It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to log in to accounts but constantly can’t remember which credentials they used, people who store all of their passwords in a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn’t tell you the password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don’t just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They’re not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser’s password storage is better than nothing. Don’t reuse passwords, use long randomly generated ones.

It’s free, it’s convenient, it takes a few minutes to set up, and it’s a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I’m preaching to the choir, but if even one of you decides to use a password manager after this then it’s an easy win.

Please, don’t wait. If you aren’t using a password manager right now, take a few minutes. You’ll thank yourself later.
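The post's closing advice (long, randomly generated passwords, or a passphrase you can actually remember) as an added example that is not part of the original post. It draws from the operating system's CSPRNG through Python's `secrets` module rather than `random`, and computes how many bits of entropy each choice yields. The word list below is a constructed stand-in; the entropy figure for passphrases assumes a real list such as the EFF large list (7,776 words).

```python
"""
Added example, not from the original post: generate a random password or a
diceware-style passphrase with a CSPRNG, and estimate its entropy.
"""
import math
import secrets
import string

# Printable ASCII minus whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list; a real passphrase should draw
# from a list of thousands of words (the EFF large list has 7,776).
SAMPLE_WORDS = [
    "anchor", "bramble", "cobalt", "drizzle", "ember", "fjord",
    "glacier", "harbor", "iguana", "juniper", "kestrel", "lantern",
]


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters; secrets.choice is unbiased and
    backed by os.urandom, unlike random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list[str], count: int = 6, sep: str = "-") -> str:
    """Words chosen independently and uniformly, with replacement.
    Repeats are allowed: forbidding them would reduce entropy slightly."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options.
    This is a property of the generation process, not of one output string."""
    return count * math.log2(choices)


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase(SAMPLE_WORDS)
    print(f"password:   {pw}  ({entropy_bits(len(ALPHABET), 20):.1f} bits)")
    print(f"passphrase: {pp}  ({entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits "
          f"with this toy list; {entropy_bits(7776, 6):.1f} bits with a 7,776-word list)")
```

A 20-character password over 94 symbols gives about 131 bits; six words from a 7,776-word list give about 77.5 bits, which is plenty for a master password that is only ever run through a slow KDF and never has to be typed into a site's login form.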

  • @[email protected]
    13 months ago

    Hypothetically, couldn’t an attacker clone the smart card and retry on the copies?
    I would believe a salted and hashed zero-knowledge password vault is more secure than a US company which could be forced to surrender private keys used for the encryption.

    • Korthrun
      1
      3 months ago

      How would any company, regardless of geography, have the secret I generated? This is a stand-alone hardware device. The seller is not involved at all once I’ve received my package.

      Could a sophisticated/well resourced actor clone the smart card they stole or you lost? Sure, brute force attacks are brute force attacks. At least you’d know your device and card are stolen. Now you’re in a race to reset your passwords before they finish making 500 clones of the smart card they stole.

      Hypothetically I could blackmail someone at LastPass and have a backdoor installed for me.

      Someone could bust down my door while I have it connected and unlocked and just login to all my things. ¯\_(ツ)_/¯

      • @[email protected]
        13 months ago

        You lost an arm. Remember to use the \ to escape the markdown ;)

        I don’t know much of smart cards and the whole hardware based authentication beyond knowing they exist at all so please take my questions for what they are.

        I was thinking the encryption on those cards is done with a private key and a writer/reader by the manufacturer (like HID). So if the NSA busts down the door and demands the key you could technically decrypt it.
        So if you generate your own private key that vector is obviously mitigated, assuming they are providing the tool with a non-reversible hashing process or a guide on how to generate the key so it wouldn’t aid in the brute-force decryption.

        Thank you for the info :)

        • Korthrun
          2
          3 months ago

          I saw the lack of arm and facepalmed but I was half asleep poo posting so got over it :p (fixed now!)

          I’ve been using this device for ~5 years now, so my memory is a little hazy on it, but I’m pretty sure for the particular device I prefer (which is to say, I have nfc what the setup is for other vendors, which could be greatly superior) the AES-256 key used for encryption isn’t generated until you set up your first card.
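The "salted and hashed zero-knowledge password vault" raised earlier in the thread, as an added example that is not part of any comment above and is not any vendor's code. It shows the general pattern hosted password managers use so that the provider never holds the key that decrypts the vault: a slow, salted derivation of a master key from the master password on the client, then a one-way split of that key into a value the server may see (for login) and a key the server never sees (for encryption). Iteration counts, the use of the e-mail address as salt and the `b"enc"` label are illustrative assumptions, not a specific product's parameters.

```python
"""
Added example, not from the thread: client-side key derivation for a
zero-knowledge vault. The server only ever receives `auth`, and stores a
separately salted hash of it; `enc` (the vault key) stays on the client.
Parameters are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 600_000   # assumption: a modern PBKDF2-SHA256 cost
SERVER_ITERATIONS = 100_000  # assumption: server-side re-hash cost
KEY_LEN = 32               # 256-bit keys


def master_key(password: str, email: str) -> bytes:
    """Slow, salted derivation done on the client. Using the (normalised)
    e-mail as salt means two users with the same password get different
    keys, and a leaked vault cannot be attacked with a shared rainbow table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               KDF_ITERATIONS, dklen=KEY_LEN)


def hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF-Expand (RFC 5869) over HMAC-SHA256."""
    t, okm, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def split_keys(mk: bytes, password: str) -> tuple[bytes, bytes]:
    """Derive the two halves. `auth` is a one-way function of the master key,
    so a server holding it cannot recover `mk` or `enc`; `enc` is what
    actually encrypts the vault and never leaves the client."""
    auth = hashlib.pbkdf2_hmac("sha256", mk, password.encode("utf-8"), 1, dklen=KEY_LEN)
    enc = hkdf_expand(mk, b"enc")
    return auth, enc


def server_store(auth: bytes) -> dict:
    """What the provider keeps for login: a fresh random salt and a slow hash
    of the auth value. Together with the encrypted vault blob this is still
    useless without the master password, which is the zero-knowledge point."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", auth, salt, SERVER_ITERATIONS, dklen=KEY_LEN)
    return {"salt": salt, "auth_hash": digest}


def server_verify(record: dict, auth: bytes) -> bool:
    """Constant-time comparison of the re-derived hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth, record["salt"],
                                    SERVER_ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, record["auth_hash"])


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "alice@example.com"  # constructed
    mk = master_key(pw, email)
    auth, enc = split_keys(mk, pw)
    record = server_store(auth)          # this is all the server ever sees
    print("login ok:", server_verify(record, auth))
    print("server has enc key:", enc in (record["salt"], record["auth_hash"]))
```

The caveat the thread touches on still applies: a compromised or coerced provider can ship a malicious client that exfiltrates the password or `enc` at unlock time, so "zero-knowledge" describes what the server stores at rest, not a guarantee against a backdoored client.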