Alright. You remember 169 unique account usernames and passwords.
The best password managers
- Thread starter Ivan Franco
- Start date
- Status
"And if you don’t want to store anything on Bitwarden servers (cloud), you can host your own Bitwarden instance."
LastPass has been hacked, had outages, and other major issues pop up at least a half dozen times over the last ten years, including very recently, but I'm sure LP is not the only one and others have also been hacked and/or had major issues, I'm just not aware of them or forgot because it did not affect me. I would think a quick search would turn up more instances.
Passwords usually aren't stored in plaintext. For example, even if you choose not to use the sync passphrase feature on Chrome (not using the sync passphrase is the default setting for Chrome), your passwords are encrypted before they are stored in your synced devices or Google servers.
There are two major downfall for this approach, compare to standalone PMs. One of them is (possibly) weak encryption key. It will use your Google username and password as an encryption key. Since your Google username/password is definitely one of the prime phishing targets and you probably use your Google account often (thus you probably don't want to use something like 98 letters password which has 500-ish bits of entropy), it's not good idea to encrypt your whole password database with your google username/password. However, you can (somewhat) tackle this problem with the sync passphrase feature (or master password feature for FireFox).
Another downfall is that, there is an alternative way to view or recover the stored passwords without the actual encryption key itself. If an attacker know the account/password of your host (or hijacking your-already-logged-in-sessions of your host computer), the attacker can view the password regardless of your host OS. Hence, if your hosts have been compromised, your passwords are also compromised. But your standalone password managers are not that ahead in this regard. Because if you have a compromised host, it usually means all bets are off. (For example, as soon as you access the password database on your compromised host, every contents of your database are no longer yours).
Last time I checked, Chrome, Firefox and Safari w/Keychain all have built-in password generator, and most of them will tell you how strong your passwords are, and how many times you've used the same password. It's true that you'll have somewhat limited features with your browsers. For example, if you use the sync passphrase on Chrome, you only have a password generator and lose the ability to check password reuses (or weak passwords) since you cannot access to the Google's password manager (passwords.google.com) which provides you those features.
A quick search reveals LastPass has had breaches, hacks, outages, lockouts, etc occur at some point in 2011, 2014, 2015, 2016, 2017, 2018, 2019, and a major outage Jan 20, 2020 as well as the Chrome Browser extension not working just a couple of days ago. To be fair they are the not the only ones, but I found more for LP than any other PM by far. Also LP claimed no data was compromised in most cases, but they recommended users to change their passwords "just to be sure". They also denied an outage just last week until it was widely reported on the web by so many users. I did not read the details of each occurrence but the articles still exist online. I had a paid LP account until 2015 when my master password no longer worked and I lost all of my data. Their customer support is almost nonexistent, unfriendly, and unhelpful. I now use BitWarden for my family and could not be happier. YMMV
It's not like that. You gain some with a password manager while you lose some, and the convenience is not the only thing you gain. You gain some in respect of SECURITY, even though you still lose some in repsect of SECURITY. Usually, you gain more security than you lose with a password manager, and that's the reason why many people recommend a password manager.
The single worst thing you can do is password reuse, because your password (either in plaintext or hash) is almost guaranteed to be leaked somewhere. FYI, big players like Adobe, Dropbox, LinkedIn, MySpace, tumblr and Zynga have leaked anywhere from 65 million to 359 million accounts and password (hash)s. Once your reused password is leaked in plaintext (or recovered from leaked hash), you have whole bunch of compromised accounts.
You can deal with this issues probably in three different ways.
1. Tiered password reusing structure (such as pswd1234 for weak websites which can't cause you any harm to you even if it's leaked, lrfebjdbwhwz for medium websites which can cause you some harm but not grave harm, oIiskIFoy8@uHmOl%k&!%w@Vg for emails and bankings)
2. Salting the strong base password for each websites (For example, if your base password is P@V0sYz$@%9ufMEOZI|1I|jIljl|iIlI|ljIjii|Ii|li1jlI, TcSoP@V0sYz$@%9ufMEOZI.com|1I|jIljl|iIlI|ljIjii|Ii|li1jlIeHpT for techspot.com, GoLP@V0sYz$@%9ufMEOZI.com|1I|jIljl|iIlI|ljIjii|Ii|li1jlIoGe for google.com)
3. Creating unique passwords using certain easy-to-memorize and easy-to-lookup methods (For example, google.com is consist of 7, 15, 15, 7, 12, 5, ., 3, 15, 13th alphabet, hence using the last word on page 7, 15, 15, 7, 12, 5, ., 3, 15 and page 13 of the book Harry Potter and the Prisoner of Azkaban as your password), or using randomly created unique passwords and write these things down in your diary
All of above have significant disadvantage compare to a decent password manager.
For method #1, there are two major problems. One of them is a leakage of high tier passwords, since big players are not immuned to those password leaks. The other problem is you can't remember everything. For example, how many accounts have you accumulated over the last few decades? Is it 397 or 401? If you can't answer the question correctly to the last digit, you don't know your password distribution. In other words, you can't figure out which has been compromised or not, even if you have the real time knowledge of every leaks in the globe. Also, even if you do remember everything, it's definitely no easy feat to change the passwords of hundreds or thousands of accounts.
In case of method #2, you need to develop a strong salting methodology, because otherwise your salting is useless. For example, if an attacker knows you've used TcSoP@V0sYz$@%9ufMEOZI.com|1I|jIljl|iIlI|ljIjii|Ii|li1jlIeHpT for techspot.com, it's no hard to guess your salting method, hence all of your accounts become vulnerable.
The problem is that it's very difficult to develop a strong salting methodology that works all the time, due to all kind of password restrictions enforced on each websites. For example, some websites only accept 12 letters passwords. Which means, if you're using above mentioned salting mechanism, you have all salt no password for abcdefgh.com, and you have broken salt for abcdefghi.com.
For #3, most password creation methods (especially if it's an easy-to-memorize and easy-to-lookup method) usually give you a lot weaker, low entropy passwords compare to what random password generator can offer, and plaintext password written in your diary (or encrypted in your way) is usually a lot weaker than encrypted password manager database stored in offline devices (anyone who lives in your house probably can easily hack into your accounts using your plaintext diary, but cracking the encrypted database is no easy task even for the FBI with a search warrant).
Of course it's true that those password managers are anothher weak point which you can lose many accounts and passwords at once, but like you've said, you can't lose accounts which you haven't registered to that password manager.
Just adding minor accounts to the weaker, cloud-based, easy-to-access password managers and add serious accounts to the stronger, offline, hard-to-access password managers. In this way, you can benefit increased security as well as convenience while minimizing the risk.
I used to use 1password, but didn't like it enough that I swapped after much cringing (changing is a pain). I changed to Lastpass, and like it. I haven't had a single problem with it, despite the listed 'major outages' listed above, which I had to read about after the fact, because they had no effect on me. I'm still wondering what the definition of 'major' is. Not even the hack, of which I'm only aware of one, which had no consequence. It does everything that's listed above, and does it well enough that I use it on my phone, tablet and 3 computers.
I like Keepass, too, and have been using that for even longer, but it's not my primary manager.
I like Keepass, too, and have been using that for even longer, but it's not my primary manager.
D
DelJo63
Very verbose but not convincing. As stated at the beginning (and incontrovertible imo) once the password manager is breached, all your accounts are at risk and it has happened. I'll go quietly on my own, thank you.
ZedRM
Posts: 1,804 +1,207
The average person doesn't come anywhere near that number of accounts. Try again.
Michael Baker
Posts: 9 +13
At least you are honest that you are not open to any evidence or arguments to the contrary.
Michael Baker
Posts: 9 +13
I might not be average, but yes I did.
I have over 200 myself. I bet most people would be shocked at how many accounts they have created over the years if they just added them up. Think about how many online bills you have, how many games you've had to create an account for just to play the game, or how many social media accounts you have. I've got over thirty accounts just for different bills and services I pay for.
Last edited:
How much work is it to export all passwords, secure notes, etc, from Lastpass and import it into BitWarden?
- Status
Similar threads
Latest posts
-
Microsoft is rolling out new Start menu ads to all Windows 11 users despite backlash- ericlikeseatin replied
-
Asus releases firmware update to address game crashes on Intel CPUs- MSIGamer replied
