Questions about internet security. (Bitwarden, Google Authenticator, etc.)


I've been thinking lately about how my internet/account security isn't up to par. I do have decent passwords for some of the platforms that matter like banking and my google account since I use a Pixel phone. I know there's a bunch of websites that don't matter, like Chili's to go when I was ordering from them like 8 years ago, that share a less secure password. I know that less secure password has been leaked at various points over the last 12 years or something.

I started looking at Google Authenticator to cover me for some websites but then came upon password managers like Last Pass and Bit Warden.

All that said I've been starting to look at upping my security game.

How well do these password manager programs work when using phones/a computer? I'd love to be one of those guys who has a random 25 character string mix of letters and numbers for my passwords with a password manager, but not if it's a pain when you're working on your phone or laptop.

If it doesn't work all that well, how easy is it to go in and see your password in whatever software/app I use?

And something else I have been thinking about. My parents forget their passwords. I've told them numerous times to write down their passwords when they sign up for something or change it, and they do sometimes. But whenever I have to go over there to tech support/troubleshoot an issue it's always a hassle and usually involves a password reset to get logged in. Some of these companies, like BitWarden, offer a family plan for a few bucks a month. Are these password manager programs too complicated for senior citizens with little knowledge of technology?
"No. I'm a man so theyll get me a full size McDouble." - DuncanWii
https://i.imgur.com/cSxy3Od.png
Last Pass leaks like a sieve and has had so many breaches that anyone using them still is playing Russian Roulette with their account security.

Bitwarden is supposed to be an excellent, open-source, multi-device solution. It gets recommended a lot, but I don't know how hard it's been tested.
What has books ever teached us? -- Captain Afrohead
Subject-verb agreement. -- t3h 0n3
My philosophy towards password managers is this:

Rule #1-infinite: Don't share your password with anyone.

So my reaction to password managers is, why the FUCK am I going to be giving this random ass service all my passwords? That's just asking for trouble. It's nothing but another loose end.
Sigless by choice
Yeah I remember the LastPass leak. That was the one I had always heard about and then when the leak happened it scared me off a bit. I see most people saying to stay away from it now.

I saw a lot of recommendations for BitWarden and that's why I'm looking at that one.

"No. I'm a man so theyll get me a full size McDouble." - DuncanWii
https://i.imgur.com/cSxy3Od.png
Also, if you want to up your security game, the EFF has a password list called Diceware.

You generate your passwords by rolling 5d6 and arranging the words as you like. And it's way more secure than random strings of numbers and characters. For reasons I don't totally understand, but I'll trust, because EFF.

Also, I know XKCD explained it once, too. Google "battery horse staple correct" to learn more.
What has books ever teached us? -- Captain Afrohead
Subject-verb agreement. -- t3h 0n3
MatzoTov posted...
So my reaction to password managers is, why the FUCK am I going to be giving this random ass service all my passwords? That's just asking for trouble.

This has always been mine too. Isn't it all encrypted though? I don't know that they can actually read the passwords at BitWarden HQ or something. At least that was my understanding and what made me look at this more seriously.
"No. I'm a man so theyll get me a full size McDouble." - DuncanWii
https://i.imgur.com/cSxy3Od.png
MatzoTov posted...
So my reaction to password managers is, why the f*** am I going to be giving this random ass service all my passwords?

Bitwarden has a local client installation that doesn't have to be connected to their service, is my understanding.

I haven't bothered looking at it, but the idea is appealing. Password vault that literally only I can get at.
What has books ever teached us? -- Captain Afrohead
Subject-verb agreement. -- t3h 0n3
I use 1Password for work and it's fantastic. Going to get a personal account for my wife and I. The generate password function works really well and I love that it basically functions as a favorites toolbar. Click the site in your 1Password browser extension and it will open that site and autofill your login info. Don't have experience using the mobile app though.

From an easy to use for the elderly standpoint, it might be a challenge. I know with 1Password, you can have multiple vaults so you can manage their password vault for them which might help while keeping your vault and passwords separate.

MatzoTov posted...
My philosophy towards password managers is this:

Rule #1-infinite: Don't share your password with anyone.

So my reaction to password managers is, why the FUCK am I going to be giving this random ass service all my passwords? That's just asking for trouble. It's nothing but another loose end.
Because your passwords are encrypted with an end to end encryption. The password manager companies can't see your passwords. You should look up how password manager security works.

https://support.1password.com/1password-security/
http://i.imgur.com/R15aJJ3.png http://i.imgur.com/NJqp6LS.png
BlazinBlue88 posted...

Thanks. I was looking for this type of info.
"No. I'm a man so theyll get me a full size McDouble." - DuncanWii
https://i.imgur.com/cSxy3Od.png
Federal Government recommendation is that it's okay to use a password manager for your own passwords, but definitely do NOT use one for any government passwords. That should tell you something.
tankboy posted...
Federal Government recommendation is that it's okay to use a password manager for your own passwords, but definitely do NOT use one for any government passwords. That should tell you something.
Source? I have not seen where the NIST recommends that.
http://i.imgur.com/R15aJJ3.png http://i.imgur.com/NJqp6LS.png
If you want the convenience of cloud storage for your pw manager, bitwarden is good, but personally I go the inconvenience route and use keepass and keep my databases offline and just manually sync them between devices.
Like it or leave it. Hey, where are you going?
BlazinBlue88 posted...
Source? I have not seen where the NIST recommends that.

Source is broadcast emails from our ISSO and internal training materials. I'm not saying the agency.
I use Bitwarden. It's pretty great. I like that I can also have it on my phone to autofill my logins when I need.
1Password is excellent. BitWarden is fine, Dashlane is good, and Keeper is decent (but I didn't really like how it was implemented on Android). Do not use Last Pass. I prefer 1Password because I like its password generator. It also works with passkeys for websites that support them. I use it on Mac, iOS, Android, Windows, Linux, and multiple browsers.

I use Duo for multi factor authentication. It's fine.
"You mustn't exaggerate, young man. That's always a sign that your argument is weak." - Bertrand Russell
CommonStar posted...
I like that I can also have it on my phone to autofill my logins when I need.

This is the main thing I was wondering about and you just answered it. Ideally I'd like to have the "c*2jna218@ma!(nd2*3A" type of random passwords but there's no god damn way I would remember them. And if I had to look on my PC any time I wanted to log into something on my phone I wouldn't do this because that would annoy the piss out of me.

"No. I'm a man so theyll get me a full size McDouble." - DuncanWii
https://i.imgur.com/cSxy3Od.png
WrkHrdPlayHrdr posted...
This is the main thing I was wondering about and you just answered it. Ideally I'd like to have the "c*2jna218@ma!(nd2*3A" type of random passwords but there's no god damn way I would remember them. And if I had to look on my PC any time I wanted to log into something on my phone I wouldn't do this because that would annoy the piss out of me.
IIRC, something like "ljlg2@2#Rja6&" is less secure than a password like "1 Water Pumpkin Railroad Track"
Twitch: https://www.twitch.tv/kid_prodigy23
Jupiter posted...
IIRC, something like "ljlg2@2#Rja6&" is less secure than a password like "1 Water Pumpkin Railroad Track"
1Password password generator can create passwords in both formats which is a really nice feature.
http://i.imgur.com/R15aJJ3.png http://i.imgur.com/NJqp6LS.png
Jupiter posted...
IIRC, something like "ljlg2@2#Rja6&" is less secure than a password like "1 Water Pumpkin Railroad Track"
It's the length of the password that matters most. Even something like 64 w's in a row followed by the word elephant is way stronger than those examples. But not all websites/apps allow an unlimited amount of characters for a password. There are still some sites in 2024 that limit you to like 12-16 characters. So in those cases, ljlg2@2#Rja6& is the best option.
Like it or leave it. Hey, where are you going?
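For the Diceware post above and the random-string vs passphrase discussion that follows it, here is an added worked example (my own code, not from EFF or anyone in the thread). It rolls 5d6 with a CSPRNG, maps each roll to a list position the way the EFF list is indexed, and compares the entropy of N Diceware words against a random string of a given length, so you can see how many words it takes to match a 13- or 25-character random password. The wordlist is a constructed placeholder of the right size (7776 entries); swap in the real EFF list.

```python
import math
import secrets

EFF_LIST_SIZE = 6 ** 5  # 7776 entries: one per possible 5d6 roll

# Constructed stand-in for the EFF large wordlist (same size, placeholder words).
# Replace with the real list from https://www.eff.org/dice
DEMO_WORDLIST = [f"word{i:04d}" for i in range(EFF_LIST_SIZE)]

def roll_dice(n=5):
    """Roll n six-sided dice using the secrets CSPRNG, never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]

def roll_to_index(rolls):
    """Map a roll such as [3,1,4,1,5] to its position 0..7775 (base-6 number)."""
    if len(rolls) != 5 or any(d < 1 or d > 6 for d in rolls):
        raise ValueError("Diceware uses exactly five dice showing 1..6")
    index = 0
    for d in rolls:
        index = index * 6 + (d - 1)
    return index

def diceware_passphrase(n_words, wordlist=DEMO_WORDLIST, sep=" "):
    """Build an n-word passphrase; each word comes from an independent 5d6 roll."""
    return sep.join(wordlist[roll_to_index(roll_dice())] for _ in range(n_words))

def passphrase_bits(n_words, list_size=EFF_LIST_SIZE):
    """Entropy of n words drawn uniformly from a public list of list_size words."""
    return n_words * math.log2(list_size)

def random_string_bits(length, alphabet_size=95):
    """Entropy of `length` uniformly random characters (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)

def words_to_match(length, alphabet_size=95, list_size=EFF_LIST_SIZE):
    """Smallest word count whose passphrase entropy reaches that of the random string."""
    return math.ceil(random_string_bits(length, alphabet_size) / math.log2(list_size))

if __name__ == "__main__":
    print(diceware_passphrase(6))
    print(f"13 random printable chars: {random_string_bits(13):.1f} bits")
    print(f"5 Diceware words:          {passphrase_bits(5):.1f} bits")
    print(f"words to match 13 chars:   {words_to_match(13)}")
    print(f"words to match 25 alnum:   {words_to_match(25, 62)}")
```

The entropy figures assume the attacker knows the wordlist and the alphabet; the strength comes from the dice, not from keeping the list secret.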
BlazinBlue88 posted...
Because your passwords are encrypted with an end to end encryption. The password manager companies can't see your passwords. You should look up how password manager security works.

https://support.1password.com/1password-security/
And just like any sealed vault, it's completely impregnable. Until it isn't.
Sigless by choice
Yeah I've been in software development long enough to know that there are plenty of developers who are too stupid to be trusted with anything. I've seen my fair share of unencrypted user credentials in databases where the login function is "SELECT * FROM Users WHERE Username = '" + user + "' AND Password = '" + pass + "'"

Can't hack a notebook in my desk. If someone has physical access they could just steal the computer anyways.

And yeah the query wasn't parameterized. We absolutely will see more SQL injection attacks on big names in the year of our lord 2024
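As an added example (my own code, not from anyone in the thread), here is the login pattern quoted above next to a hardened version. The concatenated query "works" for a plain username but falls apart as soon as the input contains a quote character, because the input becomes part of the SQL text; the hardened version binds the username as a parameter and stores only a salted PBKDF2 hash instead of the plaintext password. Both tables are constructed in-memory SQLite demos.

```python
import hashlib
import hmac
import secrets
import sqlite3

def legacy_db():
    """Constructed table in the style the post describes: plaintext passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("alice", "hunter2"), ("O'Brien", "hunter2")])
    return db

def login_concatenated(db, user, password):
    """The quoted anti-pattern: SQL assembled from raw input, so any quote in
    `user` or `password` changes the structure of the statement itself."""
    sql = ("SELECT * FROM Users WHERE Username = '" + user +
           "' AND Password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; the table keeps salt + digest, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hardened_db():
    """Constructed table holding only a per-user salt and hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT PRIMARY KEY, Salt BLOB, Hash BLOB)")
    salt, digest = hash_password("hunter2")
    db.execute("INSERT INTO Users VALUES (?, ?, ?)", ("O'Brien", salt, digest))
    return db

def login_parameterized(db, user, password):
    """Bound parameter for the lookup (input can never become SQL), then a
    constant-time comparison of the recomputed hash against the stored one."""
    row = db.execute("SELECT Salt, Hash FROM Users WHERE Username = ?", (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt)[1])

def demo():
    """Return (legacy error text or None, hardened login ok, hardened wrong pw)."""
    try:
        login_concatenated(legacy_db(), "O'Brien", "hunter2")
        legacy_error = None
    except sqlite3.OperationalError as e:  # the apostrophe broke the statement
        legacy_error = str(e)
    db = hardened_db()
    return (legacy_error, login_parameterized(db, "O'Brien", "hunter2"),
            login_parameterized(db, "O'Brien", "wrong"))
```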
Bitwarden encrypts your data on your device locally before it uploads to its cloud server.