You can go with Bitwarden. Been using it for 6 months now and I think it's perfect! You have an Android and iOS app, as well as multiplatform desktop apps and a Chrome extension.
Also, if you are concerned about privacy, it has a self-hosted option, so if you want you can install it on your own server.
>The main features I really want is:
>Sync across devices (Windows, Linux, Android)
I recommend Bitwarden.
>but then I've seen people say you don't want a cloud platform PW manager
If you trust AES to secure your online banking transactions, then you can trust it to encrypt your vault before sharing it on cloud servers.
>so is that achievable if it's all local?
Some 3rd party utilities can make this doable with managers like KeePassXC. Syncthing, Dropbox, Google Drive, etc.
>Able to import my passwords from google
>Auto fill forms (address, etc)
>Auto fill passwords
https://bitwarden.com/help/article/import-from-chrome/ might be able to help with my previous recommendation of Bitwarden.
>Bonus would be able to like create folders where passwords for different things are in
Yes, most password managers support this.
>And could someone explain the whole local vs cloud bit to me a bit better?
Password managers will encrypt your vault before it is stored to disk, regardless of whether that's your local hard drive or an online server. Almost ubiquitously, this will be encrypted with AES. Another popular choice is ChaCha20, with some scattering of other algorithms like Twofish.
The symmetric key is either derived directly from your master password, or generated randomly, and encrypted with a key built from your master password. Either way, your master password is the weak link. If it can be guessed, the vault can be decrypted.
However, AES is not the weakness here. If AES were not secure, then the communication between your computer and the server would be a bigger vulnerability. This isn't just password managers, but banking, email, and everything else that relies on TLS.
Again, if you can trust AES to encrypt your TLS connections, then you can trust it to encrypt your vault.
A free BitWarden account would probably be a better solution than a paper notebook. Definitely write the master password for your BitWarden account in the paper notebook though, in case you ever forget it.
There's almost nothing wrong with writing down your master password, if you are that forgetful. Store it in a safe, if you are afraid that somebody will find it. The threat of somebody finding a piece of paper in your house is minimal, compared to the threat of somebody getting their hands on the one password that you use on every site, and breaking into every one of your accounts.
I'm assuming you're not a high-profile celebrity target, and your biggest threats are drive-by hackers that use databases of compromised accounts, like the ones listed here: https://haveibeenpwned.com/PwnedWebsites
Open Source is better for security. If a vulnerability with the software is discovered, it's easier to find and repair with open code. Then there is the flexibility of sharing code with other users. You can port keepass to any platform. See the Unofficial KeePass Ports as an example.
>How come everyone likes Bitwarden?
>Does it even have data breach scan?
https://bitwarden.com/help/article/reports/
>Also how come everyone hates nord pass?
I haven't seen this personally.
1Password I think is the most user friendly. Granted I haven't tried BitWarden, but I got my dad using 1Password and he manages ok. My mom never did quite figure it out though.
Honestly, consider something like this: https://www.amazon.com/Internet-Password-Logbook-Cognac-Leatherette/dp/1631061941
Hear me out. I know these are the butt end of every joke people can make. However, the same people committing cyber crime and breaking into bank accounts are not the same ones that will rob a house and go looking for that book. The more important part is getting them into good habits around using unique passwords/not reusing passwords, using 2FA, and generating complex passwords (I love this: https://makemeapassword.ligos.net/generate/readablepassphrase). These practices are all more important than specifically where the passwords are stored (as long as they aren't stored in pastebin or something). I feel like the biggest risk with a physical book is that if your house burns down or something, there is no backup/redundancy.
Sometimes randall says really stupid stuff, and he throws out some figures and math concepts to make it look like he has considered the issue in depth. This is one of those times.
If a large number of peoples' passwords were comprised of only common dictionary words, then cracking techniques would evolve to match. Each word essentially becomes a character in a normal password--he only has four. Guess what? In an evolved dictionary attack randall's passphrase wouldn't stand up for as long as he says, indeed it would stand at around 39 bits of entropy if the dictionary of common words was about 1500 words long.
The ideal personal password generation method is to make an acronym of a phrase you remember, then diversify the character set via random or known alterations/additions. This allows you to remember the password better, and it also lets you remain strong against cracking attempts, past/present/near-future.
Here is a graph of the entropy function with two free variables, with x/y ranges as in randall's suggestion (starting at simple wordlists, going to more complex). Here is a similar graph, again with two free variables, but with ranges of a num password going up to an alpha/num/sym password, generated as I described in the last paragraph.
If you examine the contour plots, you can see that the amount of additional entropy generated decreases the further you increase the size of the character/word pool. Importantly, when you increase the number of characters or words, it generates much more entropy than increasing the size of the pool.
Which is easier to remember? A 10 character password or a ten word passphrase, both with the appearance of being randomly chosen?
Almost all password managers encrypt your passwords on your device and upload to their cloud. However, once your login credentials are compromised, your passwords can be hacked.
C2 Password is free, you can not only enable 2FA to log into their service, but also require you to enter an additional passphrase to decrypt your passwords.
You could do this a lot more simply with a safe deposit box or a lockbox.
I try to encourage people to use physical security for backups: offline, replicated, multiple copies, multiple locations, multiple media.
When you try to create a digital solution you have many more moving parts and you create additional threat surfaces as a result.
Consider your threat model. Is the risk of your parents busting open your lockbox really greater than an organized crime ring in Russian Georgia defeating your online setup? The nature of threat remediation is to address the highest risks first, and I am unconvinced your concern is near the top.
Even when it comes to physical theft, burglars who dabble in online theft are, well, quite rare. They tend to be houseless, drug addicted, and living marginal lives. Except for your parents? Again, everyone has to create their own threat model, and there really is no totally wrong answer.
Look, another possibility could be to use a deadman's switch like https://www.deadmansswitch.net/. By leaving the encryption key online and the physical media offline in your lockbox I think you would be pretty safe from either physical or digital attacks.
Start out with two Bitwarden free plans and experiment with sharing between two of you. Whether or not you think the autofill support and other features are good enough will depend on your phone and the apps involved, so just try it out.
Similarly, at the free level you and one other person can have an "organization". Some people don't like the way it works. You will just have to put an entry in the organization and see if you can get it to work the way you want.
Paying members have an emergency access feature. I think it does everything you want.
The "family plan" is $40/year for up to six users, so this is still within your budget.
Anyway, try it out at the free level, and good luck.
I pay for the Bitwarden families org plan. Per the pricing, for $40/year, I can setup unlimited collections in the organization, and have up to 6 family members in the organization accessing those collections.
The free organization plan allows up to 2 collections with up to 2 family members accessing those collections.
Bitwarden offers a premium version for $10 annually for individuals or $40 annually for families. Wikipedia also has an article comparing password manager features which may be helpful.
There are a lot of sources. He lists all of them on his other website. https://haveibeenpwned.com/PwnedWebsites
As far as where to download these. You got to do some searching. There are a few forums that maintain links for the larger dumps like Exploit.in and AntiPublic. Smaller ones can be found here https://publicdbhost.dmca.gripe/
>what kinda passwords am I supposed to use nowadays
Long ones. Words, letters, numbers, the most important thing is that they're long. 4 words, or >16 random characters, either will do.
>2FA such as SMS with a pin is a scam that doesn't work
2FA is great. SMS 2FA is still better than no 2FA at all. If your accounts have the option for it, enable it. SMS can be hacked, but that's one more step that needs to be hacked.
>if I make simple 8-symbol passwords for all accounts...
8 is probably too short. I do 16-20 character passwords for all my accounts, and only change them if there's a leak. But, most importantly, MAKE SURE THEY'RE ALL DIFFERENT. For this, a password manager is essential. I use 1Password, but to be honest I recommend Bitwarden. If you're single, it does everything useful that 1Password does, but for free.
Your Master Password for your manager needs to be memorable, so 4 random (like actually random, not just chosen by you at random) words is best. You can go to https://bitwarden.com/password-generator/ and pick passphrase to make one.
>Bitwarden also monitors for breaches and lets you know if you have been breached?
Yes, via the "Data Breach Report".
>are you able to update passwords via Bitwarden? Or do I need to go to the sites manually to do it?
Well, Bitwarden isn't logging into your sites, so you'll have to update the password there. But Bitwarden can autofill the password form, and the built-in generator will suggest a secure random password to fill. But you'll still have to manually update it. There is no "Go update Google's password for me and save in my vault. kthxbye" option.
Usually users do not pay much attention to creating strong passwords while registering on a new website. This can be one of the many reasons that a data breach happens. Cyber criminals take advantage of such practices to gain access to an organization's data. The cyber criminals often send phishing mails to customers to gain the login credentials of their accounts. They might also use other methods like brute force attacks or man-in-the-middle attacks etc. for the same. Hence it is very important for any organisation to set its parameters for password generation such that the customers create strong passwords and change them periodically.
I read an article about some of the worst passwords, which I believe might be helpful for avoiding the bad passwords:
https://www.loginradius.com/blog/2019/12/worst-passwords-list-2019/
Myki (https://myki.com) It's completely free. Stores the data offline and seamlessly syncs it in a P2P manner to other devices that you own. Autofills 2FA. Looks great and has fantastic chat support.
Check it out, I've become a big fan. Plus it fully supports Linux and has a Linux desktop app in public beta.
Actually check out their FAQ. Here is what it says: Myki securely stores your passwords and sensitive data offline, on your smartphone. The Myki app acts as a vault that stores an encrypted copy of your passwords and sensitive data. Your passwords are not stored in the cloud which prevents hackers from gaining access to your accounts in case our servers get compromised.
Filevault can definitely be attacked using optimized tools such as JTR(JohnTheRipper). This will allow you to guess many more passwords in a fraction of the time as well as apply dictionaries/rules to increase the chances of getting it. Have a look here: http://www.openwall.com/john/
Hi Selykg! Full disclosure: I currently work at Dashlane.
First and foremost, the only personal information we have on a user is their email address, and their mobile phone number if they chose to give it to us for security purposes when they created their account. This is what we use to communicate with you about your account. This information will NEVER be shared unless you explicitly ask for it.
Secondly, we collect technical and usage data to analyze how our product performs for our users, and for us to improve the quality of Dashlane. This data is completely anonymous, except for gender, birth year, and zip code. This information cannot IN ANY WAY be linked to your individual personal information – not even the email address you registered with us. I highly recommend taking a look at our Privacy Policies here: https://www.dashlane.com/privacy. If you have any additional questions, feel free to message me at community at dashlane dot com. Thanks!
There were also loads of duplicates. I assume that the passwords are very old. I believe the credentials were stolen from haveibeenpwned, so no clue from when the passwords are.
Keepass XC is free and open source and it auto-types. You can also define the auto type sequence. It provides browser extensions etc. etc.
For syncing between devices you put your container file into a cloud storage or such.
Yep, this is great - thanks for the extra detail! And here's that entry in the KeePassXC FAQ in case anyone is interested - https://keepassxc.org/docs/#faq-security-totp
Isn't it curious that you say everyone will evolve their own way of doing this? I largely agree that that seems to be what happens, but I don't think it should be that way. Isn't this the very thing that you'd like to be standardised and to have many eyes on the process?
I like Roboform. I've never used it with Linux but it does support it. It's actually on sale right now for $29.99 for a 5-year plan here.
With Netflix I tried to log in after a few months but the password was changed, I managed to get it back with the support and found all my account info to have changed, it became a family account with many Spanish sounding Profile names watching primarily Spanish TV Shows.
With NordVPN I received an E-Mail from someone warning me that my username and password have been leaked (both shown in the E-Mail as well) urging me to change my password, I logged into NordVPN and received the message that my info had been leaked and I need to change my password as well. I checked Outlook and indeed had a lot of failed log-in attempts in the past 2 days (I use the same username/e-mail but an entirely different password there).
So Netflix I would assume was sold to someone, NordVPN appears to have been made public on a hacker-forum or something similar. Surprisingly NordVPN themselves, despite apparently knowing that my credentials have been leaked, did not contact me about it.
Would this work? I also have a hard drive docking station ..
I think the phone is probably a dead end to be fully honest
> Could they be mounted to a Windows machine? Or would the files only be readable on another Mac?
Probably best would be to get an external drive enclosure that connects via USB, install the drive in that, then connect it to another Mac that you have access to. From there, your Mac should see the drive, automatically mount it, and make it possible to browse the data.
> Yeah I spoke to a few people today and short of getting onto OnePlus themselves there's not many that would fancy tackling it, it's locked with a password not a pin
Ah, yeah. Then things are going to be difficult indeed. Not sure what to tell you here. Maybe the Android password is stored somewhere on the Mac? Dunno.
I agree with the fact that password managers are essential, it becomes a single source for managing all your passwords.
One of my main concerns has been the safety of the data that is being stored at the server side. There have been numerous cases of data breaches in the past and I can't help but think we might just see a few more in the years to come. That being said, this app does keep your passwords offline and ensures security and usability: QUILA (https://play.google.com/store/apps/details?id=com.quila2). Have a crack at it and let me know what you think about it.
I would also like to know any other password managers that you might have come across that manage data locally. At the end of the day I think it's really a toss-up between convenience and safety, and I think safety is clearly more important hands down!!!
Yeah, I do exactly that with ProtonVPN. I'm paying extra for ProtonMail features that I don't need just to support them. Question stands though - how do Bitwarden make money? Their product, at least from my perspective (I'm on 1Password and didn't try Bitwarden yet), seems just too good to be free.