It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.

It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.

Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.

  • AbidanYre@lemmy.worldEnglish
    2·
    1 month ago

    One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,

    To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.

    • floofloof@lemmy.caEnglish
      0·
      1 month ago

      My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.

      • Preflight_Tomato@lemm.ee
        1·
        1 month ago

        My favorite was the password set screen allowing up to 64 characters, but login fails if the password is over 32 chars.

  • cobysev@lemmy.worldEnglish
    1·
    1 month ago

    I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn’t use password managers at work. Nor were you allowed to bring them in.

    Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.

    Plus, the computers themselves had a custom-configured OS and you couldn’t install any software on them that wasn’t on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.

    I didn’t get to mess around with password managers until I retired a couple years ago, and they’ve been a game changer! In the military, we needed unique complex passwords for everything, can’t reuse passwords, can’t write down passwords, and you had to change them every 60 days.

    Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it’s been wonderful.

    I don’t know why the military doesn’t get some sort of password manager approved for use. This is far more secure than what they’ve been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I’d forget them (and again, we weren’t allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don’t even need to remember it. I love it!

    • JustEnoughDucks@feddit.nl
      1·
      1 month ago

      The DoD actually did a study I thought “recently” on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.

      Don’t think they changed their policy though.

  • Echo5@lemmy.world
    1·
    28 days ago

    I actually combine a password manager with a password book, don’t like storing data for sensitive accounts on servers that can be breached and I’m too lazy to self host 😬 and I can remember my password phrases for sensitive accounts I use normally.

  • feoh@lemmy.ml
    0·
    1 month ago

    I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.

    Is there risk in keeping all your passwords in one place, whether it’s on your hardware or someone else’s? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use ‘pencil’ for all your passwords because you can’t be arsed to memorize anything more complex? OH HELL YES.

    Sure, if you’re defending against nation state level agressors, maybe using a password manager isn’ the wisest choice, but for easily 99% of computer users, we’re at the level of “keeping people from drooling on their shoes”. So password managers are probably a GREAT idea.

    • Appoxo@lemmy.dbzer0.com
      0·
      1 month ago

      I feel like password managers are more targeted to companies where sharing and controlling login data shouldnt be logged on some table in an excel sheet.
      It just so happens that a manager is also god damn convenient for the private individual

      • feoh@lemmy.ml
        1·
        29 days ago

        I don’t think that’s always the case. 1Password started out as a personal password manager and only added the corporate/teams/families features later.

    • The Cuuuuube@beehaw.orgEnglish
      0·
      1 month ago

      In-built password managers for browsers are straightforward to crack. Like… Terrifyingly easy. It’s much better to use something like Bitwarden, Vaultwarden if you don’t trust Bitwarden, 1Password if you really want the reassurance of paying someone for trust, or KeePass if you don’t trust anyone at all (I, personally, fit into this category).

      • zeh_ahoi@lemmy.mlEnglish
        1·
        28 days ago

        show me an example of the firefox password manager being “cracked”. i mean i still sync them into my local nextcloud. @Dyskolos@lemmy.zip suggests it is cool to have your passwords in a file?!

        doubt there is a scenario where using MORE services makes anything safer. Well maybe for Windows Users…but thats a dying species with the win11 crap.

        so no. third party corpos…the worst.

        • The Cuuuuube@beehaw.orgEnglish
          1·
          28 days ago

          Sure yeah. I think corpos suck, too. That’s why I don’t prefer 1password. But Firefox puts their passwords into a file, too (two actually). Key3.db and Logins.json, both with known locations, and encrypted using AES-256-GCM which is… Decent but I prefer to go a little more hardened. The thing with keepass is the following:

          1. Its open source, no corpo
          2. The file encryption you select can be as hardened as you want
          3. No one but you need know the location of your file
          4. It offers 2fa which Firefox password manager doesn’t
          5. Firefox password manager is more susceptible to social engineering attacks is mainly what I was worried about but it seems like you’ve got a good handle on it.
          6. You don’t have to integrate keepass with the browser to use it

          But I want to make it abundantly clear. @Dyskolos@lemmy.zip has not recommended storing your passwords in a file. They have suggested storing your passwords in a mechanism that can be as secure as your hardware is capable of securing and keeping the location of that up to your own decision making.

          But also. Promise me this. If you’re going to keep using Firefox as your password manager:

          1. Don’t use sync. That’s run by Firefox’s corporate arm, Mozilla PBC
          2. Use a primary password of at least 32 characters
          3. Consider rotating your password on a regular interval, like on your birthday
    • Dyskolos@lemmy.zip
      11·
      1 month ago

      With keepasscx YOU have the password-file. Period. You know what’s been done with it: Nothing, as it doesn’t phone home except update-checks. Which you can also disable.

      With the browser-addon you’ll get the same result but with control.

  • SocialMediaRefugee@lemmy.ml
    0·
    1 month ago

    I’d be open to using a pw manager then I read the comments here and everyone is suggesting different apps, arguing over how inconvenient one or the other it, various issues, etc. It doesn’t make me feel like taking action if everything feels sketchy.

    • Kaiserschmarrn@feddit.org
      1·
      1 month ago

      I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We are using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.