Ah yes, Lastpass. You’ll never find a more wretched hive of scum and villainy. Come. We must be cautious.
No way to prevent this says only password manager where this regularly happens.
KeePass2 on Desktops and Keepass2Android on Android.
And sync the database via syncthing, have a keyfile on each of your devices ans password protect it all
Hey look, it’s me
I’ve been a faithful BitWarden subscriber since almost he beginning, but read up on them. They’ve Been making some moves lately that point in a bad direction. Proceed with caution.
VC funding is the enemy. I’m beginning to think it matters as much as the libre/proprietary software distinction.
Any alternatives? Might jump ship before they fully enshitify and hope their users are too entrenched too leave
Currently, there’s no entrenchment, as the apps are open source and there are self-hostable servers. You can easily get your data out and even continue using the apps indefinitely (the whole database stays locally in the app, offline; you just loose sync unless you self host a server).
I say that because that is the minimum bar for any alternative. I use them and am not panicking yet, but if I was starting from scratch, I would be cautious about choosing them.
Use a vaultwarden instance. It’s bitwarden api compatible.
I think I may be too dumb for that…instance?..
https://vault.tchncs.de/ https://github.com/dani-garcia/vaultwarden
You can use the bitwarden app/extension with this. It’s basically a custom backend for bitwarden.
Bitwarden seems to be pretty clearly on the path of enshittification. They’ve been going towards closing off the self-hosted versions for a while, and moving their app out of repos that check licenses, with the likely aim of taking it closed source.
The usualy will surely follow.Not sure how soon, but I definitely wouldn’t newly go to them at this point.
VaultWarden will probably become what people who care about these things turn to for a cloud-based easy sync solution
What’s the point over keepass with syncthing?
Convenient app UX, password sharing between users and in groups, and the ability for passwords to be updated on multiple devices simultaneously or while offline without collisions. It has a few other features that are probably rarely used, like secure send, that some people may use.
that would be a non-cloudbased non-easy solution. personally, that’s what i’m doing, but i don’t anticipate most computer users wanting to go through the effort when so many people are still running windows 10 rather than switching to linux
Funny thing I switched from bitwarden to keepassxc + synchthing just yesterday.
And my best friend got interested in doing that as well (mostly syncthing, so she can backup her photos and stop relying on the apple ecosystem). I also convinced her to switch to Linux a while ago.
There’s a lot of regular non-techy users that yearn for things like that. They just need some support.
Bitwarden’s the only “cloud-based” password manager I trust, since their entire stack is open-source.
For self-hosting, they recently released Bitwarden Lite, which is a lot simpler to host than their regular server. One Docker image and you can use SQLite for the database. Different design decisions compared to the regular server which is designed to scale up to handle businesses with tens or hundreds of thousands of employees.
There’s also Vaultwarden, which is an unofficial third-party server implementation.
and ProtonPass. they’re both great.
Proton’s server is closed source so I don’t trust it as much as Bitwarden.
understandable.
proton pass comes with a subscription to the drive, email, and everything else, so its very easy to use.
Dumped them when they completely mismanaged their first breach.
which was either 7 or 4 years ago now (can’t remember)
Ah this point, it’s more secure to keep your passwords in a clear text excel spreadsheet. They’ve had sooooo many breaches. How they’re still in business is anyone’s guess
i wonder how many of their customers forgot to unsubscribe
😂 anyone still there deserves what they got
Edit: oh, okay it’s not as bad as last time…
The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
Sales-related data
So credit card numbers?
Maybe?
Use your brain. Literally. It’s the only safe way to store passwords.
I have over 300 different passwords for different accounts. I’m not remembering that many passwords.
Well, good luck when it’s your turn in the barrel.
Not very safe passwords.
Oh really? What is it? Please tell.
Plenty of research on the topic. Humans cannot remember a unique, high bit random password for each service. Using your brain means one of the following. Low bit passwords that can be cracked, memorable passwords that can be guessed via social engineering, and/or password reuse where one breached service breaches many accounts.
The only known solutions are all based on some sort of actually random generation of passwords, combined with storage of some sort for all but a very small number of extremely important examples (typically just your password manager vaults password). I actually think a paper notebook and dice or card system is an under appreciated option for a lot of people, which falls under the above.
There is one weird alternative, and that is deterministically generated high bit passwords (via a cryptographic hash function). Unfortunately it doesn’t work well with stupid snowflake sites that have their own “good password” rules, and falls completely flat when you have to change passwords for just a single or few sites for whatever reason.
I probably have around 100 accounts that I’d need to remember the passwords to, that’s not possible while keeping them actually decent and unique.
It is possible. I have 78 unique passphrases. You only need to train your brain and not turn it over to a machine.
What composition though? I’ve got well over 100 that are 20+ characters including special characters. I can’t believe this is possible without use of words or something easily guessed.
I do have a few passwords I keep to myself, and even with my method of taking the first letter from a key phrase or set of song lyrics and switching most to leet speak, I still don’t think I could possibly remember more than a dozen reliably.
You can actually generate high entropy passphrases by chaining random words together. You just need to make sure the phrases are actually random and not just whatever comes to your head at the moment.
Naturally, words help with memorization, but memorizing hundreds of these is impractical at best, especially because long-term memory for infrequently used accounts is subject to “bit rot”.
How many characters are we talking, though? I’ve had passwords as limiting as 16 characters for some services (unfortunately)… that seems small to me for generating real randomness with passphrases.
That said, fair enough, but as someone who has administered a network before, I would never, ever want my users relying on their brain… the security from a pass manager is practically going to be way better than the standard practices of an average user without one. IMO.
But hey, color me impressed, honestly.
The entropy stems from the words, not characters. With random words and no repetition, you have
C(n, k)combinationsP(n, k)permutations (orn^kwith repetition), wherenis your dictionary size andkis the number of words you chain together. These passwords tend to be longer, but not by much. A big enough dictionary can yield some pretty high entropy with only a few words.I’ve had passwords as limiting as 16 characters for some services (unfortunately)…
16 characters is hardly enough for random characters unless you include Unicode (which rarely works for those same services that usually have shitty implementations).
Not much can be done there, sadly. You’re lucky if they even hash their passwords anyway - you’ll probably just get your password emailed to you if you click “forgot password” like it’s 2003.
I would never, ever want my users relying on their brain…
I never would either. People should just use a password manager. I was just mentioning an alternative that generated more memorable passphrases, but I wouldn’t advocate for it over random high-entropy strings saved in a password manager.
Yeah, I was particularly irked by that 16 limit I encountered the other day.
And I stand corrected, then, and color me impressed. I’ll look into doing this for those passwords I need to remember, like masters.
Sure if it’s possible for you then it must be possible for everyone 😐. I’m sure that this will work for my ass. It’s not like I know from experience that I will forget anything of importance if I don’t write it down.
I keep a journal and a commonplace book (and a self hosted password manager) to remember anything of importance for no reason at all, silly me should have just remembered it. I just need to pull myself up by my bootstraps and stop being lazy duh.
You can do it. That’s my point. Yes it takes time. Yes it takes patience. Yes it takes practice. Your brain is an incredible machine capable of so many things, much more by far than a computer. Computers are chunks of silicon. They do basic addition. They just do it so much quicker is all. Yours is superior. Keep it exercised.
I do keep a cheat sheet of clues. Things that I write to remind me of the actual phrase, but I rarely need it. Make a point to memorize 10 a week. Custom photo screensavers (I use jpeg Saver 5.3 by Goat 1000) are great for flash cards. I find writing it out to be the best way to learn, but reading is my second, and listening is third (but rather poor considering I lose focus and miss bits). Try to learn how you learn best and exploit that. I used to have an old braintest that was incredibly accurate. It would tell you whether you were more inclined for audio or visual learning. It also defined your brains inclination to be left hemispheric or right hemispheric in its dominance. It was called brainworks. I think it ran on windows 95. For sure Windows 98SE.
Honestly, a lot of the ones I ended up needing to lookup or reset were the ones that are restricted with a maximum length and I cant use an entire phrase. That just jambs up my plumbing, if you know what I mean.
I can’t tell if you are self deluded or really are an interesting case. I do question using a screensaver to help memorise a password rather than a password manager.
Flashcards. Write down your credentials and memorize them. Throw them away willy nilly when you’re done.
Hey, don’t use a password manager like KeePass, because brain is the only safe place to store passwords. In order to do that, WRITE THEM ON FLASH CARDS to memorize them and then THROW THEM AWAY
Tell me it was a joke
Flashcards are your brains friend. They are no joke.
A paper notebook is basically the same fundamental as a password manager but with a different tradeoff. You trade cryptographic security for a reliance on physical security. Its probably a great option for a lot of older people who only log into things from home. But its just a password manager. An analogue one.
Flashcards are dumb for this. If you are going to write it down, just secure it. Don’t have them out all the time to try to memorise it. Jese. The worst of both.
Writing down your password is breaking the very first rule ever made about passwords. A cliche. Only appears in fiction
Write clues to your passphrase, not the actual passphrase. I spend a fair amount of time making my username and password. I choose something that I’m going to remember.
As an example, I was asked to attend a meeting to check out a point maker, a box that bombards objects with photons to collect the reflections, generating a 3d point cloud model that can be measured in cad. This particular one was fairly awful. Bottom of the barrel effort. The salesman was a complete slob, he was late, he took forever to set it up and had much difficulty getting it to actually work. When it did, it measured a 12.75" brick at 14.5". I knew right away it was shit.
They forced us to create an new account on the laptop with the software as it was too advanced and proprietary (pukes) for me to run it on my cad workstation. So, my password begrudgingly became a stylized derivation of “This Guys Balls Smell Like Cheese”. I still remember that password to this day 12 years later.
Not only that, but when we would have the guy out to troubleshoot, I would sometimes have to log in for him to repeat our steps. The salesman was always impressed with my typing speed and ability to remember my password. He probably never even knew my password was a total insult at him. My clue for the pass phrase was “Lynard Skynard”.
You should try KeePass or VaultWarden. A new account is just a few clicks away. You can do the mind tricks with the main password.
That would work, if I had like ten or twenty of them to remember.
No amount of studying is gonna make me remember almost a hundred strings of 24 random characters, and what string goes to what account
It was supposed to be joke 😔
Damn, I see that now. The heat wave is making me stupid, my brain isn’t made for 35C
That’s your new password friend! For everything! “My-brain-isnt-made-for-35c” I solved internet security. /s
That is actually quite effective, though I would likely spell out the 35 and allow sylization to create numerics.
You can likely now remember that phrase “My-brain-isnt-made-for-35c” forever if you just reinforce the memory from time to time. Creating an absurd image in your head or even using a real image to associate is another good way of remembering something. For this, I would leave myself a clue of ‘I thought 36 was OK’.
Maybe not for everything though.
Look, the amount of negativity I’m generating for myself just trying to encourage a simple alternative and self reliance is really irking me. I’ve used this method for twenty years or so, and found it to be extremely effective. Consider it a door. Use it if you want. It is possible. You are better and smarter than a machine or software. Last post about it.
Don’t use random characters. Use absurd phrases that mean something to you.
