• Psythik@lemmy.world
    1·
    5 months ago

    That’s why I let Firefox make the passwords for me. It’s nice because they sync with my phone, so I don’t have to run to my PC to look up a password.

  • gedaliyah@lemmy.world
    10·
    5 months ago

    Finally can’t take it anymore

    Downloads a Password Manager

    Password Manager: “Please create a unique master password to begin”

    • rumba@lemmy.zipEnglish
      4·
      5 months ago

      That’s one password, and then use 2FA or a passkey or a yubinkey or anything to secure it so the security of the password isn’t a big deal

      Then go to every single thing you have a password for, and have the password manager set it to something random. I personally like pass phrases get it up in the teens of characters multiple words multiple numbers multiple special characters. 99.9% of the time you shouldn’t be typing any of this in. It should be injected for you. If per chance you should need to type one of them in typing in four or five words some numbers and some special characters is not really a horrible grievance.

  • SkunkWorkz@lemmy.world
    4·
    5 months ago

    If you don’t want to use a password manager it’s not that hard to create long passwords. Just create a nonsense sentence with a misspelling with a character between each word and add some obscure personal info that isn’t directly linked to you, like a phone number of an old childhood friend or pizza place you used to call often when you were young so it’s easy to remember but not info another person can find about you. Then add a special character.

    Like:

    Wideo1Pasta1Is1The1Grawy1555-22334!!!

    • prole@lemmy.blahaj.zone
      1·
      5 months ago

      I like pass phrases… if you can’t think of anything, grab a random book, open to a random page, and find a memorable phrase that catches your eye. Change some letters to numbers and/or add symbols if you think you need to.

  • scytale@lemmy.zip
    6·
    5 months ago

    I just checked my password manager vault and I currently have 311 passwords stored there.

    • henfredemars@infosec.pubEnglish
      1·
      5 months ago

      I have 401 entries, but only 384 unique passwords.

      Hmm. Most of these are junk from job applications that I really should put in a trash category. I’m so glad all those places don’t share a password with something important. I think.

        • snowsuit2654@lemmy.blahaj.zoneEnglish
          21·
          5 months ago

          Sure, I agree with you if it’s a password that I expect to have that use case (e.g. streaming service, home wifi network). Most of my passwords don’t though.

          As a side note, assuming that they’re equivalent length I would argue that a random password is more secure than a passphrase (of equal length) composed of dictionary words because it’s more resistant to dictionary-based password cracking. That said, the point is moot. As xkcd has shown us, length is the main thing that matters. There’s effectively no difference in practice. I always tell people “the longer the better” in either case and I recommend passphrases for secrets that have to be memorized or typed.

          That said, I think an acceptable medium would be to use a passphrase, like you’re suggesting, for a situation where entering it via a controller or remote is a legitimate use case. In fact, my password manager lets me pick and can generate passphrases or passwords. Not sure if that’s a feature in KeePass.

          For the rest of the time when I don’t need the use case, I’ll simply generate a long random password using my password manager. It’s a faster workflow integrated into the tool itself and theoretically more secure against some attacks.

  • cymbal_king@lemmy.world
    741·
    5 months ago

    Get a password manager. It’s a lot more secure and easier to only have to remember one strong main password and have the rest randomly generated

    • LostXOR@fedia.io
      31·
      5 months ago

      Randomly generate your master password too. It takes a bit to memorize, but becomes muscle memory pretty quickly. And since random passwords have the highest possible entropy per character you can use a shortish one, which allows for fast typing while still being impossible to brute force (I use 16 chars).

        • LostXOR@fedia.io
          2·
          5 months ago

          I’m not prone to forgetting things, but if you are, it’s easy enough to write down and store somewhere secure like a safe deposit box. If you have people you trust, you should have a backup copy anyways so they can access your password manager if you die suddenly.

      • trxxruraxvr@lemmy.world
        1·
        5 months ago

        Both Bitwarden and 1Password can also generate passphrases with high entropy that are much easier to memorize and enter. I use that for my master password.

        • LostXOR@fedia.io
          11·
          5 months ago

          The xkcd-suggested passwords have 44 bits of entropy. Assuming a weak hash like SHA1, a single 4090 could crack such a password in under 10 minutes (source).

          My 16 character password, with 70 symbols per character, has log₂70 * 16 ≈ 98 bits of entropy. That corresponds to a cracking time of over 200 billion years with the same parameters.

          xkcd’s password system is quite terrible for security. Its only advantage is that it’s relatively secure for how easy it is to remember. If you’re someone who really struggles to remember passwords and would otherwise use something even weaker, go for it, but if you want security then random characters are the way to go.

          • Scipitie@lemmy.dbzer0.com
            2·
            5 months ago

            Take a sentence with 200 characters then.

            And your opinion is exactly that and doesnt match security research:

            For the following you’re not the target group but others reading this who might want to make their lifes easier. Just from your way of writing I at least don’t expect that minor sources like okta or the NCSC will change your mind.

            ( article links with high level descriptions and links to their primary sources)

            https://www.okta.com/identity-101/password-vs-passphrase/

            https://www.4bis.com/passphrase-vs-complicated-passwords-passphrases-are-best/

            https://specopssoft.com/blog/passphrase-best-practice-guide/

            • LostXOR@fedia.io
              1·
              5 months ago

              I’m not arguing that random passwords are better for everyone, just that they’re most secure for their length. A 9 word passphrase is just as secure as a 16 character random password, but is far longer.

              A 4 word xkcd passphrase is more or less equivalent to a 7 character random password, and is secure with xkcd’s threat model (online brute force attack) but not with other threat models, like a brute force of a weak hash, which is many orders of magnitude faster.

              If you’d like to verify the math:
              4 word xkcd passphrase: 2048 (possible words) ^ 4 (number of words) = 44 bits of entropy ≈ 17.6 trillion possibilities.
              7 word password: 70 (possible characters) ^ 7 (number of characters) ≈ 42.9 bits of entropy ≈ 8.2 trillion possibilities.
              (Adding an eighth character raises the number to 576 trillion).

        • AtariDump@lemmy.world
          31·
          5 months ago

          If it’s something of vital importance, my mantra is to pay for someone else to host it.

          They can have the responsibility of security / updates / etc. because a company full of people can do that better than I ever can.

          • trxxruraxvr@lemmy.world
            2·
            5 months ago

            That’s my reasoning as well. The only drawback I currently see for bitwarden is that it’s US based and I have zero trust in their current government not going to cut off the rest of the world at some point. I’m still using it, but I make sure to make regular encrypted backups of my vaults.

    • otter@lemmy.dbzer0.comEnglish
      12·
      5 months ago

      FWIW, LastPass is bullshit. DYOR, and stay safe, citizens!

      Also, it could be taken as a positive that BitWarden is the example Wikipedia uses to define password strength. 🤌🏼

  • MrShankles@reddthat.com
    5·
    5 months ago

    Quick question friends:

    If I’m already using bitwarden and decide to switch to self-hosting it; can I import my usernames and such?

    I would most likely change all the passwords, but being able to migrate the websites (with corresponding username) would be kinda nice

  • AceFuzzLord@lemmy.zip
    10·
    5 months ago

    Has to be 16 characters

    So long as I can use more than that, I won’t complain. I don’t remember the service, but I definitely remember one where they wouldn’t allow over a certain amount of characters and that was annoying because that was when I was still using repeat passwords back in highschool. My preferred password at the time was roughly 20 characters, but apparently that was too much because who cares about security, am I right?

    • Higgs boson@dubvee.orgEnglish
      2·
      5 months ago

      It used to be a thing more often, but for a long time even when youre logging in via a website, there were (and probably still are) legacy backend systems that have limits on the password length.

    • Passerby6497@lemmy.worldEnglish
      2·
      5 months ago

      It’s even worse when they have a limit and don’t enforce it consistently. I had to submit a bug report to my bank because I made a 24 character password at account creation but the login page only allowed 16 characters.