Strong random passwords, where to keep, when to change and what to do if site says has been breached?

Forums › Desktop computing › Strong random passwords, where to keep, when to change and what to do if site says has been breached?

TeaLeaf

6436 posts

Uber Geek
+1 received by user: 1241

#281308 10-Feb-2021 10:00

Sorry I looked for an IT security type thread but couldnt find one, so apologies if this is not the right place for this. :-) Thank you.

Thanks to Geekzone for alerting me how to check if ive been "pwned".

It will take me a long time to go through my email addresses, but one I checked said has been breached twice but never pasted, not sure what that means?

So using a random password generator, they are near impossible to remember, so where is somewhere safe but easy to reach that I should store the password should I ever forget?

1 | 2 | 3 | 4 | 5

12182 posts

Uber Geek
+1 received by user: 8475

Trusted

Lifetime subscriber

#2650838 10-Feb-2021 10:05

keepass is a good PW manager

Batman

Mad Scientist
30013 posts

Uber Geek
+1 received by user: 6217

Trusted

Lifetime subscriber

#2650839 10-Feb-2021 10:10

Following with keen interest. Exactly my issue.

xpd

Geek of Coastguard
14116 posts

Uber Geek
+1 received by user: 4578

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2650845 10-Feb-2021 10:16

Breached but not pasted is most likely meaning that although a site you use has been breached, your records were not seen on sites such as pastebin.com which is/was a common dumping ground for databases.

I use a mix of KeePass and LastPass - KeePass mainly for my offline stuff or passwords I don't want "online" in the off chance LastPass was breached.

XPD / Gavin

LinkTree

SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified

Lifetime subscriber

#2650876 10-Feb-2021 10:33

I am using self-hosted Bitwarden which i have been very happy with (after being a KeePass + Nextcloud user for years)

TeaLeaf

6436 posts

Uber Geek
+1 received by user: 1241

#2650878 10-Feb-2021 10:40

Thanks all.

xpd: passwords I don't want "online" in the off chance LastPass was breached.

This is something I worry about.
So you put all your passwords on these sites, what if that site gets hacked? Or is the threat very minimal?

If I have created a very strong password, is it ok to use that for the majority of my logins etc? Some I wont as they are shared. But makes sense to.

Do these password managers automatically fill in your password or you have to go to their site, login and get your password? I ask as my samsung phone has been asking to do this for me for ages.

Is time for me to get with 2021 and beyond, still stuck in 2005 haha.

dt

1152 posts

Uber Geek
+1 received by user: 371
Inactive user

#2650879 10-Feb-2021 10:41

I use a subscription based password manager called Dashlane, who do active dark web monitoring on the darkweb for up to 5 nominated email addresses and will alert you if any of your accounts that have been breached.

they have mobile app and browser extensions for auto filling in un/pw for websites, forms, credit card details etc.

They have integrations with some sites as well where its just a one click password change from the app which is pretty cool but not supported with that many sites yet

You also get a vpn included with the subscription

also, when you first set it up it you get it to import all your saved passwords and it gives you a security score of weak and reused passwords on a dashboard, it takes a bit of time go through and change each one but well worth the hour or two worth of effort

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

Groucho

542 posts

Ultimate Geek
+1 received by user: 216

#2650880 10-Feb-2021 10:41

I've been using the free version of LastPass for a couple of years. Does everything I need it to do plus works across Mac, PC and Android which was the decider.

lxsw20

3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

#2650881 10-Feb-2021 10:41

I use Bitwarden for passwords and Authy for 2fa codes. It allows me to access these from phone/laptop/browers etc. Bitwarden (same as most password tools) has a built in secure password generator too.

I think Bitwarden is $10US for the premium version but the free one should do everything you want.

Every account you have that supports it should have 2 Factor security enabled too.

TeaLeaf

6436 posts

Uber Geek
+1 received by user: 1241

#2650882 10-Feb-2021 10:43

dt:

You also get a vpn included with the subscription

That sounds good, but how much are they charging? And how quick is the VPN, for streaming non local geo content?

lxsw20

3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

#2650883 10-Feb-2021 10:44

TeaLeaf:

If I have created a very strong password, is it ok to use that for the majority of my logins etc? Some I wont as they are shared. But makes sense to.

No, don't do that. You're still at risk of credential stuffing if you do that. Each login should have its own unique password.

TeaLeaf

6436 posts

Uber Geek
+1 received by user: 1241

#2650886 10-Feb-2021 10:46

lxsw20:

I use Bitwarden for passwords and Authy for 2fa codes.

The name Bitwarden alone sounds "Staunch" ;-)

What kind of places need 2fa codes? I only ask out curiosity as I have not used one that does. Cheers

Geekzone

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).

lxsw20

3689 posts

Uber Geek
+1 received by user: 2174

Subscriber

#2650890 10-Feb-2021 10:48

Everything should have 2fa codes. Email, Geekzone, social media, you name it. Anything you want to decrease the chances of someone gaining access to your account.

Linux

12182 posts

Uber Geek
+1 received by user: 8475

Trusted

Lifetime subscriber

#2650891 10-Feb-2021 10:52

1pass is another good PW manager

TeaLeaf

6436 posts

Uber Geek
+1 received by user: 1241

#2650936 10-Feb-2021 11:58

Linux: 1pass is another good PW manager

That sounds really familiar, not sure if its the one that keeps trying to get me to sign up on my phone.

Do you use it Linux? Given your knowledge I expect you would know if its good enough for what I need, just storage of passwords, and if available extensions for my phone and web browser for passwords etc.

How does that work, does it just automatically fill the right password, or do you have to enter a central password first?

The free version should be capable for what I need?

Thanks all, I think this is a big issue that most people, even IT folk, are pretty lax on, but using these tough generated passwords is becoming a mandatory imo now, how to keep them usable and safe is very helpful information for a lot of people not currently doing so. Cheers

Batman

Mad Scientist
30013 posts

Uber Geek
+1 received by user: 6217

Trusted

Lifetime subscriber

#2650946 10-Feb-2021 12:01

xpd:
Breached but not pasted is most likely meaning that although a site you use has been breached, your records were not seen on sites such as pastebin.com which is/was a common dumping ground for databases.

I use a mix of KeePass and LastPass - KeePass mainly for my offline stuff or passwords I don't want "online" in the off chance LastPass was breached.

Can keepass be breached?

1 | 2 | 3 | 4 | 5