I've cracked billions of #passwords from tens of thousands of #data#breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employees aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
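A worked version of the advice in the post above (a Diceware-style passphrase of four or more words, 14-16 character random passwords, and a PBKDF2 iteration count of at least 600,000), added here as an example; it is not the poster's code or Bitwarden's. The word list is a constructed sample, and the PBKDF2 call with an email address as salt only illustrates what the iteration count costs per guess; it is not a claim about Bitwarden's own key derivation.

```python
import hashlib
import math
import secrets
import string
import time

# Constructed sample word list. A real Diceware list has 6**5 = 7776 words;
# the entropy figures below use that full size, not this short sample.
SAMPLE_WORDS = ["acorn", "badge", "cabin", "daisy", "eagle", "fable", "gavel",
                "hazel", "igloo", "jumbo", "kayak", "lemon", "mango", "noble",
                "oasis", "panda", "quilt", "raven", "sable", "tulip"]
DICEWARE_LIST_SIZE = 6 ** 5
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def diceware_passphrase(words=SAMPLE_WORDS, n_words=4, sep=" "):
    """Pick n_words uniformly at random with the secrets module (a CSPRNG).
    random.choice() is seeded predictably and must not be used here."""
    if n_words < 4:
        raise ValueError("use four or more words, as the post recommends")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length=16, alphabet=PRINTABLE):
    """Generate a password of at least 14 characters from a CSPRNG."""
    if length < 14:
        raise ValueError("use at least 14 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent uniform choices from a pool of pool_size.
    4 Diceware words ~ 51.7 bits; 16 random printable characters ~ 104.9 bits."""
    return picks * math.log2(pool_size)


def derive_master_key(password, salt, iterations=600_000):
    """PBKDF2-HMAC-SHA256 at the post's recommended minimum iteration count.
    Returns (32-byte key, seconds taken). Every extra iteration the user pays
    once per unlock, the attacker pays once per guess, so raising the count
    slows GPU cracking by the same factor."""
    start = time.perf_counter()
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                              iterations, dklen=32)
    return key, time.perf_counter() - start
```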
If you're using #bitwarden, make sure to change the KDF algorithm to Argon2id^1 which is much more robust against GPU-powered attacks compared to its counterpart.
Primary storage is via #bitwarden with a local #vaultwarden installation (both need to be at least version 23.10).
Secondary storage is a #yubikey 5 NFC which I carry with me. This one allows me to use the passkey on my iPhone (iPad not tested yet).
Tertiary storage is another (cheaper) Yubikey which is deposited in a safe at home
Both Yubikeys are protected by a PIN which my wife knows. That way I cannot lose access to my account and have taken precautions in case I become incapacitated.
But this setup requires quite some time for each web site to switch to passkeys. That's why I am so angry with companies like Paypal who make it practically unusable.
I highly recommend BitWarden as a password manager. It is free, open source, and has a great range of apps and APIs. The one thing it doesn't have is a way to sort your accounts by creation date. I now have over a thousand accounts that I've added - so I wanted to prune away […]
Same API, same features, same UI, and support for other DBs than MSSQL.
One single stand-alone application vs. Bitwarden’s 10 Docker containers. 70MB of RAM vs. 2GB. 3MB of db storage vs. 300MB.
Why was a password manager supposed to take so many resources in the first place? Just because it runs on a Microsoft-only stack and on .NET’s inefficient VM? Just because somebody thought that it was a good idea to separate everything into different containers (even icons and 2fa are modeled as separate services in Bitwarden)?
It reminds me of my recent migration from Mastodon to Akkoma. I got more features, 5GB of RAM freed up and 300GB of storage freed up almost overnight.
Writing and running inefficient software that pointlessly consumes all the resources available on a machine should be a crime in a world with limited resources.
It makes me think of how much shitty bloated software like @bitwarden, probably based on awfully inefficient languages and frameworks like Java, Ruby on Rails and .NET, is running out there, pointlessly sucking up resources for doing simple jobs that could easily be done with 99% less resources.
Today’s developers, spoiled by IDEs, powerful machines, docker-compose and shortsighted “just throw more RAM at the problem” approaches, have forgotten how to write efficient software. Time for them to learn how to write good efficient software again. Software doesn’t eat the world. Only shitty software built on shitty frameworks does.
Since I am not celebrating this day for some reasons, I have time to code while my family is asleep. In the last hour, I implemented the wrapper functions for setting up/logging in/unlocking accounts and saving state to the db for the #BitWarden#LinuxMobile client.
We are getting somewhere.
Some GUI stuff and decryption is still on the list before you can check out the code.
Is #bitwarden a good alternative to #1password? Or what is the best way to have a password manager on Mac, iPhone and Linux with hosting and Family support?
Somewhat inspired by @theprivacydad's most recent blog post, here's a list of privacy-friendly software that "just works" about as well as (if not better than) more invasive alternatives, even for the relatively non-tech savvy:
I notified #LastPass in early May that they have a security error on their homepage. It's still there. They don't care. They also wouldn't have the problem if they didn't have so many trackers on their homepage.
#1Password and #BitWarden are better options for password managers, among others.
Oh, so 100 million in venture capital for #Bitwarden. Do I have to talk my mother-in-law into yet another password manager soon? 🙄
Previously, you had to pay for Bitwarden’s premium plan to add 2FA for your stored logins. Bitwarden is claiming they are the only password manager to now include 2FA logins for free.
As a paying customer, I’ve long been using Bitwarden’s 2FA for logins, a ...continues
My first (very incomplete and WIP) iteration of my #MobileLinux#BitWarden client. It is usually not ready for others to use, but I need to publish it to stay motivated.
Works with #VaultWarden as well. You have to build it from source though, for the time being.
My fellow fedizens, I have done it.
I have applied #BitRitter to https://nlnet.nl/propose/ in the category "Open Call". Well, at least 2 features I want to implement.
Wish me luck.
If you have an awesome Mobile FOSS Project, maybe you want to apply too? Deadline is 2024-06-01, so this Friday. The application process took me about half an hour, so that's doable.
As announced several months ago, the #bitwarden password management service and #etherpad for #scritturacollaborativa (collaborative writing) migrated at midnight on 24/1/24 and are now available here:
:bitwarden: https://vaultwarden.devol.it
It is essentially the same open source software, 100% compatible with bitwarden; the project was renamed by its developer.
Just finished helping my grandfather solve some of his issues with #thunderbird. He didn't know how to create lists of contacts. I quickly set this up and closed maybe 1000 tabs (I don't know how he opened that many). I was also surprised to see he still uses #Firefox, although all his extensions were gone. Reinstalled #Bitwarden, #uBlockOrigin and #istilldontcareaboutcookies. Now he's fully open sourced again. He even mentioned that he thought about sponsoring Thunderbird.
Everyone I recommend setting up a vault in the #bitwarden app, I immediately also advise to buy a USB stick for 20-30 zł and make encrypted backups from time to time, yet I don't have any myself :D
Time to change that! I bought a small SanDisk, created an encrypted container with #veracrypt and dumped the backup onto it.