this post was submitted on 09 Nov 2025
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
I was thinking about this earlier. The password manager browser plugin I use (Proton Pass) defaults to staying unlocked for the entire browser session. If someone physically gained access to my PC while my password manager was unlocked, they'd be able to access absolutely every password I have. I changed the behavior to auto-lock and ask for a 6-digit PIN, but I'm guessing it wouldn't take an impractical amount of time to brute-force a 6-digit PIN.
Before I started using a password manager, I'd use maybe 3-4 passwords for different "risks" (bank, email, shopping, stupid shit that made me sign up, etc.). Not really sure if a password manager is better (guess it depends on the "threat" you're worried about).
Edit: Also on my phone, it just unlocks with a fingerprint, and I think law enforcement are allowed to force you to biometrically unlock stuff (or can unlock with fingerprints they have on file).
If someone can gain physical access to your PC you are done anyway, he can simply copy the file or do whatever he wants.
Yes, it is better. The likelihood that someone will physically access your device is incredibly low, the likelihood that one of the services in your bucket gets leaked and jeopardizes your other accounts is way higher.
I set mine to require my password after a period of time on certain devices (the ones I'm likely to lose), and all of them require it when restarting the browser.
True, but it's also highly unlikely that LE will steal your passwords.
My phone requires a PIN after X hours or after a few failed fingerprint attempts, and it's easy to fail without being sus. In my country, I cannot be forced to reveal a PIN. If I travel to a sketchy country or something, I switch it to a password unlock.
I use a "password pattern": rather than remembering all the passwords, I just remember a rule I have for how passwords are done. There are some numbers and letters that change depending on what the service is, so every password is unique and I can easily remember all of them as long as I remember the rules I put in place.
So when someone figures out your rule, he has all the passwords.
That is assuming that someone will sit there and try to decrypt password rules for that specific person. Chances of that happening are basically 0, unless they are some sort of a high interest person.
If there's a leak with multiple services, it's possible some script kiddie will flag it as having a pattern. I'm guessing the rule is simple enough that an unsophisticated attacker could figure it out with several examples.
It's way better than reusing passwords, but I don't think it's better than a password manager, and it takes way more effort, especially given all the various password rules companies have (no special characters, must have special character, special character must be one of...). If you're paranoid, use something like KeePassXC that's just a file.
- figure out the rule
- figure out the services
- figure out the usernames
What's more likely, a password manager gets a breach or someone targets only me and manages to find out multiple passwords across multiple services and cross compares them works out what the random numbers and letters mean...
I don't know your rule, but when I hear this, usually it includes the name of the service or something, so a script kiddie armed with a Levenshtein distance algo could probably detect it.
That said, the "safer than the person next to you" rule applies here. You're probably far enough down that list to not matter.
As for password manager breaches, the impact really depends on what data the password manager stores. If all decryption is done client-side and the server never gets the password, an attacker would need to break your password regardless. That's how Bitwarden works, so the only things a breach could reveal are my email, encrypted data, and any extra info I provided, like payment info. The most likely attack would need to compromise one of the clients. That's possible, but requires a bit more effort than a database dump.
No you are right, your method is stronger than using a password manager hahaha of course there will never be a targeted attack or anything like it
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don't know a single other password. Can someone correct me if I'm wrong?
As always, the most secure password is the least convenient and accessible. It's a trade off, but you want fewer dictionary words and patterns overall. Preferably with a physical component for the master password.
Longer is better...giggitty.
You are mostly correct it is length * (possible char values).
See passphrase generator.
https://www.keepersecurity.com/features/passphrase-generator
You are mostly correct it's (possible char values) ^ length.
I've found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than English, can greatly increase the resistance to dictionary attacks.
If your password manager has a password recovery mechanism, that means your key is stored on the server and would be compromised in a breach. If that's the case, I highly recommend changing password managers.
The ideal way a password manager works is by having all encryption done client-side and never sending the password to the server. If the server cannot decrypt your password data, neither can an attacker. That's how my password manager works (Bitwarden), and I highly recommend restricting your options only to password managers with that property.
If you need a backup, write it in a notebook and keep it in a safe. If your house gets broken into, change your password immediately before the thief has a chance to rifle through the stuff they stole. My SO and I have shared passwords to all important credentials, so that's our backup mechanism.
Okay, but hackers don’t have to know whether I used a special character or just lowercase? Or am I stoopid?
Also 2FA. You'll still want to change passwords but it buys you time.
And an email alias.
I hate how many places don't allow for + aliases. I want to know who leaked my email.
+aliases are convenience aliases only. They are often stripped from ID datasets. Better to use a real alias. At the same time, it is trivially easy to strip a + alias, so I'd not trust it to do anything much at all.
If you use aliases for all services, it makes it slightly harder to automate trying one leaked email on another site, since the hacker needs to add the new alias on the other service.
No one is going through all these credentials manually, so any extra obscurity can actually bring you security in a pinch. Although if you have different passwords this shouldn't matter much...
No, you just run a simple Regex on both combolists and are done. It literally takes seconds
No + required. There are hundreds of companies offering aliases using their shared domain. You can also just generate a temporary email address if you don't require any ongoing communication and the account is not super important.
Even if your alias is leaked they can remove the + part and it'll lead to your original email without aliases. They probably do some data formatting on emails to not get caught so easily and obviously.
Catch-all address 😎
Don't forget unique email addresses. I've had two spam emails in the last 6 months, I could trace them to exactly which company I gave that email address to (one data breach, one I'm pretty sure was the company selling my data). I can block those addresses and move on with my life.
My old email address from before I started doing this still receives 10+ spam emails a day.