It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can’t remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.

It’s free, it’s convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.

Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.

  • AbidanYre@lemmy.world
    link
    fedilink
    English
    arrow-up
    129
    arrow-down
    1
    ·
    3 months ago

    One person even told me they were upset that websites wouldn’t tell you password requirements after you create your account,

    To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      60
      ·
      3 months ago

      My favorite is the sites that silently truncate your password to a maximum length only they know, before storing it. Then when you come back you have to guess which substring of your password they actually used before you can log in. Resetting doesn’t help unless you realize they’re doing this and use a short one.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      22
      ·
      3 months ago

      Clarification: They reuse the same password (such as “Password”) and whenever they create an account they have to add special characters (like “Password1&” if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don’t know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.

      But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

      • 14th_cylon@lemm.ee
        link
        fedilink
        arrow-up
        10
        ·
        3 months ago

        But yes, there is an unrelated frustration where password requirements aren’t presented upfront.

        And pinnacle of this frustration is “password too long”… Talk about security

        • Eager Eagle@lemmy.world
          link
          fedilink
          English
          arrow-up
          14
          ·
          3 months ago

          which doesn’t make sense as a requirement, as the passwords themselves are not even (supposed to be) stored

          limits of 128+ characters? Sure.

          Limits of 30, 20, 18, or 16 as I’ve seen in many places? I suddenly don’t trust your website.

          • ZeDoTelhado@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            3 months ago

            Do you want to know the kicker? There are banks (yes, you heard me right) that straight up don’t allow more than 20 chars. 20!!! And they say you got to use the app for X things because it’s secure and shit (e.g.: use the app to 2FA credit card transactions). Meanwhile, does not allow you to add a yubikey for Fido authentication

    • Hanrahan@slrpnk.net
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      True but doesn’t a new password then prompt bitwarden for you to update the credentials ?

  • root@lemmy.zip
    link
    fedilink
    English
    arrow-up
    57
    arrow-down
    1
    ·
    3 months ago

    In my experience preaching this same thing to many users at work and just personal friends, they won’t change their ways. Because “omg not another password to remember” and “that’s too much work to login just to get a password”.

    I’ve just stopped trying to educate people at this point. That’s on them when their info gets leaked or accounts drained.

    • zephorah@lemm.ee
      link
      fedilink
      arrow-up
      19
      ·
      3 months ago

      People are already annoyed at base that they need any 2FA at all and don’t want to deal with more info. They just tune out.

      • Jessica@discuss.tchncs.de
        link
        fedilink
        arrow-up
        10
        ·
        3 months ago

        Tell them some password managers have TOTP support. I think I paid Bitwarden $10 for life or per year for TOTP so I don’t need to use my phone.

          • Jessica@discuss.tchncs.de
            link
            fedilink
            arrow-up
            1
            ·
            3 months ago

            Instead of opening Google authenticator or Authy or whatever your preferred 2FA is, you can take photos of the QR codes in Bitwarden mobile to store the TOTP codes in it, and then Bitwarden puts them on your clipboard to paste into websites

            • umbrella@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              3 months ago

              you might have just inadvertedly sold me on bitwarden.

              does it work with 3rd party sort of authentication apps? like when 2fa is inside the manufacturer app?

              • Jessica@discuss.tchncs.de
                link
                fedilink
                arrow-up
                2
                ·
                3 months ago

                It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.

                How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.

      • root@lemmy.zip
        link
        fedilink
        English
        arrow-up
        7
        ·
        3 months ago

        Yup, they couldnt care less about any 2FA. But then they get the surprised Pikachu face when they get breached after being phished lol.

    • JustEnoughDucks@feddit.nl
      link
      fedilink
      arrow-up
      7
      ·
      3 months ago

      I am fighting this with people at work.

      No, it is not “one more password to remember”

      You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don’t care. Use a passphrase if you have troubles with passwords.

      I even generated a sample password from bitwarden and drew them a picture of how to remember it lol

      Still about 10% of people forgot their password in the first 2 months.

  • wuphysics87@lemmy.ml
    link
    fedilink
    arrow-up
    43
    ·
    3 months ago

    My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.

    But I get where people have an issue. It’s one point of failure vs. many, but they don’t realize It’s easier to well secure the one than it is to not spread the same vulnerability everywhere.

  • land@lemmy.ml
    link
    fedilink
    arrow-up
    35
    ·
    edit-2
    3 months ago

    You are right. However most of the mainstream YouTubers promote rubbish password managers, which is why most people I know don’t know about bitwarden. I usually recommend bitwarden or proton pass. (I’m self-hosting vaultwarden). More privacy focus YouTubers need to promote bitwarden, keepassxc etc. (I’m waiting for proton pass self-hosting option).

  • cobysev@lemmy.world
    link
    fedilink
    English
    arrow-up
    34
    ·
    3 months ago

    I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn’t use password managers at work. Nor were you allowed to bring them in.

    Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.

    Plus, the computers themselves had a custom-configured OS and you couldn’t install any software on them that wasn’t on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.

    I didn’t get to mess around with password managers until I retired a couple years ago, and they’ve been a game changer! In the military, we needed unique complex passwords for everything, can’t reuse passwords, can’t write down passwords, and you had to change them every 60 days.

    Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it’s been wonderful.

    I don’t know why the military doesn’t get some sort of password manager approved for use. This is far more secure than what they’ve been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I’d forget them (and again, we weren’t allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don’t even need to remember it. I love it!

  • Interstellar_1@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    23
    arrow-down
    1
    ·
    3 months ago

    My dad somehow believes that that password managers are very insecure ( he got that from some sort of ‘reputable source’, so me telling him bitwarden is secure doesn’t help) and he just writes down all of his completely randomly generated passwords in a notebook, which always seems really inefficient to me, especially when he writes a character down incorrectly.

      • thirteene@lemmy.world
        link
        fedilink
        arrow-up
        10
        arrow-down
        2
        ·
        3 months ago

        You can’t grep dead trees, password managers are only as secure as their infrastructure which are constantly being backdoored, socially engineered and poorly administered. Anyone that trusts a simple security solution is a fool.

        • NateNate60@lemmy.world
          link
          fedilink
          arrow-up
          7
          ·
          3 months ago

          It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans

        • Appoxo@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          At least reputable companies do 3rd party audits and I have yet to hear about bitwarden getting pwned.
          One of the only possibilities is them and their infrastructure getting ransomed

          • thirteene@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            3 months ago

            I have yet to hear about bitwarden getting pwned

            Honestly this is the part that scares me the most. Well maybe it’s the fact we have multiple plausible scenarios… What happens when you get locked out of bitwarden? I imagine the 256 randomized salted hash passwords will be hard to call, some companies will likely be able to restore your password via phone support. During that time, informed attackers will potentially have the master keys to your entire life. Fighting ai chatbots trying to recall security questions. During that time your phone and Internet service could be shut off, secondary emails changed and validated, money transferred out of bank accounts, stocks and crypto sold. Crowdstrike was a valuable security company.

    • renzev@lemmy.world
      link
      fedilink
      English
      arrow-up
      29
      arrow-down
      1
      ·
      3 months ago

      I mean he’s not wrong about paper being more secure than password manager (provided you have good physical security and trust the people you live with)

      • NateNate60@lemmy.world
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        3 months ago

        Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.

    • SocialMediaRefugee@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      My wife does this with index cards. I have to try to figure out what she wrote down (1? l?) and she crosses out an old one and writes the new one in a random spot so I have to study the card to find the live pw.

  • orca@orcas.enjoying.yachts
    link
    fedilink
    arrow-up
    21
    ·
    3 months ago

    Been using 1Password for 6+ years and I probably won’t use anything else ever. My wife and I both use it and have a shared family vault for things we both use. I couldn’t live without a password manager.

  • ashok36@lemmy.world
    link
    fedilink
    arrow-up
    18
    ·
    3 months ago

    I have a password manager with a family plan so my wife can use it. Does she? Absolutely not. And that’s why we don’t share bank accounts.

  • lemmyknow@lemmy.today
    link
    fedilink
    Interlingua
    arrow-up
    18
    ·
    3 months ago

    Say, what are the chances either

    1. someone comes to depend on the password manager to get into their accounts, gets locked out of the password manager, and loses access to all their accounts (e.g. using the password manager to create and store passwords they might never have even seen);

    or

    1. their password manager (or account) gets hacked, somehow, and all their accounts get taken at once
  • Ovata@lemm.ee
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    3 months ago

    Been using Bitwarden for a couple years now…

    No regrets

  • feoh@lemmy.ml
    link
    fedilink
    arrow-up
    17
    arrow-down
    1
    ·
    3 months ago

    I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.

    Is there risk in keeping all your passwords in one place, whether it’s on your hardware or someone else’s? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use ‘pencil’ for all your passwords because you can’t be arsed to memorize anything more complex? OH HELL YES.

    Sure, if you’re defending against nation state level agressors, maybe using a password manager isn’ the wisest choice, but for easily 99% of computer users, we’re at the level of “keeping people from drooling on their shoes”. So password managers are probably a GREAT idea.

    • Appoxo@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      I feel like password managers are more targeted to companies where sharing and controlling login data shouldnt be logged on some table in an excel sheet.
      It just so happens that a manager is also god damn convenient for the private individual

      • feoh@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        I don’t think that’s always the case. 1Password started out as a personal password manager and only added the corporate/teams/families features later.

  • 𝚝𝚛𝚔@aussie.zone
    link
    fedilink
    English
    arrow-up
    14
    ·
    3 months ago

    On the plus side, the more people who don’t use password managers the more chance us password manager users will remain not worth the effort.

    It’s kinda like security through obscurity mixed with only having to be faster than the slowest person to outrun a lion.

    • EuroNutellaMan@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 months ago

      I disagree. Password managers are still target of threat actors, a juicy one at that, but it’s not too often you hear of breaches of good password managers. Chances are the people behind the good password managers are better at security than 99% of users (including more technical ones). Even after a breach exporting all the passwords and moving them to another service, and changing all your passwords again with more secure ones is trivially easy.

      If everyone used them sure there’d be more pressure on said password managers but hackers will find it a lot more difficult to hack anything in general and it will still not be worthwhile to hack average users who use a password manager.