/g/ - Technology
File: password.jpg (45 KB, 765x360)
for those here who use password managers, do you store important passwords like for your email account in the pw manager? I'm asking because I'm thinking about starting to use a pw manager, but I don't know if it is generally considered safe to put email etc. into there.

I read one comment on a website saying that you can let the pw manager remember half of a password (16+ characters of random letters and digits, so very strong), and then you also have a memorized password, in itself strong, which you add on top of the randomized password that is in the pw manager. gives you only one more password to remember, while it gives you much more safety in case someone should be able to hack into your pw manager.

it seems like a great system, but after a fair bit of reading about pw managers I've only seen one comment that mentioned something like this. and the system is so simple that if it was truly a good system, you would think more people would recommend it? so I feel a bit unsure if this system isn't really as foolproof as it seems.

does anyone here use this system? or do you think it seems unnecessary?
>>
>>107915101
just boils down to how paranoid you are, but tbqh what you're describing mostly sounds like security theater assuming you're using a well-secured local password manager
anything that would compromise your password manager (malicious browser plugin, keylogger, CIA mind reading beams) would also compromise you manually typing in half of your email password or whatever
>>
>>107915144
yeah, the system described doesn't protect against malware. I'm not sure if anything does if the malware has enough access? anyway, I was thinking in terms of protection against the use of the password manager in itself. like, there was a couple years ago when many passwords leaked from one pw manager called LastPass. if you add a memorized password to the important accounts, they won't be taken over in such an eventuality.
>>
>>107915144
also the pw manager I'm thinking of going with was Bitwarden, which stores the passwords in their cloud. this manager is open source and allows you to sync the database to your own private server instead of the company's servers (though I won't be making use of that stuff, but it feels confidence-inspiring).

do you use a local only pw manager yourself? or think the cloud-based ones are generally insecure?
>>
>>107915144
fpbp

also, half the benefit of a good pw manager like keepassxc is that you can set up advanced autocomplete and autofill. Mine handles totp codes on 90% of websites, extra form fields like aws parent account id, associations and patterns for arbitrary gui window titles where I need to log in, terminal password entries like ssh, passkeys...

I recognize it's a single point of failure for my entire digital life, but the near total integration, trivial cross-platform sync (and since recently cross-platform passkey support), and flawless and easy operation are worth it. Any alternative would either be a different SPOF, prohibitively impractical, less secure, or short-lived/unmaintained/stale. It's not like anyone could just pull the plug out of the project and leave me stuck; the db formats are open spec and the software works offline and without any kind of expiration.
>>
>>107915101
Buy a yubikey. Anything important at all (like your email provider) will support hardware keys. I personally have emails with yahoo, Google, and my own domain using fastmail and I can't login to any of them without my yubikey. I have 3 because I have massive autism but you could get away with 2 in case one of them breaks.
>>
>>107915264
(cont) keepassxc works offline, use syncthing to have your db file synced between devices. Lock the db with a password plus keyfile that you place somewhere on each device outside of syncthing.

Cloud pw managers can be secure in theory but reality isn't so kind
>>
>>107915268
I used a yubikey for a few years, but the hassle of always having to get your keychain out ruined it for me and didn't weigh up against the fact that the friggin nsa isn't after me (or you).
>>
File: 0029_-_gUKzeUt.png (26 KB, 396x400)
I have all on bitwarden but I hate typing my master password so I devised a totally secure® autohotkey script that when I select a particular file on my desktop and then press Ctrl+Home it will send the path of that file to a script that will be executed, it will do some totally secure® calculations on the data of that file and then deposit the password in my clipboard
seems retarded and it is but it's quite faster than typing 12 characters
>>
>>107915101
>you would think more people would recommend it?
The masses are goycattle when it comes to this stuff.
>>
Honeypot marketer thread
>>
>>107915442
how come
>>
>>107915304
I use them for email and cloud services. Login to emails once every 6 months or so not really a big deal, just to authorize devices. Im too paranoid of some Russian logging into my aws or gcp account and racking up $100,000 overnight
>>
File: IMG_5207.jpg (39 KB, 750x730)
Hot mega tip from my grandpa

Use the same password for everything. But add the first letters of that website or app to the end of the password. That way you'll never forget and theyll all be unique.
>>
File: gfs.jpg (5 KB, 275x183)
>>107915101
>password managers
>>
>>107915101
I use proton pass.
>>
>>107915101
>>107915144
The system that OP describes does protect against one type of attack:
>unlock password manager extension
>walk away from computer for a few seconds
>attacker walks up to pc and quickly checks the plaintext password in manager

In this scenario, the attacker gets only half the real password.
>>
>>107915489
Great idea because that's not at the top of things that people will try when one of those passwords inevitably
>>
>>107915101
the services that you use are less secure than just writing a password on a post-it note next to your pc.
so the weakest link is not reinforceable
so why bother making another link in the chain strong?
>>
Really depends on your OpSec. If it's low risk just use a 5 word passphrase. Gallon-Funky1-explosion-Barnyard-Crashout etc. Keepass is solid and can store it on your network or carry it with you with other data using a micro SD card and a covert coin and get a USB-C SD card reader for your phone. So you only pull it out of the coin and load it up when needed and put it back. Yes a keyfile on your device and on the SD card might be good enough or put them everywhere depending on opsec. There is a lot that can be done to crazy extents but honestly cloud stuff if not hosted with you physically isn't as safe. I can go on a long rant but yeah just go off your OpSec.
>>
>>107915101
Just don't use online password managers, they're the biggest scam and do a shit job at protecting your data. Don't store any sensitive data online really. Completely offline ones have existed for over 20 years now and have all the bells and whistles features one would ever need.
>>
I got a Trezor crypto wallet recently, which doubles as a FIDO2/Webauthn authenticator. I also discovered that Android itself can use passkeys, so I've been using those on like the 2 websites that support them.

The whole password manager thing seems like such a dumb legacy stopgap in comparison. I should probably set up an offline one on both my PC and phone.

Also, what OP is saying about memorising a partial password isn't too bad, but the password should be different for every service, in a memorable but not obvious way, otherwise a single leak makes it pointless.
>>
>>107915489
i do something very similar, only nowhere near as obvious. my password would have to leak from 2 different websites for someone to be able to figure out my scheme.
>>
>>107915407
>The masses are goycattle when it comes to this stuff.
Sure, but we're also in a transitional period. Windows 10 and Linux do not support platform passkeys and plenty of websites don't support passkeys at all yet. The fact there's so many different services with different methods also doesn't help the confusion.

If I were to set up a website with user accounts today, I'd only offer FIDO2/Webauthn. If you're on Win10/Linux and don't have a hardware passkey, then I'd let you sign in with a PGP challenge. This whole thing will become more feasible once people move away from Win10 and once Linux implements platform passkeys, but that's still some years away.
>>
>>107915246
the default apple one
its built in, supports both passwords and totp tokens, autofills really nicely, allows for easy sharing of passwords, and is synchronised using a cloud encrypted with a key i own
>>
>>107915268
yubikeys are inherently insecure because they dont require proof of identity
its fine for anything that doesnt store sensitive information and the goal is just to protect a device or server against outside threats, but for something critical you ideally want biometrics
>>
>>107919348
from what I've seen, apple & google have done a decent job at getting people to use biometrics to authenticate, generating a regular password in case the target service doesn't support passkeys. so things are already fairly straightforward from the user perspective.
>>
>>107919391
isn't there anything similar out there but with biometrics?
>>
has anyone here tried Passbolt yet and can recommend it?
>>
>>107915523
This. Even if someone breaks into your house they're not gonna check every random notebook.
>>
>>107915101
>and then you also have a memorized password, in itself strong, which you add on top of the randomized password that is in the pw manager.
This is a decent idea if your manager gets compromised, but any situation where this happens is usually one where you have bigger problems.

>if it was truly a good system, you would think more people would recommend it?
People do recommend it, Bitwarden alone has over 10mill users according to an article I looked at from 2024. They're as safe as the account is, meaning you use a single very strong (but memorable) password, something long like TectonicHallelujah107955304, and other security aspects like two-factor authentication. From there, you use it to generate passwords like pGJ2rcUL!M6d@H&$$Vfl6y83IC% at random. I literally could not tell you my password for anything but the manager.

One other feature is that they auto-fill login boxes, which provides a resistance to phishing sites. If I was to get phished into going to m1crosoft.com, my password manager wouldn't recognize the domain and not auto-fill any login boxes.

To those already using password managers: Consider this a reminder to back up your vault.
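The phishing resistance the post above describes comes from the manager comparing the page's registrable domain (eTLD+1) with the saved entry, not just the hostname. Below is an added example written for this page, not Bitwarden's or KeePassXC's own matching code; the PUBLIC_SUFFIXES table is a constructed, deliberately tiny stand-in for the real Public Suffix List, and the HTTPS-only rule is a hardening choice of this example, not a documented default of any manager. It also shows the case a naive "last two labels" comparison gets wrong: on shared hosts like github.io, evil.github.io and myapp.github.io are different registrable domains and must not share a credential.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# password manager ships the full list). These are suffixes under which
# unrelated parties can register names, so they never identify one owner.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "com.au", "github.io"}


def registrable_domain(url: str):
    """eTLD+1 of the URL's host, e.g. login.microsoft.com -> microsoft.com.

    Returns None for an unknown TLD or a host that is itself a public suffix,
    so the caller refuses to fill rather than guessing.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host  # IPv4 literal: must match exactly
    # Walk from the full host down to the bare TLD, so the longest public
    # suffix wins (github.io is matched before io).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Fill only on an HTTPS page whose registrable domain equals the saved one.

    A look-alike such as m1crosoft.com, or microsoft.com used as a subdomain
    of an attacker's site, never compares equal, so nothing is filled.
    """
    if urlsplit(current_url).scheme != "https":
        return False  # hardening choice: never fill over plaintext HTTP
    saved = registrable_domain(saved_url)
    current = registrable_domain(current_url)
    return saved is not None and saved == current


if __name__ == "__main__":
    saved = "https://microsoft.com/"
    for page in ("https://login.microsoft.com/oauth",
                 "https://m1crosoft.com/login",
                 "https://microsoft.com.evil.net/login",
                 "http://microsoft.com/login"):
        print(page, "->", should_autofill(saved, page))
    print(should_autofill("https://myapp.github.io/", "https://evil.github.io/"))
```

Internationalised look-alike names are already handled by the same comparison, because the browser hands the manager the punycode (xn--) hostname, which is simply a different string from the saved domain.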
>>
>>107919413
yes, security keys with fingerprint scanners exist
but theyre not very good
>>
>>107919487
so what i'm hearing is all this yubikey bs is gonna be deprecated once every OS supports platform passkeys
>>
>>107919501
pretty much, theyre nothing more than hardware passkeys
their biggest problem is that theyre ridiculously overpriced, you can achieve exactly the same thing (and more) with a $5 microcontroller
>>
>>107915101
Just use digital ID with biometrics, anon.
>>
>>107919391
How are biometrics safer? Can't someone lift my fingerprints and make a mold of my finger? The same cannot be done with hardware keys
>>
>>107920143
i think anon means the key itself should have an authentication mechanism (such as biometrics). it shouldn't just allow anyone in possession of the key in, especially since stealing a physical key is generally easier and more likely to happen than stealing someone's fingerprints. also, the fingerprint by itself isn't what authenticates you to the service, so you would still need to steal the device.
>>
>>107920100
I've had a finger print reader on the phone since 2020 but I've never even tried it. I don't know how it works, and I think I heard a long time ago about a phone fingerprint reader that allowed strangers to log in successfully on the phone. after that I just didn't trust those things. face scan seems even more suspect.
>>
>>107919454
they'll check the one next to your PC, though.
>>
>>107920143
how is any of this safe against the wrench attack vector? what if my grandmother had wheels? would she be a wheelbarrow?
>>
>>107915101
>hey /g/, i'm going to use a password manager, but i wanted to ask, should i put my passwords in it?
>>
>>107922133
nice reading comprehension bro
>>
>>107915489
Too obvious unless you have a personal cipher to decide what goes in front of the reused password
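To show concretely what "too obvious" means for the base-password-plus-site-tag scheme from earlier in the thread, here is an added example (written for this page, not code from any poster). It plays the attacker holding leaked (site, password) pairs: it tries a small, assumed set of per-site transforms, keeps every transform consistent with all the leaks, and then predicts the password for a site that has not leaked. The leaked pairs are constructed sample data. For the obvious "first letters of the site" rule a single leak already pins the scheme; a private rule outside this list forces the attacker to collect more samples or enlarge the rule set, which is the point the two posters above are making.

```python
# Added example: inferring a "reused base + per-site tag" password scheme from
# leaked credentials. Not code from the thread.

def site_label(site: str) -> str:
    """'facebook.com' -> 'facebook' (the part people actually derive tags from)."""
    return site.split(".")[0]


# Assumed set of per-site transforms an attacker would try first. A real tool
# would carry hundreds of these as hashcat-style rules.
RULES = {
    "first1": lambda s: site_label(s)[:1],
    "first2": lambda s: site_label(s)[:2],
    "first3": lambda s: site_label(s)[:3],
    "first3_upper": lambda s: site_label(s)[:3].upper(),
    "label": lambda s: site_label(s),
    "label_reversed": lambda s: site_label(s)[::-1],
}


def hypotheses(leaks: dict) -> list:
    """Every (base, rule, position) consistent with all leaked (site, password) pairs.

    The tag may sit before or after the base. A hypothesis survives only if
    stripping the tag leaves the same base for every leak.
    """
    out = []
    for name, rule in RULES.items():
        for position in ("suffix", "prefix"):
            bases = set()
            for site, pw in leaks.items():
                tag = rule(site)
                if position == "suffix" and pw.endswith(tag):
                    bases.add(pw[: len(pw) - len(tag)])
                elif position == "prefix" and pw.startswith(tag):
                    bases.add(pw[len(tag):])
                else:
                    bases = None
                    break
            if bases and len(bases) == 1:
                base = next(iter(bases))
                if len(base) >= 4:  # ignore degenerate "bases" of a few chars
                    out.append((base, name, position))
    return out


def predict(hypothesis: tuple, site: str) -> str:
    """Apply a surviving hypothesis to a site the attacker has no leak for."""
    base, name, position = hypothesis
    tag = RULES[name](site)
    return base + tag if position == "suffix" else tag + base


def stuffing_candidates(leaks: dict, target_site: str) -> set:
    """All passwords worth trying against target_site given the leaks."""
    return {predict(h, target_site) for h in hypotheses(leaks)}


if __name__ == "__main__":
    # Constructed sample leaks following the "first letters of the site" rule.
    leaks = {"facebook.com": "Tr0ub4dor&3fa", "netflix.com": "Tr0ub4dor&3ne"}
    print(hypotheses(leaks))
    print(stuffing_candidates(leaks, "amazon.com"))
```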
>>
>>107922062
Even nuclear launch codes are not safe if torturing someone is on the table
>>
>>107919391
Yubikeys are break glass only tier. They should be kept in safes, not on your faggot homosexual key chain.
>>
Comfy thread.
>>
>>107915101
Werks on my machine. Still the best autofill. Not my problem you had a shit master password and did not set 600000 password iterations, you stupid faggot. No one got compromised. Crypto fags don't count. They're always getting raped of their coins lmao.
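The two knobs the post above names, master password strength and the 600,000 PBKDF2 iterations, are exactly what decide how long a stolen vault blob (the LastPass scenario mentioned earlier in the thread) survives offline guessing. Here is an added example, written for this page and not taken from any manager's code, that derives a vault key with PBKDF2-HMAC-SHA256 the way Bitwarden-style vaults do and estimates the attacker's expected crack time. The attacker throughput of 1e10 SHA-256 compressions per second is an assumption standing in for a small GPU rig, and 5,000 is chosen only as a low iteration count to compare against.

```python
import hashlib
import secrets

# Added example: what iteration count and master-password entropy buy you
# against an attacker holding a leaked vault. Not code from the thread.

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password into a 256-bit vault key.

    The salt is stored beside the vault and is not secret; it only stops one
    precomputed table from serving every user at once.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def guesses_per_second(iterations: int, sha256_per_second: float) -> float:
    """Attacker throughput for one vault.

    Every PBKDF2 iteration is one HMAC-SHA256, about two SHA-256 compressions
    with the pads precomputed, so guessing speed falls linearly with iterations.
    """
    return sha256_per_second / (2.0 * iterations)


def expected_crack_years(search_space: float, iterations: int,
                         sha256_per_second: float) -> float:
    """Expected years to find the master password: half the space on average."""
    seconds = (search_space / 2.0) / guesses_per_second(iterations, sha256_per_second)
    return seconds / (365.25 * 24 * 3600)


# Assumption: a handful of modern GPUs, order of magnitude only.
GPU_SHA256_PER_SECOND = 1e10


def compare_iteration_counts(search_space: float, low: int = 5000,
                             high: int = 600000) -> dict:
    """Crack-time estimate at a low and a high iteration count for one password space."""
    return {n: expected_crack_years(search_space, n, GPU_SHA256_PER_SECOND)
            for n in (low, high)}


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    print(derive_vault_key("correct horse battery staple", salt, 600000).hex())
    # Two master-password spaces: 8 chars of [a-z0-9] vs a 5-word diceware passphrase.
    for name, space in (("8 chars [a-z0-9]", 36 ** 8),
                        ("5 diceware words", 7776 ** 5)):
        print(name, compare_iteration_counts(space))
```

The numbers make the post's point: raising iterations from 5,000 to 600,000 slows the attacker 120x, but that only turns a weak 8-character master password from days into a few years, while a 5-word passphrase is out of reach at either setting. Iterations multiply the cost; the master password sets the exponent.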
>>
>>107922895
thats my point
>cant someone do x
yeah someone can, they can also beat you with a wrench until you give up whatever they need, that entire argument is bad faith
absolute security is a myth, all im saying is that you shouldnt put all your eggs in one basket, conveniently marked "TOP SECRET STUFFZ" and keep that basket on your keychain, and especially dont DOUBLE the attack surface by keeping a spare one on your person or in your house
>>
>>107923695
It's 2FA. It's more than I had before, you can't disregard the first requirement (the plaintext password). The value is if the service is important enough, like email or cloud, a hardware component like an authenticator or hardware keys prevents Vladimir from getting in but not the CIA
>>
I use keepassxc for everything, can't bring myself to use online password managers.

I have been using passkeys for the last few months. They are promising but buggy. I hope they replace passwords soon. I am tired of setting up 2fa, backing up the database and keeping it up to date cycle.
>>
Obviously you have to use a password manager, imagine using the same email + password combo multiple places if one gets hacked they have access to all of those accounts. Which is the number 1 way people get hacked.

The main problem with a password manager is that you need to maintain it backed up on multiple devices and synchronized so if your main device dies or is lost you dont lose everything.
>>
>>107924591
Aren't passkeys cursed? I keep hearing that they refuse to let you access the private key in any way, lest you act like the average retard user and get phished. The result is that I would never trust a passkey because unlike my passwords in keepassxc, I can't sync or export them.
I like the idea of using asymmetric encryption and it works wonderfully for ssh but I can never expect anything good to happen when retarded users and lock-in obsessed platforms get involved. I would rather have passwords than that fucking mess.
>>
File: 1757438030869794.jpg (58 KB, 1024x937)
>>107915101
i write passwords down on a piece of paper that i keep in my ass
>>
>>107925640
>they refuse to let you access the private key in any way, lest you act like the average retard user and get phished
use case for key reuse when you can & should just authorise another key?
>lock-in obsessed platforms
WebAuthn is a W3C standard and every mainstream OS has native support for it except Linux.
>retarded users
still way more retard-proof than passwords. besides, a lot of people already use biometrics to unlock their phones; Apple/Google password managers are actively encouraging biometrics, using passkeys where possible and generating passwords as a fallback.
>>
>>107925640
>unlike my passwords in keepassxc, I can't sync or export them.
keepassxc supports passkeys.

>I would rather have passwords than that fucking mess.
way I see it the passwords are the real mess and it's getting worse. knowing your password is not enough to log in anymore. every service has de facto 2fa. not to mention phishing is getting more prevalent and 2fa does not protect against it.
>>
>>107928917
>knowing your password is not enough to log in anymore. every service has de facto 2fa
I got locked out of my own Yahoo Mail account because one day they just started requiring 2FA and the only recovery option I ever set was pointing to yet another Yahoo Mail account which I haven't logged into since 2007. Yes, I was a retard kid at the time, but even Yahoo themselves didn't stop me from setting it up this way at the time. I'm also pretty sure I never got any kind of warning that 2FA will become mandatory at a specific point in time. Only way to recover is to try and call some pajeet on their premium help line, which I really hope I never have to do. One weird upside is that I guess I don't have to worry about anyone getting in, lel.

And yes, each random service forcing you to install their phone app just for 2FA is the gayest shit.
