Do All The Data Breaches Make You Nervous about Your Password Managers?

BendBridge on 02/12/2022 - 10:43

Optus, Medibank, … and now LastPass password manager is rumoured to have been hacked as well.

Putting all passwords in one place on the cloud seems like a great temptation for the hackers to attack. Also, it's like putting all eggs in one basket, once you lose it you lose them all. This is the main reason I can't convince myself to use a cloud based password manager. Instead I only use a local based password manager on my phone and computers. I would like to hear the different opinions from the password manager users or non-users out there.

I also include a poll about which type of password managers everyone is using.

Poll Options

  • 221
    I use a cloud based password manager
  • 58
    I use a local (non-cloud) password manager
  • 50
    I don't use password manager at all
  • 16
    I only use the good old paper and pen
  • 14
    I just remember everything
Internet Password Manager

Comments

  • freefall101 on 02/12/2022 - 10:57
    +8

    So long as you're using a decent password for lastpass, it shouldn't matter if they get hacked. Assuming they're not just flat out lying about how they store data, it's all encrypted so even they can't access it (and therefore a hacker can't either).

    The concern is that if someone does get your encrypted password file, they have infinite time to try crack it. So if your password is somewhat weak as we see GPU power continue to ramp up they might be able to crack it a few years from now (which is why it's good to change passwords on important accounts regularly).

    I use a cloud one, although I probably should move to a security through obscurity move of a 'local' one that I host myself on OneDrive or AWS or something.

    • BendBridge on 02/12/2022 - 11:49

      Good explanation.

      I use local password managers on all my local devices. No automatic sync beween them. I just sync them through manual file transfer from my phone. It's not the most convenient way but I feel more secure this way. Of course people can break in and steal my computers :)

      I used to spent some time doing security testings for a network device company. Whenever we connected our devices on to the Internet with a public IP and monitored the traffic, there were a lot of login attempts from foreign countries. The hackers out there must have automated their attacks. We also carried out tests with network penetration test suites. At the time, we just followed instructions and I often wonder if what we had done were sufficient.

      • 7ekn00 on 02/12/2022 - 12:55
        +3

        Local is far easy to get for a hacker because it can be scripted via exploit, much harder to break into a commercial operation ;)

        • ESEMCE on 02/12/2022 - 13:14
          +4

          Meh, once a bad actor has direct access to your device you're stuffed no matter what methodology you're using.

          I see minimal (to the point of none) actual security advantage in manually syncing and a massive downside that you'll get caught out at some stage needing a new password on a device that you haven't synced and there's no way to access that password when you need it.

    • [Deactivated] on 03/12/2022 - 17:47
      +2

      Add to that turning on 2FA for everything, including your password manager and I have zero issues with storing everything on a cloud password manager.

  • CyberMurning on 02/12/2022 - 10:57
    +22

    im not nervous because i use bitwarden
    https://bitwarden.com/help/security-faqs/

    • pegaxs on 02/12/2022 - 12:25
      +3

      Mmmm, salted hash…

      • CyberMurning on 02/12/2022 - 12:38
        +1

        Yummy right? Just like Singapore salted egg fish skin crackers

    • rbrb on 02/12/2022 - 20:42
      +1

      +1 for Bitwarden. I’ve been self hosting it for years via nginx proxy manager, have a 20 character master password and 2fa enabled. Not worried at all.

      • CyberMurning on 02/12/2022 - 20:56

        Do you know if i can self hosting from synology nas, and then what happen if i am not at home? I dont set my syno to be accessible from outside

        • Void on 03/12/2022 - 23:01
          +1

          If it has Docker then yes. Vaultwarden is an open source server software (shows as Bitwarden and works with Bitwarden extension) with all features unlocked.

          When not home you can't add passwords but you can read them from your computer or phone's cache. I use OpenVPN to get into my network if I need to add a password.

          • CyberMurning on 03/12/2022 - 23:10

            @Void: Can we switch between vaultwarden and the official bitwarden anytime without need to add all the pass manually etc basically just click few buttons (just in case i dont like the own hosting way)

            • Void on 03/12/2022 - 23:12

              @CyberMurning: Yeah you can export and import vault. It's called Vaultwarden but aside from the admin page it's identical to Bitwarden, and even display itself as it.

  • pharkurnell on 02/12/2022 - 11:00
    +2

    This is the main reason I can't convince myself to use a cloud based password manager.

    Im with you.

    I've been looking at these things for 2yrs now… I just cant get my head around if someone DOES hack your account, they have your everything…

    The only secure PC is a stand alone one turned off… once on any network they can be vulnerable.

    Reminds me, need to order some more post-it-notes..

    • tomtom88 on 04/12/2022 - 07:35
      +2

      I just cant get my head around if someone DOES hack your account, they have your everything…

      This is the issue. I've used a locally hosted password manager for years and been very security conscious but the threat that I hadn't considered was my own family. One night I stayed at my uncles house and the piece of shit made a backup of my phone while I was asleep. He was looking for my cryto and didn't find it but as a bonus he got to read 15 years of my emails.

      • rarelyscene on 04/12/2022 - 10:50
        +1

        How did he do that? Which phone was it?

        • tomtom88 on 22/12/2022 - 01:24

          It was a Samsung Galaxy S4 with an unlocked bootloader. It's really easy to do a backup and then just restore it to a different phone of the same model.

    • Chandler on 05/12/2022 - 13:56

      The only secure PC is a stand alone one turned off

      Not if wake-on-lan is enabled…

  • Xistn on 02/12/2022 - 11:07
    +2

    Pats el trusty postit note

  • Davo1111 on 02/12/2022 - 11:07
    +2

    password123

    • geek001 on 02/12/2022 - 11:45
      +6

      Password123!

      Fixed it for you. :)

      • tabz on 02/12/2022 - 12:53
        +4

        hunter2

      • StraightGuy on 02/12/2022 - 15:38

        P@55\/\/0RD123!

        Is this too much?

  • grips on 02/12/2022 - 11:08
    +1

    I use my little brown index book. Can be used for all systems.

    • BendBridge on 02/12/2022 - 11:27

      True. Same as my wife :)

      • skid on 02/12/2022 - 12:33
        +7

        Your wife can be used for all systems?

    • pegaxs on 02/12/2022 - 12:32
      +1

      And I bet you still have crap passwords in the "brown book" like plain worded with a number "Grips3972" or the name of a pet "f1dob0y" because you don't want to type out "a$7hJ$?hQ#9kZ(3" every time you use the brown book.

      My parents run an excel file, that isn't encrypted and is just plain text that they keep on their desktop that is full of the same passwords used over and over and over OR are just variations on that same password.

  • c64 on 02/12/2022 - 11:13
    +1

    text file for me. contains all details every site knows about me

    • [Deactivated] on 02/12/2022 - 11:40
      +4

      Any rogue app on your computer can read it, right?

  • [Deactivated] on 02/12/2022 - 11:25
    +1

    KeepassXC as my main offline passwords storage. Can store/generate TOTP secrets too.
    iCloud Keychain for frequently used passwords (with a copy in KeepassXC). This autofills my passwords on MacOS and iOS.

    So I cannot tick both first poll options.

    • CyberMurning on 02/12/2022 - 12:41

      How that offline thing works? So if i am at the hotel overseas i can access them? So cannot even open my gmail then…

      • [Deactivated] on 02/12/2022 - 12:49

        If you have your laptop with you, KeepassXC app and database are both files on your laptop. No internet needed.

        On Mobile, If you once used Strongbox (Keepassium) to open database, a copy is still on your mobile in iCloud files (Dropbox … ), and will open without internet.

  • scotty on 02/12/2022 - 11:27

    LastPass password manager is rumoured to have been hacked as well

    LastPass has actually acknowledged the security incident. See Wikipedia entry which has links to related blog posts / articles. Also GoTo's response to security incident in November. GoTo is the parent company of LastPass.

  • misfitt1911 on 02/12/2022 - 11:47
    +1

    I used different passwords for different websites/services. All my passwords are stored locally using KeepassXC, which I backup onto an external HDD.

    I also try to avoid using mobile apps that require logins/passwords. If I have to install an app, then depending on the app, I use fake information.

  • AdosHouse on 02/12/2022 - 11:58

    I use 1Password and I'm not concerned. You would have to get my 13 character password AND my 34 character secret key to get in. So even knowing how many character they are, and knowing what sort of character they can be, so that means 4.473650959253981e+25 multiplied by 8.2089012e+52 in possible passwords. Yeah I feel pretty safe. Even the latest quantum computers would take way too long to get that one.

  • [Deactivated] on 02/12/2022 - 12:08
    +1

    I use a cloud based password manager

    Does that include just going to websites containing data breach dumps to get your username and password info as you need it?

    Also, the poll needs an option "password123 is easy to remember and I use it everywhere"

  • dcep on 02/12/2022 - 12:15

    Hey @mokr , aside from your plain 'code' , please consider some Uppercase , numbers & special character symbols.

    Just so you don't have to remove your comment after revealing your password here.

  • ESEMCE on 02/12/2022 - 12:16
    +3

    Not worried in the slightest..
    I know the data is encrypted on my device before it's stored in the cloud.
    And I know my Encryption key is stupidly long, non-dictionary and therefore virtually impossible to be brute forced using foreseeable technology.

    • [Deactivated] on 02/12/2022 - 12:39

      1Password removed the local storage option with latest version, and forced subscription.

      "1Password 7 and earlier supported standalone vaults, which stored information locally on your device outside of a 1Password account. 1Password 8 requires a 1Password membership. " source

      • SteveBuscemi on 03/12/2022 - 22:36

        That is true, but it also irrelevant to the point.

        • [Deactivated] on 03/12/2022 - 22:46

          post i was replying to was edited.

          • ESEMCE on 05/12/2022 - 11:43

            @[Deactivated]: I think maybe you replied to the wrong post as I don't believe my comment was edited.
            And if it was, I certainly never mentioned 1Password in the original version.
            I've never used 1Password or even considered using it.

            • [Deactivated] on 05/12/2022 - 11:45
              +1

              @ESEMCE: yea, likely my mistake, peace brother

  • Ghost47 on 02/12/2022 - 12:21

    Are password managers free?

    I use a handful of passwords across different apps and sites but after the reaches I think I should make much more complex passwords but there’s no way I’d remember 10 x 50 alphanumeric passwords.

    I’m definitely paranoid about my accounts being hacked, if a hacker can breach my email and bank accounts they could easily change my details and steal my money.

    • Mokr on 02/12/2022 - 12:26
      +1

      Are password managers free?

      Yep Keepass (may want XC) is free, all you need is a dropbox/google drive and you can access it from your mobile.

      • Ghost47 on 02/12/2022 - 12:26

        I see, might have to look into using one finally…

      • CyberMurning on 02/12/2022 - 12:42

        Huh why need gdrive? Then what if someone hack our gdrive?

      • [Deactivated] on 02/12/2022 - 12:42
        +1

        i recommend Strongbox as mobile app. On desktop it is vanilla KeepassXC, and database shared via any file sharing apps you have, like iCloud included in iOS.

    • pegaxs on 02/12/2022 - 12:40
      +5

      Bitwarden is also free for single user, personal use.

    • trapper on 02/12/2022 - 13:20
      +4

      Bitwarden is free.

      Signup now and go through every random online account you have and add into Bitwarden, changing to a newly generated randomised password.

      For email and bank accounts you can keep doing it the old way but make sure you are using a strong password - will be easier to just remember one or two of these though, and let Bitwarden worry about the rest for you.

      There is a browser extension so it can literally just fill in the password for you when you go to log into a website, it's great.

  • franco cozzo on 02/12/2022 - 12:48
    +1

    this digital id and economy thing is going great hey?
    cant wait to see what the future has in store!!!

  • TheMindsetTraveller on 02/12/2022 - 12:52
    +3

    Nah not worried. I write down all my passwords on paper and lock them up in a commercial-grade safe. I then place that safe inside a weatherproof box, buried at least a metre below the ground in my backyard. To make it harder, I placed a mat over the area and put my green, recycle and rubbish bin on top. #nevereverbetoocareful wahaha

  • Switchblade88 on 02/12/2022 - 13:08
    +4

    It won't be the cloud-side that'll leak your passwords from your manager.

    It'll be the fact that you're still signed into Chrome on your PC whenever it eventually gets hacked and someone remotely logs in, or your PC is stolen, or similar. The weakest link in the security chain is almost always the user.

    Relevant XKCD

    • trapper on 02/12/2022 - 13:15

      Hackers in Russia will have trouble kidnapping and torturing you though, especially without being caught.

      • Switchblade88 on 02/12/2022 - 13:21

        But they won't need to, they'll just utilise our laziness.

        What's the use of a password that's 36 characters long for your banking, when your 10-year-old router still uses the default 'Telstra' username and password as a gateway to your entire network?

        Little point having a massive lock on your front door when your lounge window is open for the breeze.

        • trapper on 02/12/2022 - 13:23

          Was just responding to your XKDC.

          I agree password managers are the best route for most people.

        • banana365 on 04/12/2022 - 10:59

          What's the use of a password that's 36 characters long for your banking, when your 10-year-old router still uses the default 'Telstra' username and password as a gateway to your entire network?

          I get what you're saying but that's a terrible example. Admin access to almost every consumer modem/router is only available on the LAN side (at least as default). It would need some sort of unpatched vulnerability to be able to log in from the internet side. FAR more likely to be breached from a device inside the network due to insecure practices by users of the network.

          • Switchblade88 on 04/12/2022 - 11:28
            +1

            @banana365: Yeah, definitely an inaccurate example - I was just trying to give a broad example that most people would be familiar with.

            Just trying to make the point that the password manager itself won't be the attack surface that the OP is worried about!

    • [Deactivated] on 02/12/2022 - 13:57

      All true. I switched to incognito /Private browsing as default. When you close tabs, all cookies and tokens gone. Logging back in is easy with autofilled passwords.

  • 7ekn00 on 02/12/2022 - 13:08
    +1

    Cyber attacks are the next COVID: https://www.weforum.org/videos/a-cyber-attack-with-covid-lik…

    It's a fear campaign designed to trick the whole world into a global digital ID to track your carbon emissions as part of a social credit score ;)

    • franco cozzo on 02/12/2022 - 13:24

      …hey! that sounds like it would be handy for future pandemics too!!!

  • trapper on 02/12/2022 - 13:13
    +2

    Even if you don't 100% trust cloud based password managers, do yourself a favor and start using one for every online account that is non-critical. Bitwarden is great.

    You can keep doing your banking, gmail, facebook etc the old way

    But man it makes life so much easier to have all the rest in one secure and easy to access place.

  • AustriaBargain on 02/12/2022 - 13:33
    +1

    If all of iCloud gets hacked then my passwords will be the least of my worries while society collapses.

  • payless69 on 02/12/2022 - 13:33

    With CBA now touting a credit report for any bot that asks for.
    So all banks know all about you and can tease you and send you bankrupt.

    Please fill out the consent form and place in recyle bin. We had all your info anyway we just had to make it legal!

  • Tomhaigh1 on 02/12/2022 - 15:44

    there should be one more poll option: "I use same password everywhere" :D

  • shaybisc on 02/12/2022 - 16:32

    If the dimwits in charge of security at Optus, Medibank Private etc had designed my password manager I'd be worried.

  • Shoocat on 02/12/2022 - 16:57

    Needs another poll option: I'm not worried because I use a password manager with a ubikey, so I won't be the weak link.

    As others have said, if the password manager company gets hacked, they should have controls in place to make use of hacked password data extremely difficult to use.

    • st1ng on 02/12/2022 - 19:38

      You'd hope all (I know Lastpass and Bitwarden do) do not have any unencrypted password information. Both platforms do client side encryption of data, so the only thing the hackers get is your general account information.

      As for the Optus / Mydeal / Medibank hacks, these were all done by infiltrating the company, not the end user. Whether you have the same password for all sites, have a little black book or use a password manager, you're as likely to be victim as much as the next person.

      The greatest thing a password manager does is make it (nearly) impossible to fill in credentials for a forged website. That, and not using 'correct horse battery stable' as the password for every site you have an account on.

      • banana365 on 04/12/2022 - 11:02

        That, and not using 'correct horse battery stable' as the password for every site you have an account on.

        But, but, I was told that was secure! I know, I'll stick '99' on the end and she'll be right.

  • Mcuser on 03/12/2022 - 06:31

    Been using keeper for years

  • lew380 on 03/12/2022 - 09:12
    -2

    It's not hard to keep one or two complex passwords in your head(or on paper) that you use for banking and email, they need to be rock solid and changed frequently. 99% of everything else can be just that password you used when you were 10, with some variations.

    And don't store any bank card details on browsers, once it's out of your hands it's vulnerable.

  • witsa on 03/12/2022 - 17:09
    +1

    Anyone know the pros and cons of a dedicated password manager or just using the one that's just what Google offers?

    The Google one basically works off any app on my phone via the Google keyboard and obviously any chrome browsers. Seems safer to me than having to install extra apps for another password manager everywhere?

    • Herbse on 03/12/2022 - 18:15

      People will say they don't trust the Google one, because google. But it's no different to any other one. As long as your Google account is secure with 2fa and your recovery methods can't be hacked into as well.

  • zzyss on 03/12/2022 - 17:39

    I'm keen to gain a better understanding. When people say "cloud-based" they're referring to a service like Lastpass where they maintain a copy of your (encrypted) password file, which is then synchronised and decrypted on whatever client device you're using, right?

    I've heard some mention using their own self-hosted password file e.g. using Bitwarden, on yet another service like Dropbox or OneDrive. (How) is that more secure?

    I'm willing to give up a little security for the sake of convenience, but would like to know what the compromises and risks are.

    • RotundPolarBear on 04/12/2022 - 11:54
      +1

      My understanding is that if it's stored on Bitwarden's cloud, then attackers have a single point to try and compromise, where everyone's password files, including yours, is kept.

      But if you self-host, then they won't know where your encrypted file is. But it's a lot more hassle. Even I can't be bothered with this, and I use to work in web hosting.

      • zzyss on 04/12/2022 - 17:31

        Thanks.

  • leeroys_dad on 03/12/2022 - 19:42

    What do people think of android apps having access to your clipboard, for example if you copy paste passwords on your phone?

    • rarelyscene on 04/12/2022 - 10:57

      Apple gives you a prompt when an app is trying to paste from the clipboard. Handy when you were clearly going to do that anyway but sometime it pops up when just opening an app which makes you feel suss on that given app.

  • Bluto Mindpretzel on 03/12/2022 - 20:00
    +1

    None of the breaches make me nervous because I don't publish my password manager to the cloud: https://www.passwordstore.org/

  • WhyThingsCostMoney on 04/12/2022 - 00:35

    Cloud based or stored locally. What matters the most is how you secure your password vault. I’d highly recommend securing your vault and any other service that accepts it with U2F (e.g. a yubikey). Note this method works in conjunction with a password.

    It’s would not be feasible to decrypt anything without the physical key and password.

    If you’re super keen you can get a biometric yubikey.

  • Morphio25 on 04/12/2022 - 06:13

    I don't use a password manager so I'm not concerned about it at all.

  • tolchok on 04/12/2022 - 07:31

    I was using Lastpass, but moved to Keychain when I moved from LineAgeOS to iOS. I’ll likely be moving from passwords to passkeys when they are more widely accepted on websites.

  • aliam on 04/12/2022 - 08:34

    I'm more likely to forget a password, than get hacked. But i know both may happen so I have 2FA on for all bank accounts etc.

    Im using vaultwarden, after using Roboform for years. I thought I may as well host it myself, and it's free too.

    It's a balance between paranoia and usability…

  • RotundPolarBear on 04/12/2022 - 12:05
    +2

    I used to be like you, OP, and only used a local password manager, which was KeePass, as I was paranoid.

    But after doing a lot of research I've recently switched to Bitwarden, mainly for convenience, a nicer interface and user experience. Though I still keep my banking credentials in KeePass. I feel that's a good compromise.

    • BendBridge on 05/12/2022 - 14:36
      +1

      Good to hear I am not alone :) I guess we should just do what we feel is safe after sufficient research.

      The poll so far shows more than 50% use a cloud based password manager…

  • pharkurnell on 06/09/2023 - 15:29

    Diggity….

    People still happy with BitWarden??

Login or Join to leave a comment
Login Join