Strong random passwords, where to keep, when to change and what to do if site says has been breached?
TeaLeaf

4638 posts

Uber Geek


#281308 10-Feb-2021 10:00
Sorry I looked for an IT security type thread but couldn't find one, so apologies if this is not the right place for this. :-) Thank you.

Thanks to Geekzone for alerting me how to check if I've been "pwned".

It will take me a long time to go through my email addresses, but one I checked said has been breached twice but never pasted, not sure what that means?

So using a random password generator, they are near impossible to remember, so where is somewhere safe but easy to reach that I should store the password should I ever forget?

Linux
8950 posts

Uber Geek

Trusted
Lifetime subscriber

  #2650838 10-Feb-2021 10:05
KeePass is a good PW manager

Batman
Mad Scientist
27694 posts

Uber Geek

Trusted
Lifetime subscriber

  #2650839 10-Feb-2021 10:10
Following with keen interest. Exactly my issue.




xpd
A500 Mini Owner
11899 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2650845 10-Feb-2021 10:16
Breached but not pasted is most likely meaning that although a site you use has been breached, your records were not seen on sites such as pastebin.com which is/was a common dumping ground for databases.

 

I use a mix of KeePass and LastPass - KeePass mainly for my offline stuff or passwords I don't want "online" in the off chance LastPass was breached. 

 

 




SumnerBoy
1886 posts

Uber Geek

ID Verified
Subscriber

  #2650876 10-Feb-2021 10:33
I am using self-hosted Bitwarden which I have been very happy with (after being a KeePass + Nextcloud user for years)

TeaLeaf

4638 posts

Uber Geek


  #2650878 10-Feb-2021 10:40
Thanks all.

 

xpd: passwords I don't want "online" in the off chance LastPass was breached. 

 

 

This is something I worry about.
So you put all your passwords on these sites, what if that site gets hacked? Or is the threat very minimal?

If I have created a very strong password, is it ok to use that for the majority of my logins etc? Some I won't as they are shared. But makes sense to.

 

Do these password managers automatically fill in your password or you have to go to their site, login and get your password? I ask as my Samsung phone has been asking to do this for me for ages.

Is time for me to get with 2021 and beyond, still stuck in 2005 haha.

dt
1072 posts

Uber Geek


  #2650879 10-Feb-2021 10:41
I use a subscription based password manager called Dashlane, who do active dark web monitoring on the darkweb for up to 5 nominated email addresses and will alert you if any of your accounts have been breached.

 

They have a mobile app and browser extensions for auto filling in un/pw for websites, forms, credit card details etc.

 

They have integrations with some sites as well where it's just a one click password change from the app which is pretty cool but not supported with that many sites yet.

 

You also get a vpn included with the subscription

 

Also, when you first set it up you get it to import all your saved passwords and it gives you a security score of weak and reused passwords on a dashboard. It takes a bit of time to go through and change each one but well worth the hour or two worth of effort.

Groucho
438 posts

Ultimate Geek


  #2650880 10-Feb-2021 10:41
I've been using the free version of LastPass for a couple of years.  Does everything I need it to do plus works across Mac, PC and Android which was the decider.



lxsw20
2882 posts

Uber Geek


  #2650881 10-Feb-2021 10:41
I use Bitwarden for passwords and Authy for 2fa codes. It allows me to access these from phone/laptop/browsers etc. Bitwarden (same as most password tools) has a built in secure password generator too.

 

I think Bitwarden is $10US for the premium version but the free one should do everything you want. 

 

Every account you have that supports it should have 2 Factor security enabled too. 

TeaLeaf

4638 posts

Uber Geek


  #2650882 10-Feb-2021 10:43
dt: You also get a vpn included with the subscription

 

 

That sounds good, but how much are they charging? And how quick is the VPN, for streaming non local geo content?

lxsw20
2882 posts

Uber Geek


  #2650883 10-Feb-2021 10:44
TeaLeaf: If I have created a very strong password, is it ok to use that for the majority of my logins etc? Some I won't as they are shared. But makes sense to.

No, don't do that. You're still at risk of credential stuffing if you do that. Each login should have its own unique password. 
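
The reuse risk raised in this reply, and the "weak and reused passwords" score described earlier in the thread, can be checked against a password manager export. This is an added example, not part of the thread or any product's code; the CSV columns (`site`, `username`, `password`), the sample rows and the 60-bit threshold are constructed assumptions.

```python
import csv
import hashlib
import io
import math
import string
from collections import defaultdict

# Constructed sample export (not real accounts or credentials).
SAMPLE_EXPORT = """site,username,password
forum.example,tealeaf,Tr0ub4dor&3xtra!
shop.example,tealeaf,Tr0ub4dor&3xtra!
mail.example,tealeaf,kX9#vQ2$mL7@pW4z
bank.example,tealeaf,summer21
stream.example,tealeaf,Tr0ub4dor&3xtra!
"""

def charset_bits(password):
    """Upper bound on entropy in bits if every character were chosen at random."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(export_text, min_bits=60):
    """Return groups of sites sharing one password, and sites below min_bits."""
    groups = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Group by digest so the report itself never holds a plaintext password.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        groups[digest].append(row["site"])
        if charset_bits(row["password"]) < min_bits:
            weak.append(row["site"])
    reused = sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)
    return {"reused": reused, "weak": sorted(weak)}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for sites in report["reused"]:
        print("one breach exposes all of:", ", ".join(sites))
    print("below strength threshold:", ", ".join(report["weak"]))
```

A strong password still shows up in the reused group here: strength does not help once any one of the sites sharing it is breached.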

TeaLeaf

4638 posts

Uber Geek


  #2650886 10-Feb-2021 10:46
lxsw20: I use Bitwarden for passwords and Authy for 2fa codes.

 



The name Bitwarden alone sounds "Staunch" ;-)

What kind of places need 2fa codes? I only ask out of curiosity as I have not used one that does. Cheers

lxsw20
2882 posts

Uber Geek


  #2650890 10-Feb-2021 10:48
Everything should have 2fa codes. Email, Geekzone, social media, you name it. Anything you want to decrease the chances of someone gaining access to your account. 

Linux
8950 posts

Uber Geek

Trusted
Lifetime subscriber

  #2650891 10-Feb-2021 10:52
1pass is another good PW manager

TeaLeaf

4638 posts

Uber Geek


  #2650936 10-Feb-2021 11:58
Linux: 1pass is another good PW manager


That sounds really familiar, not sure if it's the one that keeps trying to get me to sign up on my phone.

Do you use it Linux? Given your knowledge I expect you would know if it's good enough for what I need, just storage of passwords, and if available extensions for my phone and web browser for passwords etc.

How does that work, does it just automatically fill the right password, or do you have to enter a central password first?

The free version should be capable for what I need?

Thanks all, I think this is a big issue that most people, even IT folk, are pretty lax on, but using these tough generated passwords is becoming mandatory imo now, how to keep them usable and safe is very helpful information for a lot of people not currently doing so. Cheers

Batman
Mad Scientist
27694 posts

Uber Geek

Trusted
Lifetime subscriber

  #2650946 10-Feb-2021 12:01
xpd: Breached but not pasted is most likely meaning that although a site you use has been breached, your records were not seen on sites such as pastebin.com which is/was a common dumping ground for databases.

I use a mix of KeePass and LastPass - KeePass mainly for my offline stuff or passwords I don't want "online" in the off chance LastPass was breached.


 



Can KeePass be breached?




