev 3 points 3 months ago (1 children)

I tell non techy people to use a physical book that they can secure. People know how to do hide things or put them in a safe. Digital security is harder to understand and I would say a book in a safe place is way better than reusing passwords they find hard to remember.

[–] tootnbuns@lemmy.dbzer0.com 2 points 3 months ago

I do that too.

  1. Its not like people are gonna steal book
  2. the password crackin people are not the breakin people
[–] sudoroot@lemmy.zip 2 points 3 months ago (2 children)

In my experience preaching this same thing to many users at work and just personal friends, they won't change their ways. Because "omg not another password to remember" and "that's too much work to login just to get a password".

I've just stopped trying to educate people at this point. That's on them when their info gets leaked or accounts drained.

[–] JustEnoughDucks@feddit.nl 2 points 3 months ago

I am fighting this with people at work.

No, it is not "one more password to remember"

You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don't care. Use a passphrase if you have troubles with passwords.

I even generated a sample password from bitwarden and drew them a picture of how to remember it lol

Still about 10% of people forgot their password in the first 2 months.

[–] zephorah@lemm.ee 2 points 3 months ago

People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.

[–] SocialMediaRefugee@lemmy.ml 2 points 3 months ago (2 children)

I'd be open to using a pw manager then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other it, various issues, etc. It doesn't make me feel like taking action if everything feels sketchy.

[–] sheogorath@lemmy.world 2 points 3 months ago (1 children)

I just tried the free option (bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for the Proton Pass since Authy has fucked off a cliff.

[–] maniac@lemmy.world 2 points 3 months ago (1 children)

What happened with Authy? (As someone who uses it)

[–] sheogorath@lemmy.world 2 points 3 months ago

Couple of things happened, this and this. I got soured and needed to find a better alternatives for my TOTP.

[–] Kaiserschmarrn@feddit.org 1 points 3 months ago* (last edited 3 months ago)

I'm paying for Bitwarden's Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We are using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it's in my opinion the best bang for your buck. But try out their free option and form your own opinion.

[–] orca@orcas.enjoying.yachts 2 points 3 months ago

Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.

[–] cobysev@lemmy.world 2 points 3 months ago (2 children)

I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn't use password managers at work. Nor were you allowed to bring them in.

Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.

Plus, the computers themselves had a custom-configured OS and you couldn't install any software on them that wasn't on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.

I didn't get to mess around with password managers until I retired a couple years ago, and they've been a game changer! In the military, we needed unique complex passwords for everything, can't reuse passwords, can't write down passwords, and you had to change them every 60 days.

Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it's been wonderful.

I don't know why the military doesn't get some sort of password manager approved for use. This is far more secure than what they've been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I'd forget them (and again, we weren't allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don't even need to remember it. I love it!

[–] JustEnoughDucks@feddit.nl 2 points 3 months ago (2 children)

The DoD actually did a study I thought "recently" on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.

Don't think they changed their policy though.

load more comments (2 replies)
load more comments (1 replies)
[–] monobot@lemmy.ml 1 points 3 months ago (2 children)

It is truly upsetting to see how complicated for use password managers are.

I grow up around computers and I can barely mange them. Other people just don't understand how to use them, it is complicated and inconvenient. Even after I set them up and show them multiple times, friends don't manage.

In browser password managers cover 90%, but I guess web sites and apps need to start testing UX for password managers. Some of them introduce stupid flows that brake all of them.

Android is complete shit show.

It is not users, but applications and UX that doesn't care about security.

load more comments (2 replies)
[–] Procapra@hexbear.net 1 points 3 months ago* (last edited 3 months ago) (1 children)

Personally, I use PassWord123! for everything. It says its a strong and secure password so why wouldn't I use it for everything?

[–] dumbass@leminal.space 2 points 3 months ago* (last edited 3 months ago)

Its the best one to use, all password hacking tools avoid this one when they're attacking.

[–] Mio@feddit.nu 1 points 3 months ago* (last edited 3 months ago) (2 children)

I have the need to have different accounts to everything. Hate to perform the sign up process over and over again. They really need to standardize this.

Passkeys is one step forward but far from enough.

I hate the idea of having to login again and again with just a minute interval that I see BankID requires as it is for different things. Like I constantly have to prove it is still me here. BankID is the app in my country that gives you access to your Bank account, government stuff and so on. It connects to your personal number and ID you in real life.

So the issues you describe is just the result of how bad designed the web is today. It is simple for every company but hard for the user.

load more comments (2 replies)
[–] Interstellar_1@lemmy.blahaj.zone 1 points 3 months ago (3 children)

My dad somehow believes that that password managers are very insecure ( he got that from some sort of 'reputable source', so me telling him bitwarden is secure doesn't help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.

[–] renzev@lemmy.world 2 points 3 months ago

I mean he's not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)

[–] superkret@feddit.org 2 points 3 months ago (1 children)

He's doing something right.
You can't hack a paper note over the internet.

[–] thirteene@lemmy.world 1 points 3 months ago (1 children)

You can't grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.

[–] NateNate60@lemmy.world 2 points 3 months ago

It's not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans

load more comments (1 replies)
[–] Ovata@lemm.ee 1 points 3 months ago

Been using Bitwarden for a couple years now…

No regrets

[–] unrushed233@lemmings.world 1 points 3 months ago* (last edited 3 months ago) (3 children)

Using 2FA on all accounts that offer it is just as important. And make sure to use a good, open-source TOTP client like Aegis on Android or Tofu on iOS.

Definitely make sure to backup your seeds in an encrypted format (e.g. Veracrypt container or GPG-encrypted files). If you lose your seeds, you lose access to your accounts.
I like to use the automatic backup feature in Aegis, which syncs my encrypted vault to my Nextcloud server. You can also enable compatibility with Android's backup API and use that if your ROM includes a backup solution like Seedvault.

load more comments (3 replies)
load more comments
view more: next ›