What password manager does everyone use?

I fully expect Bitwarden (and other password managers) to implement this, too.

1 Like

Yep BitWarden are part of the working groups about using it, so at some point it’ll be in the app. It’s not widely in use by sites yet anyways, so a bit to go.

1 Like

(FQDN Fully Qualified Domain Name)

Yeah but 1Password kind of ignores the subdomains.

training.mywork.com and recordkeeping.mywork.com are totally different systems but 1Password just sees mywork.com and suggests everything

This is the issue. With Bitwarden you can have separate logins defined for each subdomain with their own sets of rules.

Bitwarden may not be as pretty as 1Password but I find it far more configurable.

1 Like
3 Likes
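Added example, not part of any post above and not 1Password's or Bitwarden's code: a minimal sketch of the two matching behaviours described in the posts, using the `training.mywork.com` and `recordkeeping.mywork.com` hosts from the thread. The policy names, the vault entries and the tiny suffix set are assumptions; a real manager resolves the base domain with the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, incomplete stand-in for the Public Suffix List (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed vault entries using the hostnames mentioned in the thread.
VAULT = [
    ("training login", "https://training.mywork.com/login"),
    ("recordkeeping login", "https://recordkeeping.mywork.com/"),
]


def host_of(url):
    """Return the lower-cased hostname of a URL, without the port."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def base_domain(host):
    """Registrable domain: the public suffix plus one label."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def offers(saved_url, page_url, policy):
    """Decide whether a saved login is suggested on the current page."""
    saved, page = host_of(saved_url), host_of(page_url)
    if policy == "host":          # every subdomain is its own system
        return saved == page
    if policy == "base_domain":   # all subdomains share one bucket
        return base_domain(saved) == base_domain(page)
    raise ValueError(f"unknown policy {policy!r}")


def suggestions(page_url, policy):
    """Names of the vault entries offered on page_url under a policy."""
    return [name for name, url in VAULT if offers(url, page_url, policy)]


if __name__ == "__main__":
    page = "https://training.mywork.com/course/1"
    for policy in ("base_domain", "host"):
        print(policy, "->", suggestions(page, policy))
```

Under base-domain matching both logins are offered on the training site; under host matching only the training login is.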

I could have sworn they were adamant at the time, no customer details or vault data has been compromised. A bold claim to make at the time, especially now that wasn’t true.

How is anyone still using this company, its defences seem to be made of Swiss cheese :rofl:

5 Likes

Wow that’s bad.

Reading their post, it seems the only thing protecting the encryption is the master password. That feels like a security flaw too, I do have a strong master password but a lot of people won’t, and it can only be so strong while being memorable and quickly typable. 1Password has a secret key too - much safer - I wonder if anyone knows if Bitwarden has that?

2 Likes

My master password isn’t strong enough, which I feel like lets the whole thing down, but at the same time BitWarden wants me to type it in all the time, so I want easy.

1 Like

I stick with four random words separated with a space, all lower case. Easy to remember and quick to type on mobile and desktop, but still completely secure. Not that it matters too much because again with 1Password, that’s combined with the secret key

2 Likes

I use fingerprint auth on my phone, for laptop I have it set to work off a 4 digit PIN, so I don’t ever have to enter my master password unless I turn off the PIN option.

2 Likes

Haven’t used LastPass for a while after switching to Bitwarden, but never deleted my account - and my vault contains pretty much everything (credit card numbers, mortgage account details, passport number etc). Guess I need to go and make sure that one has a very strong password…

Once you’ve logged in with your master password you can set a PIN to use instead (or use biometrics if available). That can be done with all the components (mobile app, PC/Mac/Linux apps, browser extensions).

2 Likes

Easy to say this now, but with sensitive & personal data, if you switch services often - delete the data in the old service once it is accessible OK in the new service. I have an active Lastpass account from years ago but there are zero entries in there, as I made sure they were deleted. I would be very nervous now if I hadn’t.

1 Like

It’s too late to change the password now, in terms of the data leak. If someone has downloaded the vault, the encryption will be based on whatever the password was when they downloaded it.

I imagine LastPass will contact anyone affected, but probably best to make sure all that information is changed, especially if the password wasn’t strong.

It looks like Bitwarden doesn’t have a secret key system like 1Password does. Hmmmmm. Even with a strong password that might put me off, I do really like the 1Password system in the sense of security design - knowing my data is completely safe even in the worst case they get hacked like Lastpass was is reassuring to me.

4 Likes

Get a Yubikey and set one of the slots to be a static password. I have mine so a quick tap is for MFA and long hold is my Bitwarden password.

4 Likes

I’m in exactly the same boat as you :worried:

Totally forgot about it after switching to Bitwarden but initially kept everything in there just in case I wanted to revert back.

1 Like

Came across this blog post from a security researcher

3 Likes

Interesting read. Shocking they would be ‘securing’ some accounts with insecure master passwords only 5000 iterations in this day and age. And not securing web addresses, that’s abysmal.

Hashcat will make short work of those weak passwords unfortunately - and someone has put a lot of effort into acquiring this data so we know they are going to be cracking it.

In terms of blaming users - that isn’t something they should do, but still it’s a factor. Password managers blast you with info on how secure they are, which can be confusing but they absolutely are not a silver bullet. You still need a very secure password as the master password, generally good security practices, two factor on important accounts and email masking. And that’s an average user, if you have something that needs to be super secure (a high value crypto wallet for example) you may need to go further, like using double blind passwords stored locally only.

3 Likes
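Added example, not part of any post above and not any vendor's code: it puts numbers on the three factors raised in this thread (master password strength, the 5000-iteration setting, and a separate secret key) by expressing offline guessing cost in bits. The 7776-word list, the 600000-iteration comparison value, the 128-bit secret key and the way the key is mixed in are assumptions made for illustration; this is not 1Password's actual construction.

```python
import hashlib
import math


def derive_key(master_password, salt, iterations, secret_key=b""):
    """PBKDF2-HMAC-SHA256 vault key.

    secret_key models a random device-held value (assumption: it is simply
    appended to the password before stretching).
    """
    material = master_password.encode("utf-8") + b"\x00" + secret_key
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def passphrase_bits(words, wordlist_size):
    """Entropy of `words` words drawn uniformly at random from a list."""
    return words * math.log2(wordlist_size)


def offline_work_bits(password_bits, iterations, secret_key_bits=0):
    """log2 of the hash computations needed to try every candidate.

    Each guess costs `iterations` hashes, so iterations add log2(iterations)
    bits; a secret key the attacker lacks adds its full length.
    """
    return password_bits + secret_key_bits + math.log2(iterations)


def compare(password_bits):
    """Work factor, in bits, for the settings discussed in the thread."""
    return {
        "5000 iterations": offline_work_bits(password_bits, 5000),
        "600000 iterations": offline_work_bits(password_bits, 600000),
        "5000 iterations + 128-bit secret key":
            offline_work_bits(password_bits, 5000, 128),
    }


if __name__ == "__main__":
    bits = passphrase_bits(4, 7776)  # four random words, assumed list size
    print(f"passphrase entropy: {bits:.1f} bits")
    for setting, work in compare(bits).items():
        print(f"{setting}: about 2^{work:.1f} hashes")
```

Raising the iteration count from 5000 to 600000 adds under 7 bits of work, while a weak master password can cost far more than that, which is why password strength and a secret key dominate the result.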

Poor old LastPass. Will they survive this?

2 Likes

Found out my brother was still using LastPass yesterday. Got him to switch to Bitwarden.

3 Likes