I was gonna ask about the biometrics part in a separate question, but it’s both about security, so might as well combine it in one post.

Okay so I don’t use password managers. I just try to make easy to remember passwords: 3-4 random words + 3-4 random numbers. Online accounts can’t be brute forced anyways. For offline accounts, I just increase the words and numbers. For mobile I don’t use biometrics, although I’ve been testing whether or not I want a PIN + no biometrics or alphanumeric password + biometrics. I just can’t decide.
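An added example (not part of the original post) that puts numbers on the "random words + random digits" scheme and on the "increase the words for offline accounts" rule. It assumes the words are drawn uniformly by a CSPRNG from a 7776-word diceware-style list; the 16-word list embedded here is a constructed sample, and words a person picks by hand carry less entropy than these estimates.

```python
import math
import secrets
import string

# Constructed sample list for the demo; the estimates below assume a 7776-word list.
SAMPLE_WORDS = ["anchor", "birch", "copper", "dune", "ember", "fjord", "gravel",
                "harbor", "iris", "juniper", "kettle", "lantern", "meadow",
                "nickel", "orchid", "pebble"]
DICEWARE_SIZE = 7776          # assumption: size of the real word list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def passphrase(words, n_words, n_digits):
    """Draw words and digits with the OS CSPRNG, never with random.choice()."""
    parts = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return "-".join(parts) + digits


def passphrase_bits(list_size, n_words, n_digits):
    """Entropy in bits when every word and digit is chosen uniformly at random."""
    return n_words * math.log2(list_size) + n_digits * math.log2(10)


def random_password_bits(length, alphabet_size=len(PRINTABLE)):
    """Entropy of a manager-style password of uniformly random characters."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size, n_digits):
    """Smallest word count that reaches target_bits for a given digit count."""
    remaining = max(0.0, target_bits - n_digits * math.log2(10))
    return math.ceil(remaining / math.log2(list_size))


if __name__ == "__main__":
    print("sample:", passphrase(SAMPLE_WORDS, 4, 4))
    for w, d in [(3, 3), (4, 4)]:
        print(f"{w} words + {d} digits: {passphrase_bits(DICEWARE_SIZE, w, d):.1f} bits")
    print(f"20 random printable chars: {random_password_bits(20):.1f} bits")
    print("words for 80 bits with 4 digits:", words_needed(80, DICEWARE_SIZE, 4))
```
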

  • LetMeEatCake@lemmy.ml
    1 year ago

    This may be a dumb question and I see here as well as elsewhere that a password manager is the best option. What makes a password manager safer than managing passwords yourself? I see the efficiency and ease of use aspects, but I’m less clear on the security portion. Thank you!

    • frustbox@lemmy.ml
      1 year ago

      Several points

      They generate strong passwords - completely random with no scheme or method to guess. They are long and use many different characters. These won’t be easy to memorize, but that’s the point of a password manager, isn’t it? Much stronger than “google-monkey123”, “lemmy-monkey123” etc.

      They generate unique passwords - different passwords for every login. When, inevitably, one website had their database breached and it turns out that they stored the passwords too (you never store the passwords, only a “hash”, a scrambled version of it), that password of yours can’t be used on other websites. Nor can any scheme be detected: “hey that guy just appends ‘monkey123’ to the name of the site!”

      They protect you from phishing - consider this scenario: you get a message with a link, you click on it and the site asks you to log in, so you type in your login and password, but that was a phishing site. It looked like the real website, but really it wasn’t. And now the attacker knows your username and password. A password manager that automatically fills your login details will only do so if the domain name is exactly correct; on a phishing site it will not auto-fill, giving you a moment to stop and think.
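The auto-fill check described in the comment above, as an added example that is not part of the thread or any password manager's own code. It assumes the strictest policy (same scheme, host and port, HTTPS only); real products may match more loosely, and all hostnames are constructed samples on reserved test domains.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, ascii_host, port), or None if no usable host is present."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on garbage ports
    except ValueError:
        return None
    if not host:
        return None
    try:
        # Normalise to the ASCII (punycode) form so a look-alike Unicode
        # letter can never compare equal to the saved ASCII hostname.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    scheme = parts.scheme.lower()
    return (scheme, host, port or DEFAULT_PORTS.get(scheme))


def should_autofill(saved_url, page_url):
    """Fill only on an exact origin match, and never over plain HTTP."""
    saved, page = origin(saved_url), origin(page_url)
    return saved is not None and saved == page and saved[0] == "https"


SAVED = "https://accounts.example.com/login"      # constructed vault entry
PAGES = [                                         # constructed page URLs
    "https://accounts.example.com/login?next=%2F",   # same origin, other path
    "https://ACCOUNTS.example.com:443/",             # same origin, normalised
    "http://accounts.example.com/login",             # scheme downgrade
    "https://accounts.example.com.login.test/",      # real name used as a prefix
    "https://accounts.example.com@login.test/",      # real name in userinfo part
    "https://accounts.ex\u0430mple.com/login",       # Cyrillic 'a' look-alike
]

if __name__ == "__main__":
    for page in PAGES:
        print("FILL " if should_autofill(SAVED, page) else "BLOCK", ascii(page))
```
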

        • frustbox@lemmy.ml
          1 year ago

          That depends on the password manager.

          There are password managers that work on your computer and the data never leaves your hardware. KeePassXC for example. The database is just a file on your computer - you are in charge of backing it up, synchronizing it to your other devices (e.g. phone) etc. The database file is fully encrypted so you could share it with a cloud provider like Google Drive or Dropbox, or you could use Syncthing which synchronizes files between your devices without cloud storage. If you use cloud storage there’s a small risk that the encrypted file gets into the wrong hands (but it is encrypted so it’s most likely worthless to any would-be hacker).

          Some other password managers offer a web service where you can log into a website to see your passwords, and they have mobile apps and browser extensions. These do store your passwords in their cloud - the risk that those get breached is considerably higher. But even there it depends on the implementation details. Bitwarden for example kind of does something similar to KeePass, where your “vault” is encrypted locally and then stored on their servers. Even if they get breached, the data would be useless. LastPass had a breach recently and it turned out that they didn’t encrypt everything - so someone with access to the data could determine some details such as which sites a user had accounts on. And apparently some vaults used a weaker encryption so those might be decrypted eventually.

          And a lot of password managers are closed source so there’s no telling what they may do, just “trust me bro”.

          If I had to give a recommendation it would be Bitwarden - it’s open source, it’s free although there is a paid plan if you need it and want to support them. It’s really easy to use. If you have extreme paranoia (no judgement) then KeePassXC - it’s also open source and free, it’s just a little more effort to set it all up so it doesn’t get my first choice.

          • LetMeEatCake@lemmy.ml
            1 year ago

            Wow—thank you for such a detailed response! This definitely gives me a better idea of the differences and how they work. I’ll give Bitwarden a try. I see it recommended several times in other responses and your detailed description gives me confidence you know what you’re talking about. Thank you again!

        • ∟⊔⊤∦∣≶@lemmy.nz
          1 year ago

          No, or, it shouldn’t be if you’re using a good one. The only way to decrypt your passwords is with your master key. If your master key is safe, then your passwords are too.

    • unknowing8343@discuss.tchncs.de
      1 year ago

      The idea is to use a different password in every different place so if some password gets leaked, they will only be able to harm you there.

      Imagine, if you use the same password for everything, then site A leaks your password and now the bad people could look you up in many other sites and see if they can do some harm there.

      Also not having to remember passwords allows for very obscure passwords that are very hard to brute-force.

      • LetMeEatCake@lemmy.ml
        1 year ago

        Thank you! I asked the other commenter this question as well, but would it be possible for the password to the manager to be breached?

        • unknowing8343@discuss.tchncs.de
          1 year ago

          Of course, but the chances are a lot smaller with unique passwords due to what I explained, and also there’s the fact that a password manager probably handles security way better than your local burger place website.
