Don’t. It’s not in your hand is the simple reason.

My advice is keepassxc. Got a ff-addon that does basically the same. But you have your password-file under your control. And do backups!

deleted by creator

deleted by creator

I’m in the same boat. FF is just too damn convenient

Firefox password manager is brilliant, my move to Bitwarden wasn’t worth it and I regret it.

Yeah, true story. Really weird.

Marginally better than using discord itself as your password manager (also a true story!)

Yes, but it’s a bit involved to automate it. KeePassXC has a less technical recommendation here

Syncthing has worked well for me between 3 devices(Linux, android, windows). I’ve had one conflict in 6mo and it was easy to identify the right copy to select in keepass’ prompt since the more recent one was a larger file.

Synchthing also provides optional version control which makes backing up easy.

I have it synced across 4 computers and my phone. You just need a central repository. For that I use nextcloud. I suppose you could use OneDrive, Google drive, box, sync thing, or something else though.

A long time ago, I used Syncthing to do this. Sometimes there would be file conflicts, which was a pain to resolve, so I switched to BitWarden (using their server for syncing) and have been using it ever since.

tbh i just keep the master version on my computer and physically transfer it to my phone every so often. i try to avoid using too many password-requiring services on my phone.

Yes. The easiest/most reliable is syncthing. Yet there’s the online-component which is inherently vulnerable. Depends on how paranoid you are.

What’s frustrating is that most sites want your phone number. Even though it’s less secure than totp, but that sweet sweet data using your phone number as a common index is irresistible

And best case on an actual separate device.
And if the company doesnt supply one, use your own at your own discretion /shrug

Any comments on bit Warden for totp?

What happens if it gets lost stolen or broken?

Curiously enough, I never heard of those. Do you happen to know good ones so I can further check?

Same and she has the balls to ask me for passwords!

So password managers are probably a GREAT idea.

That is, when they can manage to use it.

I feel like password managers are more targeted to companies where sharing and controlling login data shouldnt be logged on some table in an excel sheet.
It just so happens that a manager is also god damn convenient for the private individual

I’m paying for Bitwarden’s Family plan and share it with three friends. It costs me ~80 cents per month and it just works. We are using it for multiple years now and migrated to their new EU servers this year. Bitwarden has everything I need and it’s in my opinion the best bang for your buck. But try out their free option and form your own opinion.

I just tried the free option (bitwarden) and then migrated to Proton to use all of their apps. TOTP support is also an added bonus for the Proton Pass since Authy has fucked off a cliff.

Is your dad Ron Swanson? /j

My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.

deleted by creator

He’s doing something right.
You can’t hack a paper note over the internet.

I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)

Its the best one to use, all password hacking tools avoid this one when they’re attacking.

That’s what I’ve resorted to, but I only use Firefox because it has a master password.

Chrome has no master password so what stops any fool from stealing your passwords while you’re taking a piss, I don’t know.

Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than their worth in my estimation.

Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.

1. No more password reuse, per site random passwords.
2. Auto-fill reduces chance of phishing attacks work because you get suspicious if the password doesn’t auto-fill.
3. Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.

I think these are the two biggest benefits and every browser password manager will accomplish both.

It depends on your threat model. It does mostly reduce the benefit from 2FA, but you are probably still very safe if you use a random password per site. I mostly use 2FA when forced (other than a few high-value accounts) so I don’t worry about it. For most people having a random password which is auto-filled so that you don’t type it into the wrong site is more than sufficient to keep themselves secure.

I do this too. I would need them if I lost my phone, so bitwarden/keepass is a good place for them to be.

I think it is less secure though since someone who somehow has the unencrypted vault without your 2FA device could get in with the codes - but if someone cracks my master password I’m screwed in a whole bunch of ways so I’m not sure it matters too much at that point.

Bitwarden

1password

Pretty much any of them.

As Kramer said. Levels. If tou layer your security 2 becomes a non issue. What you have, what you know, and who you are. Which plays into 1. The 3-2-1 of backup. 3 copies of the data. 2 different media. At least 1 off site. Suprising as it might be, writing a great backup is to write your password down. I have a piece of paper with my password in a lock box in my apartment, in a safety deposit box at my bank, and at my parent’s house

These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.

1. Make sure that you are regularly typing your master password for the first bit. After that you’ll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.

2. This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can’t be hacked (as it doesn’t have access to your passwords).

1. Ultimitaly its up to the user to remember the master password. I’m not familiar with how bitwarden works, but do use keepssXC. I hear bitwarden is better for less techical people due to having built in account/sync options. (You can also self-host BW if you want)

Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It’s automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.

KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.

That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I’d love an decent alternative if anyone has one).

For Android I like KeepassDX and Keepass2Android.

2. Getting hacked is a legitimate concern. However the greatest risk is still duplicate passwords. The time it will take crack an individual database is going to be less well spent than dumping a million username/password sets into a thousand sites and hoping for a match.

Realistically, if you’re the specific target of a hacker going specificaly after your database files you’re best off freezing your credit and bank accounts.

If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.

First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.

Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won’t lose the emails that let you reset everything else. If the email gets cracked, they won’t have a convient list of accounts to go mess with. Also make sure the emails have all the security and recovery options available setup.

3, bonus round Finally for fincial security, don’t have your credit card saved on every site. I don’t let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a “1-time use” card for anythibg irregular.

Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won’t work. I’ll get an email and can just cancel the privacy card for amazon (I’d probably kill them all to be safe) and then work on resecuring everything.

To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.