< Index

Use a Password Manager!

Please use a password manager! I know many people don't use one, and I wonder how do they not get hacked daily. Some people (including me in the past) even reuse the same password on every website!

I know why that happens. People are lazy. They don't want to keep track of all of the different passwords they have, so they keep a single one. Some services have different password requirements, on some services they get hacked - and the service forces them to use a different password. They end up having around five different password variations - why further complicate things by keeping a separate password for every site - it would be impossible to remember!

Well, consider a simple situation. It's not that rare you have to register an account on a new website, right? So, what if the site you registered on had an Evil owner that logged your password in their database? Even if they aren't evil - if they store it insecurely, a hacker might get access to that database and crack your password from a hash, or worse, the hacker will simply not have to do anything extra as your password will be stored in plaintext. That happens fairly often, you can check out Have I Been Pwned to see if your passwords are in the database. There are paid services that can show you the exact password, and password databases are easy to find online - even if your password isn't there yet, if you keep reusing the same password, it's just a matter of time until it ends up there.

So, how do you solve it? That's easy - use a password manager. It can keep track of your passwords, it can generate new long and secure passwords for you (don't worry, you won't have to enter them manually), it can keep track of your 2FA codes, it can store your ssh keys and other information used for authentication, it can integrate with your browser to enter passwords automatically, it can let you keep track of the passwords you had been given by other people, or help you pass your passwords on to other people after you die. There's no reason not to use one!

"I'm convinced! So, which password manager do I use? There's so many!"

As a rule of thumb, if a security/privacy-focused product isn't open-source, it isn't even worth trying. With that in mind, consider one of the following password managers:

Bitwarden - an online service that you can self-host, but don't have to - they offer free personal accounts! They offer desktop, mobile and web apps, as well as a CLI tool. Despite the fact your passwords are stored in the cloud, they are encrypted with a "master password", so rest assured! This is the best option if you simply want to start using a password manager without too much hassle, and keep all of your passwords synchronized across devices.
KeePassXC - this password manager doesn't utilize a cloud service, instead, it works with a common .kdbx password database format, and you can decide where to store the file for yourself! Just like with Bitwarden, the database is encrypted, you have to enter your master password to access it. That's the application I personally use - it has advanced features like freedesktop.org Secret Service and SSH agent integration too, so you might be interested in it if you want to have more flexibility in how you use your password manager.
- There are mobile apps for opening .kdbx databases too, like KeePassDX (Android) and KeePassium (iOS).
- You will have to find a way to sync passwords across devices - whether it's a proprietary SaaS like Google Drive or Dropbox, or a self-hosted solution like Nextcloud or Syncthing.

No matter which one you pick, as long as your master password stays safe, your chances of getting hacked will drastically decrease!

But there are other attack vectors - for example, if an attacker gets access to your Email account or phone number, they can simply reset your password. Make sure to enable 2FA wherever possible. If the attacker is physically near you, they can simply capture you entering your master password on video - in that case, using a physical key such as NitroKey, SoloKeys or OnlyKey may be useful - even simply using a USB drive with a keyfile on it might be beneficial. Know your threat model and act accordingly!

Have any comments, questions, feedback? You can click here to leave it, publicly or privately!

Your name? (Leave empty to stay anonymous).

Want pseudo-authentification?

Optional tripcodes are supported: if your nickname contains the # symbol followed by a code (example: AzureDiamond#hunter2), the code will be hashed and appended after your username to ensure some kind of authenticity (example: the previous example will turn into AzureDiamond#3N3HRQJ4); make sure not to reuse your real password as the code (In fact, never reuse passwords at all, not just on this site).

Private message to me:

Public comment:

What is my email? Hint: it's written on the homepage.