• Mic_Check_One_Two@reddthat.com · ↑6 · 2 days ago

    This feels a little too tinfoil-hat for me. The reality is that one strong password is going to be more secure than 50 weak passwords. If you use something like a passphrase with 30+ characters, cracking it with today’s methods will take longer than the heat death of the universe. Yes, it means all of your eggs are in one basket. But that’s why it’s important that basket is protected like Fort Knox.
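To put numbers on the "one strong passphrase versus many weak passwords" argument, here is an added example (not from the thread or any project) that estimates entropy, expected crack time and compromise probability under a stated attacker model. The 1e12 guesses/s rate, the ~30-bit figure for a human-chosen password and the 1e8 guesses-per-account budget are constructed assumptions; the real rate depends on how the target site hashes passwords.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed assumptions for the estimate, not figures from the thread: an offline attacker
// holding a leaked hash, guessing at 1e12/s (a large GPU rig against a fast hash such as
// unsalted SHA-1). Against Argon2id or PBKDF2 at sane work factors the rate is orders of
// magnitude lower, so these numbers favour the attacker.
const (
	guessesPerSecond = 1e12
	secondsPerYear   = 365.25 * 24 * 3600
)

// EntropyBits is the entropy of a secret made of count independent, uniformly random picks
// from an alphabet of the given size: 7776 for a diceware word, 95 for printable ASCII.
// A human-chosen password has far less than this; ~30 bits is a common working estimate.
func EntropyBits(alphabet float64, count int) float64 {
	return float64(count) * math.Log2(alphabet)
}

// ExpectedCrackYears is the mean time to find a secret of that entropy by exhaustive
// guessing at the assumed rate: half the keyspace on average.
func ExpectedCrackYears(bits float64) float64 {
	return math.Exp2(bits-1) / guessesPerSecond / secondsPerYear
}

// CompromiseProbability is the chance one secret falls to an attacker who spends
// `guesses` attempts on it, capped at certainty.
func CompromiseProbability(bits, guesses float64) float64 {
	return math.Min(1, guesses/math.Exp2(bits))
}

// AnyOfNCompromised models the "50 weak passwords" case: n independent accounts, each
// attacked with the same budget; the attacker wins if any one of them falls.
func AnyOfNCompromised(bits, guesses float64, n int) float64 {
	p := CompromiseProbability(bits, guesses)
	return 1 - math.Pow(1-p, float64(n))
}

func main() {
	const budget = 1e8 // guesses spent per account: a tenth of a millisecond at the assumed rate
	cases := []struct {
		label    string
		bits     float64
		accounts int
	}{
		{"one human-chosen password (~30 bits)", 30, 1},
		{"50 distinct human-chosen passwords", 30, 50},
		{"one 6-word diceware passphrase", EntropyBits(7776, 6), 1},
		{"one 30-char random printable-ASCII password", EntropyBits(95, 30), 1},
	}
	for _, c := range cases {
		fmt.Printf("%-45s %6.1f bits  mean crack time %9.3g years  P(any falls) %.2g\n",
			c.label, c.bits, ExpectedCrackYears(c.bits), AnyOfNCompromised(c.bits, budget, c.accounts))
	}
}
```

Under these assumptions a single ~30-bit password falls to a 1e8-guess budget about 9% of the time, fifty of them fall with near certainty, and the six-word passphrase (about 77.5 bits) is effectively out of reach at any realistic budget; the model treats the secrets as uniformly random, so it overstates the strength of anything a human picked by hand.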

    • sugar_in_your_tea@sh.itjust.works · ↑4 · 1 day ago

      And change the master password every year or two, which likely also upgrades the key used to encrypt your secrets. Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.
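Whether a master password change also changes the key protecting the entries depends on the vault's key hierarchy. The following is an added example, not code from Bitwarden, KeePass or any other manager, of the common design: the master password is stretched into a key-encryption key (KEK), the KEK wraps a random vault key, and each entry is encrypted under the vault key. Changing the master password can then either re-wrap the existing vault key (entries untouched) or also rotate the vault key and re-encrypt every entry; the example shows both paths. The PBKDF2 iteration counts, the AES-256-GCM choice, the type and function names and all sample values are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// pbkdf2SHA256 is one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018 with dkLen = hLen), written
// out so the example needs only the standard library. Real vaults prefer Argon2id.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Vault is the stored state, i.e. everything an attacker who steals the file gets.
type Vault struct {
	Salt       []byte            // KDF salt for the master password
	Iterations int               // KDF work factor
	WrappedKey []byte            // random vault key, AES-256-GCM encrypted under the KEK
	Secrets    map[string][]byte // entries, each AES-256-GCM encrypted under the vault key
}

// must panics on the only errors below: CSPRNG failure or a bad key length, neither recoverable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce || ciphertext || tag; aad ties the blob to its purpose or entry name.
func seal(key, plaintext []byte, aad string) []byte {
	nonce := random(12)
	return aead(key).Seal(nonce, nonce, plaintext, []byte(aad))
}

func open(key, box []byte, aad string) ([]byte, error) {
	if len(box) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, box[:12], box[12:], []byte(aad))
}

// rewrap derives a KEK from the master password under a fresh salt and wraps the vault key.
func (v *Vault) rewrap(master, vaultKey []byte, iters int) {
	v.Salt, v.Iterations = random(16), iters
	v.WrappedKey = seal(pbkdf2SHA256(master, v.Salt, iters), vaultKey, "vault-key")
}

func NewVault(master []byte, iters int) *Vault {
	v := &Vault{Secrets: map[string][]byte{}}
	v.rewrap(master, random(32), iters)
	return v
}

// Unlock recovers the vault key; a wrong master password fails GCM authentication.
func (v *Vault) Unlock(master []byte) ([]byte, error) {
	return open(pbkdf2SHA256(master, v.Salt, v.Iterations), v.WrappedKey, "vault-key")
}

func (v *Vault) Put(vaultKey []byte, name string, secret []byte) { v.Secrets[name] = seal(vaultKey, secret, name) }

func (v *Vault) Get(vaultKey []byte, name string) ([]byte, error) { return open(vaultKey, v.Secrets[name], name) }

// ChangeMasterPassword re-wraps the vault key under the new password and work factor, leaving
// stored entries untouched. With rotateVaultKey it also mints a new vault key and re-encrypts
// every entry, which is what retiring a possibly leaked vault key takes. Nothing is committed
// until every step has succeeded.
func (v *Vault) ChangeMasterPassword(oldMaster, newMaster []byte, newIters int, rotateVaultKey bool) error {
	vaultKey, err := v.Unlock(oldMaster)
	if err != nil {
		return fmt.Errorf("old master password rejected: %w", err)
	}
	secrets := v.Secrets
	if rotateVaultKey {
		newKey := random(32)
		secrets = make(map[string][]byte, len(v.Secrets))
		for name := range v.Secrets {
			pt, err := v.Get(vaultKey, name)
			if err != nil {
				return fmt.Errorf("entry %q is corrupt: %w", name, err)
			}
			secrets[name] = seal(newKey, pt, name)
		}
		vaultKey = newKey
	}
	v.Secrets = secrets
	v.rewrap(newMaster, vaultKey, newIters)
	return nil
}

func main() {
	master := []byte("correct horse battery staple") // constructed demo passphrase
	v := NewVault(master, 100_000)
	v.Put(must(v.Unlock(master)), "example.com", []byte("hunter2")) // constructed sample entry
	must(0, v.ChangeMasterPassword(master, []byte("a new long passphrase"), 200_000, true))
	key := must(v.Unlock([]byte("a new long passphrase")))
	fmt.Printf("entry after rotation: %s\n", must(v.Get(key, "example.com")))
}
```

The distinction matters for the "all eggs in one basket" worry: a plain re-wrap protects against someone who only has the vault file and the old master password, but if the vault key itself was ever captured from an unlocked session, every entry stays decryptable with it until the key is rotated and the entries re-encrypted.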

        • Mic_Check_One_Two@reddthat.com · ↑4 · 1 day ago

        Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.

        Exactly. Without a password manager, every single service you reuse your password on is a security risk, because any one of them will compromise the rest. And it has repeatedly been demonstrated that even large software companies don’t follow best practices regarding passwords. So any one of them being compromised is a risk. With a password manager, as long as it is properly encrypted and secured with a strong master password, the only point of attack will be your master password.

        It’s less about keeping all your eggs in one basket, and more about reducing attack vectors that hackers have access to. With reused passwords, every single individual service is a potential vector of attack.

          • Mic_Check_One_Two@reddthat.com · ↑2 · 1 day ago

            Several of the larger password managers have started requiring MFA on new accounts. Bitwarden, for example, now requires at least an email verification. They encourage you to use other MFA methods instead, like an Authenticator app. But they at least have the email as a last-ditch “fucking fine, you really don’t want to install an Authenticator app? Here, we’re forcing you to use this as the bare minimum” backup.

    • Saik0A · ↑1 · 2 days ago

      This feels a little too tinfoil-hat for me.

      Nah, a lot of those services are ripe for abuse… The correct answer is to just use your own… keepass for “offline” on a USB stick type of thing… or host your own vaultwarden.

        • CardiacFlux@lemm.ee · ↑1 · 11 hours ago

        Either way is much safer than using the same password for everything. Same password >> Retail password manager >> self-hosted offline password manager