28
Password reuse is rampant: nearly half of observed user logins are compromised
(blog.cloudflare.com)
this post was submitted on 19 Mar 2025
28 points (100.0% liked)
Cybersecurity
6732 readers
213 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
My main issue is that it doesn't solve the "borrowing someone's computer" problem. With a hosted password manager, you can login to an online vault to get your passwords, but that's not an option with keepass.
That's a pretty rare use case though, but it is something I run into periodically.
that's a bit risky. the foreign computer could capture passwords.
however, in that use case, you could either display the password on the phone and manually enter it or use a portable keepass on a usb stick
Linux: How to run: https://docs.appimage.org/introduction/quickstart.html#ref-how-to-run-appimage Download: https://keepassxc.org/download/#linux
Windows only: https://keepass.info/help/v2/setup.html#portable
It's absolutely risky, but sometimes the risk is low enough that it makes sense, like you're at a relative's house and setting up access to some self hosted stuff. I use it sometimes on a new install/work computer where I don't want to set up the password manager long term.
The USB drive works in all those cases, but I rarely bring USB drives with me, especially since I only need to access it like 1-2x/year.
This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else's computer, I could login to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It'd be a PITA (and there are some caveats around this process), but it's certainly possible.
That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me for what to use. The whole "KeePass and manual sync" answer really only works for those folks who want to self host lots of things. And it brings its own set of risks with it. I'm the type of weirdo who is running splunk locally, feed all my logs into it and have dashboards setup (and looked at regularly) dealing with security. I have no expectation that my wife will do that and so she uses BitWarden.
I think the most important thing to convince people of is "use a password manager". The problem TommySoda brought up is very real:
The hard thing to teach people is that, you don't actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be the crazy unique 20 character, random string of letters, numbers, symbols, upper and lower case characters. And you won't care. Open the website, and either copy/paste the password or (if you password manager supports it) use the auto-type feature. There are risks to each; but, nothing will ever be without risk. Just please folks, stop reusing passwords. That's bad, m'kay.
Yeah, the level of effort required is extremely low, and it's really nice for things like sharing passwords with an SO for things where separate logins don't work.
So yeah, I use Bitwarden. I plan to self-host soon (vaultwarden), I'm just figuring out how password sharing works before I go and switch my SO's stuff over. But it's audited, FOSS, and generally the dev makes decent decisions (though I hate the new UX overhaul).
I self-host a bunch of stuff too. I am transitioning from Nextcloud to OwnCloud Infinite Scale now that I posixfs is in experimental status (I only use file hosting from Nextcloud anyway). However, my password manager has been very far down the list for me, because the level of effort required exceeds the value I'd get from it, especially compared to other things I can set up.
Exactly. Use literally any password manager that uses MFA, and set up MFA (Google Authenticator works, I personally use Aegis). I also recommend BitWarden, but there are several decent options available.
The most important thing for them to know is that passwords should be different between services, and you can and should automate that.
I use lastpass and have my vault on my phone.
But I have a hard time using someone else's browser these days . .. too many custom plugins.