Password Security Catch-All Thread

DeThroned wrote:

What's the reason to have a paid Bitwarden account? Seems like the free would work for me (Currently on free LastPass and while it seems ok, I don't mind change either)

Convenience, to support the creator.

Or you could setup self-hosted.

I switched to BitWarden back when LastPass really sh*t the bed on Firefox support and it was essentially broken for months and their customer service was awful.

Even having a paid subscription to LastPass, I made the switch and haven't looked back. They've just gotten progressively worse since they were acquired (by LogMeIn, I think?)

I remember one truly frustrating "feature" of LastPass was that if you used two-factor, it didn't "fall back" to another method like almost any other sane implementation. Which baffles me, why they let you set up multiple 2fa methods, but whatever.

The one feature I wish Bitwarden had is syncing your settings. If I install it on a new device or reinstall the browser extension, I always have to go in and change the clear-clipboard setting to 5 minutes instead of "never". I can't be the only person who finds never having their clipboard cleared uncomfortable.

*Legion* wrote:

Today I switched to a self-hosted Bitwarden environment, and it's pretty great so far. I appreciate how easily the browser extensions and desktop apps allow you to switch to a self-hosted environment, and how transparent it is once it is done.

That's good to hear! I haven't taken this leap yet.

What do y'all do for awful apps that still require you to manually type out passwords?

Whenever I have to re-login to Netflix, for example on a new device, sometimes it's such a f*cking hassle that I temporarily change my password to something simple, log in, then change it back.

How have these huge companies not switched to something more user friendly like just visiting a website and typing in a code?

I guess you could also use application specific or one-time passwords...

PaladinTom wrote:

Doing some searching I came across Authy. Anyone have experience with it? The thing I like is being able to use two devices instead of just one, although that seems like it would be another vector for attack.

Authy is arguably less secure because of the cloud syncing, but in actual real-world use it makes 2fa much, much, much, MUCH less annoying.

As someone who had to use 2fa on everything for work, the convenience was worth it, and one time when I accidentally wiped my phone (I was transferring to a new one and got careless) it really saved my ass from a world of hassle/pain.

I consider it like those awful IT department policies that make you change your password every six months. I have never worked a job like that where people didn't start putting their passwords on Post-It notes, infinitely less secure than just, well, keeping a good password long-term.

So with Authy, using 2fa is tolerable, and I, and other folks/employees, were much more likely to actually enable it whenever possible.

So I guess it comes down to what your "threat model" is. For me, smaller individuals/groups of hackers/spammers/thieves are more of a concern than nations/states, so I consider it worth the extra vectors, so to speak.

You have an external attack vector in Authy, in that the encryption in their cloud storage could be flawed in some way, or they could be subject to a FISA order requiring them to share all your secret authentication keys with the government.

But, in exchange, you have the easy ability to have multiple devices. For instance, I'm using it on both my phone and my desktop. I can use my phone to take a picture of a QR code, add the account, and then it instantly shows up in the desktop version. Presumably, it would work in reverse, too, though since the desktop doesn't have a camera, I haven't bothered. If I lose either of them, AFAIK I can remotely de-authenticate it and render it incapable of authenticating anymore, and I still have a working authentication program that I can use to talk to my existing providers to change keys or whatever.

If you have a printer and the physical space, an even better approach is to print out each new QR code as you receive it, and store it in a secure place. This will let you use any authentication program, enrolling it even years later. Downside: don't lose those papers.

I just use Authy, personally, but if I were in a high-threat environment (like being a sysadmin in any kind of substantial company), I'd probably be using the printout backup approach instead, and sticking with an entirely self-contained authenticator.

Malor wrote:

Presumably, it would work in reverse, too, though since the desktop doesn't have a camera, I haven't bothered.

The vast majority of 2fa services I've used seem to offer a text-based alternative to QR codes that you can use to add entries via the desktop app. Then it just syncs back to your phone/other devices.

Which is extremely useful if you have to set up accounts for work, because you can do it while you're multitasking on your desktop.

Kind of a tangent, but something I really dig about the YubiKey software is you can actually take a screenshot to grab QR codes via the app.

Something I wish any of these authenticator apps did was sort your logins. It's completely nonsensical to have them in the order they're added.

With Authy you can re-arrange them but it's annoying to do manually. Why not just have the option to sort alphabetically by default? I've never understood why such a simple usability feature seems to be abhorred by YubiKey, Google, and Authy.

1Password does alphabetical and it has a very frictionless search. It lets you set up categories and favorites too, I think, but I never bothered since the search is easiest.

I've only added three things to Authy so far, and at least in the desktop version, they're alpha-sorted. I didn't add them in alpha order, either.

But on the phone version, they're just in order added across the bottom.
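Two points in the thread above, printing each enrollment QR code as a backup so you can enroll any authenticator years later, and using the text-based secret instead of the QR code, both rest on the same fact: the QR code is just an otpauth:// URI, and the base32 secret inside it is all an authenticator needs. The following is an added example, not code from any poster or from Authy/Bitwarden/1Password. It parses a constructed otpauth:// URI (the issuer "Example" and account "alice@example.com" are placeholders, and the secret is the RFC 6238 test key "12345678901234567890" in base32) and computes the same TOTP codes from either the full URI or the bare secret, which is what lets a printed backup or a typed-in key re-enroll a fresh app.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what an enrollment QR code encodes. Issuer and account
# are placeholders; the secret is the RFC 6238 reference key in base32.
SAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the enrollment parameters out of an otpauth://totp/ URI.

    This is the information worth printing and filing away: with the secret,
    algorithm, digits and period you can enroll any TOTP app later.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    label = unquote(u.path.lstrip("/"))
    # Label is "Issuer:account" by convention; the issuer may also be a query param.
    issuer_from_label, _, account = label.rpartition(":")
    return {
        "issuer": q.get("issuer", issuer_from_label),
        "account": account,
        "secret": q["secret"].upper().replace(" ", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP from a base32 secret (typed-in text key or printed backup)."""
    if at is None:
        at = time.time()
    # Many sites hand out unpadded base32; restore padding before decoding.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = int(at) // period
    hash_fn = getattr(hashlib, algorithm.lower())  # sha1, sha256 or sha512
    digest = hmac.new(key, struct.pack(">Q", counter), hash_fn).digest()
    # Dynamic truncation (RFC 4226 section 5.3).
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, at=None):
    """Same code as totp(), but driven by the full URI a QR code would carry."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print("backup record:", p)
    print("code from URI:   ", code_from_uri(SAMPLE_URI))
    print("code from secret:", totp(p["secret"]))
```

The `at` parameter exists so the output can be checked against the RFC 6238 vectors instead of the wall clock; in normal use you omit it. The practical lesson for the backup strategy in the thread is that the printed sheet only needs the secret (plus algorithm, digits and period if they are not the defaults), and that whoever holds that sheet holds the second factor, which is why "don't lose those papers" is the whole security model of the printout approach.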