Great post. Just switched from Free LastPass to paid 1Password, happy with it so far. I know I looked at Bitwarden as well, not sure why I passed on it. But like @FestiveKnight has said, pick one and use it.
Can someone comment on which is better/stronger for a master password - either a random password of letters, numbers, and symbols like this: 4Z!YFYQ4kT+ or a string of random words like this: heliport-seafarer-youthful-wrinkle-engine
Usually 64 or even 128 characters would take trillions of years...500+, now that's flexing it. Usually max is set in forum settings so that is a question for the admin for sure. Longer than that and there are concerns over a long password DoS, Denial of Service Attack.Is there a limit on number of characters? Could someone use a paragraph from one of their favorite books with 500+ characters?
Good write up! Worked in financial institution cybersecurity for years and free Keepass works great. After 20 years of effort we've successfully made passwords harder to remember but easy for computers to guess. (that makes me laugh from the cartoon above). Using a long pass phrase will be better than complexity, even if relying on simpler words and no special characters, it will take longer to crack and require more computational resources than a shorter one with special characters and numbers. Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password.
View attachment 836432
View attachment 836435
Did I just guess anyone's password?
Rate limiting can be implemented, or already is.Usually 64 or even 128 characters would take trillions of years...500+, now that's flexing it. Usually max is set in forum settings so that is a question for the admin for sure. Longer than that and there are concerns over a long password DoS, Denial of Service Attack.
Sow, Peepel hoo spel badlee hav gud parsswerdz? Good point on dictionary, some testers do that too). I'm no mathematician, but it would still take nation-state resources to crack even a long enough spelled correctly sentence (5 words or more) as long as it wasn't a common phrase or quote (more random the better). Not advocating the not mispelling or special characters as that is just another layer, but the point is length should be most important (5 words should be sufficient). Most 'dictionary' attacks are just with lists of the most commonly used/breached passwords (phrases and special characters in all along with special ch@racter $ubstitutions). If you want to know if your password has been breached checkout https://haveibeenpwned.com/Passwords which is the same site other password checkers check against and others (along with the FBI) feed hundreds of millions of common passwords to.Pretty sure this "password strength tester" doesn't take dictionary attacks into account.
Also, while "Paulson" probably doesn't appear in a regular dictionary, if you know that the person's password is from a chip head site, you can add a custom dictionary using milieu terms.
It’s better than nothing but leaves a lot to be desired. One big difference is that Google password manager doesn’t encrypt your passwords unless you change some settings but doing so breaks all the sync features. Because of this, Google could (if they wanted) go read any of your passwords right now. No one at Bitwarden could. (Somewhat a personal risk appetite question, how far do you trust Google?)
Similarly, BW is open source and Google PM is well, owned by Google, there are tons of benefits of open source software (as @Nex mentions above) but this is a big benefit to me of BW or KeePass over other options.
Lastly, BW also has a bunch of great QOL features not present in Google PM:
-customizable password generation
-notes and attachments
-storing items not tied to a website
Yup, one of the reasons I stopped using LP quite a while ago. Several breaches, plus the cost.
NiceI downloaded bitwarden a couple of months ago but couldn't bring myself to set it all up. I finally got around to it, and now feel alot better about managing passwords.
My previous method was only working about 80% of time, which was to forward an email to myself and move it to a special folder. Some times it would be there...sometimes not.
I believe I run a relatively simple life but it turns out I put about 80 entries in it!!!
Overall I'm thinking we are better off now.