GM’s only fault here is not allowing 2FA: use different passwords for different sites, folks
Bitwarden is dead simple, once set up and explained, my 90 YO aunt uses it daily no issues.
Just pick a password manager and use it. I don’t even know my passwords and they’re all different.
Plus non-SMS 2FA if possible
LOL, that’s exactly how I ‘sold’ it to her…‘you don’t have to remember a bunch of crap, just one password.’
Most of the time just a fingerprint
Yep…until you’re 90. Then the screen won’t even detect your finger anymore. Damnedest thing.
Fingerprints wearing off is God’s way of telling you to start criming
Now you tell me…
I have to look into this. I have never heard of it until your mention. I use a hardware authentication device but still manually enter complex passwords from my list (stored in a safe). I need something simple. I have never used a password manager after reading that one (or perhaps two) of the largest was/were hacked? I do not know if I remember that correctly.
An off-topic question, but how are passwords for phones handled?
You’re not wrong, several have been hacked over the years
This is the Off Ramp so off topic is relative, but it’s a lot like leasing, it comes down to personal trade-offs.
I use several pw managers, I prefer ones where the password vault is in my custody (not a SaaS), even if I store the vault on a cloud provider of my choosing. Wherever I choose to store the vault supports both data at-rest and transport encryption, in addition to whatever the password manager uses to encrypt its vault. Any device I sync the vault to uses DAR (FileVault, Bitlocker, etc), is patched regularly and backed up. Passwords inside the vault are rotated at some interval, are as large as possible, some are line noise like
and some are dictionary concats
Password manager itself preferably supports 3FA (+biometrics), things the passwords are for use 2FA where possible (I go back and forth about combining the 2FA tokens into pw manager): hardware keys > app keys > sms
You can easily make yourself crazy with layers of transport encryption (e.g. if not my wifi/dns, what vpn/dns do I use?) and what algorithms get used, key size, etc.
Like any security technology, you can build a fortress and still leave the side open by mistake. Auto locking and automation can help, diligence is essential. But if some freeware running on your computer manages to ship your password vault off to Bulgarian teenagers, you still lose.
My last uninvited guest visited through BlueStacks, which luckily was chroot jailed from everything else. I still burned down my computer afterwards and rekeyed everything. Slightly more extreme drill of what happens when anything goes in for service.
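The post above mentions two ways of filling a vault: random "line noise" and dictionary concatenations. The script below is an added example (not from this thread or any poster) that shows how the two compare on entropy: how many random printable characters versus how many dictionary words you need to reach the same target, and how to generate either with the OS CSPRNG. The word list in the code is a constructed toy sample; the 7776-word list size used in `compare` is the common diceware size and is an assumption about the list a real generator would use, not something from the post.

```python
import math
import secrets
import string

# Printable ASCII without space: the alphabet for random "line noise" passwords.
LINE_NOISE_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list. A real generator uses thousands of words
# (a 7776-word diceware list gives ~12.9 bits per word); the entropy math
# below depends only on the list size, not on the particular words.
SAMPLE_WORDLIST = [
    "anchor", "basalt", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kelp", "lagoon", "marble", "nectar", "orchid", "pebble",
]


def entropy_bits(alphabet_size: int, picks: int) -> float:
    """Entropy of a secret built from `picks` independent uniform choices
    among `alphabet_size` symbols (characters or words)."""
    if alphabet_size < 2 or picks < 1:
        raise ValueError("need at least two symbols and one pick")
    return picks * math.log2(alphabet_size)


def picks_for_target(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform picks that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_line_noise(length: int, alphabet: str = LINE_NOISE_ALPHABET) -> str:
    """Random-character password drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_concat(n_words: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Passphrase of `n_words` uniformly chosen words joined by `sep`.
    Entropy comes from the number of words times log2(len(wordlist)), so the
    separator and capitalisation add nothing unless they are also random."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(target_bits: float = 128.0, wordlist_size: int = 7776) -> dict:
    """Length each style needs to reach the same entropy target.
    `wordlist_size` defaults to the assumed diceware list size."""
    chars = picks_for_target(target_bits, len(LINE_NOISE_ALPHABET))
    words = picks_for_target(target_bits, wordlist_size)
    return {
        "line_noise_chars": chars,
        "line_noise_bits": entropy_bits(len(LINE_NOISE_ALPHABET), chars),
        "words": words,
        "words_bits": entropy_bits(wordlist_size, words),
    }


if __name__ == "__main__":
    print("line noise :", random_line_noise(20))
    print("passphrase :", dictionary_concat(6))
    print(compare())
```

Both styles reach 128 bits with either 20 line-noise characters or 10 diceware words; the passphrase is longer but typeable, which matters for the few passwords you still have to enter by hand (the vault master password itself).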
I appreciate your time in helping. While I do not reuse passwords, and my passwords are robust, I do not change them as often as I should. My paid credit monitoring alerted me to one of my email addresses (with credit card links) on the dark web and its password. I do not know how it happened as I have it linked to a physical security key, and I never click links (of any kind). I honestly have lagged on moving to a password manager solely out of fear of the hacks. I will reread your detailed reply as often as it takes to feel comfortable with the idea. I have already read the first link and find it extremely helpful.
You did not have to be so helpful, but that is the great thing about this community. I needed a breakdown (Google links and searches only made me leery). Thank you for giving that to me.