
I had a friend get their Instagram account hacked recently, and it got me thinking about my own security.

 

I have a lot of accounts I use for work, and they all have 2FA set up. Would it make sense for me to use a password manager like LastPass, in addition to this? Many of them share the same password, but still require 2FA to get in.

 

The only way I can imagine this being compromised is if both the site and my phone get hacked. Is 2FA alone enough?

Work Rigs - 2015 15" MBP | 2019 15" MBP | 2021 16" M1 Max MBP | Lenovo ThinkPad T490 |

 

AMD Ryzen 9 5900X  |  MSI B550 Gaming Plus  |  64GB G.SKILL 3200 CL16 4x8GB |  AMD Reference RX 6800  |  WD Black SN750 1TB NVMe  |  Corsair RM750  |  Corsair H115i RGB Pro XT  |  Corsair 4000D  |  Dell S2721DGF  |
 

Fun Rig - AMD Ryzen 5 5600X  |  MSI B550 Tomahawk  |  32GB G.SKILL 3600 CL16 4x8GB |  AMD Reference 6800XT  | Creative Sound Blaster Z  |  WD Black SN850 500GB NVMe  |  WD Black SN750 2TB NVMe  |  WD Blue 1TB SATA SSD  |  Corsair RM850x  |  Corsair H100i RGB Pro XT  |  Corsair 4000D  |  LG 27GP850  |

https://linustechtips.com/topic/1366496-does-using-a-password-manager-make-sense/

Don't use LastPass, they went to shit after limiting things up for free users earlier this year.

Bitwarden would be a better choice if you need the same functionality as LastPass, while still being free.

Or if you want something that you manage yourself, KeePass is my personal favorite.

 

But yes. A password manager does make sense. With the number of services we are asked to sign up to these days, there's no way someone can remember a very long, complicated password for all of them; as such they would likely have maybe a handful of passwords they reuse in multiple places, and this is not secure. A unique 20+ character long password for all services, websites and what not is a LOT better for your online security than using insecure passwords that are barely 8 characters long, just enough for you to remember them or reuse them in many places.


2FA has also been shown to be possible to bypass by some more crafty hackers.

 

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB RAM: Corsair Vengeance LPX 2x16GB DDR4-3200
MOBO: MSI B450m Gaming Plus NVME: Corsair MP510 240GB / Case: TT Core v21 PSU: Seasonic 750W / OS: Bazzite


17 minutes ago, Action_Johnson said:

I had a friend get their Instagram account hacked recently, and it got me thinking about my own security.

I have a lot of accounts I use for work, and they all have 2FA set up. Would it make sense for me to use a password manager like LastPass, in addition to this? Many of them share the same password, but still require 2FA to get in.

The only way I can imagine this being compromised is if both the site and my phone get hacked. Is 2FA alone enough?

You should definitely use a password manager. It increases security by a massive amount since every site can have its own unique password. This way, when a single site is compromised, your likely 1 of 3 or 4 passwords that's used for all of your sites isn't published in a huge dump of passwords and usernames.

 

 

I use LastPass still, but that is because I have it for my entire family; it's just not worth me switching away from LastPass, too hard to get others to switch. If I was starting fresh, Bitwarden would be high on my consideration list.

Rig: i7 13700k +Contact Frame - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Crucial P3 2TB NVMe for photo work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - PTM 7950 - - XT45 X-Flow 420 + UT60 280 rads externally mounted - - EK XRES RGB PWM - - Fractal Define S2 - - DellAlienware AW3423DWF 34" -- Logitech Pro X Superlight - - Logitech G710+ - - LTT Northern Lights Deskpad

 

Headphones/amp/dac: Schiit Bifrost Multibit - -  Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x8TB WD Red RAID Z2 - - 2x 800 GB SAS SSD’s (1 SLOG, 1 L2Arc) - - 45 HomeLab HL15 15 Drive 4U - - Corsair RM650i - - LSI 9305-16i HBA - - TrueNAS + many other VM’s

 

Unifi UDM Pro in front of full unifi network infrastructure

 

iPhone 17 Pro - - MacBook Air M3


I personally don't use a password manager as you are just putting all of your eggs in one basket. I use a small number of passwords and sort them in categories (not important, sort of important, important, really important) and turn on two step verification.


A password manager is not a replacement for 2FA and vice versa. They're completely unrelated. The purpose of a password manager is to allow the use of very secure and totally unique passwords for every account, which would be impossible for you to remember without a password manager. 2FA is an extra layer of security on top of that.

CPU: AMD Ryzen 9 9950X3D · Cooler: Noctua NH-D15S Chromax.black · Motherboard: Gigabyte Aorus X670 Elite AX · RAM: G.Skill Flare X5 64GB (2 x 32GB) DDR5 6000MHz CL30 · Graphics Card: Zotac NVIDIA GeForce RTX 4070 Super Twin Edge OC 12GB · Boot Drive: 1TB XPG Gammix S70 Blade NVMe SSD · Game Drive: 2TB WD SN850X NVMe SSD · PSU: Seasonic Focus GX V3 1000W 80+ Gold · Case: Fractal Design North Mesh · Monitor: MSI Optix MAG342CQR 34” UWQHD 3440x1440 144Hz · Keyboard: EPOMAKER x Aula F99 Wireless Mechanical Keyboard · Mouse: Logitech G309 Lightspeed Wireless Gaming Mouse


You should certainly have 2FA for all your accounts, but sadly it's often not implemented well. For example, Twitch insists on using your phone number and texting you. This is a terrible system, because as Linus himself found out, someone else can get their hands on your phone number, even if they can't get your phone itself.

 

And some sites do 2FA via e-mail codes, which is even more stupid. If your password for your email is the same as for the site, and your login name for that site is your email address, then one data breach and all your data is compromised, despite 2FA.

 

So you should really have both a password manager that lets you have a different password for each site and also 2FA.


As others have mentioned, I too vote yes for a password manager, no for LastPass.

 

Additionally, you can use a password manager to store your OTP / 2FA as well.

 

Use a password manager to have completely random and strong passwords + 2FA whenever possible, then you have a very secure access control to your accounts.

 

Obviously, your password manager's master password has to be very secure, otherwise it will be the weak link.

 

JP


Everything that's really important to my work already uses 2FA, so I'm not terribly worried about that. It's something like if the host server for the LTT forum gets hacked.

 



On 8/19/2021 at 2:52 PM, aeliasov9 said:

I personally don't use a password manager as you are just putting all of your eggs in one basket. I use a small number of passwords and sort them in categories (not important, sort of important, important, really important) and turn on two step verification.

If you have a proper master password, which should be a passphrase of 5 or more words, you should be good to go. Words are faster to type anyways.
If you already use a small selection of different, categorized passwords, I recommend giving KeePass a go. It allows you to create multiple local databases, which means you can have a different password per database, and you can also have a different password per account in each database! Even more secure than ever.
You could do the same with Bitwarden by having multiple accounts, but I find it harder to manage.

 

On 8/19/2021 at 5:07 PM, Action_Johnson said:

Everything that's really important to my work already uses 2FA, so I'm not terribly worried about that. It's something like if the host server for the LTT forum gets hacked.

2FA is really secure, but it might still be hackable. I would still consider using a password manager; as I said, I like KeePass for maximum security and ease of use.
I personally use pass because it's pretty easy to use on Linux and uses OpenPGP, but it's harder to get going on Windows, so KeePass is the way to go.
 

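Two claims run through the thread: that a unique random 20+ character password per site beats a handful of reused 8-character ones, and that the master password should be a passphrase of 5 or more words. As an added example, not code from the forum or from any password manager, the block below does the arithmetic behind both and shows how a manager generates such secrets from the OS CSPRNG. The word list embedded here is a constructed 16-word stand-in; the entropy figures use the size of a real diceware-style list (7776 words, the size of the EFF long list), and the 10^10 guesses-per-second rate in `years_to_exhaust` is an illustrative assumption, not a measured number.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list; a real list (e.g. the EFF long
# list) has 7776 entries, which is the size the entropy figures below assume.
SAMPLE_WORDS = ["anchor", "basket", "candle", "dragon", "eagle", "forest", "glacier",
                "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
                "orbit", "pepper"]
EFF_LONG_LIST_SIZE = 7776

# 52 letters + 10 digits + 32 punctuation = 94 symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent uniform picks out of `pool_size`."""
    return length * math.log2(pool_size)


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """What a password manager does per site: a uniformly random string from the CSPRNG.
    Nothing here needs to be memorable, which is why it can be long and unique."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """A master passphrase: random words are easier to type and remember than random symbols.
    Its entropy depends only on list size and word count, never on how long the words are."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at an assumed offline guessing rate (illustrative value)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def compare_strategies() -> dict:
    """Entropy in bits for the strategies discussed in the thread."""
    return {
        "8 chars, letters+digits": entropy_bits(62, 8),
        "20 chars, full printable": entropy_bits(len(PASSWORD_ALPHABET), 20),
        "5 words, 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 5),
        "7 words, 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 7),
    }


def reuse_blast_radius(vault: dict, leaked_password: str) -> list:
    """Accounts a single leaked password unlocks. With unique per-site passwords this is
    always one entry; with reuse it is every site sharing that password."""
    return sorted(site for site, pw in vault.items() if pw == leaked_password)


if __name__ == "__main__":
    for label, bits in compare_strategies().items():
        print(f"{label:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    print("generated password:  ", generate_password())
    print("generated passphrase:", generate_passphrase())
    # Constructed vault: three sites, two of which share a password.
    vault = {"forum": "hunter2!", "mail": "hunter2!", "bank": generate_password()}
    print("accounts exposed by one leak:", reuse_blast_radius(vault, "hunter2!"))
```

The five-word passphrase lands around 65 bits, well above an 8-character alphanumeric password (about 48 bits) and comfortably in the range where offline guessing is impractical, while the 20-character manager-generated password is far beyond either; the `reuse_blast_radius` check is the part of the thread's argument that entropy alone does not capture.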
