Use the "passwords" feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They'll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
For me, if this happens, it has no impact since almost every page i sign up to has a unique password. The most important ones has mfa as well.
Use a password manager. Simple.
Right answer. In fact, the only viable answer.
I think its almost a crime that browsers havent evolved to make users generate unique, secure passwords by default. Its just another huge sign that these browser companies dont care about security or privacy, despite their marketing departement rabbling those words.
I dont think there has been any evolution at all in this area. Browsers can save passwords but they dont help the user generate secure, unique ones, and dont encourage users to have separate accounts. Instead the web is trying to make users use something like Google or Facebook logins, so they are completely dependent on those tech companies.
Firefox generates random passwords for you by default. You have to disable it in the settings if you want to use another password manager besides Firefox's built in one.
You can right click any password field in Chrome and the first option is "generate random password".
2 Issues are the they (1) it is unreadable by humans instead of being a passphrase, and (2) The generator does not read any rules off the page so you might have to add a special character.
But the functionality has existed for over a decade
@Rooster326 @1984 it also asks if you would like to generate a secure password, rather than it just being on right-click, in most "new password" fields.
Google password manager also warns you if you have duplicated passwords saved in it and prompts you to create new, unique ones.
I don't like Google but they do ok with password management I think.
I use a password manager in my personal life but my job doesn't allow it so I have to keep the 10 or so passwords I have for various vendor sites in my notes. All my passwords are the same thing with slight variations to meet the different asinine password policies the different sites use. It's fucking stupid but I don't care if they're not going to give me a good way to keep all this shit straight.
Totally fair. I also dont care if company blocks things i need to do it right.
Same, but I do have some level of worry regarding portability. My solution isn't local or self hosted, as I was looking for easy and works across Linux/Windows/Mac/Android/iOS. I do not look forward to needing to change to a new password manager in the future, but given the way everything seems to be going it seems likely that I'll have to at some point.
It takes a little more effort to setup, but the alternative to syncing a local keystore db like KeePassXC would be vaultwarden, which is a self hosted open source Bitwarden server that gives you all the features of Bitwarden and has full compatibility with all the clients.
Spinning it up is actually very easy, you just have to decide if you want to integrate SSL via a reverse proxy setup or just use the builtin webserver for HTTPS.
KeePass and syncthing. I use Keepass2 on a Linux desktop and laptop, KeePassDX on Android, and use syncthing to keep everything synchronized and up to date, also using an old raspberry pi to act as a central server for syncthing.
Modifying the database on one device seamlessly updates the other devices once they're visible on the network, everything works beautifully and is very easy to set up on a local network.
Pretty much default configuration all the way around, just gotta make sure syncthing starts on boot. Just did a brief search, syncthing seems to have a MacOS fork, and iOS will need Möbius Sync, which is paid but the free tier offers 20MB storage sync which is overkill for KeePass.
1Password and Bitwarden both work across multiple devices, os's and browsers. Work uses 1Password which i have on work computer and work phone. i use bitwarden across home desktop, laptop, phone, homelab, testing phones
That would be great if I only used one browser on one device with one operating system. Between my work laptop, my Macbook, my phone, and my gaming PC nothing syncs and it's very difficult to share storage between all of them.
You can install bitwarden on all those devices. Maybe im not fully understanding...
I also dont use just one computer and platform.
Yeah, just tell your work IT staff that you need admin rights to your workstation so you can "install the software you want to" (that they don't supply or support or update).
See how well that works. /s
Ah right. Sorry, I just always used Linux with admin rights since I work in IT.
Didn't mean to offend you (or anyone else).
I work in IT too (Windows) and have admin rights on my workstation. Even though I have the power to install any software, it's against policy to do so (and technically that's a good policy).
Also, I don't like the idea of anyone/anything but me having my passwords. I go with 2FA if something is important/certified based 2FA if it's really important.
I share my Bitwarden account among 4 browser profiles on 2 PC-s.
I don't think anyone just uses one device anymore, pretty sure there are workarounds.
How unique do passwords have to be in order to be considered safe? If they follow a pattern are they still safe or do these bots try alterations to the leaked passwords as well?
Like if your password to Reddit was reddit1234 and your password to Google was google1234, if the Reddit password leaked is your Google one still okay?
Probably not if it's a human but bots shouldn't be able to figure that out ya?
They are completely random strings for each site, so having one will not help crack the other.
But if people pick their own passwords, it tends to be some word like you wrote, and then a hacker could try and crack the others by guessing similar words.