You should use a password manager (2 Viewers)

FestiveKnight

Flush
Supporter
Joined
May 7, 2021
Messages
2,177
Reaction score
3,783
Location
United States
In light of account hacking going on and everything being discussed about 2FA and account security, @buffalojim and I mentioned password managers in another thread and I thought I’d do a bit of a write up for those looking to start using one.​

Who this thread is for

Anyone who interacts even remotely with modern society in pretty much any way and doesn’t yet use a password manager (PM).​

@FestiveKnight, this looks like a pretty long post, do I need to read it all?

No, the next few sections are about password managers and theory behind them. If you’re just interested in getting started with Bitwarden, skip down a bunch.​

What is a Password Manager?

At its core, a password manager is simply a software that allows you to store your passwords.​
But that’s only the very very beginning. Well-made password managers usually also have a bunch of other features like:​
  • Password generators
  • Exposed password reports
  • Secure notes
  • Securing sharing of credentials
  • Automatically filling credentials into forms

Why is a password manager important?

There are a bunch of really critical risks you can avoid by using a PM including:​

  • Falling into the habit of repeatedly using the same or a similar password
  • Using a simple password
  • Using a password that has been previously exposed
  • Writing down or storing passwords in a less safe way (pieces of paper, etc)
  • Accidentally typing passwords in the wrong place

How does a password manager work?

In general password managers are built on three main components. More detail on each component is below.​
Note: at this point some of the terms I am going to use may be a bit Bitwarden (BW) specific but only to make it easier for me and as a reader transitions to next sections.​
  1. Master password: you will use a single password to access the password manager. This needs to be complex, long, completely unrelated to anything in your life (no dog names!), and something you absolutely memorize.

  2. Vault: the main section of the software is just a list of accounts you have saved in the tool. Each will have a name, the username on the account, the password, etc.
    My entry for PCF looks like this (in dark mode):
    1640312302428.png


  3. A password generator: a tool to create password that are random combinations of words, letters, numbers, etc. to help you avoid some of the problems mentioned above.
    The Bitwarden password generator:
    1640312343584.png

Why you need generated passwords
In this day an age you may need to access dozens of systems during a week and it’s only natural that you’ll tend towards a bunch of bad habits if you’re memorizing these or not randomly generating them.​
And by bad habits I mean things such as:​

Using words or names that would be easy to guess if someone knew details about your life
anecdote: a friend of mine who is a professional in the cyber security world (we’ll call her Jane) and I were staying at another friend’s grandparent’s house and didn’t know the wifi password. Jane had a tool that could get around routers giving you a problem with repeated failed password and that could guess 1000s of times per minute, but with no direction you could never feasibly brute force anything but the weakest passwords. So she had us walk around and look for any ideas for what they might have based a weak password on. We put in a text file things like family, pet, sports team, and street names. Within 8 minutes her program brute forced the password. It was: <street name><dog name><year they moved>​

People share a ton of personal stuff on here, you should feel safe doing that without potentially compromising your passwords.​
If you create passwords like this, you need a password manager.


Using passwords repeatedly

The risk here should be obvious, if a “bad actor” (someone malicious) figures out your credentials once, they may very well go try to see what else they can get into. Oh, you posted a comment on PCF about how much BofA has been annoying you? Let’s see if your login is the same. Honestly, past the annoyance at @Nanook getting scammed today, I also have been thinking about @Fokker210 and hoping the same scammer didn’t try to brute force other things.​
If you repeatedly use the same password or variants on a theme, you need a password manager.

Using weak passwords that are easy to brute force.

This should be clear from some of the things above, but aside from passwords that are easy to guess from personal details, passwords can also just be weak in general. “Strawberry!pickl3#to4st” is going to be almost impossible for someone to just guess (even with a computer making millions of guesses, see the chart below). “Password123” will be guessed faster than you can blink. Jane (the friend from above) has also showed me these huge databases of the most frequently used passwords or even exposed password lists you can buy. There’s no thought that goes into guessing easy passwords. 1) buy list, 2) use program to guess passwords, 3) profit???​
If your passwords are short, low on symbols and numbers, you need a password manager.

If you're interested in more on the topic of secure passwords security.org is great and this may be a fun place to start: https://www.security.org/how-secure-is-my-password/
You may also find this chart illuminating:​
1640312683943.png

How to get started with Bitwarden

Go to: https://bitwarden.com/download/ create an account, install, get started!​
I’m not going to write up a walkthrough of creating an account, installing BW etc., there’s tons of those out there and this post is already too long. In this section I’ll just share some thoughts on what you can do to start off on the right foot using BW:​
Master password
Create a really really secure password. Read all the things above on some things to avoid. You would need to run a computer for an incredibly long amount of time to brute force my master password. Jane uses 17 random numbers and symbols she memorized.​
But, one of the risks with a PM is that if you forget the master password you have to start all over again and it can be really annoying recovering all your credentials. If you’re concerned about losing your master password, there are numerous tricks people use such as writing it down and keeping it in a lockbox at the bank (don’t write anything like “master password,” just the password!). Some people do the same and keep a copy in their wallet. Etc.​
Getting started
Start slow, but make the transition steadily and completely. As soon as you get Bitwarden setup, put just one account in (you can start with PCF!) and then, if you’re ready to make the transition to a PM, from now on, every time you setup a new account, go to BW and use it to generate the password and save the credentials.​
Then, over the next few weeks, work on moving all your accounts over into BW. As you do so, you should also generate new passwords. Next time you login to your bank, open Bitwarden, add the account, then go to the settings menu in your bank and reset the password with one you generate and save in BW.​
If you keep using your old system, you may feel compelled to fall on bad habits just for ease. To do this right you should be using a PM for everything, as you integrate it into your life it will become natural.​
Accessing Bitwarden:
One of the things I love about BW is that it syncs across all devices and has amazing browser plugins. I 100% recommend installing the plug-in and the phone app. At least on IOS it works really seamlessly to pull open BW when you need to enter credentials.​
Advanced features
Bitwarden has a bunch of cool things in it like secure notes, secure sharing of credentials, etc. I think these things are really helpful and encourage everyone to explore them but for now just focus on the basics. Save items in the vault, generate secure passwords, etc.​
Feel free to ask any questions and if possible I’d love to help. I benefited a lot from knowledge of others on this and this community has been incredibly welcoming and forthcoming with info so I’m happy to give back how I can.​
 
Last edited:
I used 1Password for over a decade but recently moved over to Bitwarden and haven’t looked back. It’s great and works everywhere I need it.
I stopped at 1P v.6 because at v.7 they turned it into a Subscription based license which I can’t stand, but 6 was starting to show its age……so I started looking elsewhere.
So glad I found Bitwarden
Well stated post above too :tup:
 
I’m all in on last pass. I pay for the family membership and have a work account as well. Password managers saved my mental health and probably many accounts. I don’t know passwords anymore!
 
I’m all in on last pass. I pay for the family membership and have a work account as well. Password managers saved my mental health and probably many accounts. I don’t know passwords anymore!
I used LastPass for some years and though it was a great deal when it was $12 a year. Within a couple years the company sold a couple times and the cost skyrocketed up to almost $50 a year. Not to mention they had a security breach and didn't tell their customers for months, maybe longer, until somebody else outed them. I got fed up with their bullshit. I will say though, as a password manager itself, the software is good, but Bitwarden can do just about everything LastPass can do, and it's free. As long as your using a manager and your happy with it is all that really matters. Just something to think about.
 
In light of account hacking going on and everything being discussed about 2FA and account security, @buffalojim and I mentioned password managers in another thread and I thought I’d do a bit of a write up for those looking to start using one.​

Who this thread is for

Anyone who interacts even remotely with modern society in pretty much any way and doesn’t yet use a password manager (PM).​

@FestiveKnight, this looks like a pretty long post, do I need to read it all?

No, the next few sections are about password managers and theory behind them. If you’re just interested in getting started with Bitwarden, skip down a bunch.​

What is a Password Manager?

At its core, a password manager is simply a software that allows you to store your passwords.​
But that’s only the very very beginning. Well-made password managers usually also have a bunch of other features like:​
  • Password generators
  • Exposed password reports
  • Secure notes
  • Securing sharing of credentials
  • Automatically filling credentials into forms

Why is a password manager important?

There are a bunch of really critical risks you can avoid by using a PM including:​

  • Falling into the habit of repeatedly using the same or a similar password
  • Using a simple password
  • Using a password that has been previously exposed
  • Writing down or storing passwords in a less safe way (pieces of paper, etc)
  • Accidentally typing passwords in the wrong place

How does a password manager work?

In general password managers are built on three main components. More detail on each component is below.​
Note: at this point some of the terms I am going to use may be a bit Bitwarden (BW) specific but only to make it easier for me and as a reader transitions to next sections.​
  1. Master password: you will use a single password to access the password manager. This needs to be complex, long, completely unrelated to anything in your life (no dog names!), and something you absolutely memorize.

  2. Vault: the main section of the software is just a list of accounts you have saved in the tool. Each will have a name, the username on the account, the password, etc.
    My entry for PCF looks like this (in dark mode):
    View attachment 834561

  3. A password generator: a tool to create password that are random combinations of words, letters, numbers, etc. to help you avoid some of the problems mentioned above.
    The Bitwarden password generator:
    View attachment 834562

Why you need generated passwords
In this day an age you may need to access dozens of systems during a week and it’s only natural that you’ll tend towards a bunch of bad habits if you’re memorizing these or not randomly generating them.​
And by bad habits I mean things such as:​

Using words or names that would be easy to guess if someone knew details about your life
anecdote: a friend of mine who is a professional in the cyber security world (we’ll call her Jane) and I were staying at another friend’s grandparent’s house and didn’t know the wifi password. Jane had a tool that could get around routers giving you a problem with repeated failed password and that could guess 1000s of times per minute, but with no direction you could never feasibly brute force anything but the weakest passwords. So she had us walk around and look for any ideas for what they might have based a weak password on. We put in a text file things like family, pet, sports team, and street names. Within 8 minutes her program brute forced the password. It was: <street name><dog name><year they moved>​

People share a ton of personal stuff on here, you should feel safe doing that without potentially compromising your passwords.​
If you create passwords like this, you need a password manager.


Using passwords repeatedly

The risk here should be obvious, if a “bad actor” (someone malicious) figures out your credentials once, they may very well go try to see what else they can get into. Oh, you posted a comment on PCF about how much BofA has been annoying you? Let’s see if your login is the same. Honestly, past the annoyance at @Nanook getting scammed today, I also have been thinking about @Fokker210 and hoping the same scammer didn’t try to brute force other things.​
If you repeatedly use the same password or variants on a theme, you need a password manager.

Using weak passwords that are easy to brute force.

This should be clear from some of the things above, but aside from passwords that are easy to guess from personal details, passwords can also just be weak in general. “Strawberry!pickl3#to4st” is going to be almost impossible for someone to just guess (even with a computer making millions of guesses, see the chart below). “Password123” will be guessed faster than you can blink. Jane (the friend from above) has also showed me these huge databases of the most frequently used passwords or even exposed password lists you can buy. There’s no thought that goes into guessing easy passwords. 1) buy list, 2) use program to guess passwords, 3) profit???​
If your passwords are short, low on symbols and numbers, you need a password manager.

If you're interested in more on the topic of secure passwords security.org is great and this may be a fun place to start: https://www.security.org/how-secure-is-my-password/
You may also find this chart illuminating:​

How to get started with Bitwarden

Go to: https://bitwarden.com/download/ create an account, install, get started!​
I’m not going to write up a walkthrough of creating an account, installing BW etc., there’s tons of those out there and this post is already too long. In this section I’ll just share some thoughts on what you can do to start off on the right foot using BW:​
Master password
Create a really really secure password. Read all the things above on some things to avoid. You would need to run a computer for an incredibly long amount of time to brute force my master password. Jane uses 17 random numbers and symbols she memorized.​
But, one of the risks with a PM is that if you forget the master password you have to start all over again and it can be really annoying recovering all your credentials. If you’re concerned about losing your master password, there are numerous tricks people use such as writing it down and keeping it in a lockbox at the bank (don’t write anything like “master password,” just the password!). Some people do the same and keep a copy in their wallet. Etc.​
Getting started
Start slow, but make the transition steadily and completely. As soon as you get Bitwarden setup, put just one account in (you can start with PCF!) and then, if you’re ready to make the transition to a PM, from now on, every time you setup a new account, go to BW and use it to generate the password and save the credentials.​
Then, over the next few weeks, work on moving all your accounts over into BW. As you do so, you should also generate new passwords. Next time you login to your bank, open Bitwarden, add the account, then go to the settings menu in your bank and reset the password with one you generate and save in BW.​
If you keep using your old system, you may feel compelled to fall on bad habits just for ease. To do this right you should be using a PM for everything, as you integrate it into your life it will become natural.​
Accessing Bitwarden:
One of the things I love about BW is that it syncs across all devices and has amazing browser plugins. I 100% recommend installing the plug-in and the phone app. At least on IOS it works really seamlessly to pull open BW when you need to enter credentials.​
Advanced features
Bitwarden has a bunch of cool things in it like secure notes, secure sharing of credentials, etc. I think these things are really helpful and encourage everyone to explore them but for now just focus on the basics. Save items in the vault, generate secure passwords, etc.​
Feel free to ask any questions and if possible I’d love to help. I benefited a lot from knowledge of others on this and this community has been incredibly welcoming and forthcoming with info so I’m happy to give back how I can.​
I just also wanted to say that this is very well written and clear. Thank you for going through the process of writing this. The transition seems daunting at first but once you actually use it every day and get the hang of it you'll wonder how you ever went without it.
 
Question - Is the google chrome password manager an acceptable alternativ?
 
Question: Wouldn’t Bitwarden be a natural target for hackers? Hack that database, get everyone’s passwords at once?
 
Question: Wouldn’t Bitwarden be a natural target for hackers? Hack that database, get everyone’s passwords at once?
It is. The key there is responsible encryption. If the software is written simply and the encryption is strong it's almost (but not entirely) secure from hack. In the case of a password manager, their database should be encrypted, and then your vault is also encrypted with your master password. Again, not impossible to hack but very difficult.
 
I went to haveibeenpwned.com and saw that my credentials had been compromised a few different mass hacks throughout the years. I was basically using a variation of the same password on every site, was lucky nothing ever happened.

I started using bitwarden about 18 months ago and haven't looked back.
 
I need to add one thing to that "how long does it take to bruteforce a password" chart.

Unless someone is specifically targeting YOU as an individual (which is rare), no hacker is going to waste more than a minute or so of compute time to try and bruteforce YOUR password, and even that is generous.

Usually hackers get a hashed version of the passwords of a shitload of people at once when some website gets hacked. "Hashed" means one-way-encrypted - you can not directly compute the original text from the hash; the only thing you can do is guess a password, then hash it using the same algorithm, and compare the result to what you got from the hack.

People have precomputed hashes for any given string of characters up to I don't know how many characters already, and in the past used those to speed up the process of mass-bruteforcing passwords. But this strategy has been countered already. If the site you have an account with is at least halfway up-to-date with password security measures, they will use a so-called "salt": They generate a long random string of characters, a different one for every account, and will append that to your password before they hash and save it. They of course need to save the salt in clear text right next to your password hash, so since that part will be known to an attacker it does not effectively lengthen your password - but it makes these databases of precomputed hashes I mentioned before unfeasible because the passwords plus the respective salt are way too long.

What they will do is try a different type of bruteforcing: only testing the most common insecure passwords like "123456" and "password" and common variations of these, but this they do for ALL the accounts. If they have the data from millions of accounts, there will always be a good load of them that can be cracked that way. They will then try the same found combinations of username or email plus the password on other popular sites where they can make money with abusing that information, e.g. online shopping, payment services, banking etc. and the likes.

So yeah, do use a completely different password for each site. That alone will already strongly limit the fallout from a data breach, even if the passwords you use aren't that long or complicated.

I'd recommend going for an open source password manager like KeePass instead of a commercial software. There's many ways you can fuck up implementing encryption as a software developer and not notice it, and since the source code of commercial software usually isn't freely available, the only people who review the code will be the company's employees and those don't necessarily notice these hard-to-see errors. Open-source software however can be reviewed by anyone, and particularly the more popular stuff is reviewed thoroughly by all kinds of people - including encryption professionals. It's not a guarantee, but strongly favors open source. There's also mobile apps out there that can open and manipulate Keepass databases.

I would also NOT recommend using any kind of service to sync your password database where the data gets transferred over the internet, or even worse, stored "in the cloud". That creates a super high value target for hackers. Only sync using offline methods, i.e. transferring the data using portable storage media or an USB cable or the likes. It is more tedious than using such a fancy service, but you massively compromise security if you use them.
 
Question - Is the google chrome password manager an acceptable alternativ?

It’s better than nothing but leaves a lot to be desired. One big difference is that Google password manager doesn’t encrypt your passwords unless you change some settings but doing so breaks all the sync features. Because of this, Google could (if they wanted) go read any of your passwords right now. No one at Bitwarden could. (Somewhat a personal risk appetite question, how far do you trust Google?)

Similarly, BW is open source and Google PM is well, owned by Google, there are tons of benefits of open source software (as @Nex mentions above) but this is a big benefit to me of BW or KeePass over other options.

Lastly, BW also has a bunch of great QOL features not present in Google PM:

-customizable password generation
-notes and attachments
-storing items not tied to a website
 
  • Like
Reactions: JWC
Sorry that one became another long post lol, I convinced my mom to switch from Google PM to BW last year so I was ready for this one
 
Question: Wouldn’t Bitwarden be a natural target for hackers? Hack that database, get everyone’s passwords at once?
Nope, everything stored on Bitwarden’s servers is encrypted, there’s nothing there to get without individual peoples’ master passwords.

For more: https://bitwarden.com/help/article/what-encryption-is-used/

Now in your personal life it does become a risk that if someone knows that master password they know everything but I think that’s a risk you take with most other methods (a notebook of passwords or repeated passwords are similar risk)
 
Even if the stuff is stored there in encrypted form, it is still a super high value target for hackers. Crack one master password, get access to tons of accounts at once. And people are lazy. Many use super weak passwords as the master password for their database. But even if the password is a bit stronger, it can be a value investment for hackers to try and bruteforce it.

Simply don't use such online services. Password database leaving your own hardware which is fully under your control = no bueno.
 
Safari has it built it.

I’ve used a non-subscription version of 1Password forever, and it works like a champ- save for the 2FA friction on this site that I’m hoping will be fixed.
 
Even if the stuff is stored there in encrypted form, it is still a super high value target for hackers. Crack one master password, get access to tons of accounts at once. And people are lazy. Many use super weak passwords as the master password for their database. But even if the password is a bit stronger, it can be a value investment for hackers to try and bruteforce it.

Simply don't use such online services. Password database leaving your own hardware which is fully under your control = no bueno.

Disclaimer: I’m certainly no cyber security professional, so take anything I say with a grain of salt (though I have tried to educate myself a lot on this topic).


Everyone has their own risk appetite and you have to find the balance that works right for you. In a vacuum/theory you’re completely correct, but in my opinion, for most people, the small marginal amount of confidentiality you gain by avoiding cloud-based password managers is not worth the much larger loss to availability such a decision incurs.

I don’t think anyone should allow themselves to be exposed to the risks created by not using a password manager at all.

I think from there it’s personal decision about the trade-offs of different platforms and potential risks incurred. I personally have chosen to trust the cloud components of BW because I know the desktop-only aspect of KeePass would create a significant barrier to me being able to consistently use a password manager.

What do you think about potential behavior issues from people not using KeePass as religiously as Bitwarden because it lacks so much ease of use?
 
Safari has it built it.

I’ve used a non-subscription version of 1Password forever, and it works like a champ- save for the 2FA friction on this site that I’m hoping will be fixed.
1Password is also a great option. Safari/Keychain is going to suffer from a lot of the same issues I pointed out above about Chrome.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account and join our community. It's easy!

Log in

Already have an account? Log in here.

Back
Top Bottom