
Too many passwords


  • Registered Users Posts: 4,026 ✭✭✭TaurenDruid


    Yes, in 2015. No encrypted data was compromised: What Happens if LastPass Gets Hacked | LastPass

    The bottom line is you need to put in the effort relative to the risk you are willing to take on.

    Could I get away with being hacked? Absolutely not. Therefore I need strong passwords. Which means long passwords.

    Could I get away with my browser remembering my passwords? Others have already posted links on why that's a terrible idea (for at least important/"valuable" sites). I could have gotten away with it and taken the risk on a few years ago, but I can't even do that anymore because I rely so much now on apps on my phone.

    Are there serious consequences for me if some of my passwords are breached? For some sites, absolutely. That means I need unique passwords for every site (with 2FA for some of them).

    That all means I need a password manager.

    "What happens if they get hacked?" See the link above. All of the main players - LastPass, 1Password, Bitwarden - are much better at security than I am. They're also much better at security than most companies running websites that make you have an account! If there were to be a data breach, I would know about it very quickly - news of a suspected breach in LastPass (there wasn't one, it was a false alarm) was out in the public domain within a couple of hours earlier this month. Compare that to, say, Yahoo's data breach - two years to notify people!

    I also get the benefit of the extras - all of the main players aren't just keeping passwords safe, they're also actively monitoring for data breaches. If boards were to be hacked (again!) and someone tries to sell the passwords DB on the dark web, I'll be alerted. The user using MaryHadALittleElephant100!+boa - not so much! (The customer will also be looking at that decrypted password and wondering if MaryHadALittleElephant100!+gma will work on gmail...)



  • Registered Users Posts: 16,546 ✭✭✭✭banie01


    The platform changes for LastPass a couple of years ago kicked me to look into alternatives.

    The migration was very straightforward, a file export from LastPass and imported into Bitwarden.

    Much like LastPass, the cross-platform abilities of Bitwarden via app and extension make password and security management simple and straightforward. The functionality of the free level of Bitwarden for "home" users is as good if not better than the paid tier of LastPass.



  • Registered Users Posts: 4,026 ✭✭✭TaurenDruid


    How is Bitwarden for detecting you've opened an app on your phone that's looking for a password? LastPass is hit and miss on that, it's the one thing that really annoys me about it.



  • Registered Users Posts: 28,537 ✭✭✭✭AndrewJRenko


    Generally good. I was logging in to Flickr today on iPhone. It didn't prompt for Bitwarden for the username, but it did for the password.



  • Registered Users Posts: 2,307 ✭✭✭Irish Stones


    This is what happens in the company where I work.

    The user password expires every 90 days and I have to pick a new one which doesn't resemble the last one or hasn't been used in the past 18 months.

    So this password for work adds to the others I have to remember, and for this reason I have it written on a post it on the monitor.



  • Registered Users Posts: 16,546 ✭✭✭✭banie01


    Once you grant the permissions, to draw over other apps and to monitor other apps.

    It's far better than LastPass IMO. Now I will caveat that by saying I've not used LastPass since 2019, and at the time I switched, the detection of password entry was very hit and miss.

    I had been a LastPass user from 2011 and was a premium user for a large portion of that time. Bitwarden is not only a reliable alternative to LastPass, it is IMHO a better one.



  • Registered Users Posts: 757 ✭✭✭generic_throwaway


    I would say it's sufficiently secure. Even in the linked articles, most of the concern relates to someone physically accessing your computer - if that happens, my passwords are the least of my concerns as there's an intruder in my home.

    Whatever may be the case, it is still not safe to store log in details on any browser, including Chrome, as you don't always get full protection and risks are always involved. For example, if your laptop gets breached, your data may be compromised. If your Gmail account gets hacked, then the person will be able to easily log into any account or site that you have stored on Google servers. You might have noticed that once you log in to Gmail on your new device, you don't need to log in again to Play Store or Chrome or Google Photos or Drive. You can easily access everything by just logging into Gmail.

    Again, if someone is able to hack my Gmail account in spite of 2FA...well, someone has a lot of time on their hands and might want to focus those skills on bigger fish than me.

    So to your point, I agree it's not 100% secure, but it's secure enough for me, and I'm not sure exactly what we can say is 100% secure.



  • Registered Users Posts: 11,699 ✭✭✭✭Flinty997


    Had a quick look for reviews, generally the opinion is LastPass is more featured and more user friendly. Never used either so I have no idea.



  • Registered Users Posts: 28,537 ✭✭✭✭AndrewJRenko


    Bitwarden paid version has a handy 'legacy' feature to let you pass over control to nominated people when you die. Some day, I'll invest in that.



  • Registered Users Posts: 28,537 ✭✭✭✭AndrewJRenko


    Absolutely nothing is 100% secure. If they really really want access to your stuff, they’ll break into your house and put a gun to your or your family member’s head.

    But it is about not making it too easy for them. It's not a matter of someone being out to target you personally. If they can find a vulnerability in a browser or an add-in, they will be able to automatically try to access every user that has their passwords stored locally. They won't target you specifically until they are sitting back, looking at your email and banking passwords, deciding how best to exploit you.



  • Registered Users Posts: 4,026 ✭✭✭TaurenDruid


    "Please... please... delete my browser history!" 🤣



  • Registered Users Posts: 3,332 ✭✭✭HBC08


    But what does that mean? The only details of my account that were apparently leaked on just one occasion is the email address itself, not the password.

    I just don't see how anything has been compromised by people seeing what my email address is. Now if they had my password or access to my account obviously that would be a different story.



  • Registered Users Posts: 4,275 ✭✭✭km991148


    There has been a data breach. When this happens, data is sold on illegally. Sometimes the companies who were breached publish what was exposed and sometimes security researchers and the like come across the stolen data and publish it.

    haveibeenpwned.com is telling you that *as far as they know* your email was leaked for one particular service. That doesn't mean the passwords weren't also leaked, it's just that they don't know.

    Regardless, a website or service that you use was hacked and your information is available. It might be email and some basic personal info, might be passwords, who knows. How much of a risk to you this is, only you can know based on how often you share these credentials and what the actual website was.



  • Registered Users Posts: 3,332 ✭✭✭HBC08


    I appreciate the reply but I'm just not following.

    On one hand you're saying there's a data breach on my email address because haveibeenpwned have said so. Then you say there may have been a (much more serious breach) with regards to my password, even though they say there hasn't been according to them.

    If somebody sold on my email address then I'm not bothered in the slightest, it's not much good to anyone without the password surely. I don't get a lot of spam so where's the issue?



  • Registered Users Posts: 4,026 ✭✭✭TaurenDruid


    "even though they say there hasn't been according to them."

    They don't say that.

    They say your email address has been compromised, i.e., there was a data breach and as part of that breach, some of your details, including but not necessarily limited to your email address, are "out there." It could just be your email address. It could be that, and account details from the compromised site - what you were looking at, who you'd swiped right on, what you'd bought - depending on the nature of the site. It could include your password, either hashed or in plain text. They didn't say any of the latter, because they don't know. All they've seen "in the wild" is your email address.



  • Registered Users Posts: 28,537 ✭✭✭✭AndrewJRenko


    They don't say 'there hasn't been a breach of your password'. They say 'they don't have any record of a breach of your password'.

    The people who will breach your password don't line up at HIBP every day with lists of the passwords they've breached. Some password breaches come into the public domain, through security researchers. Some don't.

    The fact that your password isn't showing as breached should not give you reassurance that it hasn't been breached. It just means there is no record that has come into the public domain that your password has been breached.



  • Registered Users Posts: 4,275 ✭✭✭km991148


    Yeah, as others say, the problem is there are two separate systems. Password checking and email/phone checking.

    Think of them as both being separate, and crucially, incomplete.


    They might know an email is out there, but don't know what went with it.

    If they say they have no record of password leaked, then that's all. They have no record.
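
Added example, not part of any post in this thread: the "no record is not the same as no breach" point from the posts above, shown with Have I Been Pwned's separate password service, which answers a range query on the first five characters of the password's SHA-1 hash. The response body is constructed for offline use with made-up counts, and the function names are this example's own.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint

def split_hash(password):
    """SHA-1 the password; only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup of one prefix (not called by the offline sample below)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")

def breach_count(password, range_body):
    """Times the password appears in the corpus, or None when there is no record."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            n = int(count)
            return n if n > 0 else None  # count 0 marks a padding row, not a hit
    return None  # no record; this is not proof the password was never leaked

def verdict(password, range_body):
    n = breach_count(password, range_body)
    if n is None:
        return "no record in this data set (unknown, not 'safe')"
    return f"seen {n} times in known breaches: change it everywhere it is used"

def constructed_range(known, count):
    """CONSTRUCTED response body: one real suffix plus two filler rows."""
    rows = [f"{'0' * 34}A:3", f"{split_hash(known)[1]}:{count}", f"{'F' * 35}:12"]
    return "\r\n".join(rows)

SAMPLE = constructed_range("password", 1234)  # the count 1234 is made up

if __name__ == "__main__":
    for pw in ("password", "HappyDaysrds1916"):
        print(pw, "->", verdict(pw, SAMPLE))
```
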



  • Registered Users Posts: 4,275 ✭✭✭km991148


    The upshot of any of this is this: security is hard. It's hard to implement and it's hard to understand.

    Most people just want to "get s*it done" and that's perfectly understandable.

    But that's why the advice is always to use a password manager.

    Any other system you can come up with is probably going to be dangerous for reasons you don't know, because all of this is hard. Good password managers generally make this easy (browser plugins, phone apps etc). They should be set up and used with 2FA.



  • Registered Users Posts: 36 Pissarro


    I use the following for all except gmail and financial institutions - those are written down and memorised.

    *Think of a short expression or song title e.g. Happy Days

    *add the last three letters before the .com or .ie

    *add a date or time e.g. 1916 or @7.10

    So boards.ie will be: HappyDaysrds1916 or HappyDaysrds@7.10 You'll only ever have to change the three letters.

    The very rare site will not accept the @ or the . in a password. I had to come up with a system because I visit so many competition sites but I don't have to worry about hacking - e.g. that someone will access what I told Denny was my favourite sambo!!
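
Added example, not part of any post in this thread: a check over your own password list for the pattern discussed earlier in the thread (the "+boa" / "+gma" case) and in the scheme above, where passwords become identical once a fragment of the site name is removed. The vault entries are constructed from the sample passwords quoted in the thread, and the function names are this example's own.

```python
from collections import defaultdict

def site_name(domain):
    """The label before the final dot: 'boards' for boards.ie, 'gmail' for gmail.com."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def strip_site_fragment(password, domain, min_len=3):
    """Remove the longest piece of the site name (>= min_len chars) found in the password."""
    name = site_name(domain)
    lowered = password.lower()
    for size in range(len(name), min_len - 1, -1):      # longest fragments first
        for start in range(len(name) - size + 1):
            frag = name[start:start + size]
            pos = lowered.find(frag)
            if pos != -1:
                return password[:pos] + password[pos + size:], frag
    return password, None

def find_derived_groups(vault):
    """Group entries whose passwords match once the site fragment is taken out."""
    groups = defaultdict(list)
    for domain, password in vault:
        base, frag = strip_site_fragment(password, domain)
        if frag:
            groups[base].append((domain, frag))
    # One entry alone is not a pattern; two or more sharing a base is.
    return {base: hits for base, hits in groups.items() if len(hits) > 1}

# CONSTRUCTED vault; the last entry stands in for a manager-generated password.
VAULT = [
    ("boards.ie", "HappyDaysrds1916"),
    ("adverts.ie", "HappyDaysrts1916"),
    ("boards.ie", "MaryHadALittleElephant100!+boa"),
    ("gmail.com", "MaryHadALittleElephant100!+gma"),
    ("bank.example", "t7#Vq2!mZp0Lw"),
]

if __name__ == "__main__":
    for base, hits in find_derived_groups(VAULT).items():
        sites = ", ".join(f"{d} ('{f}')" for d, f in hits)
        print(f"shared base {base!r}: {sites}")
```
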



  • Registered Users Posts: 8,184 ✭✭✭riclad


    I use a simple password for basic websites, e.g. userNo14celt (not my real password). If some hacker wants to see what podcasts I like to listen to, I don't care. For Gmail etc. I use complex passwords; if it's too much, get a password manager. I don't use social media or any banking finance apps. I don't care if someone knows my password or newser usanews I random website. Last time I checked, I get maybe a few spam emails a month, which I don't read.

    The problem is some people use 1 password on YouTube, Gmail, Facebook, Insta etc., which leaves them wide open to hackers. If someone can read all your banking emails or work emails, they could use it to carry out ID theft. I got an email from Google last week: change your password on adverts.ie, it may have been compromised.

    For banking work apps you should have 2 factor authentication on.

    E.g. if someone tries to log in from a random PC device on a finance work app, it'll send a one-time-use PIN code to your phone by text. This PIN code changes every day randomly, e.g. is this you logging in, using the code sent to your phone.



  • Registered Users Posts: 141 ✭✭DeconSheridan


    I came to like Enpass password manager. It has a lot of features, is cross-OS (Wins, OSX, Linux) and mobile compatible, and most important for me was cloud (Google, OneDrive) connectivity to link all your devices.



  • Registered Users Posts: 2,307 ✭✭✭Irish Stones


    I compared all the password managers that you and other users have suggested to me so far, and they all look rather good.

    The only thing that keeps me from signing up with them is what would happen if the service I chose discontinues its service. Would I be locked out from all my accounts because the safe and long passwords generated are all unknown to me?



  • Registered Users Posts: 28,537 ✭✭✭✭AndrewJRenko


    Almost certainly, you'd have some time to export your passwords and switch to another service.

    In a worst case scenario where it closes with no notice, you'd go through the password change facility for each account, which would be a bit of a pain, but you'd get there. Just make sure you know your email address anyway.



  • Registered Users Posts: 4,026 ✭✭✭TaurenDruid



    As Andrew says, you'd have notice. When any sort of online service is announced as being discontinued (like eircom.net's free email or Yahoo's Groups disappearing) you get literally months of notice - and they were free services. So for a paid service, you'd get even longer. And password manager services aren't going anywhere - quite the opposite, they're getting more popular/needed, and generating more revenue for their shareholders. Again, agreeing with Andrew, the only other password I actually remember is my main email account's password, 'cos that's the key one for password recovery for everything else.



  • Registered Users Posts: 141 ✭✭DeconSheridan


    Enpass will back up / store your vault database locally to your PC as well, so you always have access to your password manager and accounts. The purpose of linking to a cloud storage is to sync your devices with Enpass installed and cloud synced, so you don't have to manually update other devices when adding a new item to the manager.

    If the cloud is unavailable the app still works, as the app itself is not in or delivered from the cloud. If a machine or hard drive crashes you never lose your vault database, as it's accessible through the cloud or from another device, and when you repair your crashed one you just install Enpass, tell it where to connect to your Google or iCloud, and all is back again in seconds.

    A strong cloud storage account password and 2FA turned on is recommended if using these features.


