Password Security Catch-All Thread

PaladinTom wrote:

I've been "stuck" using LastPass for years now as it was the first one I tried. It works great overall, but I kinda hate its UI. I've considered trying to move to another solution but I don't have the will to go through all of that.

I just downloaded Bitwarden this week and transferred the LastPass info over there. I haven't completely switched over, but it appears to work almost identically to LastPass. The export / import operation to move my LastPass vault info to Bitwarden was super easy.

firesloth wrote:
PaladinTom wrote:

I've been "stuck" using LastPass for years now as it was the first one I tried. It works great overall, but I kinda hate its UI. I've considered trying to move to another solution but I don't have the will to go through all of that.

I just downloaded Bitwarden this week and transferred the LastPass info over there. I haven't completely switched over, but it appears to work almost identically to LastPass. The export / import operation to move my LastPass vault info to Bitwarden was super easy.

I was about to try Bitwarden, and went to check my LastPass subscription. Apparently it auto-renewed on... 24 August. I was so convinced it lasted until November! I cancelled the auto-renewal and suddenly have just shy of a year to test & roll out Bitwarden

dejanzie wrote:
firesloth wrote:
PaladinTom wrote:

I've been "stuck" using LastPass for years now as it was the first one I tried. It works great overall, but I kinda hate its UI. I've considered trying to move to another solution but I don't have the will to go through all of that.

I just downloaded Bitwarden this week and transferred the LastPass info over there. I haven't completely switched over, but it appears to work almost identically to LastPass. The export / import operation to move my LastPass vault info to Bitwarden was super easy.

I was about to try Bitwarden, and went to check my LastPass subscription. Apparently it auto-renewed on... 24 August. I was so convinced it lasted until November! I cancelled the auto-renewal and suddenly have just shy of a year to test & roll out Bitwarden :-)

What are the benefits of BitWarden? Does it work with iOS? That's a deal-breaker for me.

dejanzie wrote:

I was about to try Bitwarden, and went to check my LastPass subscription. Apparently it auto-renewed on... 24 August. I was so convinced it lasted until November! I cancelled the auto-renewal and suddenly have just shy of a year to test & roll out Bitwarden :-)

I was in a pretty similar situation: my subscription renewed in June. I hadn't heard of BitWarden at that time!

PaladinTom wrote:

What are the benefits of BitWarden? Does it work with iOS? That's a deal-breaker for me.

Even though I have 10 months left on my LastPass subscription, I wanted to look into this. I'm with you -- if it doesn't work with iOS, it's not an option. I just swapped my password app in the settings to BitWarden to try it out. It worked seamlessly for logging into a credit card app. So, all seems well on this front.

It looks like it fully supports iOS. I'll give it a go, although I have no idea when my LastPass sub reups.

What's the reason to have a paid Bitwarden account? Seems like the free would work for me (Currently on free LastPass and while it seems ok, I don't mind change either)

Holy carp, BitWarden is great so far. Tested on iOS (hooray thumbprint!), macOS, Safari, Firefox and Windows! Simple and clean UI - just the way I like it.

I'll try porting over my LastPass vault over the weekend to see how it goes.

I've been slowly transitioning from LastPass to Bitwarden, although I think what I will ultimately do with Bitwarden is self-host it.

PaladinTom wrote:

Holy carp, BitWarden is great so far. Tested on iOS (hooray thumbprint!), macOS, Safari, Firefox and Windows! Simple and clean UI - just the way I like it.

I'll try porting over my LastPass vault over the weekend to see how it goes.

Export/Import was flawless. It retained all of my categories and folders from LastPass. I'm really impressed with this app.

I've had Bitwarden for a couple of years now. The only issue I had with the transition from LastPass was due to the LastPass export - some special character got encoded. But it didn't take long to find which ones and fix them. It's been great so far - only a few websites that don't autofill correctly. I haven't found a feature I wanted that wasn't available.

dewalist wrote:

I've had Bitwarden for a couple of years now. The only issue I had with the transition from LastPass was due to the LastPass export - some special character got encoded. But it didn't take long to find which ones and fix them. It's been great so far - only a few websites that don't autofill correctly. I haven't found a feature I wanted that wasn't available.

This is a known bug, and apparently installing the Pocket App (desktop app for LastPass) and using its .csv export function circumvents the bug.

dejanzie wrote:
dewalist wrote:

I've had Bitwarden for a couple of years now. The only issue I had with the transition from LastPass was due to the LastPass export - some special character got encoded. But it didn't take long to find which ones and fix them. It's been great so far - only a few websites that don't autofill correctly. I haven't found a feature I wanted that wasn't available.

This is a known bug, and apparently installing the Pocket App (desktop app for LastPass) and using its .csv export function circumvents the bug.

BitWarden documents it on their help page, which is nice. But I didn’t run into it. I checked that my passwords included & and <>, which were the offenders, and they did. Maybe LastPass has fixed its bug?
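An added example, not part of any post in this thread: a pre-import check that flags fields in a password-manager CSV export whose values look HTML-entity-encoded (the `&` and `<>` case discussed above), without printing any secret. The column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import html
import io

# Constructed sample export; column names are an assumption for illustration.
SAMPLE_EXPORT = (
    "url,username,password,name\n"
    "https://example.com,alice,p&amp;ss&lt;1&gt;,Example\n"
    "https://example.org,bob,plain-Passw0rd,Other\n"
    "https://example.net,carol,R&D<ok>,Third\n"
)

def find_encoded_fields(csv_text, columns=("username", "password")):
    """Return (record, column) pairs whose value changes under HTML unescaping.

    Records are numbered from 1, not counting the header. Only positions are
    returned, so the report can be shared without exposing a password.
    """
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for record, row in enumerate(reader, start=1):
        for column in columns:
            value = row.get(column) or ""
            if html.unescape(value) != value:
                hits.append((record, column))
    return hits

def decode_flagged(csv_text, hits):
    """Return the CSV text with only the flagged fields HTML-unescaped.

    Review the hits first: a password that really contains the literal
    text '&amp;' would be altered by decoding.
    """
    flagged = set(hits)
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for record, row in enumerate(reader, start=1):
        for column in row:
            if (record, column) in flagged:
                row[column] = html.unescape(row[column])
        writer.writerow(row)
    return out.getvalue()

if __name__ == "__main__":
    found = find_encoded_fields(SAMPLE_EXPORT)
    print("suspect fields (record, column):", found)
```

Keep the export and any corrected copy off synced or shared storage, and delete both once the import is verified.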

I'm all set up with BitWarden for the most part. I haven't turned on two-factor yet.

The next step is getting all of my other two-factor setups off of LastPass which will be a pain. I considered keeping it, because LastPass backs up the Authenticator app in case you lose your phone.

Doing some searching I came across Authy. Anyone have experience with it? The thing I like is being able to use two devices instead of just one, although that seems like it would be another vector for attack.

Authy is great. Use Authy.

Today I switched to a self-hosted Bitwarden environment, and it's pretty great so far. I appreciate how easily the browser extensions and desktop apps allow you to switch to a self-hosted environment, and how transparent it is once it is done.

Since 6/15, my MS Hotmail/Outlook/Xbox account has been seeing lots of log in attempts from all the cool places:

Russia
Malaysia
Ukraine
Viet Nam
Cambodia
China

Etc.

I'd changed the password a couple of months ago from the one I've used for years, and also use the MS Authenticator on my phone. No successful logins that aren't me show up.

Weird thing I can't understand is that I'm not getting the phone notifications via the authenticator app every time this happens. I see it on my MS account, and I'm getting emails to my backup account asking for password resets.

Not too worried about it at the moment. Not sure why I've become a target. Probably random.

I've gotten quite a few password reset requests sent to my backup account for my Hotmail, too.

So now I've got somebody setting up a Snapchat account on my gmail account (which is my name) from Ghana. Multiple password reset attempts. Odd thing is they used a 2 digit number I've used in the past in online user ID's if I have to include a number, so it seems less random than I'd like. I would assume this is coming from some data breach somewhere. The odd thing is I rarely use my gmail account to set up any online accounts, generally funneling them through my hotmail spam catcher account that I've had since probably 1998.

I reset the password on the Snapchat account they set up to a 20 digit random string. Don't know if I should just delete it or what the goal of all of this is. Having it open yet secured might prevent them from trying again.

There are no successful logons or devices associated with the account, and they've tried two separate names in an attempt to set it up. Not sure why they'd do it using my gmail account, but I think as much as I hate to I'll change that core password like I did the hotmail account. It also has been on TFA for years, but I'll just feel better having a new password.

Can't hurt. In the era of password managers, 16+ chars in a password is perfectly reasonable.

Malor wrote:

Can't hurt. In the era of password managers, 16+ chars in a password is perfectly reasonable.

Problem with being an Android user and changing the gmail password is it makes it a pain to set up new phones, etc. So I change that one less than others. Which isn't rational, just a reduction in an annoyance.

Someone made an Uber account and some payment account using my email. And I haven't been able to shut them down because any attempt to login or contact support forces me to enter a code which they send to this person's phone. Apparently they paid for drugs using the payment account at least once unless they were just joking in the payment comments.

Mr GT Chris wrote:

Someone made an Uber account and some payment account using my email. And I haven't been able to shut them down because any attempt to login or contact support forces me to enter a code which they send to this person's phone. Apparently they paid for drugs using the payment account at least once unless they were just joking in the payment comments.

EDIT: Nevermind. I didn't catch the code going to their phone.

If you've got control of the email, just do a password change to take the accounts over and then delete them. The account reset password will come to you.

That's what I did to take control of the account. Afterwards, I did a data download from Snapchat and reviewed what they'd done and how long the account was open. They did make several friends, and had had a non US phone number in the account, but that phone had been removed. I assume that's how they did the original authentication.

I just didn't want to be in an identity theft situation.

I change the password but doing anything else requires authentication using a phone code. To their phone. Then they just reset the password later and keep going. Tried contacting support directly (which is surprisingly challenging without having an actual account to log into) and no response.

I figure at least living in another country keeps me relatively safe from charges. It's not actually in my name, just something that a spam generator made based on my email user id.

I just don't understand the motivation. Just use your own email made from any one of a number of free services. Weird.

Oh there's a woman in Ohio with the same first initial, last name as me that's not so much trying to do any wrong, but that loves Trump, gambling, and Folgers Coffee from Sam's Club (I got an order is ready to pick up email). IIRC, she also tried to set up an online dating profile once, too, and flooded my inbox with a ton of unwanted requests. I know it is all her, since her first name shows up in those related emails, and I don't sign up for stuff with that email account, too. I guess I should realize, it should be ok to unsubscribe to the emails, but they almost all end up in spam anyways, so I don't ever even open them.

I have at least 3 Gmail doppelgangers, people who regularly mistype their own email addresses when signing up for services. One lives in Spain, one in England, and one in Long Island, NY.

Yup. There's a high school principal in Tennessee who has the same name as me. I apparently got to gmail first, so his email address has a '1' at the end. I regularly get emails for him.

billt721 wrote:

Yup. There's a high school principal in Tennessee who has the same name as me. I apparently got to gmail first, so his email address has a '1' at the end. I regularly get emails for him.

Expel a few students via email and the problem will sort itself out.

*Legion* wrote:
billt721 wrote:

Yup. There's a high school principal in Tennessee who has the same name as me. I apparently got to gmail first, so his email address has a '1' at the end. I regularly get emails for him.

Expel a few students via email and the problem will sort itself out.

I get a bunch of emails in Slovak because of my user name.

I also get a bunch for someone named Herr Ivan Hrdina who apparently likes golf.

Glad I’m not the only one with doppelganger issues. I get hardware receipts from Idaho and dating app profiles from Central America.

Antichulius wrote:

Glad I’m not the only one with doppelganger issues. I get hardware receipts from Idaho and dating app profiles from Central America.

You're just a person of mystery. Admit it.