Recently, after watching an episode of DLN and @MichaelTunnell 's TWIL, I asked myself, why do the Bitwarden sponsor spots never cover an issue that plagues most basic users? Password hygiene!
Recently, I went to Have I Been Pwned to check up on old emails and some emails of people I know. I always ask my friends, do you use different passwords for your accounts?
The startling and most common answer is that when people sign up for services, they use the same email and password combination they use to log in to those email accounts. This should be terrifying, but it’s an afterthought to most people. Utilities, banking, job, business-related, 2FA emails and personal correspondence are all now delivered and handled through email. It’s a vulnerability vector people fail to realize.
I also came across a service provided by PIA VPN called Identity Guard. Similar to Have I Been Pwned, Identity Guard allows you to set up an alert for your email accounts and shows where the breach could have happened.
So where does the Bitwarden sponsor spot come in? CHANGE YOUR PASSWORDS REGULARLY!!! I personally do not use Bitwarden, I need my Kees to Pass some requirements and the solution works for me, but I feel people need to learn to consistently change passwords on email accounts, and password managers are just for that purpose.
Phrases, numbers, random letters and numbers, and always choosing the maximum allowable number of characters should be talked about when encouraging this practice.
Password hygiene is maybe what I preach the most to my colleagues these days. I personally don’t regularly change a password if it’s unique and strong; I don’t see the point.
Firefox is also offering the same kind of service, Firefox Monitor. I was using 1Password some years ago and they offered that as well.
The only “gotcha” with unique and strong passwords is that if your email was in a hack / data breach, it doesn’t matter what the password was; that password should be retired / flagged for expiration. There are a number of companies that have finally started to hash passwords in data tables, but not many salt them. So rotating passwords is the best way to mitigate that.
Granted, utilizing a service like Have I Been Pwned, Identity Guard or Firefox Monitor is just another good tool in password hygiene.
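The hashing-and-salting point above is easiest to see in code. The following is an added example, not code from this thread or from any of the services mentioned: it compares an unsalted hash with a salted, iterated one (PBKDF2-HMAC-SHA256 from Python's standard library) over a constructed set of accounts. With an unsalted scheme, two records that share a password share a hash, so a leaked table lets anyone see which accounts reuse a password even before any cracking; per-record salts remove that correlation. All emails, sites and passwords are invented for the demonstration.

```python
import hashlib
import os
import secrets

# Constructed sample: four accounts across two sites. "alice" reuses one
# password on both sites; "bob" uses a different password per site.
ACCOUNTS = [
    ("alice@example.com", "shop.example",  "correct horse battery staple"),
    ("alice@example.com", "forum.example", "correct horse battery staple"),
    ("bob@example.com",   "shop.example",  "Tr0ub4dor&3"),
    ("bob@example.com",   "forum.example", "hunter2-unique-for-forum"),
]

# Iteration count kept low so the demo runs quickly; production deployments
# should use a much higher count (or a memory-hard KDF such as scrypt/Argon2).
DEMO_ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """Plain unsalted hash: the same password yields the same hash everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> str:
    """Salted, iterated hash. The per-record salt is stored alongside the
    digest so the same password never produces the same stored value twice."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def salted_hash_random(password: str) -> str:
    """Convenience wrapper: fresh 16-byte random salt per call."""
    return salted_pbkdf2(password, os.urandom(16))


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(candidate.hex(), dk_hex)


def correlate_by_hash(hash_fn):
    """Group (email, site) pairs whose stored hashes are identical.
    Unsalted: exposes which accounts share a password. Salted: always empty."""
    groups = {}
    for email, site, password in ACCOUNTS:
        groups.setdefault(hash_fn(password), []).append((email, site))
    return [members for members in groups.values() if len(members) > 1]


if __name__ == "__main__":
    print("unsalted groups:", correlate_by_hash(unsalted_sha256))
    print("salted groups:  ", correlate_by_hash(salted_hash_random))
    stored = salted_hash_random("Tr0ub4dor&3")
    print("verify ok:", verify_salted("Tr0ub4dor&3", stored))
    print("verify wrong:", verify_salted("Tr0ub4dor&4", stored))
```

The practical reading for the thread's argument: salting stops a breached table from revealing reuse across records, but it does nothing for a password that is reused elsewhere once it has been recovered, which is why the reply above treats the breached site's password as the one that must change.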
There seems some irony here. As someone who learned good security many years ago, I’ve simply never used the same password for anything. Which is probably why I’ve never had the following thought before now:
wouldn’t a good feature for a password manager be to point out which entries have the same password?
I’ve long used KeePass but I’ve never even thought to see if it offers that as a feature. Perhaps obviously, because it was my using different passwords for things that led me to use a password manager in the first place. FWIW prior to that I kept them in a Sharp organizer (in a password protected mode).
That said, as far as I can tell, it still seems very difficult to get them to take their passwords seriously - at all. My impression is that they expect it’s “the computer’s job,” not theirs, so most seem to rely on their web browser to auto-manage them. This quickly becomes apparent when they’re away from the browser instance that “knows” their password for this or that. With people who use a phone and a computer, you’ll see them needing to go to the right one of those to use a given service. Almost comically, very few have set up browser profiles so that those are shared across platforms.
When all else fails, they do the round of getting/resetting a new password via their email - and this is the most frequent reason their passwords might change.
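The feature asked about above (a password manager pointing out which entries share a password) is straightforward to prototype against a vault export. This is an added example, not code from this thread, from KeePass or from Bitwarden: it reads a constructed KeePass-style CSV export and reports reused passwords, weak passwords (short or low estimated entropy) and entries whose URL is plain http. Column names, thresholds and the entropy heuristic are the example's own assumptions, and the report lists entry titles only, never the passwords themselves.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample export in the column layout KeePass-style CSV exports
# commonly use. Every value here is invented for the demonstration.
VAULT_CSV = """\
"Group","Title","Username","Password","URL","Notes"
"Shopping","Shop","alice","correct horse battery staple","https://shop.example/login",""
"Forums","Forum","alice","correct horse battery staple","https://forum.example/",""
"Mail","Webmail","alice","Summer2019","https://mail.example/",""
"Legacy","Old board","alice","xK9#vQ2mLp8$wRt4nB7z","http://oldboard.example/",""
"Bank","Bank","alice","8fG!q2Lz@9Vm#kRd7Pw","https://bank.example/",""
"""

# Assumed policy thresholds for the demo.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 50


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(charset size), with the charset
    judged from the character classes present. A coarse heuristic, not a
    model of how real guessing attacks work."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(csv_text: str) -> dict:
    """Return titles grouped by reused password, titles with weak passwords,
    and titles whose URL is not served over https."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    weak, insecure_url = [], []
    for row in rows:
        password, title = row["Password"], row["Title"]
        by_password[password].append(title)
        if len(password) < MIN_LENGTH or estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
            weak.append(title)
        if row["URL"].lower().startswith("http://"):
            insecure_url.append(title)
    reused = [titles for titles in by_password.values() if len(titles) > 1]
    return {"reused": reused, "weak": weak, "insecure_url": insecure_url}


if __name__ == "__main__":
    report = audit_vault(VAULT_CSV)
    for group in report["reused"]:
        print("same password used by:", ", ".join(group))
    print("weak:", report["weak"])
    print("plain-http URLs:", report["insecure_url"])
```

Grouping on the raw password string is acceptable here because the export is already decrypted on the user's own machine; a manager that syncs vaults would compare hashes of the entries instead so the comparison never needs the plaintext outside the unlocked vault.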
Ironically, the only email I’ve ever had get pwned was through the LinuxForums.org website (vBulletin breach in 2018). BitWarden has been a godsend for generating unique randomized passwords for each of my accounts and keeping track of them all. Cannot recommend enough.
I think the next step in all this will be for sites to bake these features into their password requirements (some already do) to make their sites safer. Also, I think reaching out to sites with low username & password requirements is important.
We do frequently talk about having a different password for every single account on every website, which is a strong element of password hygiene. We do not talk about rotating much because it's not as important if every password is different, as only the single site is affected. Yes, this could be a problem if a critical site is compromised, but in those cases the sites usually force a password change.
As for why we don't cover these things in the segments, it's because they can only be so long and there is a TON of things to talk about in regard to Bitwarden that we simply don't have time for.
I think this is a reasonable approach. Sometimes changing passwords is a good thing, but for the most part it isn't needed unless something bad happens to a service or something like that. If all the passwords are unique, then they are isolated away from the overuse flaw.
I am not sure what you mean. If your email is in a data breach, that doesn't mean your email itself is affected. If people use the same email in a lot of places but passwords are unique, then getting the password for that particular site that was breached doesn’t suggest to me that passwords need rotation. Sure, the password for that particular site would need that, but not the email itself. I think the only accounts that need addressing are whatever is affected by the breach.
Yes, and Bitwarden does offer this.
The vault health reports provide helpful tools and info about your passwords if you choose to use them such as Exposed Passwords Report and Data Breach Report which is essentially a monitoring method.
You can check for duplicates in the Reused Passwords Report. You can also check for password strength of your whole vault with the Weak Passwords Report. You can scan your vault for passwords made on Unsecured Websites since some people may have an account that has existed for a while like myself and there might be some lingering in there from back in the day that only used http not https.
Then there is also an Inactive 2FA Report to let you know if there are any unused 2FA connections still hanging around.
Bitwarden is my favorite because they take security very seriously as of course they should but they also consider conveniences as well because balancing security and convenience is how you get average users willing to use a service like this. The open source code part is also freaking awesome!
By the way, Private Internet Access was purchased some time last year by a company that has a bit of sketch attached to them, so I stopped recommending them when the company was sold. All of the good will that was created by the original owners now means nothing in my opinion, because we don’t have evidence for their opinions on topics of privacy and security. All the court cases that proved what they did and didn't do are all during the era of the original owners, and with the current owners we have no idea what they are doing, so in my opinion they have to earn trust all over again.