Why is Cloudflare monitoring/recording our passwords on the sites they are supposed to be protecting?
Because Cloudflare users enable the feature?
It’s literally opt-in.
Gross
Oh no, a toggle switch! Whatever will we do?!
Indeed… And from the eyes of a potential service who’s looking at this feature.
“Ew, a toggle that could potentially save me from liability because they’ll detect shitty passwords when I don’t have the manpower/developer time to implement that check in my server itself! Or pay for access to HIBP/other service for millions of requests a month.”…
This is low hanging fruit… And while I’m not the biggest fan of Cloudflare (I do use it only because it’s the “best option” I have for what I need). This isn’t it… This isn’t what you get mad about. Checking and disabling known compromised passwords is literally best practice… While this isn’t the “best” implementation. It is one that gets us closer to best practice with minimal effort, which means it’s more likely to actually be implemented. High barrier security features are simply ones that will never get implemented. Does this have it’s own risk? Sure… But I’d rather a known risk with a well known company that can be actively sued should they fail, vs “anonymous” who can dox, steal, harass, etc… with virtually no repercussion.
While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible. And some of these password managers seem shady themselves. And if said manager needs a password that means someone only needs the one password which puts us back at square one.
These days I’ve resorted to physically writing my passwords down because I straight up don’t trust anything that connects to the internet anymore for this kind of information. Like some lame puzzle in a video game where you have to look around the room for the password. But it still feels safer than anything that’s connected to the internet.
How about KeePass then? It’s an encrypted local database file you can sync/backup how and where you want. There are clients to open/edit it for Android, Linux and even Windows. The Android version can use fingerprint, if your phone has this hardware.
My main issue is that it doesn’t solve the “borrowing someone’s computer” problem. With a hosted password manager, you can login to an online vault to get your passwords, but that’s not an option with keepass.
That’s a pretty rare use case though, but it is something I run into periodically.
that’s a bit risky. the foreign computer could capture passwords.
however, in that use case, you could either display the password on the phone and manually enter it or use a portable keepass on a usb stick
Linux: How to run: https://docs.appimage.org/introduction/quickstart.html#ref-how-to-run-appimage Download: https://keepassxc.org/download/#linux
Windows only: https://keepass.info/help/v2/setup.html#portable
It’s absolutely risky, but sometimes the risk is low enough that it makes sense, like you’re at a relative’s house and setting up access to some self hosted stuff. I use it sometimes on a new install/work computer where I don’t want to set up the password manager long term.
The USB drive works in all those cases, but I rarely bring USB drives with me, especially since I only need to access it like 1-2x/year.
This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could login to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.
That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me for what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who is running splunk locally, feed all my logs into it and have dashboards setup (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.
I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:
While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible.
The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20 character, random string of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if you password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That’s bad, m’kay.
BitWarden
Yeah, the level of effort required is extremely low, and it’s really nice for things like sharing passwords with an SO for things where separate logins don’t work.
So yeah, I use Bitwarden. I plan to self-host soon (vaultwarden), I’m just figuring out how password sharing works before I go and switch my SO’s stuff over. But it’s audited, FOSS, and generally the dev makes decent decisions (though I hate the new UX overhaul).
I self-host a bunch of stuff too. I am transitioning from Nextcloud to OwnCloud Infinite Scale now that I posixfs is in experimental status (I only use file hosting from Nextcloud anyway). However, my password manager has been very far down the list for me, because the level of effort required exceeds the value I’d get from it, especially compared to other things I can set up.
The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are.
Exactly. Use literally any password manager that uses MFA, and set up MFA (Google Authenticator works, I personally use Aegis). I also recommend BitWarden, but there are several decent options available.
The most important thing for them to know is that passwords should be different between services, and you can and should automate that.
I use lastpass and have my vault on my phone.
But I have a hard time using someone else’s browser these days . … too many custom plugins.
This feels a little too tinfoil-hat for me. The reality is that one strong password is going to be more secure than 50 weak passwords. If you use something like a passphrase with 30+ characters, cracking it with today’s methods will take longer than the heat death of the universe. Yes, it means all of your eggs are in one basket. But that’s why it’s important that basket is protected like Fort Knox.
And change the master password every year or two, which likely also upgrades the key used to encrypt your secrets. Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.
Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.
Exactly. Without a password manager, every single service you have reuses your password on is a security risk, because any one of them will compromise the rest. And it has repeatedly been demonstrated that even large software companies don’t follow best practices regarding passwords. So any one of them being compromised is a risk. With a password manager, as long as it is properly encrypted and secured with a strong master password, the only point of attack will be your master password.
It’s less about keeping all your eggs in one basket, and more about reducing attack vectors that hackers have access to. With reused passwords, every single individual service is a potential vector of attack.
And do yourself a favor and get MFA on that password manager. That dramatically increases the skill level needed to hack your master pass.
Several of the larger password managers have started requiring MFA on new accounts. Bitwarden, for example, now requires at least an email verification. They encourage you to use other MFA methods instead, like an Authenticator app. But they at least have the email as a last-ditch “fucking fine, you really don’t want to install an Authenticator app? Here, we’re forcing you to use this as the bare minimum” backup.
And that’s how it should be. In fact, I switched banks to the only one I could find that had MFA, because I value security as an option.
This feels a little too tinfoil-hat for me.
Nah a lot of those services are ripe for abuse… The correct answer is to just use your own… keepass for “offline” on a USB stick type of thing… or host your own vaultwarden.
