Questions and options for password managers

Hi all. I've recently been diving into the world of online security. A friend of mine who is somewhat tech savvy had a major breach occur along the way, which led to a rabbit hole of his online accounts getting hacked.

So I have been looking into more security options to not only help him out, but also expand on my own knowledge and practices. I am a NordVPN user, and they have their password manager offerings. And I have done a little bit of research and I am just not sure if I should expand on my Nord account and take on their PW manager or not. I currently do not use one, mostly because to me, the idea of putting all your passwords in one place and then shooting up to someone else's server just seems absurd. I know there is usually encryption involved, and Nord touts itself as one of the standard encryption methods being used, but again... I am not really cozy to the idea of putting my entire online identity in one place; encrypted or not. And a lot of videos I have watched online all seem to come from the same people, so that tells me they are being paid by Nord to sell the product.

I have also just stumbled on passkey devices such as YubiKeys and whatnot, but they don't seem to be widely supported on everything yet.

I have decent online practices. I never leave accounts logged in on any browser (even on my home desktops), I always clear out cache, history, and cookies, and I use NordVPN regularly. I have BitLocker encryption on some hard drives as well, so I consider myself pretty solid digitally. But again, looking for ways to help out not only myself, but friends and relatives who are not very online savvy.

Thoughts, suggestions? Thanks.


Honestly, my password manager is a godsend. I can see the concern, but for me the convenience is worth it. My passwords are the longest possible based on the individual website, I can store passkeys, I can use biometrics to log in. Highly recommend.


19 minutes ago, lieder1987 said:

Honestly, my password manager is a godsend. I can see the concern, but for me the convenience is worth it. My passwords are the longest possible based on the individual website, I can store passkeys, I can use biometrics to log in. Highly recommend.

I'm just not 100% sold on this idea just yet. Storing all your passwords on an external server that is controlled by unknown just seems absurd to me. However, I could get behind the idea if a physical hardware key is required for logins to go along with it.

I know there is no 100% secured way to do things in an online world, but I just can't fathom the idea of all my online accounts getting hacked on someone else's server who didn't have proper security or encryption involved in the process. I hardly trust people I know, let alone major corporations who are known for selling data for bottom lines.


If you don't want to go with a third party, you can either use an offline password manager or host your own (e.g. Vaultwarden).

 

Of course that comes with some caveats of its own. In both cases you should have a solid backup strategy. And in the second case you should also have some understanding of how to operate and secure a web server.

 

Though the chance that someone will find an exploit in it is lower than with a big provider, which is a more attractive target.

Remember to either quote or @mention others, so they are notified of your reply


On 11/4/2023 at 11:20 AM, Eigenvektor said:

If you don't want to go with a third party, you can either use an offline password manager or host your own (e.g. Vaultwarden).

 

Of course that comes with some caveats of its own. In both cases you should have a solid backup strategy. And in the second case you should also have some understanding of how to operate and secure a web server.

 

Though the chance that someone will find an exploit in it is lower than with a big provider, which is a more attractive target.

I practice some solid backup methods. I have a good amount of offline encrypted drives I use for backups. But I do need to be able to access passwords on the go a lot, and I just don't like the idea of using cloud based ordeals for security. Especially one that lands my entire online login profiles in one location. I don't care what type of encryption or security measures these places tout. I am not one to trust many in big tech.


1 hour ago, Liberty610 said:

But I do need to be able to access passwords on the go a lot,…

In that case you need to go with the second option: host your own. Personally, I host a Vaultwarden instance on a small VPS for that.

 

It's an open source re-implementation of Bitwarden. That means it's compatible with the official Bitwarden browser plugin, as well as their Android and iOS clients. But all the passwords are stored on your own server.

 

You'll definitely want to include that server in your backup strategy, since losing your stored passwords and OTP etc. is going to suck. A lot. For example, my server creates an encrypted incremental backup on a volume provided by the hoster. Additionally a local machine periodically pulls a copy. Then creates an incremental backup on a second drive for good measure. So that's one off-site backup, and two at home.

Remember to either quote or @mention others, so they are notified of your reply
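
One consistency check that fits the backup routine described in the post above, as an added example that is not part of the thread or any poster's own setup: take the snapshot of a running server's SQLite vault through SQLite's online backup API, then verify each pulled copy by hash and integrity check before trusting it. It assumes Vaultwarden on a SQLite backend with the file named `db.sqlite3`; encryption and incremental storage are left to whatever backup tool wraps this step.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot_sqlite(live_db: Path, dest: Path) -> str:
    """Copy a live SQLite database consistently; return the snapshot's SHA-256."""
    src = sqlite3.connect(f"{live_db.resolve().as_uri()}?mode=ro", uri=True)
    dst = sqlite3.connect(dest)
    try:
        src.backup(dst)  # online backup API: consistent even while the server writes
    finally:
        dst.close()
        src.close()
    return sha256_file(dest)

def verify_copy(path: Path, expected_sha256: str) -> bool:
    """A pulled copy is good only if its hash matches and SQLite finds no corruption."""
    if sha256_file(path) != expected_sha256:
        return False
    con = sqlite3.connect(f"{path.resolve().as_uri()}?mode=ro", uri=True)
    try:
        return con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    except sqlite3.DatabaseError:
        return False
    finally:
        con.close()

def demo() -> tuple:
    """Constructed sample data: a stand-in database, not a real vault."""
    with tempfile.TemporaryDirectory() as tmp:
        live, copy = Path(tmp) / "db.sqlite3", Path(tmp) / "snapshot.sqlite3"
        con = sqlite3.connect(live)
        con.execute("CREATE TABLE ciphers (id INTEGER PRIMARY KEY, data TEXT)")
        con.executemany("INSERT INTO ciphers (data) VALUES (?)", [("x" * 200,)] * 50)
        con.commit()
        con.close()
        digest = snapshot_sqlite(live, copy)
        good = verify_copy(copy, digest)
        # Simulate a damaged transfer by truncating the pulled copy.
        copy.write_bytes(copy.read_bytes()[:-100])
        return good, verify_copy(copy, digest)

if __name__ == "__main__":
    print(demo())
```

Record the digest next to each snapshot so the machine that pulls the copy can run `verify_copy` on its side before rotating older backups out.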
