Technology @lemmy.world ModerateImprovement @sh.itjust.works 3mo ago

Google Says Sorry After Passwords Vanish For 15 Million Windows Users.

www.forbes.com Google Says Sorry After Passwords Vanish For 15 Million Windows Users

Google’s Chrome password manager makes security easier. Until a bug makes your passwords disappear, that is. Here’s what you need to know.

186

Google @lemmy.world GreenEngineering3475 @lemmy.world 3mo ago

Google Says Sorry After Passwords Vanish For 15 Million Windows Users.

www.forbes.com /sites/daveywinder/2024/07/28/google-says-sorry-after-passwords-vanish-for-15-million-windows-users/

19 3

186 comments

I guess now is as good a time as any for them to start using a proper password manager.

Personally, I recommend Keepass - it has multiple clients for all platforms, and you can keep the file in sync with a program of your own choosing, like Dropbox, syncthing or whatever you like.
- Bitwarden is probably a more pragmatic choice for most users, given that it's free and without having to manage the syncing yourself.
  
  Any password manager is better than the alternative, though.
  
  I'm not sure what you're comparing it to. Keepass is free too, in fact it's open source. In my opinion, local software and database that is under your control is always superior to cloud.
  
  Keepass over Bitwarden offers a lot of plugins and integrations, again, if you want more customization or automation.
  
  But, I would say you can use any online password manager as long as it's end to end encrypted, so Bitwarden is a good choice.
- Keepass XC on PC, Keepass DX on Android, Syncthing to sync database
  
  Works flawlessly!
  
  Most amazingly, this setup is also unexpectedly resilient against merge conflicts and can sync even when two copies have changed. You wouldn't expect that from tools relying on 3rd party file syncing.
  
  I still try to avoid it, but every time it accidentally happened, I could just merge the changes automatically without losing data.
  
  I store my DB in Dropbox and use KeePass2Android on phone which has built in Dropbox sync.
- Vaultwarden ftw
  
  Exactly! Self hosted FTW. Chances of a data breach.... Typically pretty minor if you are smart.
  
  +1 for a self-hosted Vaultwarden instance. If you’re technically capable and have extra hardware laying around this is the best way to go.
- Shoutouts to paper and pen.
  
  Keep the booklet in a safe place.
  
  If you never, ever need your passwords outside of your home, that's great advice - it's as secure as can be against digital theft. Less so against fire though, and backups are out of the question.
  
  Typically, the drawer just below the keyboard (in my experience)
  
  This is the first suggestion here that's actually within the technical abilities of most people, even most Lemmy users.
  
  The level of technical knowledge some of people here seem to think the general public has is absurd.
- Never trust your credentials to a private company, they could be bought out by state actors.
  
  Never trust your credentials to yourself, you can be bought out by beer, poor decisions, and tripping over the cables connected to your home server you cobbled together.
  
  The xz compromise having demonstrated that FOSS projects are totally immune to interference from state actors...
I put all my passwords in a text document, then print it on a little strip of paper and shove it up my ass. Whenever I take a crap, I dig it out from the turds and try to memorise some of them again. Then I shove it back up there where noone else can find my data and I won't lose it.
- Ah yes, KeepAss
  
  Spectacular
  
  I'm scared of downloading after that Mexican party
- sh.itjust.works
- Forgot to mention I delete the text document and set fire to the computer's hard drive. The passwords are only ever in my ass, with the rest of my personal shit.
  
  Following up your own shit post with another shit post is shit post gold.
- This tracks very close to my idea of the suppository flask stick.
- Have you ever tried anal, my beautiful gentleman?
  
  Sounds like a security risk.
  
  Maybe, but it would have to be personal and in my ass if I had or ever did.
Bitwarden here. Works well.
No $10 gift card?

Lame.
"Chrome users" or "Chrome under windows users" would be closer to the truth. Still, quite a screw up.
- Something like 2/3rds of the world uses chrome for desktop. I'd bet that number is higher for windows specifically. If you're the rare person who doesn't use chrome then you're savy enough to know this doesn't apply to you
"Here's what you need to know" - Avoid anything Google.
- And backup your password vault
No-one should be using any password manager built into any browser, neither Chromium-based nor Firefox-based. Browser password databases are almost trivially easy for malware to harvest.

Go with something external, BitWarden or 1Password, or if you are entirely within the Apple ecosystem their new password system built into iOS 18 is apparently really good.
- Go with something external, BitWarden or 1Password,
  
  When it comes to security software, I usually recommend sticking to open-source solutions, which is why I'd recommend Bitwarden over 1Password. Their whole stack (backend, frontend, and native apps) is all open-source. A premium account is well worth the $10/year.
  
  You can self-host their server, or self-host Vaultwarden which is an unofficial API-compatible reimplementation of the Bitwarden backend designed to be lighter weight. Note that Vaultwarden is unofficial and hasn't gone through the same security audits as Bitwarden has. It's a good piece of software though.
  
  Use ButWarden myself for a login-only subset of my KeePass content. I absolutely recommend it every chance I get, but some people prefer 1Password because reasons. And 1Password is pretty much the best closed-source option out there, which is why I do so… anything to give people options that keep them away from clusterf**ks like LastPass.
- I use Keepass. Free, secure, great.
  
  That's what I used before 1password. The UI is a bit finicky but it works great. Plus you can shove it into DropBox or other various cloud sync things to get a "cloud" version lol.
  
  I have that as an offline DB. Holds 100% of all creds that can go offline (no 2FA, unfortunately) and a bunch of extra stuff that most other managers aren’t flexible enough to do.
- What makes the built-in database easier to attack than a separate one?
  
  What makes the built-in database easier to attack than a separate one?
  
  For performance reasons, early versions weren’t even encrypted, and later versions were encrypted with easily-cracked encryption. Most malware broke the encryption on the password DB using the user’s own hardware resources before it was even uploaded to the mothership. And not everyone has skookum GPUs, so that bit was particularly damning.
  
  Plus, the built-in password managers operated within the context of the browser to do things like auto-fill, which meant only the browser needed to be compromised in order to expose the password DB.
  
  Modern password managers like BitWarden can be configured with truly crazy levels of encryption, such that it would be very difficult for even nation-states to break into a backed-up or offline vault.
  
  It's protected by the user's login password. If an attacker can steal that or knows it already, the passwords are all there for them to see.
  
  Bitwarden (on the other hand, for example) has 2FA options to unlock the database.
Keepass has been working with no issues
- All of them are vulnerable to bugs though. Just a matter of luck.
  
  Which bugs breaks Keepass encryption?
Recently started using Bitwarden and it works really well. You can even ditch authenticator because it has OTP built in too.

I selfhost it though because I trust nobody with this type of sensitive data, encrypted or not.
- By storing your passwords and otp in the same place it becomes 1 factor authentification
  
  Not really as you're still protected from password breaches, which is most likely to happen anyways, especially if you self host.
  
  If you're actively being targeted for your bitwarden password, you likely have bigger problems
  
  Not if you use 2 factor to access the password manager.
  
  Technically yes if my vault gets compromised I would be fucked. I have it firewalled tho and only accessible from home (or VPN to home). So should be pretty secure. I used google authenticator but found it a major pita (can't even search entries on Android, wtf?). If they make this more user friendly I'll gladly switch back to a seperate OTP store.
  
  Modern problems require modern solutions
- I was thinking about self hosting but I was worried it would be less secure. I don't really know a lot about setting that kind of thing up (I do have programming experience but don't have a lot of server hosting experience outside of doing it for games like Minecraft) and I feel like I'd mess it up and it would be a lot easier to get into than a hardened server. Especially cause the odds I get a virus or something is probably higher then the odds someone breaks into bitwarden's server. Idk if I'm wrong about this, would love to be corrected if I am, was just my initial thoughts when I switched over from a different password manager to bitwarden.
  
  If you don’t trust yourself 110%, don’t host it yourself. Too risky. I self-host everything, but I leave email and passwords to someone else because it’s just too important.
  
  I think the bigger thing to worry about is, what would happen if your server fails or is destroyed? Would you have a backup of all your passwords? And if yes, are those backups updated regularly and stored in a safe place that also won't get destroyed if the server gets destroyed (like, say, a house fire)?
  
  Then, yes, you got the cybersecurity angle too
  
  It's a lot to think about for something as important and fundamental to everything you do on the internet as passwords (and accounts)
  
  It's pretty easy to setup using docker, you do need to know that ofcourse and how to setup dns and stuff.
  
  I have it firewalled so my vault is not accessible from the internet, only from home or vpn to home.
- so no more authy? BITWARDEN HAS THAT BUILT IN???? thats AWESOME
  
  So does keepass
  
  Yep, and Vaultwarden too!
  
  Though the most secure practice is to store them separately.
  
  It is a paid feature though if you don't selfhost
  
  Yep, for only $10 per year. But just make sure to keep backups of your vault and/or make an emergency kit.
- And it can also store passkeys to effortlessly sync between desktop/Android/iOS
A friend has a notebook next to her computer with all her passwords in it. Initially I was horrified - what if you're burgled? - but actually it's genius. Much more secure than letting a browser remember them, and she doesn't even need to memorise a Bitwarden password.
- In a household it's probably not that bad. There aren't many people breaking into homes looking for account details.
  
  I've had my identity stolen several times, and every single time it was stolen from a Fortune 500 company.
- I just make all of my passwords password123 then I don't have to worry about memorizing them
  
  *********** that’s what I see
  
  Ah, my girlfriend's approach. No matter how much I show her a pwned password or set her up on my Vaultwarden, she's not interested
  
  Yeah, these newfangled password requirements ruined my life. I refuse to sign up for any website that doesn't let me use hunter2.
- Just add the same memorized bit to the end. Something simple like "123" would work. Even if the book is stolen it won't do them any good.
  
  Kind of like salting.
  
  That's an excellent idea! I'll mention it to her.
- It's a primitive password manager, primitive because unencrypted and not integrated into your devices, but far better than not having a password manager.
  
  Assuming the laptop is running bitlocker (often on by default), has a user password, and is offline, that's pretty decent.
- My mom told me that she was made fun of for having a book of hand written account credentials related to running her business (6 people total). I told her it was the best way to do it that wasn't massively overcomplicated for her situation and to keep it up. The only recommendation I made is that she use different long passwords for every site since she's already not memorizing them.
  
  Personally I'm not convinced this isn't the best way unless you're being targeted by physical bad actors
  
  Where is this book? In the office? I'd say that's absolutely horrible. If it's at home I think that's more okay.
- What if the notebook gets destroyed or lost, though? That's my biggest concern here
- feel like "aaand it's gone" would fit better here
Premium Bitwarden is so cheap and effective that I find it difficult to justify using an alternative.
- Keepass with syncthing is completely free and doesn't rely on cloud hosting
- Still. Back it up
  
  Not a bad idea to back up to a json, but every computer you've used has a local encrypted copy you can export from using the app or extension.
  
  Well sure... I have a local offline encrypted copy, rather than a whole separate password manager.
- I self host my own Vaultwarden instance (a bitwarden server written in Rust) and it's more reliable than Google's password manager.
- I use encfs and sync it to dropbox etc. Then use gopass password manager to store password in the encfs folders. Not fully auto-integrated but good enough for me.
No password manager is 100% safe. Make back-ups.
That's definitely a change from companies just leaving passwords around for anyone to find.
Me when I don't use Chrome, I don't use Windows, and I don't use browser password saving either
Switches to Proton Pass
- I switched to Pass recently after having used Bitwarden for a couple years. I'd say Bitwarden still has a slight edge in terms of features, but Pass has gotten good enough and it's included in my Proton subscription.
They didn't vanish, it's just that now only Google has them.

186 comments