Random reminder to use a password manager if you aren't already! It'll help you stay safe online by using long, unique passwords for each service you use.
While LastPass or 1Password are great choices, I prefer KeePassXC.
Official site: https://keepassxc.org/
Official quick-start guide: https://keepassxc.org/quickstart/
My getting-started guide: https://sts10.github.io/2017/06/27/keepassxc-setup-guide.html
@schlink offline password managers present a harder target if the users are savvy in basic infosec.
Online managers run the risk of being the largest targets to go for.
@schlink At least LastPass has good practices.
@schlink Would you suggest this instead of creating long passwords and saving them with the Firefox password manager?
"Password Managers for Beginners" by Martin Shelton: https://medium.com/@mshelton/password-managers-for-beginners-d1f49866f80f
And Wirecutter's write-up on their picks for managers (they like LastPass): https://thewirecutter.com/reviews/best-password-managers/
@schlink Tell me keepassxc can fill passwords in web login forms and I will switch immediately.
@schlink Another alternative to password managers is deterministic password generators: You just always generate the same password for the same site, but different passwords for different sites. Avoids having to back up a database. Solves the entire syncing problem.
Shameless plug: https://github.com/Midar/scrypt-pwgen
@js I’ve looked at those. I’m concerned about what you do if there’s a breach on one site. Also, I prefer diceware passphrases in some contexts.
@schlink Well, if one site gets breached, it doesn't matter much: You have a different password everywhere. If you want to continue using that website and change your password after a breach, you can just give it a different site name, e.g. append a 2 or something. So far, I have only one instance where I actually have a 2 at the end of a site name :).
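As an added illustration of the scheme described in the two posts above (this is example code, not the scrypt-pwgen project's own): a master passphrase and a site name go through scrypt, and the "append a 2" rotation after a breach is just a different site label. The master passphrase, site names and scrypt parameters here are constructed sample values.

```python
import hashlib
import string

# 64 symbols so that byte % 64 maps uniformly (256 is divisible by 64)
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64

# scrypt cost parameters (assumed values): n must be a power of two;
# memory use is 128 * r * n bytes, i.e. 16 MiB here
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def site_label(site: str, generation: int = 1) -> str:
    """Normalise the site name; generation 2, 3, ... appends the number,
    exactly the 'append a 2' rotation trick from the thread."""
    label = site.strip().lower()
    return label if generation == 1 else f"{label}{generation}"


def derive_site_password(master: str, site: str, generation: int = 1,
                         length: int = 20) -> str:
    """Deterministically derive a per-site password as scrypt(master, salt=site label).

    Identical inputs always give the identical password; any change to the label
    (other site, bumped generation) gives an unrelated one, so nothing has to be
    stored or synced. A new generation is what you use after that site is breached.
    """
    if length < 1 or length > 64:
        raise ValueError("length must be between 1 and 64")
    salt = site_label(site, generation).encode("utf-8")
    key = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=length)
    return "".join(ALPHABET[b % 64] for b in key)


if __name__ == "__main__":
    # constructed sample values, not real credentials
    master = "correct horse battery staple"
    print(derive_site_password(master, "example.com"))
    print(derive_site_password(master, "example.com", generation=2))  # after a breach
```

The trade-off the thread touches on shows up directly: you must remember which sites are on generation 2, and a site-specific password policy (required symbols, length limits) needs extra parameters that also have to be remembered.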
@schlink Hey, nice pinned toot. Have been using KeePassX for some years now, didn't know there was another fork: KeePassXC.
It seems a little more up-to-date and more active, thanks for bringing it to people's attention!
Can't emphasize enough how indispensable a password manager is nowadays.
@mh8 yeah, I made the move from X to XC after X went 12 months without an update.
XC's been good for me! Hope it works well for you.
@sproid yep, I've definitely been keeping an eye on them. I was kind of waiting for an audit to be completed, which may be soon? Do you use it?
@sproid right-- easier syncing + easier access on mobile is a big pro for me.
But I think I'm hung up on the (at least theoretical) loss of security by moving from offline (KeePass) to any online manager... (I know I technically could self-host Bitwarden but it looks too intense for me)
@schlink Previously I was using Keepass plugins and that in itself made it less secure. The https, chromepass, 3rd party/community ports for Linux and for Android. See, the risks were increasing so I figure Bitwarden was more streamlined and all apps and browser extensions are from them. They don't have an audit yet but they have a bounty program on HackerOne.
@schlink I think that when a program is really secure like a password manager, the vulnerabilities and stealing/hacking happen at the service server side, or the browser, or the OS, or a virus in your system, or an extension/plugin/add-on. So IMO trying to make it all offline might as well not use the Internet at all.
fwiw I use KeePassXC and I purposefully do not use any browser extensions. Instead I use XC's AutoType feature most of the time, though the disadvantage there is that it would happily autofill credentials on halfway decent phishing pages.
I like your all-one-system-is-better theory though. Can you speak to bitwarden's support of Linux desktop?
@schlink mostly use the browser extension on Vivaldi browser but the desktop app is written using Electron and Angular and some have a problem with that.
@schlink Also, remember that if you're not using Windows, it's very likely that you either have a built-in password manager or at least some available in your OS's official repositories.
@schlink I've been using Keepass2Android on my phone and Chromebook. KeePassX or KeePassXC is great on the desktop.
Password managers are a must these days.
Another tip: Check which third-party apps have access to your accounts.
- Check third-party access to your Mastodon account: Go to Settings -> Authorized apps
- Check third-party access to your Twitter account https://twitter.com/settings/applications
- Check third-party access to your Facebook account https://www.facebook.com/settings?tab=applications
- Check third-party access to your Google account: https://myaccount.google.com/permissions
You should also do Google's Privacy Checkup https://myaccount.google.com/security-checkup
Yep, I use pwsafe and rsync between my OpenBSD laptop and my phone. Mostly used for the pwgorilla app that installs under OpenBSD.
@schlink Bitwarden is a good option as well
@plasticScript yep, I’ve been keeping an eye on it... open source and cloud-based is a strong combo, and the recent audit’s results seem encouraging! For this general advice toot I wanted to stick to really sure things.
Have you looked into self-hosting bitwarden?
@schlink Totally. I have looked into self-hosting it, but I have just learned about the self-hosting world and am very much a noob in it. However, once I am more experienced I will look into it.