Recycling your passwords is a bad security practice ❌
Why not use a password manager to help with generating and maintaining passwords?
In this episode of the #OSINT show, host @IntelTechniques revisits password managers and #2FA 👇
Why not use a password manager to help with generating and maintaining passwords?
In this episode of the #OSINT show, host @IntelTechniques revisits password managers and #2FA 👇
Recommendations For Password Managers
Previously
🔹 Have always recommended @KeePassXC or @Bitwarden:
🔸 KeePassXC: A completely offline tool. Reserved for extreme scenarios
🔸 Bitwarden: A secure password manager that synchronizes your password database across multiple devices
Previously
🔹 Have always recommended @KeePassXC or @Bitwarden:
🔸 KeePassXC: A completely offline tool. Reserved for extreme scenarios
🔸 Bitwarden: A secure password manager that synchronizes your password database across multiple devices
Now
🔹 Online password managers have advanced quite a bit
🔹 Every reputable password manager encrypts everything on your machine before it goes into the database
🔹 Does not recommend LastPass, 1Password, Dashlane
🔹 For people new to password managers, he recommends Bitwarden
🔹 Online password managers have advanced quite a bit
🔹 Every reputable password manager encrypts everything on your machine before it goes into the database
🔹 Does not recommend LastPass, 1Password, Dashlane
🔹 For people new to password managers, he recommends Bitwarden
Usage Of A Password Manager
🔹 A password manager is used to:
🔸 Generate all your passwords
🔸 Maintain all of these passwords
🔹 If you have a weak password policy, this is a bad practice. At some point, you are going to get breached
🔹 A password manager is used to:
🔸 Generate all your passwords
🔸 Maintain all of these passwords
🔹 If you have a weak password policy, this is a bad practice. At some point, you are going to get breached
🔹 Some people have passwords that are 250 characters long. This is overkill
🔹 For him, his passwords have a minimum of 20 characters
🔹 A lot of those older financial legacy websites ignore everything over X number of characters
🔹 For him, his passwords have a minimum of 20 characters
🔹 A lot of those older financial legacy websites ignore everything over X number of characters
🔹 When these websites make a change and look at the first X number of characters of your password against what they have on file, it could cause issues
🔹 He doesn’t use special characters on a lot of his passwords. Bank accounts might not be able to read special characters
🔹 The only thing you need to remember is the master password for the password manager
🔹 The only thing you need to remember is the master password for the password manager
Benefits Of @Bitwarden
🔹 Their free package suits most new users
🔹 It has multi device sync
🔹 Works on multiple devices such as Mac, Linux, Windows, Android, etc.
🔹 It is completely open source — people are able to scrutinize their code 🧐
🔹 Their free package suits most new users
🔹 It has multi device sync
🔹 Works on multiple devices such as Mac, Linux, Windows, Android, etc.
🔹 It is completely open source — people are able to scrutinize their code 🧐
🔹 Audits from third party auditors
🔹 Their paid plan costs $10 a year. Needing a paid plan comes down to whether you need hardware token two-factor authentication
🔹 Their paid plan costs $10 a year. Needing a paid plan comes down to whether you need hardware token two-factor authentication
“I don't trust any of the companies. I trust the encryption, I trust the audits, I trust the security.”
- Michael Bazzell
- Michael Bazzell
Two-Factor Authentication (#2FA)
🔹 In the past, he said that your 2FA provider has to be separate from your password manager
🔹 In the past, he said that your 2FA provider has to be separate from your password manager
🔹 The order of 2FA are still the same:
🔸 If an online service allows you to use a hardware token, then use the hardware token first
🔸 If not, then use a software-based token that is not SMS
🔸 If an online service allows you to use a hardware token, then use the hardware token first
🔸 If not, then use a software-based token that is not SMS
Authy
🔹 @Authy is still a good product even though it’s not open source
🔹 They require a phone number
🔹 Can use a #VoIP phone number to synchronize your stuff
🔹 If you don’t like Authy, you could consider @StandardNotes
🔹 @Authy is still a good product even though it’s not open source
🔹 They require a phone number
🔹 Can use a #VoIP phone number to synchronize your stuff
🔹 If you don’t like Authy, you could consider @StandardNotes
Bitwarden
🔹 Bitwarden can handle 2FA codes within the application itself
🔹 If someone gains access to your Bitwarden account, they gain access to both your passwords and your codes. So there’s a need to properly secure it
🔹 Bitwarden can handle 2FA codes within the application itself
🔹 If someone gains access to your Bitwarden account, they gain access to both your passwords and your codes. So there’s a need to properly secure it
🔹 First, have a paid plan so that you can secure your Bitwarden account with a hardware token
🔹 Next, you have to be picky about the accounts which are not stored (e.g. primary email account) in the password manager. Could use a hardware token to secure your primary email account instead
🔹 Finally, you have to export your seed code offline
🔹 Finally, you have to export your seed code offline
Should You Use Browser Plugins?
🔹 Not a big fan of browser extensions
🔹 Recommends people to install the desktop application on their device instead of relying on the website version of the password manager
🔹 Not a big fan of browser extensions
🔹 Recommends people to install the desktop application on their device instead of relying on the website version of the password manager
Sharing Account Data
🔹 Bitwarden has the advantage over other providers
🔹 Can be split into 2 camps:
🔸 Families
🔸 Companies
🔹 Bitwarden has the advantage over other providers
🔹 Can be split into 2 camps:
🔸 Families
🔸 Companies
🔹 For families: If it’s just 2 people, the free plan should work fine. If you need the family plan, it would cost more
🔹 For companies: Can have an entire team needing certain passwords
🔹 For companies: Can have an entire team needing certain passwords
🔹 He has helped elderly clients to set up their Bitwarden accounts to automatically release their credentials X days after their death
🔹 Both parties have to have a Bitwarden account. One party has to send the other a request to be their emergency contact, with the other party approving that request
🔹 When the former dies, the latter could submit a request from their Bitwarden account to the former’s Bitwarden account to get the data
Conclusion
🔹 You have to identify the best path for yourself to take
🔹 You do not need to take the most extreme method
🔹 You have to identify the best path for yourself to take
🔹 You do not need to take the most extreme method
I hope you've found this thread helpful.
Follow us @The_ReadingApe for more.
Like/Retweet the first tweet below if you can:
Follow us @The_ReadingApe for more.
Like/Retweet the first tweet below if you can:
https://twitter.com/The_ReadingApe/status/1610305016417636352
• • •
Missing some Tweet in this thread? You can try to
force a refresh
