Password Manager - How Secure?

With the recent wave of hacking activity in Australia and around the globe, am I better off just using Chrome or sticking to the likes of LastPass?

Comments

  • +5

    For me, using Google to store your passwords is too many eggs in one basket.

    • It's bad because when you go to the toilet someone can just log in to your bank (assuming no 2FA)

      LastPass etc. will ask for your password before filling in your details

      • Like at work or home? Do you not lock your computer or phone?

        I only have a few accounts where I actually keep cash and those passwords and usernames I commit to memory.

        • Still, you have a few now but more later, and by then it's all too late. Two sites with the same password isn't good, doesn't matter what kind of website

  • +3

    But yes, I can't imagine if Bitwarden got hacked… I will be crying… maybe impossible?

    • +7

      Your blob in the cloud is very well encrypted.
      Use a decent master password on Bitwarden, and enable 2FA.

      Noting that this doesn't prevent most of the recent data breach issues, as username/password info is only going to prevent someone logging in with your credentials.

      Hackers accessing back-end systems will exfiltrate your information (e.g. Optus, Medibank) regardless of how secure your username and password are.

      • And Bitwarden has a setting to prevent a new device from logging in

      • +4

        This is the key difference, Bitwarden doesn't have access to the unencrypted data whereas Optus/Medibank do. Once you get into the backend of Bitwarden, all you have access to is the encrypted password file, which is still useless. With Optus/Medibank everything was there for the taking.

        • Generally, you would hope that the servers aren't storing passwords in plain text, and are salted and hashed.
          Using a unique password on all sites solves that worry even if they don't (but again, wouldn't have stopped Russia knowing your Medibank history or an API exposing the ID information you gave to Optus).

  • +6

    Bitwarden

    • +3

      Bitwarden plus YubiKey authentication for new device logons is very secure.

  • Use Keychain. Have a very strong password on your iCloud account. Use two-factor.

    • Unfortunately, if your phone is compromised via phishing scams, which is very common, the hacker can wait until you unlock your keychain to obtain your passwords. They can also intercept your phone's one-time passcodes for MFA/2FA.

      Physical security keys like those from Yubico are the only fail-safe way to protect your data. Services that support it will charge you a premium to use it, like 1Password, LastPass, Bitwarden, etc.

  • +1

    Password Manager - How Secure?

    I just let Optus manage all my passwords but considering moving to an Excel spreadsheet.

    That way I can print off some copies for backups and store them offsite…

    • Excel is awesome because when they screw up, they just get the rest of the world to change instead so that their screwup isn't a screwup anymore. (Exhibit A, and Exhibit B.)

  • I trust google 😉

    • +1

      I just Googled one of my passwords and it came up with 112,458 matches. So it is really good at storing them.

      • +2

        Was it Abc124?

  • +1

    While tempting, don't use Chrome. Have seen people get totally owned for every saved password in Chrome, e.g. stuff like RedLine.

  • +1

    How good is LastPass these days, guys? Asking for a friend :)

    • +5

      LastPass is OK. I'd say look into Bitwarden, as the free version vastly outcompetes LastPass free in every way.

    • And LastPass was hacked again: https://blog.lastpass.com/2022/08/notice-of-recent-security-…

      Better to go with Bitwarden

      • +3

        Their dev environment was breached and parts of their source code etc. obtained.

        The entire idea behind a password manager is that it doesn't matter if the cloud or storage hosting your blob is taken. It should be encrypted enough to be effectively worthless, assuming you used a good vault password.

        I would still use (and do) Bitwarden though. Open source, not owned by LogMeIn, and even the free tier offers everything most people would need, including the ability to share a group/folder with someone (i.e. husband and wife shared passwords).

  • Hackers are not even remotely interested in extremely difficult if not impossible targets like Bitwarden when there is an unlimited amount of low hanging fruit protected by dummies, corporate and private, to feast on.

    • +1

      No. If hackers were interested in lastpass then other password managers would also be of interest to hackers.
