I was gonna ask about the phone biometrics part in a sepatate question, but its both about security, so might as well combine it in one post.

Okay so I don’t use password managers. I just try to make easy to remember passwords 3-4 random words + 3-4 random numbers. Online accounts can’t be brute forced anyways. For offline accounts, I just increase the words and numbers. For mobile I don’t use biometrics, although I’ve been testing whether or not I want a pin + no biometrics or alphanumeric password + biometrics. I just can’t decide.

    • pe1uca@lemmy.pe1uca.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Same with bitwarden, I recently made my wife change from google because I don’t trust how they could be managing that kind of data.

      • arc@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        What benefit could it be to Google for them to have access to your user and passwords?

        Genuinely curious, I use bitwarden myself but can’t see Google using their password manager for nefarious reasons

        • pe1uca@lemmy.pe1uca.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Sure, probably they won’t use it for bad purposes.
          But there’s nothing saying they won’t use them in any way they see fit.
          Maybe they could find a way to find monetize without disclosing them and anonymized, like statistics or with the update in their policy about training their models with whatever information they can get.
          Maybe you have an ad blocker and AdSense can’t build a profile from you, but the google already know what sites you were interested enough to make an account and could try to advertise in other ways.

          And then the biggest issue: there’s no mention of encryption, so who knows how they store them and where. Could an attacker read them? How are google employees prevented from reading them?

          • kyub@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Also, what’s stored at Google is not only accessible by Google, it’s also typically accessible (probably paid for) by intelligence agencies and law enforcement. The Snowden revelations showed that. Same is true for every other big tech company. Even if you think that’s still not a problem because you’re not doing anything wrong, it could be a problem if you’re ever falsely accused of a crime. There are innocent people being thrown into jail for life. Our systems aren’t perfect, so don’t assume nothing will ever happen to you. Also, if you should find yourself living under a fascist government in the future, they could use your past data to actively target you. This is also not entirely unlikely, because the right-wing is currently quite strong again and who knows what will happen after massive socio-political changes due to climate change and more and more uninhabitable or flooded areas.

            Don’t give those data hoarders more of your data voluntarily. Only give them the least amount of data possible. Keep private things as private as possible. Everything else can only have negative consequences for you down the road. And that road could be very long, many years long. Decades, even. The data about you never goes away. Storage is cheap.

  • Saltarello@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Open sourced password manager + open source 2fa wherever available. For password managers many will suggest Bitwarden & i recommend that to my family for its ease of use, though I personally use Keepass (because it allows me to store multiple documents & have them readily available offline. Its not as straightforward to set up sync compared to Bitwarden, which does it by default).

    I would never allow a browser to store any information such as passwords, credit card info etc

    On mobile I use password in conjunction with biometrics. Sensitive apps are only ever stored inside secure folder which has no biometric access & has a different password to main area of phone.

    I absolutely refuse to use google/apple/samsung pay.

    Please consider password manager, once you wrap your head around not knowing any of your passwords except the strong master password it becomes second nature. Get out of the pen & paper habit!

    Top tip. For any new signup, once you’ve generated a strong password make a note within the password manager of the email address you used to sign up with (yep, get used to using multiple email accounts). When that site inevitability suffers a data breach it makes life easier when they send the change of password verification email

  • dog@suppo.fi
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Online accounts can’t be bruteforced

    I’m sorry, but that’s just wrong.

    Majority of sites have awful security practices, not to mention massive breaches.

    Get yourself either a password manager (Bitwarden is the best), or something like Yubikey + unique sentences.

    Biometrics do not provide security, they’re purely for convenience.

  • fubo@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I write my passwords down using a diamond-point scriber on a tablet of solid gold, which I keep in a secure location.

    • 001100 010010@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Sounds good. Since I’m so amazed by your security, I’d like to volunter to act as security for your tablet of solid gold, would you mind telling me the location? 😉

  • ChatGPTAnswerBot@vlemmy.net
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    I run my own instance of vaultwarden (100% compatible fork of bitwarden) and use the standard bitwarden client on Android and browser plugin in Firefox. My master password is really long and I use 16 character passwords as standard in BW. I have biometric set up for my phone just to make it a bit less hassle.

    Edit: and I set up MFA wherever possible with a yubikey

  • jg1i@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I only pay for 2 subscriptions: 1Password for families (and Spotify)

    I have 236 logins… No way I’m gonna create secure and memorable passwords for that many sites.

    I use 1Password on Linux and Android.

  • zerbey@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Bitwarden for my personal stuff, KeePass for work (like to keep everything separated). Biometrics on devices that support it. I used to do what you did, and then Facebook got hacked and all my other online accounts fell like a house of cards, found out when my friend texted me asking WTF was going on and why was I posting links to porn sites everywhere. So, password manager and strong passwords for all the things. MFA is something that needs to become more common as well.

  • outbound@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    KeePass, synced to my VPS. The key file on exists on my phone+tablet+laptops. Its biometrically authenticated on the phone+tablet - unfortunately, its just password-protected on the Debian laptop. The VPS is automatically backed-up to a completely different cloud service every other night. In the case of catastrophe on the VPS, there’d be cached copies of the vault on my devices and I can fairly easily retrieve a timestamped copy from the cloud server.

    I also use a 2FA autheticator app on the phone+tablet. Its similarly biomentrically authenticated and backed-up to the VPS/Cloud.

  • baseless_discourse@mander.xyz
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I have been a paying costumer for bitwarden for couple years, but now I am planning to switch to proton pass soon. $1 for unlimited email alias is simply too good.

    • diskape@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Do you know how long this $1 promo will last? I’m unlucky this month and can’t afford it until next month.

  • LetMeEatCake@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This may be a dumb question and I see here as well as elsewhere that a password manager is the best option. What makes a password manager safer than managing passwords yourself? I see the efficiency and ease of us aspects, but I’m less clear on the security portion. Thank you!

    • Scrath@feddit.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Basically, they enable you to have a different, randomly generated and very long password for each service with minimal impact to your usability.

      Personally I use keepassxc with the accompanying browser addon. When I unlock my PC and need a password, I have to enter my master passwort to unlock the database. Afterwards, until I lock my PC again or manually lock the database, I can click on a single button in my browser window to automatically fill out my login information. I do not know any of my passwords beside the master passwort.

  • kyub@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Local GPG key pair + https://www.passwordstore.org/ synced peer-to-peer between devices via https://syncthing.net/

    So the key is always local but the password database is being synced between devices.

    pass on its own is great already (it’s basically just GPG encrypted text files with a good CLI frontend) but I make it even greater by using a slightly modified “passmenu” script which utilizes wofi (rofi for wayland) in dmenu mode to show a very fast popup of all your sites you have passwords stored for and by selecting it / pressing enter the pw gets copied into the clipboard.

    • 001100 010010@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Gpg? I get nervous when people say that instead of a symmetric key system. When a quantum computer powerful enough gets invented, all non-quantum resistant asymmetric encryption systems will be broken. Honestly why not just use AES 256 just in case a quantum computer gets invented?

  • zShxck@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    I manage my passwords with Bitwarden and Authy for 2FA. Another good option, is to use KeepasXC with Symcthing to have the passwords both on the pc and smartphone

  • omgnvq@feddit.nl
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Would strongly recommend a password manager. I use bitwarden, you can use self host it or not. If you don’t like bitwarden there are plenty of free options. Random password generation and sync is going to be a better practice than much else I can think of, so I’d encourage you to go for it! 😬