• Holzkohlen@feddit.de
    link
    fedilink
    arrow-up
    109
    arrow-down
    2
    ·
    1 year ago

    The only good passwords are those you don’t know yourself because they are randomly generated and all stored in your password manager of choice.

      • zalgotext@sh.itjust.works
        link
        fedilink
        arrow-up
        62
        arrow-down
        3
        ·
        1 year ago

        Then you look up the random string of 36 characters once, think “why did I make this one 36 characters” as you painstakingly type it in with a TV remote, then immediately forget it as soon as you’re logged in.

        • Lt_Cdr_Data@discuss.tchncs.de
          link
          fedilink
          arrow-up
          22
          arrow-down
          2
          ·
          1 year ago

          Then repeat this process every few months the device decides it needs to ask the password of you again. Not playing this game

          • Johanno@feddit.de
            link
            fedilink
            arrow-up
            10
            arrow-down
            1
            ·
            1 year ago

            Take the TV throw it out of the window.

            Buy a minipc and plugin a cheap Monitor via hdmi.

            Setup kodi or similar on your minipc and you won’t even have ads anymore because you will of course install pihole too.

          • ClamDrinker@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            1 year ago

            If it’s a fairly inconsequential service (no payment/personal info, nothing lost if it gets hacked), you can just generate a far shorter password. Even randomly generated passwords can be remembered eventually if you have to type it enough times, and that’s still better than the same one.

            If it’s not inconsequential, I’d be questioning if my money is well spent on a sadistic service that makes my life hell trying to have a minimum level of security. I would say that even if it wasn’t a generated password that you have to type over.

          • Damage@slrpnk.net
            link
            fedilink
            arrow-up
            7
            ·
            1 year ago

            I have a keyboard connected to my TV and some apps still refuse to accept its input, forcing me to use the stupid remote keyboard

          • Wogi@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            1 year ago

            Device recognition instead of passwords, using your phone. A number of apps already do this and logging in is painless even with a shitty old remote.

            • Empricorn@feddit.nl
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              That sounds… even less secure, but admittedly I know nothing about it. How does it work? MAC address? Device type? OS? I think all of those can be spoofed…

        • PieMePlenty@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Not write it down on a post it and recycle it with the rest of paper products only for the gmen to go through your thrash and find it?

      • vsis@feddit.cl
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        I use an off-line libre password manager for several bad designed goverment stuff that only accept numbers as passwords or don’t allow to paste it.

        It’s not that hard and I easily get used to it. I read it, type it and forget it again.

      • kratoz29@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I hate this shit so much, even when I can do semi okay because I use a Shield TV the logins are still a pain in the ass.

      • Fermion@feddit.nl
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Some password managers support generating random passphrases like “correctbatteryhorsestaple.” They’re still a pain to punch in on a remote, but much easier to keep track of where you are in the password and avoid transcription errors.

      • clb92@feddit.dk
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        1 year ago

        Well that’s on you then.

        1. Keep encrypted backups of your password database, so that you can migrate to something else if you need to.

        B. Make sure to have your password database synced to your phone or accessible in some other way when you’re out and about.

        III. If purely offline and local password manager with no syncing, have a way for a trusted person to be able to access it, if you need them to.

        • Lastly, attempt to not suffer memory loss and forget your main credentials to the password manager.

    • tilcica@lemm.ee
      link
      fedilink
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      depends on the password manager…

      also, the length of the password is WAY more important than it being randomly generated as long as it’s not in a password dictionary somewhere. I use 20+ character passphrases that i can easily remember everywhere for instance

      • MrVilliam@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        My strategy is to have a persistent short passphrase that’s within every password I use, and pair it with a silly bastardization of the service I have an account for. So, for example, if my passphrase were hunter2 (lol) and I had an account on Netflix, my password for Netflix might be something like hunter2NutFlex. Because of this, I can manage my own passwords in basic text as “code NutFlex” because the “code” portion is encrypted in my own fucking brain. If Netflix gets hacked, somebody has a password that only works with Netflix, and they’d need my text file as a Rosetta Stone to acquire my other passwords. Not impossible, but who the fuck am I and why would anybody dig that deep to do that to me?

        I’m no IT expert, so somebody tell me if this is a stupid and overly vulnerable strategy. I thought I was pretty brilliant for coming up with this and rolling it out several years ago.

        • tilcica@lemm.ee
          link
          fedilink
          arrow-up
          7
          ·
          1 year ago

          i am an IT person (wouldnt say expert) and i do this. password cracking time is based on the number of characters, not the type of char so you can do “abcdefghijk” and it will be more secure than “_a;” (both are still weak but my point stands)

          all of this can be broken if you just use common passwords or plain english words since those are broken with dictionary attacks

        • Paradoxvoid@aussie.zone
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          It’s not the worst strategy (and is actually referred to as ‘peppering’ your password)… but if your primary use-case is websites and mobile apps, using a password manager like Bitwarden and randomly generated strong passwords is still a better strategy (and probably faster too, since you don’t need to type it out manually anymore, and/or remember which flex you used when creating your ‘peppered’ password).

          This is a good approach if you have to login to services that aren’t via a web browser though - e.g. Remote desktops etc.

        • drathvedro@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          11 months ago

          I’d say the approach is potentially vulnerable, but the tech isn’t quite there. The modern approach to password cracking is to take a huge dictionary, and run permutations on it, like change a’s to @'s, capitalizing first letters or adding numbers in the end. Any cracker worth their salt will have something like “add _netflix” as a permutation, too. I don’t think that anyone would have “NutFlex” in there, yet, but it’s possible if one of them stumbles on your leaked password from somewhere else.

          As for “basic text”, do you mean like .txt’s? And do you store the entire password there? We do have viruses that scan for crypto wallets and it’s seed phrases already. It’s not too far fetched to imagine one that would cross-match any txt’s contents in the system with browser’s saved logins.

          The most glaring issue I see is that the bastardization is effectively part of your password. With 1000+ passwords it’s going to be easy to forget (was it nutflix, sneedtflex, nyetflex or something?) and it’s going to be hard to find it if you don’t manage the codes properly. I recently had to scan over every single of my password manager entries (forgot a 100% random login, password and domain), and let me tell ya, It wasn’t fun.

          You could possibly switch to a “client-side salting” approach, having a strong consistent password in you head, and storing a short but truly random suffixes for each service. e.g. text file named “Netflix” containing something like “T3M#f” and the final password would be something like “hunter2T3M#f”. At least that’s what responsible sites do to protect people who have simple/matching passwords. You could even store those suffixes somewhere semi-openly, like in a messenger as messages to yourself. But at that point, it’s probably easier to go with a password manager. Though that’s an option if you don’t trust those.

          • MrVilliam@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            You could possibly switch to a “client-side salting” approach, having a strong consistent password in you head, and storing a short but truly random suffixes for each service. e.g. text file named “Netflix” containing something like “T3M#f” and the final password would be something like “hunter2T3M#f”.

            I guess I’m not understanding how this is functionally different from what I already am doing. Why would your 12 character solution be more secure than my 14 character example? Is it just because NutFlex is two actual words, so a dictionary attack could crack that more easily? Or is it because it’s kinda close to the domain the account is associated with? Would I be significantly better off replacing those bastardizations with other random words?

            Edit: and also, they’re saved as notes in my phone, and no I don’t type the whole password in. That would defeat the purpose of having a persistent master phrase as part of the password.

            • drathvedro@lemm.ee
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              they’re saved as notes in my phone, and no I don’t type the whole password in

              Then I must have misunderstood your approach. Is it like a single note with all the keywords only, then?

              I guess I’m not understanding how this is functionally different from what I already am doing. Why would your 12 character solution be more secure than my 14 character example

              Yeah, it’s because it’s close to the associated domain. The way I see it, this bastardization adds little entropy (there’s only so much possible variations) but also rather easy to forget. And a huge problem, in my opinion, is it’s using your mental capacity for per-site suffixes rather than master password.

              A possible attack I see, is if I set up a site, say a forum called MyLittlePony.su with no password protection whatsoever, and lure you to register on it. If I scroll through the accounts and notice your password to be “hunter2MyLittlePenis”, I might go to paypal and give it a shot with “hunter2PenisPal”. Or, somebody whom I sold the database to, might. It’s extremely rare that anyone would even look at your password specifically unless you are some kind of celebrity, but it’s still a possibility. Maybe some future AI tech would be able to crack your strategy (I’ve tried, ChatGPT told me to fuck right off and FreedomGPT is not good enough yet)

              Though you’ve said you also keep notes, which deals with the easy-to-forget part of the problem, so my first thought was to get rid of bastardization and add fuck-all amount of entropy by using a truly random suffix. That’d deal with the above problem. But, that’d mean that it’s your master password that is the suffix now, and you wouldn’t be able to access sites without the notes at all, hence it’d be easier to go with password manager at that point.

    • UnspecificGravity@discuss.tchncs.de
      link
      fedilink
      arrow-up
      3
      arrow-down
      3
      ·
      1 year ago

      Except you DO know the password to your password manager, which makes it about as secure as just writing them down and keeping them in the house.

  • kamen@lemmy.world
    link
    fedilink
    arrow-up
    37
    ·
    1 year ago

    Imagine a site telling you “Sorry, you can’t use asdf123 as your password: you’ve already used it on that other site”.

    • A_Very_Big_Fan@lemmy.world
      link
      fedilink
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      That’s not as far fetched as it sounds. Any website worth its salt will store your password as a hash, so if they started sharing the hashes with each other they could prevent you from reusing passwords without changing much security-wise

    • FakinUpCountryDegen@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      It would be better if you had a local tool telling you that - one that you control and only exists on your personal devices, kind of like secure messaging platforms such as Signal.

      Another great later would be for all compromised passwords found in breaches to never be usable anywhere ever again, thus helping to thwart the most common form of breach we see today: credential stuffing.

  • Kedly@lemm.ee
    link
    fedilink
    arrow-up
    42
    arrow-down
    6
    ·
    edit-2
    1 year ago

    Counterpoint: Password Manager = One point of failure

    Multiple Strong Passwords that have to be changed every 3 months even to sign on to your cornerstore rewards program without a password manager? Guess you’re never accessing any account older than 3 months because you’ve forgotten th3 b1lli0n$ oF s+r0ng p4s5w0rds Y0u h4Ve cr3atEd!

      • Kedly@lemm.ee
        link
        fedilink
        arrow-up
        8
        arrow-down
        1
        ·
        1 year ago

        I mean yeah, the security benefit from being un-notable isnt negligible

    • FakinUpCountryDegen@lemmy.world
      link
      fedilink
      arrow-up
      20
      arrow-down
      6
      ·
      1 year ago

      That’s…not a counterpoint.

      You can have strong authentication on your central password manager, and have an encrypted container protecting it.

      There is no logical argument against password vaults as a concept. There are bad implementations of specific password vaults, but a password vault is the answer for the highest possible password based security available in 2023.

      • Kedly@lemm.ee
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        And figuring out which password managers to use is not a task which a lot of people know where to start, and it is STILL a single point of failure

      • RedditRefugee69@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        What makes it completely unusable for me is that I don’t have a single work computer I use. I have to bounce around computers at work, my personal phone, computer, work iPad, etc.

      • Comment105@lemm.ee
        link
        fedilink
        arrow-up
        1
        arrow-down
        2
        ·
        edit-2
        1 year ago

        I have no idea about how to protect a password manager with an encrypted container.

        And to be honest with you, it’s not something I’m likely to do even if you do attempt to explain the 60 minute long $10 18-step process to me. Or however long it takes and whatever it costs.

        And really, for all my ignorant ass knows you could’ve just as well been encouraging me to get malware and I’d be none the wiser.

    • 0xD@infosec.pub
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Okay and now let’s get into threat modelling and risk management.

      What is the purpose of a password manager? What are the possible threats against them, and what are those against singular passwords for services? What is the risk of each of those?

      • Kedly@lemm.ee
        link
        fedilink
        arrow-up
        9
        arrow-down
        2
        ·
        1 year ago

        Guys, before you argue with me, password security is something that EVERYONE in the 1st world has to deal with, not just tech nerds. If you need to grow up around computers or take a class for it to be a good form of security, its a shit form of security for the general public

        • 0xD@infosec.pub
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          But you don’t?

          Password managers really are not hard to use. Also there’s stuff like the password manager built into iOS, for example, which you don’t even have to think about.

          My comment about threat modelling was that you do not seem to understand the purpose of password managers. A way bigger problem for the average person online is password reuse, not targeted attacks against password vaults. That is the problem they solve.

          • wewbull@iusearchlinux.fyi
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            The weird trope I’ve seen now is “don’t use the password manager in your browser”. For the life of me, I can’t think why some think a browser plugin to a commercial password manager is safer than the built in version.

            • Gestrid@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              They probably think it’s safer somehow. But I don’t really get how.

              Most built-in password managers allow for you to setup a master password of sorts if you try to sync everything to a new device, and most also require you to use your computer’s native verification to view a single password in plaintext or export all of them as plaintext. (For browsers on Windows, they use Windows Hello; for browsers on Android, they use the fingerprint scanner or the lock screen pin.)

        • Comment105@lemm.ee
          link
          fedilink
          arrow-up
          0
          arrow-down
          1
          ·
          1 year ago

          I’ve had security fatigue for years now. I’m sure most of you have. I’ve written down so many usernames and passwords and it’s still not half of what I have, and to top it off, several of the written passwords are now wrong after obligatory password changes and I don’t remember the new ones.

  • GissaMittJobb@lemmy.ml
    link
    fedilink
    arrow-up
    24
    arrow-down
    3
    ·
    1 year ago

    Just use a password manager, then you get the benefits of having a single password to remember without the security-related downsides.

    • Rubanski@lemm.ee
      link
      fedilink
      arrow-up
      25
      arrow-down
      6
      ·
      1 year ago

      I never got over the fact that I somehow need to trust to an absurdly high degree a proprietary software to store ALL my passwords. Is this really a good idea?

      • aicse@lemmy.world
        link
        fedilink
        arrow-up
        25
        arrow-down
        1
        ·
        1 year ago

        You can use KeePass, but you’ll have to figure out a way to have your password vault available on other devices (can do it by using any cloud shares, i.e. GDrive). This way you’ll be in charge of almost every aspect of your passwords. But you’ll have to take care of backups and keep everything in sync.

      • vsis@feddit.cl
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        1 year ago

        There are libre off-line password managers. Variants of Keepass for example.

        Indeed it’s a bad idea to store passwords in a propietary system. Specially a cloud based one being hacked time to time, like 1password.

      • ClamDrinker@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        It’s the choice between trusting one company (or if you self host, trusting yourself) to have their security all in order and properly encrypt the password vault. Using one password for every site you use means that you have to trust each of those sites equally, because if one leaks your password because they have atrocious password policies (eg. storing it in plain text), it’s leaked everywhere and you need to remember every place you used it before.

        Good password managers allow audits, and do at times still get hacked naturally (which isn’t 100% preventable). Yet neither of these should result in passwords being leaked. Why? Because they properly secure your master password so it can’t be reverse engineered to plain text, and without the master password your encrypted password vault is just a bunch of random bytes. And even in the extreme situation it did, you know to switch to a better password manager, and you have a nice big list of all the places where you need to change your password rather than trying to remember them all.

        Human memory is fallible and we want the least amount of effort, because of that we usually make bad passwords. Your average site does not have their password security up to date (There’s almost a 0% chance not one of your passwords can be found here). If you data is encrypted accordingly, it doesn’t matter if it gets leaked in any way or stolen by some rogue employee, so long as they do not have your master password. So yes, I’d say that’s a good idea.

    • Mr_Dr_Oink@lemmy.world
      link
      fedilink
      arrow-up
      13
      arrow-down
      4
      ·
      1 year ago

      So all my passwords are locked behind a single password? Isnt this essentially the same as using the same password for every site. In that they only need to cracl o e password to have access to everything?

      • Pfnic@feddit.ch
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        In theory, yes but if you use a good password manager and have a strong master password the encryption should be practically impossible to break. The fact that you only have to remember one password means that this password can and should be a very strong one. 20+ characters with upper and lowercase letters, numbers and symbols should take centuries to crack.

      • baatliwala@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        1 year ago

        You should be safe as long as your master password isn’t small, less than 15 characters. The longer the password, the better. Personally what I do is use a pass phrase to make it easily memorable, and then use it as a base to inflate security somewhat artificially.

        Wrap the pass phrase around in brackets or symbols; mix lower/upper case; replace (or add to) a word in your pass phrase with one from a random other language, so instead of hello you type bonjour. Bonus points if you are able to replace even a few letters in your pass phrase with fancy diacritics, or fuck it add an emoji or two.

        Then again there are a LOT of other factors which go into security. Theoretically the lyrics of song are decent as a pass phrase but there’s not much point if everyone knows what your favourite song is, or if you are learning Spanish then you’ll replace the English words with Spanish.

        Unless you’re in a position where you’re targeted by nations or are working extremely high profile jobs like CEO or digital security you should be safe really with all these but as I said there’s a lot to keep in mind.

          • baatliwala@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            2FA is in the name, 2 factor authentication. A “factor” can be considered as proof that you are who you are. The more the factors provided, the more concrete proof the system has that the user is legitimate.

            What a factor is is a more complicated. It can be broadly put in 3 categories (there’s more but we’ll ignore for now) :

            • something you know, like a PIN/password
            • something you are, like biometrics/eye scanning
            • something you have, like an ATM card or phone

            The 2FA you are thinking of is probably the 1st (a password you know) + a PIN sent to or generated by something you have (a phone). If the 2nd pin was some you had created by memory like a password rather than a remote system generated one then it would be considered same as the first factor, it wouldn’t be multi factor.

            So yeah it’s important that you keep both factors as secure as possible. A good password + a phone to generate TOTPs. I mean theoretically you can keep a password of ABC and keep 2FA on so hackers wouldn’t be able to get into your system but let’s follow best practices yeah? Use a password generator to make complex passwords for a login and enable 2FA.

      • Honytawk@lemmy.zip
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        Just don’t use your master password anywhere else than your password manager.

        If your password manager only works offline, then it is impossible to leak on the internet.

      • qqq@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        This is not necessarily true.

        For example, consider the case of a 1Password vault falling into the hands of an attacker. They do not have the option to just crack your password, as the password is mixed with a randomly generated value to ultimately derive the key. They would need to simultaneously brute force your password and that random value. This should almost be impossible. However, given access to a client that already has knowledge of the secret value, it would fall back to brute forcing the password.

    • kratoz29@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I have been wondering as of lately, I’m an old Bitwarden user and I use their generated passwords which are just a random mess for my eye, anyway when a leak occurs I usually tend to type my known passwords to match it with the leak lists, but now all this being auto generated and I be totally clueless of which is which, how would I ever notice if one of those more secure passwords are leaked?

      Does Bitwarden let you know of leaked passwords as Chrome and I think Firefox does? Because I don’t recall having this info in hand.

      • smrtprts@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        You can go into your vault and choose a password to see if it’s been exposed on the web. It’s a little check mark by the password.

  • Goku@lemmy.world
    link
    fedilink
    arrow-up
    17
    ·
    1 year ago

    It was literally a battle for me to have a strong unique password for our baby monitor… Wife was not happy about that but I came out on top.

  • Paradachshund@lemmy.today
    link
    fedilink
    arrow-up
    20
    arrow-down
    3
    ·
    1 year ago

    Everyone talks about password managers these days, but isn’t that telling the hackers exactly where to go to get all your passwords? Seems like a much higher chance of catastrophic failure to me if you have a single point of entry.

    • moonmeow@lemmy.ml
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      Yes that’s definitely a concern to keep in mind.

      The problem is that if someone doesn’t use a password manager they’re morenlikely to reuse weak ones.

      Using a password manager is a better path, as long as there is awareness on how to keep it secured.

      • Browning@lemmings.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        I use the same password for every site, but I put the name of the site at the end of the password.
        For example:
        NotmypassB3ta.
        NotmypassGoogle.
        NotnypassLemmy. Etc.
        I figure it might stop the most lazy of attacks.

        • lud@lemm.ee
          link
          fedilink
          arrow-up
          8
          ·
          1 year ago

          It will stop a lot of attacks but if someone figures it out, you’re screwed. So I don’t recommend it.

          But years ago I used the same password everywhere except with a few differences due to different requirements (like special characters) and the weakest passwords I used got leaked on pastebin (or similar). And sure enough many accounts got compromised, not a huge deal and I didn’t lose anything I cared about.

          The interesting part is that no-one seemed to try the leaked password + 1234 or a capital letter in the beginning.

        • Droechai@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I had something similar but ran into issues with sites requiring specific symbols, disallowing certain symbols and limiting lengths or similar

          • wewbull@iusearchlinux.fyi
            link
            fedilink
            arrow-up
            3
            ·
            1 year ago

            That annoys me so much. Especially when the randomly generated line noise password I’m using doesn’t happen to include one of the three punctuation characters they need to be “secure”.

        • moonmeow@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          That sounds not ya I’m sure it stops a , as long as the actual password is also strong. IMO there’s still some vulnerability. If someone finds out your password and notices thepattern ‘pass+Site’, then they mighttryyon another site.

          Also why it’s a good idea to have a few emails yo use across multiple sites.

    • Hexarei@programming.dev
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      1 year ago

      Only if you’re using a third-party password manager, rather than something stored/managed locally.

        • itslilith@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          I’m using KeepassXC, which has a browser integration that is quite good, and a local database. I synchronize it to my devices (using Syncthing, so it’s p2p). The database is encrypted with a pretty good password, and a key file. the key file has never and will hopefully never be transported via internet. The database is synced to a server I’ve rented as well, but never the key.

          It’s not perfect, but potential attackers would need to

          a) have access to one of my daily devices (the server won’t be enough, since they need the key file)

          b) crack my password

          Obviously, for someone dedicated this is still quite reasonable, but then again, I don’t think that’s my threat profile. The chance of getting caught up in a larger breach is a basically zero once you use your own solution, and it should be reasonably safe, if you don’t do anything stupid.

          • Piemanding@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            They would also need to know what you are using in the first place. Since fewer people do this it does make it a bit safer.

            • itslilith@lemmy.blahaj.zone
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Exactly. As long as you don’t have someone really determined or some three letter agency after you, it’s going to be pretty safe

          • Paradachshund@lemmy.today
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Oof, I barely understand most of that so definitely over my head I think. It sounds like you’ve made a good system for yourself though, nice job!

            • itslilith@lemmy.blahaj.zone
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              I could’ve phrased some things simpler, haha

              But yeah, I’m quite happy with it. KeepassXC is a local password manager, and Syncthing lets you synchronize files and folders across devices, and it uses Peer-to-Peer (p2p) technology, so unlike something like Google drive you’re not relying on some could server, it just transfers between your devices directly.

              It’s not plug and play to install, but not that hard either. But still, I can see that commercial options are a lot easier for many people c:

        • Hexarei@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I store mine in a selfhosted Nextcloud instance, KeepassDX on Android supports accessing it directly. Works perfectly and even provides an autofill service for Android. Very easy and very convenient.

        • Rodeo@lemmy.ca
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          That’s the neat part, you don’t.

          Security and convenience are opposites. You have to decide if you want a local-only manager that is more secure, a sync service like syncthing that you can set up yourself, or a third-party cloud app like LastPass (which has been compromised at least once that I know of).

          Personally I just do all my email and banking on my desktop at home, and it’s actually only inconvenienced me a few times over the years.

          • Hexarei@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I store mine in a selfhosted Nextcloud instance accessible only via a Nebula overlay network (alternative to tailscale) and it’s both convenient and secure.

          • Paradachshund@lemmy.today
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Sticking to desktop only wouldn’t be realistic for me unfortunately. Sounds like the solutions aren’t quite there yet for an average user.

            • 0xD@infosec.pub
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              1 year ago

              They are, just use a normal one (I use bitwarden) that you can access from everywhere and protect it with 2FA.

              The goal is to have varied, secure passwords across everything.

          • itslilith@lemmy.blahaj.zone
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            the only thing that gets less secure is more devices potentially compromised, but the act of syncing shouldn’t make it more dangerous by itself (if using a key file or a master password too long to be reasonably cracked), right?

            or am I missing something?

    • FiveMacs@lemmy.ca
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      I just use a password manager for my password managers password manager. 2fa on all of em. Takes me forever to login

    • gornius@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      1 year ago

      The main argument to use password managers to prevent password leaks to all of your services (that you use with the same login/email). You can’t trust any service to store your password securely, therefore you should use different ones everywhere.

      Using a password manager gives you the convenience of using one, strong password that’s being used very securely, and mitigating risk of password leaks spreading further.

      If you abstract it that way, it by no means eliminates the risk of someone breaking into your database, but makes it harder and from a single entry point, instead of any service that uses your password.

      Plus many of those password managers give you an option to use YubiKey for additional security.

      Oh and also you won’t ever need to press “forgot password” ever again due to the arbitrary requirements that your password doesn’t pass, so you modify it slightly so it would.

    • wewbull@iusearchlinux.fyi
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      The greatest threat is password databases being leaked from the services you use. Not your phone or laptop. Physical access to a device is a pretty high security bar.

      If you don’t let people make notes of passwords they use one crap memorable password for everything. Let them store it, and advise them to do it somewhere encrypted. Ta da! Password manager.

      • Nintendo@lemmy.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        you literally described the exact use case for password managers. in security, it’s not about IF you get breached, it’s WHEN and how to recover from it. this includes cloud password managers. you can hack all the data you want from these companies but any reputable password manager company will employ a Zero Trust model where your data is stored encrypted. they can completely upend the company and destroy their whole infrastructure, but they still can’t do shit unless they have your master pass or a time machine.

  • Agent641@lemmy.world
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    edit-2
    1 year ago

    I’ve actually come up with a way to have a complex and unique password for each service which is also resilient againt forced password changes, doenst require a password manager, and if Im being tortured I still wont be able to tell them what it is because I dont know it unless Im at the login screen. If the service changes the layout of their login screen though, Im fucked.

        • ours@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          ·
          1 year ago

          If they change/rebrand the login he’s screwed. Just use a password manager people.

          • TheBERFA@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            I’ve been thinking of starting to use one more and more, is there any you would recommend? Are all the good ones a paid service? And my biggest concern is someone getting into the password manager itself, is that something that I should worry about?

            • JustARegularNerd@aussie.zone
              link
              fedilink
              English
              arrow-up
              6
              ·
              edit-2
              1 year ago

              I’ll second the other comment suggesting KeePass, but the biggest issue I had with it was syncing the database across devices. Ultimately I stored it in OneDrive, but it occurred to me that at that point it wasn’t much different to a cloud password manager, which I especially didn’t trust.

              I now self host a Vaultwarden instance from my Raspberry Pi, and that works perfectly for me, but it does require a bit of Linux experience and a spare device to run the server.

              • itslilith@lemmy.blahaj.zone
                link
                fedilink
                arrow-up
                2
                ·
                1 year ago

                I’m using KeepassXC and sync with Syncthing (which is P2P), and I’m quite happy with it. Seems like you got your setup figured out, but this is a bit simpler for someone looking into password managers

                KeepassXC also has a great browser integration c:

            • ours@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              ·
              edit-2
              1 year ago

              I don’t trust a service for my passwords so I’d rather trust an open-source software.

              Try KeePass, it runs both on a PC as well as a phone so just carry your encrypted passwords with you.

              Edit: And passwords aren’t enough, use multi-factor for services that offer it. Preferably via an app instead of SMS.

            • Zink@programming.dev
              link
              fedilink
              arrow-up
              3
              ·
              1 year ago

              Bitwarden has been working well for me, and it’s open source and free to use. I started using it when it was clear that using LastPass was not a long term solution.

            • qqq@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              1Password is a solid service if you’re OK with the proprietary aspect. I use it personally and we use it at work (I’m an infosec consultant)

  • clanginator@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 year ago

    I came up with a formula for my passwords - as easy to remember as a single password and makes a unique login for every site feasible without a password manager. Can be updated as often as you like and all you gotta do is remember the latest version of the formula. At the very least, the hashes will be different and it’d take someone having more than two of my passwords to figure out the pattern.

    I also use over 100 email aliases with my own domain name so that my most important accounts have a separate login that isn’t a common domain that wouldn’t be easy for someone to guess.

    It would take a lot of concentrated effort for someone to get at any of my important accounts, and even my less important ones would be pretty difficult to get into even if multiple accounts are compromised, due to using a smaller pool of aliases under common domains for less important accounts.

    Someone got into half a dozen of my accounts a few years ago and I finally started taking security seriously.

  • newIdentity@sh.itjust.works
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    1 year ago

    Not really though. Once the password has been leaked, it needs to be cracked. And that usually doesn’t happen when the password is strong enough.

    Except the password wasn’t hashed but then the company belongs to get sued to bankruptcy

    • randombullet@feddit.de
      link
      fedilink
      arrow-up
      16
      ·
      1 year ago

      That’s also assuming they used proper salts and a strong hashing algorithm.

      Also MITM and or phishing attacks are not super common but can also depreciate your common password very quickly.

      Always layered defense. If it’s not 1 thing, it could be another.

      Unique passwords are just one facet on a multi-layered security defense.

      • Blackmist@feddit.uk
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        I think phishing is by far the most common way to get passwords.

        I saw a guy at work fall victim to one. Looks like it’s from some customer he knows, links to document on Office365 or similar, enter username and password and swearing because it’s “lost them”.

        I went, “What URL is that?”

        He looked at his screen for a second. “Fuck.”

        “How many passwords have you given it?”

        “My work ones and my bank ones.”

        “Better change those then, hadn’t you?”

    • Aurix@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      Since you can never now for sure how a company handles hashing, always assume the worst. You will fare better.

    • Tartas1995@discuss.tchncs.de
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      That is a really bad take.

      The meme is expressing that a strong password is a lot worse when reused.

      Even if one agrees with your take, the meme is accurate.

      But your take is really bad because “it needs to be leaked and cracked” ignores so many alternative ways to steal passwords. Xxs keylogger, mitm, phishing… And some of these attacks are making it really difficult or unlikely to succeed. E.g. the chance of a phishing email for your bank or apple icloud is much more likely than a phishing email about e.g. your babyphone. Segregation of accounts is also important because obviously if you use the same password 30 times, then there are 30 places to leak your password and some might use md5.

      • newIdentity@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        But a strong password doesn’t help you with phishing attacks and such attacks. It really only protects you against database breaches and direct password Bruteforce.

        Reusing a password doesn’t destroy the whole security aspect you get from a strong password like the meme implies. Just some of it.

        Of course you should both not reuse passwords and use strong passwords

        • Tartas1995@discuss.tchncs.de
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          You have successfully missed my point, and apparently your own???

          I am not saying strong passwords are protecting you from phishing. I never did.

          The meme is saying reusing the password “ruins” a lot of the security benefits of a strong password. And it does. Like you agree.

          So for you, reusing passwords… That is what I am taking about, as you expressed the reusing passwords is fine because it has to be cracked and with strong password that is difficult. So I was criticizing your statement. I don’t know how you manage to understand anything else from it honestly. And yes!!! Reusing passwords makes phishing attacks easier and more successful.

  • ReaperWithASniper@lemmy.world
    link
    fedilink
    arrow-up
    8
    arrow-down
    2
    ·
    1 year ago

    This meme couldn’t explain it better - a strong password crumbles like a cardboard castle when used across multiple sites. Nails the message to the T.

  • BigBlackCockroach@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    i use this on all sites:

    3 lower case 3 uppercase 3 special chars and 3 numbers, (pseudo) randomly arranged, (pseudo) randomly generated.

    • kase@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      How do you keep track of your passwords, if you don’t mind me asking? That’s where I get stuck

      • flerp@lemm.ee
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        I’m sure I’ll get shredded for this, but I keep my passwords in a notebook. Every once in a while I go through and change them all into other random nonsense and reorganize to keep it neat. I am a bit of a notebook fanatic and a have a whole shelf full of them. If someone ever broke into my house there’s no way they’re going through all of them to find anything like that. If the house burned down, maybe a bit of a problem, but as long as I have my phone I can get my email back, and between my phone and email I can get any of the important ones back as well.

        If I had corporate or government secrets and was the target of espionage I’d probably rethink, but the danger of anything is so minuscule.

        • orangeboats@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          To be fair: A notebook with a bunch of strong passwords is probably more secure than a human brain memorising a bunch of weak passwords.

      • LolaCat@lemmy.ca
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        If you’re alright with an online password manager Bitwarden is the best one there is. If you prefer having an offline password manager KeePassXC is a great option as well :)

      • meliaesc@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        A password manager. I personally use 1Password, I’ve seen a lot of recommendations for BitWarden, and my workplace uses KeePass.

      • maniacal_gaff@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        Derive the pseudorandom parts somehow from the url domain and you’ll always be able to figure it out.

        • Zink@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I’ve done this and it has been convenient, but using a password manager is still the way to go IMO. The personal password algorithm approach starts to be a pain when you need to follow a different set of character rules or change a password. With a password manager there’s no hesitation or friction when considering a password change.

        • noride@lemm.ee
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          Yeah, if you use your own password cipher, you never have to memorize a password again. Just derive it based on some common input value, like the company name or url. Makes password rotation tricky, though, and it’s a pain when a website won’t allow a special character you generally use, creating “one offs” that are hard to track.

          • atx_aquarian@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            edit-2
            1 year ago

            I did this for years. Yep, it works enoughish, but I’m so much happier on a password manager now, and it’s pretty fun to see the managed passwords having so much more entropy than even the most obscure things I was algorithmically generating. Also, the speed of using a manager is great. Somehow I ended up with multiple Ticketmaster accounts (from using a different email address for some one-off season tickets that migrated into TM later). I think the moment I realized I wanted to change to a manager was when I was walking up to a concert and realized I hadn’t downloaded my ticket. I got into TM and realized I needed to switch accounts. So then I’m trying to walk and type my big fucky nerd-assed brain-generated password on mobile, fat-fingering the touchscreen keyboard, almost locking myself out of the account when I just want to get into the venue and relax. Later, that first moment trying an integrated pass manager and effortlessly switching between accounts, each with far stronger passes than I would have remembered, limited only by the loading speed of the site and with virtually zero chance of locking myself out… that really made me feel like fancy Pooh meme.