With today's hubbub over Twitch being hacked and their information being leaked, I'd like to bring up BitWarden, which is one of the better free password managers, and has been extremely useful today in securing my various accounts (because I'm a dumb-dumb who used the same password everywhere, so one leak and I had to change everything...). It was super easy to install and add everything to, and now I'm annoyed that I hadn't done it sooner.
Agreed. Anti-encryption people scare me. I also really hate that argument of "if you have nothing to hide, you have nothing to worry about". We use the Internet for SO MUCH SHIT. We store SO MUCH information on our computers, tablets, and phones. I like to protect my personal information. (Plus, I store all my passwords in LastPass so I can generate random 30-character passwords that I would NEVER be able to memorize. If they successfully weaken encryption--unlikely--my passwords are pretty fucked)
>Use a password manager like Enpass or 1Password
Lol, both call themselves the "best password manager". Instead of such commercial products you can also recommend an open, completely free one: KeePass https://de.wikipedia.org/wiki/KeePass | https://keepass.info/
Never ever reuse the same password on two or more different sites!
Here's what you need to do:
If you do this, you'll be protected from current & future data breaches, and put yourself in a safer position such that you shouldn't be targeted in the future.
I wouldn't pay them - they probably only have your password and if it's a common one, maybe they have a few random pieces of data on you. It's unlikely though, they're probably bluffing. It's useless to pay them - nothing stops them from collecting the Bitcoin and immediately releasing whatever stuff they have on you, or continuing to exploit you and shake you down monthly or yearly.
If you have LastPass, they scan through your passwords and tell you which sites were vulnerable. Took me five minutes to change them.
EDIT: LastPass is free, if you didn't know. https://lastpass.com/
Ultraprotip: Use Lastpass. You won't know your password, so you can't give it away by accident - and if Lastpass doesn't fill it in for you, then you know it's not the real site.
I like bitwarden - https://bitwarden.com/
Ignore the pricing spam, the basic version is free and completely functional. You can pay extra to be able to add 2fa and a few other things. Browser extensions, apple/android compatibility, desktop client.
This! Set up a password manager (Bitwarden is free and open-source), turn on 2FA everywhere you can (not SMS 2FA if you can avoid it), and stop using the same password everywhere.
> They don’t have any pictures of you, there’s no keylogger, etc. They got your password and are using that to scare you into thinking they have more.
I second all of this 100%
> Don’t reply, block his email address, and ignore.
Don't forget to change that password they shared with you anywhere & everywhere it was used. I highly recommend switching to https://1password.com to generate secure/unique passwords for every site. It will also tell you where you have duplicate passwords and which passwords have been seen in data breaches.
I just want to reply to say, if you choose to use a cloud-based password manager, then you should be utilising two factor authentication (e.g. Google Authenticator). LastPass supports Google Authenticator on both free and premium accounts.
They also support:
All of this on the free accounts.
It's worth noting that it's not a good idea to change your passwords for websites until after they have patched their SSL and revoked and reissued their certificates.
After Lastpass got acquired by LogMeIn last year I decided to start looking elsewhere. Being a software developer myself, I turned toward open source solutions but it immediately became apparent that nothing existed that was as convenient and as user friendly as Lastpass. I also realized that everyone seemed to charge money for these closed-source solutions (and rightfully so I suppose, a password manager is essential!).
bitwarden was born from this search and I have been developing on it every night since. This week marks the complete 1.0.0 release of bitwarden! There are apps for iOS and Android on the stores, browser extensions for Chrome, Firefox, and Opera, and a convenient website vault. It's free, open source, and cross platform.
Feel free to let me know any feedback that you may have or if you are interested in contributing in any way. You can check out the main product website at https://bitwarden.com/
An important distinction:
From the article I think they hash 100k times to make it computationally expensive to brute force the hashes.
For online backups of sensitive information you can use a dedicated password management application like KeePass. Even if your PC is hacked the passwords, and any other information in it, are still protected by encryption requiring a second password. I have it on Windows, Linux, and my iPhone with my database on Dropbox so I can easily access it from wherever I'm working.
What you should never do is keep your sensitive information online in a way that just anyone who uses your logon or computer can read or use. Letting your browser store passwords for automatic logins for example, or keeping them in a spreadsheet or document.
Little known fact: Computer security is rated by how long it takes to crack (difficulty), not whether or not it can ever be cracked. Anything man-made can be man-hacked. What you want is something that can't be hacked in at least the next few years.
(Don't kill the messenger. This explanation is too short and simple to cover all technical security possibilities, but it is a good enough place to start and it is what I tell family members.)
Kudos for using KeePass :)
KeePass HTTP is usually OK, but is deemed a security risk. When you have KeePassXC (a fork of a fork of KeePass) and its official browser integration, why look elsewhere?
> Since all of your data is fully encrypted before it ever leaves your device, only you have access to it. Not even the team at Bitwarden can read your data, even if we wanted to. Your data is sealed with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256.
I really like Bitwarden and it was easy to import passwords from Lastpass. I have tried to set up KeePass several times but it always ends with me frustrated that something isn't working the way I want, and I delete it.
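As an added illustration of the two points above (the "hash 100k times" comment and the quoted PBKDF2-SHA256 / zero-knowledge description), here is a small stand-alone model of how a client-side master-password scheme of that kind can be built. It is example code written for this page, not Bitwarden's or LastPass's implementation; the 100,000-iteration count, the use of the account e-mail as salt, and the server-side re-hashing step are assumptions chosen to match the public description, and all inputs are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for illustration: PBKDF2-HMAC-SHA256 with 100k
# iterations and a 256-bit output, matching the scheme described in the thread.
ITERATIONS = 100_000
KEY_LEN = 32  # 256 bits, the size of an AES-256 vault key


def derive_master_key(master_password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the key that protects the vault.

    This runs on the client only. The result never leaves the device, which is
    what makes the design 'zero knowledge': the server can't decrypt the vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),  # assumption: account e-mail doubles as salt
        iterations,
        dklen=KEY_LEN,
    )


def login_verifier(master_key: bytes, master_password: str) -> bytes:
    """Derive the value the client sends at login instead of the password.

    One more PBKDF2 step over the key; it proves knowledge of the key without
    revealing it, and an attacker who steals it still faces the full 100k
    iterations per password guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def server_enroll(verifier: bytes):
    """Server side: never store the verifier as received.

    Hash it once more with a random per-account server salt so a dump of the
    authentication table is not a ready-made list of valid login tokens.
    """
    server_salt = os.urandom(16)
    stored = hmac.new(server_salt, verifier, hashlib.sha256).digest()
    return server_salt, stored


def server_login(verifier: bytes, server_salt: bytes, stored: bytes) -> bool:
    """Server side: constant-time comparison of the re-hashed verifier."""
    candidate = hmac.new(server_salt, verifier, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Estimate how many candidate master passwords one core can test per
    second at a given iteration count; this is what the 100k figure buys."""
    start = time.perf_counter()
    for i in range(samples):
        derive_master_key("candidate-%d" % i, "someone@example.com", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "alice@example.com"  # constructed account, used as the salt
    password = "correct horse battery staple"  # constructed master password

    # Client: derive the vault key and the login verifier.
    key = derive_master_key(password, email)
    verifier = login_verifier(key, password)

    # Server: enroll, then check a correct and an incorrect login.
    salt, stored = server_enroll(verifier)
    wrong = login_verifier(derive_master_key("Correct horse battery staple", email), "Correct horse battery staple")
    print("vault key (never uploaded):", key.hex())
    print("correct login accepted:", server_login(verifier, salt, stored))
    print("wrong password accepted:", server_login(wrong, salt, stored))

    # Cost comparison: a single hash vs the stretched derivation.
    print("guesses/sec at 1 iteration:   %.0f" % guesses_per_second(1, samples=200))
    print("guesses/sec at 100k iterations: %.1f" % guesses_per_second(ITERATIONS))
```

The last two lines make the point of the "100k" comment concrete: every extra iteration divides an attacker's guess rate against a leaked verifier by the same factor, while costing the legitimate user a fraction of a second once per unlock.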
Always treat these 'security questions' as additional passwords. I do that, then store them in my password manager (KeePass2). That way a) no one that knows you would be able to know the answer and b) you don't need to remember them.
And that my friends, is why you use a different password for every site you visit. Me, I recommend BitWarden, which takes care of this.
Open source, works well in browser and on mobile.
Use something like LastPass to store all your logins and passwords. This way you can pick random login names for most accounts and your password can be 20+ random characters. Turn on google authenticator and you just need your email address, passphrase, and phone to log into everything.
KeePass2 is brilliant. Runs on Windows and Android. I keep the (encrypted) file on an ownCloud and can access it from all devices via WebDAV.
For Android there are two versions in the Google store.
LastPass extension. Secure passwords that you never have to remember (except for the master one). For mobile use you have to pay for a premium version but it's something around $1/month.
Practical Advice -- Change your passwords. If you're like most people and are re-using names/passwords, you're vulnerable if just one of them fails.
Use a program like Keepass (https://keepass.info/). It can randomly generate passwords for you, and you then only have to remember the one password that unlocks your database.
Fido2 is one of the more secure types of 2FA with a security key and up until now it wasn't supported on mobile. Not sure about the other
https://bitwarden.com/help/article/setup-two-step-login-fido/
The data stored on your local device is encrypted with your master password. It is only decrypted when you unlock your vault and then it resides in RAM, not local storage.
https://bitwarden.com/help/article/data-storage/
That said, a hacker with access to your device could capture your master password. So only install software from trusted sources, don't click on links, etc.
Time to export your data
You can go to your LastPass Icon > More Options > Advanced > Export in order to export your usernames and passwords to a .csv file (comma separated value)
Lastpass uses 256-bit AES encryption. Here's a thread on how long it would take to crack. And that's just one part of its security.
I've used it for five years and wholeheartedly recommend it.
Really? Their FAQ says there is a small buffer period.
>Q: When is the new Premium price going into effect?
>A: The new price for LastPass Premium will go into effect for new customers starting August 3rd. For existing LastPass Premium customers, the new price is effective September 1st and you will receive a renewal notification via email in advance of your renewal date.
I'm using Bitwarden and it's awesome.
And if you want a subscription, it's very cheap and it gives you 1GB encrypted file storage and some other stuff for $10 a year.
edit: formatting
> I know we all default to the same three or four passwords.
If what you're saying actually is true then it's about time to get with the times and get yourself a password manager.
There are plenty of password managers out there which work great on mobile and desktop, but those two are at the very top and rightly so. Try them out, find out which works best for you, and never look back again.
+1 for KeePass. It's compatible with basically anything (though I'm currently having trouble getting auto-type to pass through to a Hyper-V VM), and has some QoL features that make it usable. It's not as nice as, say, 1Password browser integration, but auto-type with window context works quite well. Clients are available for all the major desktop and mobile OSes.
I've used Bitwarden.com for years and am never looking back to 1password or self-hosted bitwarden_rs. If you go for a self-hosted solution, remember to donate to bitwarden.
(don't have any relation to bitwarden)
Damn, they really must be getting desperate if they're stooping to that level
If anyone wants any recommendations for password managers, Bitwarden is pretty good, has a free tier, and for those who are into that is also open source
To clarify for readers, that's https://1password.com/ and not one single password. I personally prefer KeePass, but these are all good. My only recommendation is that for anything extra important, mislabel it, use 2fa, and change the pass a bit from what is there.
I personally recommend KeePassXC, it's a fork of another (basically dead) fork of KeePass.
The main features are full UNIX support (KeePass only runs on Windows) and as of recently a proper browser plugin, there were some security concerns about KeePassHTTP.
Link: https://keepassxc.org/project/ (The link to the extensions is there)
It's also available as a trusted chocolatey app if you are on Windows.
Yes your vault is stored locally so if Bitwarden exploded you would still have access to your data in the app / extension etc. You can also periodically do exports. Finally, it’s open source so subject to being forked or maintained by the community in the event the company went under or something however unlikely it is
Yes if you self host you will utilize docker containers. Deployment instructions here - https://bitwarden.com/help/article/install-on-premise-linux/ No support for raspberry pi currently but believe that is something they’re supposed to be releasing.
I remind folks self hosting is a privacy feature not a security feature. Unless you’re a very talented IT professional, letting Bitwarden & Azure handle securing the servers etc is prob the best :-) I self host a test instance for learning / practice etc. but “daily drive” the cloud offering
It's this easy: https://bitwarden.com/help/article/import-from-chrome/#export-from-chrome
I prefer Bitwarden as it's better and has much more features than any browser-based password manager, and it works on any browser or device.
We're paying for 1Password Business - https://1password.com/teams/pricing/
There's desktop apps, browser plugins, and a website.
For us being able to share some passwords was a huge requirement. We've got ~240 different hosting providers, most of whom don't allow team accounts. So we needed a good way of handling those credentials. Adding people to vaults and taking them away is pretty easy (we do that for the vault containing corporate credit cards for people who don't have one).
I wish they had a real linux application, but their browser plugin for FF on linux does the job there.
I use KeePass and a USB stick. That still requires me to trust that KeePass doesn't have a backdoor, but given that it's open source and has received a security audit I'm much more comfortable with that than a black-box web service that could have compromised servers or be vulnerable to an XSS attack of some sort.
I know some people who use a text file encrypted with openssl's command line tools; it's just less convenient and not as easily portable.
If you're worried about security just use Keepass son - hosted locally, not in the cloud.
A local based PW manager is less convenient than a cloud hosted one but that's the trade off between security and convenience
that sounds all cool and stuff but the 1password client and server code are still proprietary/closed source
so you can't actually verify what they are promising
local AES-CBC 256 bit encryption and PBKDF2 SHA-256 hash for master password / secret key with TLS encryption is actually pretty standard for a password manager
Bitwarden for example does it too
> automatically generated so it’s more random and secure than your local device password.
this is actually an attack vector for the cost of usability
true randomization is actually a little bit harder than people think
Cloudflare did a blog post on how they use for example lava lamps as one randomization source because of that
keepassxc fits the bill. It’s entirely offline and there are apps for every platform (on the page linked it just lists desktop but if you google “keepassxc android” you’ll get some options). If you want to keep things in sync offline try syncthing or resilio sync
Wow, this post has downvotes. Incredible.
Thanks for your efforts on this front, and I look forward to the OpenSSL TLS 1.3 audit.
Any interest in performing an audit on KeePassXC (github, site) and the latest KDBX format? It would be great to have an open audit of an open source, cross-platform password manager.
For all those posting here about LastPass... I highly suggest a switch to BitWarden. It is open source, a free app although you can pay in order to get syncing (which seems fair). You can self-host the syncing server if you are ultra-paranoid but their service is cheap enough.
Most importantly... because they are open source the code is available for all to see and understand and has been independently verified as secure.
I used LastPass for quite a while but to me, BitWarden is better in every way. The killer feature for me was that you can put your MFA tokens into it and it will automatically copy the current generated # to your clipboard ready to paste once the page comes up.
If OP has good 2FA on the vault (like a Yubikey), I would argue that it's ok to use Bitwarden for your TOTP seeds.
And I do strongly encourage 2FA on the Bitwarden account. SMS has known weaknesses, email relies on the security of the email account, and TOTP means relying on another app, since you obviously can't use Bitwarden for THAT.
You might also appreciate this Bitwarden blog post.
No, because it's all client-side (happens in the browser) and isn't necessarily sent over the network. It will be sent when the form is submitted, but filling a field with JS is no more or less secure than typing into the field manually.
There is a security concern with the way it's stored (e.g. storing credentials in a bookmarklet wouldn't be good) and I'd massively recommend using something like LastPass that's a bit more hardcore when it comes to security.
Source: Web developer
> He just texted me to let me know a password. He keeps a spreadsheet of them for me.
That's not very safe. You should get a password manager, that way you can store all your passwords and just have to remember a single one, also there's autofill, password generation and cloud sync. I use KeePassXC
I posted this to /r/programming the other day and figured I would share it with the awesome /r/webdev community as well since there are many web development components.
>After Lastpass got acquired by LogMeIn last year I decided to start looking elsewhere. Being a software developer myself, I turned toward open source solutions but it immediately became apparent that nothing existed that was as convenient and as user friendly as Lastpass. I also realized that everyone seemed to charge money for these closed-source solutions (and rightfully so I suppose, a password manager is essential!).
>
>bitwarden was born from this search and I have been developing on it every night since. This week marks the complete 1.0.0 release of bitwarden! There are apps for iOS and Android on the stores, browser extensions for Chrome, Firefox, and Opera, and a convenient website vault. It's free, open source, and cross platform.
>
>Feel free to let me know any feedback that you may have or if you are interested in contributing in any way. You can check out the main product website at https://bitwarden.com/
To stay secure, you should use a password manager, and generate a different random password for each site you use. The passwords should be as long and complex (e.g., including symbols) as the given site allows. The advantage of password managers is that you won't need to remember them. Also, turn on 2FA on all your important accounts, and wherever it's possible, prefer app based 2FA over text-based (hackers regularly trick mobile providers into reassigning your account to a different SIM).
I work for LastPass, so I'm obviously biased when it comes to selecting a product (but it's free so no risk to try). From the security point of view, you should prefer products that guarantee zero knowledge, which means that it encrypts your password vault (saved credentials) on your computer or phone, before it uploads to the cloud. So even if there's a breach, if you use a strong master password, you're safe.
UI and UX are also important. Ideally, you will be using your password manager all the time and across multiple devices, so it has to work really well for you. Otherwise, you'll quickly fall back to bad password practices :)
Apple evaluated it and think it's safe enough for their 120k employees and Troy Hunt appears to be a fan.
If you don't trust them the whitepaper is publicly available https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf
Hi there! If you'd like to continue using 1Password standalone, 1Password 7 (release coming soon) will be available from our website as well, and from there you'll be able to purchase a license and sync your data with iCloud, Dropbox, WiFi Sync, or even not at all.
I'm always over on r/1Password if you have any more questions!
- Henry from AgileBits (makers of 1Password)
1Password is now VC controlled. I have no faith that they have the users’ best interests at heart anymore. Let’s face it, they serve their investors first. That’s how VC funded companies work.
BitWarden has been extensively audited using SOC 3, which means the audit hasn’t just been done by third parties but the reports are also available publicly. 1Password is only SOC 2 compliant. Moreover BitWarden is HIPAA compliant too. Every way you look at it, BitWarden is just better.
It’s end to end encrypted. Your device encrypts the cloud payload and only your device can decrypt it. https://1password.com/security/. The key for the end to end encryption is automatically generated so it’s more random and secure than your local device password.
Hey all,
I believe this compilation of passwords is from a leak that occurred quite awhile ago. We have not stored passwords in plaintext since I've worked on HoN (more than 2 years), and the leak that I do know happened with plaintext we announced and forced password resets.
If anyone has questions or concerns regarding this, please feel free to reply and I'll do my best to answer.
As a side note, it doesn't hurt to change your password every so often anyway, so while I don't think it's strictly necessary, you can change it here: https://www.heroesofnewerth.com/support/
Finally, I've used https://lastpass.com/ for quite awhile now, and would highly recommend it, it's helped me be a lot less concerned about these sorts of things purely from a user standpoint.
>Reading through this thread has also inspired me to create a brand new, totally unique password. I guess I'm guilty of the "It'll never happen to me" mentality, seeing some people here with accounts that look like they may have been compromised, kinda hit home.
Just a recommendation, but look into Lastpass or Keepass. They manage your passwords so you can have completely unique passwords for everything and never forget anything. I prefer Lastpass, but they're both good and both free. Lastpass is stored in the cloud (the folks over there have been pretty good with keeping your passwords secure) and is very convenient. You can always access everything from anywhere, and there's a fantastic browser plugin with auto-fill functionality that is much more secure than Firefox's remembering of passwords (which is NOT secure). Keepass is offline so you have to manage your password database file manually (don't worry, it's all encrypted so you keep a master password). Keepass is a little less convenient but you can store your database file in something like Dropbox and get a similar effect to Lastpass without disclosing your unencrypted passwords to a third party.
And I'm completely with you on the $60 as an Aussie, +respect for anyone who sells a AAA game here without charging +50%.
KeePass can perform synchronization between different versions of a single database.
Syncthing keeps all of the conflicting versions accessible, so you just sync them all on any device and you're good.
First of all: Use a password manager. Just go download something like this. AND DO NOT REUSE PASSWORDS, PLEASE. What makes it hard for me is that the email you got is something so many people get. It is not specific to a person, so this hints to either the password being slightly similar to an older one or you having a keylogger on your device. The latter is really, really unlikely. The best thing to do is update websites where you used the same/similar password and replace them with a generated password. Yes, for each site. Most importantly: we do not know the hashing algorithm. SHA1? MD5? Hell, they may have used the caesar cipher \s.
For people that want to learn about proper password storage: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
LastPass is pretty good, but I recently switched to bitwarden because it has pretty much all the same features, has a browser extension available for pretty much every browser (and yes, it's compatible with Firefox 57), can be self-hosted, and is also libre-free and open-source.
LastPass is known for severe performance issues. You might want to consider switching to Bitwarden (but maybe it's better to try disabling it first, before you do the effort to switch)
uBlock Origin is also a lot more economic on resources than ABP, so it probably pays to switch your ad blocker too.
I don't know of the other add-ons, try disabling them to see if it makes a difference.
Oh, and check if multi-process is enabled :) You can do that in about:support
**Password card** and **1password** are my go-to generator/managers.
1password for most everything and passwordcard + sticky note ~~under my keyboard~~ in my wallet (with vague interpretations of the coordinates of the password) for places where I don't have access to 1password.
To anyone putting website logins and/or passwords on paper anywhere: stop. Inevitably, the question will turn from "what would you do if your notebook was lost?" to "what do I do now since my notebook was lost?" You can be the most cautious person in the world, but I can guarantee you'll either misplace your notebook someday or someone will snoop around and get all this info easily.
I would highly recommend investing in a password manager like 1Password or LastPass for this purpose.
Edit: Just to touch on the security aspect of it, it's basically as strong as you make it. To gain access to your passwords you use a master password, the stronger it is, the safer you are (as they are simply storing an encrypted blob on their servers for you). They also have several methods of two factor authentication you can use.
Consider KeePass (open-source, Windows, audited by EU) or KeePassXC (open-source, cross-platform, community version of KeePass, not audited but potentially more eyes on it in day-to-day development).
It's certainly not as pretty, but if you care enough to use a password manager, it makes no sense to use a proprietary one.
If you are looking for a password safe that is offline, I've used Keepass for years without issue. It has tagging, a decent organisational system, plugin support, and a built in password generator. It also supports USB keys and other hardware encryption tools. For better cross-platform support there is KeepassXC, and for Android there are a few apps which you can use.
The biggest caveat is having to personally handle backups, though there are plugins to assist that. While I usually use Syncthing to sync the database on my machines, you can also make a key + password combo for your database, sync the key on one cloud database and the database on the other. That way, even if both cloud services are compromised and fall into the hands of the same group, they would still need to figure out the master password.
> As you already noted, don't use the same passwords for services you consider important.
This cannot be stressed enough, especially nowadays, when all services are often linked to each other (one email's password reset goes to another, whose reset goes to a third, whose reset goes to the first, etc.). I myself use KeePass, with which I generate a random 20-30 character password for every service, and where I also keep the passwords behind a strong master password. The program is open source and has no central server where the passwords are stored; instead they are kept in an encrypted file on your own machine (backed up, of course, to n+1 places).
Here you go: https://bitwarden.com/blog/building-a-strong-security-stack/
While there are some great recommendations in there I wouldn’t suggest you ever go 100% off of one resource, it’s usually good to poke around and see what others say about these.
whoops, that was our mistake. It should be gone soon. The best way is to follow our github repos (for the absolute most granular info) - and then checking out the release notes mentioned above on bitwarden.com/help. You can also subscribe to status.bitwarden.com via RSS and get notified of any issues/updates/releases, etc.
Bitwarden uses zero-knowledge protocol, all the data is encrypted before it leaves your computer. You don't need to care at all if all data is public while in transit as it is encrypted. Nobody can read your data.
Check this:
This ^ u/carrotcakegal!!! If you haven’t done so yet, change your email, google, social media, and all other sensitive account passwords, IMMEDIATELY! Good time to start using a password manager like Bitwarden or 1Password and make sure you setup 2FA at the very least on your password manager and email accounts!
Congrats on your newfound freedom and dodging the sociopath bullet! Take care now. Bye bye then.
You probably have a lot of different accounts online for things like shopping, banking, subscriptions, etc. Each of those accounts needs a password. Most people will come up with one password that they can remember and use the same password for every account.
But, sometimes the companies that you have accounts with don’t do a great job of keeping your password secret. And if one of them messes up, now the password for all of your accounts isn’t a secret anymore!
Most people will make up passwords that aren’t very strong either, because weak passwords are usually easier to remember. If you use your birthday or the name of a family member, these passwords aren’t very hard to guess, especially for a computer that can make lots of guesses very quickly.
A password manager helps you to fix both of these problems. With a password manager you can come up with new strong passwords that are different for each account you have and you don’t have to worry about remembering them. So you can have a password that looks like this: !DzWifTKNkrNJN$&Y5M%
for one website and this HXf^N52S5S@up*@L9Z8!
for another website
The only password you need to remember is for your password manager. And luckily there is a neat trick to have a password that is easy to remember but still pretty hard to guess. It’s called Dice Word and it looks like this: flyable-bootie-overrule-boots-easing
Also, you can use 2 factor authentication to keep your password manager secure, which is a fancy way of saying that in addition to your password, you also need to have access to something you own to log in like your phone or a special USB key
I use a different password manager from One Password, but I find they have some of the best communication on what a password manager does, why it’s important to have one, and other ways to understand digital security. So I would recommend checking out their website if you want to read more: https://1password.com/password-manager/
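The post above contrasts long random passwords with a memorable word-based master passphrase; as an added example (written for this page, not taken from any password manager), the following shows how to measure both in bits of entropy and how many words a passphrase needs to match a random password. The tiny word list is constructed for illustration; the 7776-word figure is the size of the standard Diceware list (one word per roll of five dice), and the guess rate used for the time estimate is an assumption.

```python
import math
import secrets

# Constructed word list, far too small for real use; it exists only so the
# generator runs offline. Entropy is computed from the list size, so the same
# code with a 7776-word list gives the figures quoted in the comments below.
SAMPLE_WORDS = [
    "flyable", "bootie", "overrule", "boots", "easing", "lantern", "pebble",
    "canyon", "ripple", "tundra", "velvet", "orbit", "mango", "quartz",
    "saddle", "wicket",
]
DICEWARE_LIST_SIZE = 7776   # 6**5: the standard Diceware list
PRINTABLE_ASCII = 94        # symbols a typical random-password generator draws from
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size`.

    Works for both kinds of secret: a symbol is a character for a random
    password and a whole word for a passphrase.
    """
    return length * math.log2(alphabet_size)


def passphrase_entropy(phrase: str, sep: str = "-", list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a word-based passphrase, assuming every word was picked at
    random from a list of `list_size` words (human-chosen words are weaker)."""
    return entropy_bits(len(phrase.split(sep)), list_size)


def words_for_target(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest words needed to reach `target_bits` with a list of this size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_list, n_words: int = 5, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG, never random.random(), so the entropy
    figures above actually hold for the generated phrase."""
    return sep.join(secrets.choice(word_list) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    example = "flyable-bootie-overrule-boots-easing"   # the post's sample phrase
    random_pw = "!DzWifTKNkrNJN$&Y5M%"                  # the post's 20-char sample

    print("5 Diceware words:      %.1f bits" % passphrase_entropy(example))      # 64.6
    print("20 random characters:  %.1f bits" % entropy_bits(len(random_pw), PRINTABLE_ASCII))  # 131.1
    print("words to reach 128 bits:", words_for_target(128))                     # 10

    # The same five words from a 16-word list would be trivial to guess, which
    # is why the list size matters as much as the word count.
    print("5 words from 16-word list: %.1f bits" % entropy_bits(5, len(SAMPLE_WORDS)))  # 20.0

    # Assumed attacker rate against an unstretched hash; a slow KDF such as
    # PBKDF2 in front of the vault divides this rate by its iteration count.
    rate = 1e10
    print("years to exhaust 5 Diceware words at 1e10 guesses/s: %.0f" % years_to_exhaust(passphrase_entropy(example), rate))

    print("fresh passphrase (demo list only):", generate_passphrase(SAMPLE_WORDS))
```

The numbers show why the post's advice works: a 20-character random password is far stronger than a five-word passphrase, but only the passphrase has to be memorised, and adding words is a cheap way to close the gap for the one secret that cannot live in the manager.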
Still my go-to password manager. Funny thing is the EU gave this project a free security audit and besides using a weaker rand function it came out with flying colours! They also fixed that issue almost instantly. See all of its accolades. It really is the true libre alternative, and it's so powerful.
I recommend KeePass; it's open source, you are in charge of your password file and there are a lot of different apps for nearly all devices.
I personally use KeePassXC on Windows and Linux, and there is also KeeWeb which runs in a browser either locally, self hosted, or on their site.
Yes, me, too!
8mVZDvyD!uaCLQ#oHc^%LT7eNo2gz3z2uZ@7r6T!k
Literally just made it up on the spot thanks to Bitwarden. If I were to use it (which I won't), I wouldn't have to remember it.
In case that's not obvious: change your password right now. If you can, enable two-step verification. Check your PC for malware, or just reinstall Windows entirely (or go for Ubuntu if that floats your boat).
edit If you want to go for even better security to prevent this in the future, I recommend you start using either an open source program like KeePass to store generated, random and most important, separate passwords for all your sites in an encrypted database. If you lose one site, no other site is compromised. You can put your KeePass database file on Dropbox, or you could use an integrated browser solution like LastPass (I prefer LastPass, but it's not as open).
Bitwarden has a self-hosting version.
https://bitwarden.com/pricing/business/
I can't provide experience with the self-hosted version, but I use bitwarden for 3 years now and I would never change. It works!
Depends on what you mean by support.
If you mean complete synchronisation, then no, there is no app that can do that.
If you want to ditch Google Password and use a better alternative, then you can export all of your data from there and import it into Bitwarden.
> 1. Does free version of BW support 2FA (Authenticator or similar, not harware device)
Free supports TOTP and email for 2FA.
>1. Does free version of BW have password challenge (security checkup) to check for duplicate account passwords, weak passwords, etc?
That's only at the premium level.
>1. Are you able to subscribe to Premium 1 month at a time or only for the full year?
No, it's a full year for $10. When you factor in the per-transaction costs for a monthly payment and how cheap it is, I think that's fair.
>1. Are you able to share usernames/passwords on free version or is that only premium?
Not entirely sure what you're asking. At the free level you and your partner can share a single "collection". Read this and see if this is what you want. If it's more than two of you, or if you need more than one collection, you'll need a paying plan.
>1. What is the purpose of the 'Free org' account? What is sharing a collection mean?
See the previous answer.
>1. How do you export passwords from Lastpass if you are locked into the mobile app?
I just saw someone else answer this! Sign up for their premium trial, export your vault, and then cancel the trial.
Are you asking about how to make the switch? Start here.
I don't understand your question about $36/year. That's the LastPass price. Bitwarden has a $10/year premium subscription, but there's no need to buy that right away.
Here's 1 year of LastPass for any new users.
Edit: Someone redeemed it. Thanks for playing!
KeePass works with local databases; [Bitwarden](bitwarden.com/) stores an encrypted muddle on its servers. You can self-host it; then you store the encrypted muddle.
Just use one like those two and you're protected against that
Why not keep the 6 other passwords in your password manager on your phone?
If that's not an option, length is more important than complexity. It can be something easy to type (think sentence, multiple dictionary words, etc).
Anything outside my password manager gets a sentence with some capitals, numbers, and punctuation. Something like "MyRedditUsernameIsColtman151." scores as taking centuries to crack by Bitwarden and is very easy to remember and type both. If you make it something personal, it'll be even more impossible to guess.
https://bitwarden.com/password-strength/ if you want to play around with it.
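The two password styles discussed above (a long random string from a generator, versus a long memorable sentence) differ in how their strength can be reasoned about. The following is an added example, not code from Bitwarden or from the commenters: it generates both kinds with a CSPRNG and computes the guess-space entropy for each, with the crack-time estimate that strength meters derive from it. The alphabet, the tiny word list and the 1e10 guesses/second rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed alphabet for this example; Bitwarden's generator has its own
# options, so this reproduces the idea, not its exact output.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed toy word list; a real passphrase generator uses a list of
# several thousand words (Diceware's has 7776).
WORDS = ["correct", "horse", "battery", "staple", "reddit", "coltman", "lamp", "river"]


def generate_password(length: int = 41, alphabet: str = ALPHABET) -> str:
    """Random password: every position independent and uniform (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=WORDS, count: int = 5, sep: str = " ") -> str:
    """Random passphrase: each word drawn uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(word_count: int, dictionary_size: int) -> float:
    """Entropy of a random passphrase: words * log2(dictionary size).

    This only holds when the words were chosen at random. A sentence you made
    up yourself (like the Reddit-username example above) is not uniform, so a
    strength meter's "centuries" for it is an estimate, not a guarantee.
    """
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try the whole space at a given rate (expected time is half).

    1e10 guesses/s is an assumed order of magnitude for an offline attack on a
    fast hash; against a slow KDF the rate is far lower.
    """
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print("random password  :", pw,
          f"({entropy_bits_random(len(pw), len(ALPHABET)):.0f} bits)")
    print("5-word passphrase:", generate_passphrase(count=5))
    bits5 = entropy_bits_passphrase(5, 7776)
    print(f"5 Diceware words : {bits5:.1f} bits, {years_to_exhaust(bits5):.0f} years to exhaust")
    bits8 = entropy_bits_random(8, len(ALPHABET))
    secs8 = years_to_exhaust(bits8) * 365.25 * 24 * 3600
    print(f"8 random chars   : {bits8:.1f} bits, {secs8:.0f} seconds to exhaust")
```

The numbers make the "length beats complexity" point concrete: eight random characters from a 70-symbol alphabet give about 49 bits, which falls in minutes at the assumed rate, while five random Diceware words give about 65 bits and decades. The commenter's personal sentence is longer than both but was not chosen at random, so its real strength depends on how predictable that sentence is, which no formula here can measure.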
Why not just use 1Password, as you seem to like it more, and if they ever increase the price to the point that you can't justify it (I have never had a price increase, but I guess your one will increase if you are no longer a student) then just switch to bitwarden?
Blur, my preference, generates unlimited masked (forwarding) emails you can use for account creation and contact forms. Their browser extension allows you to create email addresses without leaving the webpage you're using it on.
Blur is another “freemium” service. The paid version offers additional features and Blur is one of at least two privacy services offered by a company called Abine.
The benefit of masked email addresses is that it makes it difficult for your accounts to be linked to each other, either by data miners or hackers, should multiple services you use be breached. (It's a matter of time.) It also protects you from people who might learn of your email address some way; your email address is often your username and, therefore, half of the information needed to access one of your accounts.
https://1password.com/pricing/
Looks like there is a one-time version as well, and the $5 version actually is a family plan for up to 5 users. That seems reasonable for something that needs to be actively patched and product support (apps/OS versions etc.), but you know, developers don't need food.
If you want to be cheap just use keepass and sync it via btsync or something, and stop complaining about someone charging for a product of convenience.
Ok, security stuff first:
Change your passwords again. I suggest checking out LastPass; it creates highly encrypted passwords, then gives you 1 easy password to access them. If you have any personal device such as that laptop, make sure there's a password on it, and if you have security questions for email or Facebook with anything like a pet's name/mother's maiden name etc., change it! That would be the easiest way for him to access your accounts.
Catching him:
When someone sends you an email they have to send it from the IP address of their computer. When he logged in to your account the same IP address was registered. So, assuming it hasn't changed, ask him to email you something and compare the IP address using this tutorial, and the one on your "recently logged in" email section. If they match, then he's the one who logged in.
Even if it wasn't him or you can't prove that it was, it sounds like it's best to remove him from your life. You shouldn't have to feel afraid of him visiting. If you can prove it was him you can even get a restraining order if you want. Hope I helped, good luck out there!♥
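The IP comparison described in the post above (pull the sender's address out of an email's headers and check it against the account's recent-login list) can be done from the raw message source. The following is an added example, not the tutorial the commenter links and not code from any email provider; the message is constructed for the example and uses documentation addresses. It walks the Received headers, which mail servers prepend as the message travels, so the bottom-most one names the host that first submitted it. One caveat a practitioner would add: only the Received lines written by your own provider are trustworthy, anything below them could have been forged by the sender, many webmail services do not record the sender's client IP at all, and a match on a home or mobile address is suggestive rather than proof.

```python
from __future__ import annotations

import email
import ipaddress
import re

# Constructed sample message (not real mail): two Received hops, newest first.
# The top header was added by the victim's provider; the bottom one names the
# host that first submitted the message.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
    by inbox.example.org with ESMTP id abc123
    for <victim@example.org>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.23] (client.isp.example [198.51.100.23])
    by mx.example.net with ESMTPSA id def456; Mon, 1 Jan 2024 09:59:58 +0000
From: someone@example.net
To: victim@example.org
Subject: hi

body
"""

# Bracketed IPv4/IPv6 literals as they appear in Received headers, plus bare IPv4.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|((?:\d{1,3}\.){3}\d{1,3})")


def extract_ips(text: str) -> list[str]:
    """All valid IP literals in text, in order, without duplicates."""
    found: list[str] = []
    for m in IP_RE.finditer(text):
        candidate = m.group(1) or m.group(2)
        try:
            ip = str(ipaddress.ip_address(candidate))  # rejects junk like 999.1.1.1
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def received_chain(raw: str) -> list[str]:
    """Received header values, top (most recent hop) to bottom (first hop)."""
    msg = email.message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def hop_ip(received: str) -> str | None:
    """IP of the 'from' host named in a single Received header, if any."""
    m = re.match(r"from\s+(.*?)\s+by\s", received, re.IGNORECASE)
    if not m:
        return None
    ips = extract_ips(m.group(1))
    return ips[0] if ips else None


def hop_ips(raw: str) -> list[str]:
    """One IP per hop, newest hop first."""
    return [ip for ip in (hop_ip(r) for r in received_chain(raw)) if ip]


def originating_ip(raw: str) -> str | None:
    """IP recorded for the first hop, i.e. the bottom-most Received header."""
    chain = received_chain(raw)
    return hop_ip(chain[-1]) if chain else None


def matches_login_ips(raw: str, login_ips) -> bool:
    """True if the message's originating IP appears in the account's login list."""
    origin = originating_ip(raw)
    known = {str(ipaddress.ip_address(ip)) for ip in login_ips}
    return origin is not None and origin in known


if __name__ == "__main__":
    print("hops  :", hop_ips(SAMPLE_EMAIL))
    print("origin:", originating_ip(SAMPLE_EMAIL))
    print("match :", matches_login_ips(SAMPLE_EMAIL, ["198.51.100.23"]))
```

To use it on a real message, open "show original" or "view source" in the mail client, save the text, and pass it to originating_ip together with the addresses from the account's recent-activity page. If the list of hops ends at your provider's own servers, the sender's client address was not recorded and this method cannot answer the question.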
LastPass, it's free for the desktop, costs if you want mobile ($20/yr when bundled with xmarks). Advantage: if you have internet, you can find your passwords, Disadvantage: if you have a weak master password it's even worse than writing your passwords down.
For events like these I'd like to recommend LastPass. The last password you'll ever need :) After my old Hotmail account got hacked I considered it but did nothing, but then when Gawker was hacked I finally said enough and installed it. The initial time was a little boring, generating passwords and such, but after that it just makes everything so easy. If you are logged into the browser extension it just fills out everything for you. They store their stuff extremely well and know what they're doing. And for like $10 a year you can get the mobile app and additional features. Supports all major OSes and browsers.
Use a local password manager, like KeePass and ensure you take regular backups of the password database somewhere.
It's one thing to store procedures in a web document on how to do things, but credentials should be stored separately and much more securely.
Bitwarden is open source, runs on every OS, can be self hosted on your own server, and has an easy to use migration assistant to move your passwords from other password manager apps.
If the site owner can obtain my password somehow, it means it was not stored correctly.
I'll point you to the Bitwarden FAQ, where they explain how they store your passwords securely (it's the first example that comes to mind): encryption.
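"Stored correctly" in the comment above means the site keeps something that lets it check a login but does not let anyone, the site included, get the password back. The following is an added example of that scheme for a website's login database, not Bitwarden's own code (Bitwarden's client-side key derivation is described in the FAQ the commenter links and is not reproduced here). It uses salted PBKDF2-HMAC-SHA256 from the Python standard library with a constant-time comparison, and sets the unsalted fast hash beside it to show why that older practice leaks; the iteration count follows current OWASP guidance and the record format is an assumption chosen for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# OWASP's current recommendation for PBKDF2-HMAC-SHA256; lowered only in tests.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes | None = None) -> str:
    """Return a record safe to store: algorithm, cost, random salt, derived key.

    The random per-user salt means two users with the same password get
    different records, and a precomputed table is useless against the dump.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations), dklen=32)
    # hmac.compare_digest avoids leaking how many bytes matched through timing.
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: a fast, unsalted hash. Same password, same value, for
    every user on every site, so one leaked table is cracked with shared,
    precomputed work and reveals who reused a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record :", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("correct horse battery stable", record))
    print("unsalted, two users, same password, same value:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted, two users, same password, same value  :",
          hash_password("hunter2") == hash_password("hunter2"))
```

The record stores the iteration count alongside the salt so the cost can be raised later: on a successful login the site can check whether the stored count is below the current setting and rewrite the record with the password it was just given. A site that can email you your old password, or that shows it to support staff, is by definition not doing this.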
Here is an article from their site on where data is stored on the system: https://bitwarden.com/help/article/data-storage/ You can delete these files & directories for your respective system and clients.
As others have said though , the data is encrypted and useless without your master password.
Regardless of the actual encryption / volatility of the leaked data, it's still probably a good idea to change your password, very much so if you do something silly like using the same or similar passwords on multiple sites.
EDIT: Ebay apparently pulled the same garbage as PayPal where they won't let you copy-paste your passwords from a password database (hilariously enough it works on the login page, but not the change form). This does nothing but encourage bad password practices. Unless you're actively using Ebay for anything, you might want to think about closing your account.
EDIT 2: "Unfortunately, we can't close your account yet, because it has been suspended, restricted, or is otherwise not meeting minimum seller standards." I haven't used the account in more than a year and it has nothing but positive feedback and no restrictions or outstanding fees. Oh boy, this sounds like it's going to be fun.
Obligatory pitch for LastPass.
Seriously, use a password manager (doesn't have to be LastPass in particular, I just like that one) and generate random passwords for every site. I don't even know what my RPS forum password was, and I don't care at all that it's compromised, it won't give access to anything else.
A keylogger is the first thing an abusive hacker boyfriend would install, which makes changing passwords futile. Besides threatening with contacting employers and authorities, wiping or replacing PC and phone should be the first step. Backed up personal files should be virus tested just to be sure. AFTER THAT you should change passwords. If you have current evidence of a breached account, change the password immediately. Use a phone as keylogging them is not as easy.
Remembering too many unique passwords can be exhausting, but your password security relies on you NOT giving out your default phrase to anyone. Use a password manager like https://keepassxc.org/ which stores your passwords as an encrypted file on your PC instead of on someone else's computer (e.g. the cloud). With a sufficient passphrase even the best haxor can't breach the file without years of computing time, making it "safe" to back it up on your personal cloud. This enables you to give out unique passwords for every account, making the inevitable breach of one account far less dangerous. (Just make sure to never lose that file >.<)
> other ports are unofficial.
you mean they are forks, which is basically the whole idea of being open source: to allow anybody to adapt the original source and make changes.
I highly recommend this version: https://keepassxc.org/. It's under active development, and available for most desktops. The password DB is compatible with any other KeePass-based software.
Keepass/KeepassXC have this. They use the same db file type so you can try both without having to export your passwords. The only differences I've experienced in my normal usage is that Keepass has a sync feature which makes it a bit easier to keep backups, and KeepassXC has better browser support through the extension.
How can Firefox without TMP be unusable, but not Chrome? Firefox's default tab management is not good, but Chrome's is even worse (by far). And unfixable.
But TMP works totally fine for me, so I wouldn't worry about that too much. XMarks is not e10s-compatible, so that add-on is probably disabling multiprocess for you. Also, Lastpass has known performance issues in its Firefox add-on, and recently, quite a few security issues in their add-ons in general. You might want to try Bitwarden, it's FOSS. I don't know about Tab Menu, uBlock Origin is definitely fine.