I was gonna ask about the biometrics part in a separate question, but its both about security, so might as well combine it in one post.
Okay so I don’t use password managers. I just try to make easy to remember passwords 3-4 random words + 3-4 random numbers. Online accounts can’t be brute forced anyways. Edit: I mean most websites have log in limits don’t they? Maybe I’ve been mistaken?
For offline accounts, I just increase the words and numbers. For mobile I don’t use biometrics, although I’ve been testing whether or not I want a pin + no biometrics or alphanumeric password + biometrics. I just can’t decide.
I use the password manager Bitwarden, but Proton Pass is looking kinda nice.
Whats the reason proton pass is looking better? I just started my switch to bitwarden, I used to use enpass offline on windows.
Same with bitwarden, I recently made my wife change from google because I don’t trust how they could be managing that kind of data.
What benefit could it be to Google for them to have access to your user and passwords?
Genuinely curious, I use bitwarden myself but can’t see Google using their password manager for nefarious reasons
Sure, probably they won’t use it for bad purposes.
But there’s nothing saying they won’t use them in any way they see fit.
Maybe they could find a way to find monetize without disclosing them and anonymized, like statistics or with the update in their policy about training their models with whatever information they can get.
Maybe you have an ad blocker and AdSense can’t build a profile from you, but the google already know what sites you were interested enough to make an account and could try to advertise in other ways.
And then the biggest issue: there’s no mention of encryption, so who knows how they store them and where. Could an attacker read them? How are google employees prevented from reading them?
I write my passwords down using a diamond-point scriber on a tablet of solid gold, which I keep in a secure location.
Would strongly recommend a password manager. I use bitwarden, you can use self host it or not. If you don’t like bitwarden there are plenty of free options. Random password generation and sync is going to be a better practice than much else I can think of, so I’d encourage you to go for it! 😬
I have been a paying costumer for bitwarden for couple years, but now I am planning to switch to proton pass soon. $1 for unlimited email alias is simply too good.
Do you know how long this $1 promo will last? I’m unlucky this month and can’t afford it until next month.
I use Bitwarden and I have 2FA where it’s implemented. Why do you say that online accounts cannot be brute forced?
Most online logins have limits. You can’t just try a million passwords in a second.
In theory that is correct. In practice, not always the case. Up until 8 years ago you could brute force iCloud passwords: https://www.intego.com/mac-security-blog/apple-patches-brute-force-password-cracking-security-hole-in-icloud
Nobody will try to brute force your account on a login form unless you are a high value target. Databases get leaked and password hashes with them. There are tools like haveibeenpwned which check your email against known database dumps that are available to everyone on the dark web.
This is true, but if their password database gets compromised and they’re using insecure storage then they can brute force all day. There are server farms dedicated to doing just that and the vast majority of users are using simple, easy to guess passwords. The most common password? “password” [source: https://nordpass.com/most-common-passwords-list/]. Yes, we are a stupid species.
