
Random reminder to use a password manager if you aren't already! It'll help you stay safe online by using long, unique passwords for each service you use.

While LastPass or 1Password are great choices, I prefer KeePassXC.

Official site: keepassxc.org/

Official quick-start guide: keepassxc.org/quickstart/

My getting-started guide: sts10.github.io/2017/06/27/kee

@schlink offline password managers present a harder target if the users are savvy in basic infosec.

Online managers run the risk of being the largest targets to go for.
pcworld.com/article/2936621/th

@schlink Would you suggest this instead of creating long password and saving them with firefox password manager?

@amastodonuser
The Firefox password manager is fine as long as you set a master password. Otherwise it's really bad.
@schlink

More resources:

"Password Managers for Beginners" by Martin Shelton: medium.com/@mshelton/password-

And Wirecutter's write-up on their picks for managers (they like LastPass): thewirecutter.com/reviews/best

@schlink Tell me keepassxc can fill passwords in web login forms and I will switch immediately.

@schlink Another alternative over password managers is deterministic password generators: You just always generate the same password for the same site, but different passwords for different sites. Avoids having to backup a database. Solves the entire syncing problem.

Shameless plug: github.com/Midar/scrypt-pwgen

@js I’ve looked at those. I’m concerned about what you do if there’s a breach on one site. Also, I prefer Diceware passphrases in some contexts.

@schlink Well, if one site gets breached, it doesn't matter much: You have a different password everywhere. If you want to continue using that website and change your password after a breach, you can just give it a different site name, e.g. append a 2 or something. So far, I have only one instance where I actually have a 2 at the end of a site name :).
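The scheme described in the two posts above (same master secret plus site name in, a fixed per-site password out, with a counter appended to the site name to rotate after a breach), written out as an added example. This is not scrypt-pwgen's own code and makes no claim about its alphabet, parameters or encoding; the alphabet, the `site:counter` salt layout, the scrypt cost parameters and the demo master secret are assumptions of this example.

```python
import hashlib
import string

# Output alphabet (an assumption of this example, not scrypt-pwgen's).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive the password for one site from a master secret.

    scrypt(master, salt="site:counter") gives the same output every time for
    the same inputs and an unrelated output for any other site or counter.
    That is what lets a deterministic generator work with no stored database:
    nothing per-site is kept except the (non-secret) counter.
    """
    if length > 64:
        # 64 bytes of scrypt output is only enough to draw ~64 uniform symbols
        # from a 75-character alphabet before bias creeps into the tail.
        raise ValueError("length too large for one scrypt output")
    salt = f"{site}:{counter}".encode()
    # n=2**14, r=8, p=1 (16 MiB) stays under hashlib's default memory limit.
    key = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    # Treat the 512-bit output as one integer and write it in base len(ALPHABET);
    # for 20 symbols (~125 bits) the result is uniform for practical purposes.
    value = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def rotate_after_breach(master: str, site: str, current_counter: int):
    """The 'append a 2' trick as an explicit counter.

    Returns (next_counter, new_password). The old password is not derivable
    from the new one, but the master secret is unchanged, so this only helps
    when the breached site leaked the site password, not the master.
    """
    next_counter = current_counter + 1
    return next_counter, derive_site_password(master, site, next_counter)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo secret
    print("example.com  #1:", derive_site_password(master, "example.com"))
    print("example.org  #1:", derive_site_password(master, "example.org"))
    print("example.com  #2:", rotate_after_breach(master, "example.com", 1))
```

Two things the code makes visible that the post does not: the counter has to be remembered per site (it is the one piece of state the scheme cannot avoid), and every password is a function of the master secret alone, so a weak or phished master secret exposes every site at once, with no database to rotate.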

@schlink Hey, nice pinned toot. Have been using KeePassX for some years now, didn't know there was another fork: KeePassXC.

It seems a little more up-to-date and more active, thanks for bringing it to people's attention!

Can't emphasize enough how indispensable a password manager is nowadays.

@mh8 yeah, I made the move from X to XC after X went 12 months without an update.

XC's been good for me! Hope it works well for you.

@sproid yep, I've definitely been keeping an eye on them. I was kind of waiting for an audit to be completed, which may be soon? Do you use it?

@schlink Yes. I moved from #keepass. I found the sharing feature really handy and it syncs without needing #dropbox or #GDrive, so I don't worry about a 3rd-party service for synchronization.

@sproid right-- easier syncing + easier access on mobile is a big pro for me.

But I think I'm hung-up on the (at least theoretical) loss of security by moving from offline (KeePass) to any online manager... (I know I technically could self-host bitwarden but it looks too intense for me)

@schlink Previously I was using Keepass plugins and that in itself made it less secure. The https, chromepass, 3rd party/community ports for Linux and for Android. See, the risks were increasing so I figure Bitwarden was more streamlined and all apps and browser extensions are from them. They don't have an audit yet but they have a bounty program on HackerOne.

@schlink I think that when a program is really secure, like a password manager, the vulnerabilities and stealing/hacking happen at the service server side, or the browser, or the OS, or a virus in your system, or an extension/plugin/add-on. So IMO trying to make it all offline might as well not use the Internet at all.

@sproid fair.

fwiw I use KeePassXC and I purposefully do not use any browser extensions. Instead I use XC's AutoType feature most of the time, though the disadvantage there is that it would happily autofill credentials on halfway decent phishing pages.

I like your all-one-system-is-better theory though. Can you speak to bitwarden's support of Linux desktop?
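The phishing gap mentioned above comes down to one check: a browser extension can compare the page's real origin against the URL stored with the entry before it fills anything, while a window-title-based AutoType has no origin to compare. Below is that check as an added example (not KeePassXC's or Bitwarden's code; the function names, the match policy and the sample URLs are assumptions of this example). It requires HTTPS, compares the parsed hostname rather than the URL string, and accepts only an exact host or a subdomain of the stored host, which rejects the usual lookalikes.

```python
from urllib.parse import urlsplit


def _hostname(url: str) -> str:
    """Parsed, lower-cased hostname without a trailing dot, or '' if absent.

    Parsing (not string search) is what defeats 'https://good.example@evil.test/':
    the part before '@' is userinfo, and the real host is evil.test.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def _host_matches(entry_host: str, page_host: str) -> bool:
    # Exact host, or a subdomain of the stored host. Requiring a leading "."
    # before the stored host is what stops "good.example.evil.test" and
    # "good-example.test" from matching "good.example".
    return page_host == entry_host or page_host.endswith("." + entry_host)


def should_autofill(entry_url: str, page_url: str) -> bool:
    """Decide whether the credential stored for entry_url may be filled on page_url."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return False  # never hand credentials to a plaintext or non-web page
    entry_host, page_host = _hostname(entry_url), _hostname(page_url)
    if not entry_host or not page_host:
        return False
    return _host_matches(entry_host, page_host)


# Constructed sample of (stored entry URL, page URL) pairs for the demo.
SAMPLES = [
    ("https://good.example/login", "https://good.example/login?next=/"),     # same host
    ("https://good.example/login", "https://accounts.good.example/signin"),  # subdomain
    ("https://good.example/", "https://good.example.evil.test/"),            # suffix lookalike
    ("https://good.example/", "https://good-example.test/"),                 # hyphen lookalike
    ("https://good.example/", "https://good.example@evil.test/"),            # userinfo trick
    ("https://good.example/", "http://good.example/"),                       # plaintext
]

if __name__ == "__main__":
    for entry, page in SAMPLES:
        print(f"{'FILL ' if should_autofill(entry, page) else 'BLOCK'}  {page}")
```

The subdomain rule is a policy choice: it is convenient for sites that log in on `accounts.` or `login.` hosts, but on domains where subdomains belong to different people (shared hosting, user-content domains) it is too permissive, and a stricter exact-host match is the safer default for entries stored on such domains.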

@schlink mostly use the browser extension on Vivaldi browser but the desktop app is written using Electron and Angular and some have a problem with that.

@schlink Also, remember that if you're not using Windows, it's very likely that you either have a built-in password manager or at least some available in your OS's official repositories.

@schlink @slightlyflightyone

Best version of this for Android is KeepassDX, I believe. iOS is either MiniKeepass or Keepass Touch, I think. Any other suggestions, paid or not welcome.

@schlink I've been using Keepass2Android on my phone and Chromebook. KeePassX or KeePassXC is great on the desktop.

Password managers are a must these days.

Another tip: Check which third-party apps have access to your accounts.

- Check third-party access to your Mastodon account: Go to Settings -> Authorized apps

- Check third-party access to your Twitter account twitter.com/settings/applicati

- Check third-party access to your Facebook account facebook.com/settings?tab=appl

- Check third-party access to your Google account: myaccount.google.com/permissio

You should also do Google's Privacy Checkup myaccount.google.com/security-

@schlink
Yep, I use pwsafe and rsync between my OpenBSD laptop and my phone. Mostly used for the pwgorilla app that installs under OpenBSD.

@plasticScript yep, I’ve been keeping an eye on it... open source and cloud-based is a strong combo, and the recent audit’s results seem encouraging! For this general advice toot I wanted to stick to really sure things.

Have you looked into self-hosting bitwarden?

@schlink Totally. I have looked into self-hosting it, but I have just learned about the self-hosting world and am very much a noob in it. However, once I am more experienced I will look into it.
