- May 7, 2021
- Reaction score
- United States
In light of account hacking going on and everything being discussed about 2FA and account security, @buffalojim and I mentioned password managers in another thread and I thought I’d do a bit of a write up for those looking to start using one.
Who this thread is for
Anyone who interacts even remotely with modern society in pretty much any way and doesn’t yet use a password manager (PM).
@FestiveKnight, this looks like a pretty long post, do I need to read it all?
No, the next few sections are about password managers and theory behind them. If you’re just interested in getting started with Bitwarden, skip down a bunch.
What is a Password Manager?
At its core, a password manager is simply a software that allows you to store your passwords.
But that’s only the very very beginning. Well-made password managers usually also have a bunch of other features like:
- Password generators
- Exposed password reports
- Secure notes
- Securing sharing of credentials
- Automatically filling credentials into forms
Why is a password manager important?
There are a bunch of really critical risks you can avoid by using a PM including:
- Falling into the habit of repeatedly using the same or a similar password
- Using a simple password
- Using a password that has been previously exposed
- Writing down or storing passwords in a less safe way (pieces of paper, etc)
- Accidentally typing passwords in the wrong place
How does a password manager work?
In general password managers are built on three main components. More detail on each component is below.
Note: at this point some of the terms I am going to use may be a bit Bitwarden (BW) specific but only to make it easier for me and as a reader transitions to next sections.
- Master password: you will use a single password to access the password manager. This needs to be complex, long, completely unrelated to anything in your life (no dog names!), and something you absolutely memorize.
- Vault: the main section of the software is just a list of accounts you have saved in the tool. Each will have a name, the username on the account, the password, etc.
My entry for PCF looks like this (in dark mode):
- A password generator: a tool to create password that are random combinations of words, letters, numbers, etc. to help you avoid some of the problems mentioned above.
The Bitwarden password generator:
Why you need generated passwords
In this day an age you may need to access dozens of systems during a week and it’s only natural that you’ll tend towards a bunch of bad habits if you’re memorizing these or not randomly generating them.
And by bad habits I mean things such as:
Using words or names that would be easy to guess if someone knew details about your life
anecdote: a friend of mine who is a professional in the cyber security world (we’ll call her Jane) and I were staying at another friend’s grandparent’s house and didn’t know the wifi password. Jane had a tool that could get around routers giving you a problem with repeated failed password and that could guess 1000s of times per minute, but with no direction you could never feasibly brute force anything but the weakest passwords. So she had us walk around and look for any ideas for what they might have based a weak password on. We put in a text file things like family, pet, sports team, and street names. Within 8 minutes her program brute forced the password. It was: <street name><dog name><year they moved>
People share a ton of personal stuff on here, you should feel safe doing that without potentially compromising your passwords.
If you create passwords like this, you need a password manager.
Using passwords repeatedly
The risk here should be obvious, if a “bad actor” (someone malicious) figures out your credentials once, they may very well go try to see what else they can get into. Oh, you posted a comment on PCF about how much BofA has been annoying you? Let’s see if your login is the same. Honestly, past the annoyance at @Nanook getting scammed today, I also have been thinking about @Fokker210 and hoping the same scammer didn’t try to brute force other things.
If you repeatedly use the same password or variants on a theme, you need a password manager.
Using weak passwords that are easy to brute force.
This should be clear from some of the things above, but aside from passwords that are easy to guess from personal details, passwords can also just be weak in general. “Strawberry!pickl3#to4st” is going to be almost impossible for someone to just guess (even with a computer making millions of guesses, see the chart below). “Password123” will be guessed faster than you can blink. Jane (the friend from above) has also showed me these huge databases of the most frequently used passwords or even exposed password lists you can buy. There’s no thought that goes into guessing easy passwords. 1) buy list, 2) use program to guess passwords, 3) profit???
If your passwords are short, low on symbols and numbers, you need a password manager.
If you're interested in more on the topic of secure passwords security.org is great and this may be a fun place to start: https://www.security.org/how-secure-is-my-password/
You may also find this chart illuminating:
How to get started with Bitwarden
Go to: https://bitwarden.com/download/ create an account, install, get started!
I’m not going to write up a walkthrough of creating an account, installing BW etc., there’s tons of those out there and this post is already too long. In this section I’ll just share some thoughts on what you can do to start off on the right foot using BW:
Create a really really secure password. Read all the things above on some things to avoid. You would need to run a computer for an incredibly long amount of time to brute force my master password. Jane uses 17 random numbers and symbols she memorized.
But, one of the risks with a PM is that if you forget the master password you have to start all over again and it can be really annoying recovering all your credentials. If you’re concerned about losing your master password, there are numerous tricks people use such as writing it down and keeping it in a lockbox at the bank (don’t write anything like “master password,” just the password!). Some people do the same and keep a copy in their wallet. Etc.
Start slow, but make the transition steadily and completely. As soon as you get Bitwarden setup, put just one account in (you can start with PCF!) and then, if you’re ready to make the transition to a PM, from now on, every time you setup a new account, go to BW and use it to generate the password and save the credentials.
Then, over the next few weeks, work on moving all your accounts over into BW. As you do so, you should also generate new passwords. Next time you login to your bank, open Bitwarden, add the account, then go to the settings menu in your bank and reset the password with one you generate and save in BW.
If you keep using your old system, you may feel compelled to fall on bad habits just for ease. To do this right you should be using a PM for everything, as you integrate it into your life it will become natural.
One of the things I love about BW is that it syncs across all devices and has amazing browser plugins. I 100% recommend installing the plug-in and the phone app. At least on IOS it works really seamlessly to pull open BW when you need to enter credentials.
Bitwarden has a bunch of cool things in it like secure notes, secure sharing of credentials, etc. I think these things are really helpful and encourage everyone to explore them but for now just focus on the basics. Save items in the vault, generate secure passwords, etc.
Feel free to ask any questions and if possible I’d love to help. I benefited a lot from knowledge of others on this and this community has been incredibly welcoming and forthcoming with info so I’m happy to give back how I can.