general password privacy advice re: twitch hack 

you should have all of your passwords be different, randomly generated, and stored in some secure database.

for people whose threat models require offline storage (read: almost nobody), there's KeePassXC, but in most cases you should be using a third-party cloud password database since it helps ensure you don't lose it. you also should be using a browser extension to auto-fill passwords, since it's both convenient and adds an extra layer of protection by not putting passwords in the clipboard by default.

I recommend BitWarden since it's cheap, open-source (and hence easily auditable by third parties), and has pretty nice browser extensions and mobile apps, but there are also people who use 1Password and LastPass, both of which have been vouched for by security folks.

if you're the kind of person who likes remembering passwords, I recommend using the built-in generator for your password DB, since most of them offer passphrase options which will be easier to type out manually if needed, but still don't have to be remembered. see: xkcd.com/936/

most password database tools also offer storing 2FA secrets as well, meaning that you can use it like an automatically backed-up authenticator app. in most cases, instead of scanning a QR code, you can copy the secret token for the 2FA directly and store it in these databases, while still being able to generate the numbers needed for most apps.

clarification re: password privacy advice 

I also should clarify, when I say that BitWarden is cheap, I mean that it's free for individuals with around a gig of storage (plenty for passwords, can even store some documents if you need to), and I think it even lets you create one organisation with two people so you can share things back and forth without sharing an account.

if you want to create an org with more than two people, it's like $10 a year from the start and doesn't get too expensive. there's also the option to self-host if you're tech-savvy, but using the default hosted one is just as good.

specific clarification of keepass re: password advice 

since KeePass used to be the only option, a lot of people still use that and just back up their database file on some cloud provider.

for everyone except those who are more tech-savvy and understand the exact downsides, I highly recommend transitioning to another provider. for example, I introduced my mother to KeePass years ago when it was the only option and she managed to make this flow work, but I helped transition her to BitWarden recently since it's way easier, the apps are much more maintained, and you don't have to worry about manually tracking versions of your passwords. it's very easy to accidentally save the wrong version of the database and lose passwords, which doesn't happen if the whole database is managed for you.

I personally also migrated to BitWarden and prefer it, since it has easy KeePass import. most services will as well since they know that for a lot of people, they used to use KeePass because it was the only good provider for a while.

general password privacy advice re: twitch hack 

@clarfonthey i use keepassxc combined with a file synchronization service (nextcloud in my case), is this a good idea?

re: general password privacy advice re: twitch hack 

@devurandom in general: not really. the apps for keepass aren't nearly as good as the alternatives, and pretty much all the alternatives offer keepass import. you still have the issue of making sure you have the right version of the database, which in some cases means dealing with lost passwords.

that said, for someone more tech-savvy, it's not as big of a deal. for someone like my mother, who I introduced to KeePass years ago, I helped transition her to BitWarden since the better user experience was 100% worth it. it's very easy to migrate over the whole database.

Toot.Cat