If you're on this comm, you've heard this before. You've probably been putting it off. It's time to stop being lazy and just do it.

Pick one. There's Lastpass, KeepassXC, Dashlane, and Bitwarden.

Lastpass, Dashlane and Bitwarden all keep your passwords online, and allow you to easily login to sites with autofill. KeepassXC is the most secure option, and keeps your passwords locally on your device so they aren't stored anywhere else. I don't recommend KeepassXC unless you're really paranoid or need extreme levels of security, since the usability of having to sync your passwords manually is a hassle that's just not worth it for most people. Those first 3 are good, secure options. Take a look, and then pick one. Your password for your password manager needs to be unique, used nowhere else, and LONG. These are all non-negotiable requirements.

AND THEN ENABLE MFA (MULTI-FACTOR AUTHENTICATION)

This makes you need both your password and a second token, like a one-time code on your phone, to login. It's mandatory. Any important accounts that you have NEED to have MFA enabled.

Cool, now it's set up. Put in all the passwords that you remember, add the extension to your browser, and let sites accumulate in the password manager for a while. Then, go and change all the accumulated passwords to long, random strings generated by your password manager. None of your accounts should use any of your old, long-reused passwords. None. It's very likely that they're compromised, and they shouldn't be considered secure.
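Added example (not part of the original post): a small Python audit of the two things the steps above demand, passwords that are long and random, and no password shared between accounts. The vault contents and the 24-character default are constructed assumptions; real managers generate passwords the same way, from the OS CSPRNG.

```python
import math
import secrets
import string
from collections import Counter

# Character set a typical password-manager generator draws from (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a password of `length` characters drawn uniformly from `alphabet`
    using the OS CSPRNG (secrets), not random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def audit_vault(vault: dict[str, str], min_length: int = 16) -> dict[str, list[str]]:
    """Flag accounts whose password is reused across sites or shorter than
    min_length. `vault` maps account name -> password."""
    counts = Counter(vault.values())
    findings: dict[str, list[str]] = {}
    for account, password in vault.items():
        problems = []
        if counts[password] > 1:
            problems.append("reused")
        if len(password) < min_length:
            problems.append("short")
        if problems:
            findings[account] = problems
    return findings


# Constructed sample vault (not real credentials): two accounts share one short
# password, which is exactly the state the post says to eliminate.
SAMPLE_VAULT = {
    "email": "Summer2019!",
    "bank": "Summer2019!",
    "forum": generate_password(24),
}

if __name__ == "__main__":
    for account, problems in audit_vault(SAMPLE_VAULT).items():
        print(f"{account}: {', '.join(problems)}")
    print(f"24-char random password: about {entropy_bits(24):.0f} bits of entropy")
```

Running it flags `email` and `bank` as reused and short, while the generated `forum` password passes with roughly 157 bits of entropy.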

Here's an example of why this shit is important.

  • soufatlantasanta [any] · 4 years ago

    I know this is some dumb techno nerd shit, but I have an older machine where I keep my passwords in a txt file on an offline encrypted netbook with SELinux running on it. Can't access any of them without the master, and I change my passwords every 6 months, so there's way more incentive for me to memorize them all since running to the password laptop gets annoying. I know it's way more cumbersome, but the idea of having all my passwords in the cloud makes me very uncomfortable.

    • captcha [any] · 4 years ago

      I was doing this with a gpg encrypted CSV, then I discovered the standard Unix password manager, pass. It's only a gpg+git script.

    • dpg [he/him] · 4 years ago

      you can use https://www.passwordstore.org/ to make this more sane.

    • invalidusernamelol [he/him] · 4 years ago

      Memorizing your passwords is bad opsec. Like I don't think you're gonna be tortured for your chacha password, but if you're doing anything else that needs security, not knowing is much more secure. Really long random character passwords that you never see is best. Also, enable a panic mode on your password manager so you can scuttle it if need be. An online one can be scuttled from anywhere. But a local one can't.

      • LibsEatPoop2 [he/him] · 4 years ago

        or be like me and have a long ass random password you type constantly that you never remember cuz it's all muscle memory at this point. like, that's the shit with my phone - i literally don't know what the password is.