Ugly Hedgehog - Photography Forum
Bitwarden - One Complaint So Far
Jan 22, 2023 11:27:00   #
jerryc41 Loc: Catskill Mts of NY
 
I was able to import everything from LastPass, but every time I go back to Bitwarden, I have to re-enter the password, which means I have to go back to my list and copy and paste. It seems like if I'm away for just a few minutes, I have to go back and find the password. It would be nice if I could have a one-letter password. : )

Using their checker, I see that thirteen of my sites were breached. MySpace was breached in 2008, and it was reported in 2016. 🤣 DropBox was 2012 and 2016.

Jan 23, 2023 06:04:51   #
Red6
 
jerryc41 wrote:
I was able to import everything from LastPass, but every time I go back to Bitwarden, I have to re-enter the password, which means I have to go back to my list and copy and paste. It seems like if I'm away for just a few minutes, I have to go back and find the password. It would be nice if I could have a one-letter password. : )

Using their checker, I see that thirteen of my sites were breached. MySpace was breached in 2008, and it was reported in 2016. 🤣 DropBox was 2012 and 2016.


There are several things that you could do to help make your password management easier. I have done a good bit of research on passwords and the one factor that always makes passwords stronger is length. Most of us struggle with passwords greater than 8 or 9 characters long, so most of our passwords are around that length. And we have been told that we need to incorporate random numbers, letters, and symbols to make them more difficult to crack. This is only true if we have a sufficient length in the password itself. Which makes the password difficult to remember and therefore to use. Password crackers today, using today's powerful computers and software can crack passwords of 10 characters or less in minutes.

The answer is to use passphrases. Make a phrase up such as "$Greenmonkeysflyorangefaucets7;". This phrase, around 30 characters long would take most computers thousands, if not millions of years to crack. And it is fairly easy to remember. The length is what makes it difficult to crack. Computers, despite what we see in movies do NOT crack passwords one character at a time. There is simply no way, unless you are using single words found in a dictionary, to determine a password one character at a time. The computer must try every combination of characters in a password and then try that password. A normal hacker will not spend that much time cracking a password that difficult. They will move on to easier targets with easier, more obvious passwords.

Can that passphrase be hacked? Of course it can but the average or even advanced criminal hacker probably does not have the resources, or computer power to do it. The NSA or other government agency does have these resources so it is still not 100% secure. These agencies routinely work with secure codes 128 characters and longer so 30 characters would be no challenge. But if you are interested in real security, there are encryption programs that would slow down or even hold off NSA attempts to steal your data.

The goal here is to NOT be the low-hanging fruit for the average criminal hacker. Use passphrases greater than 15 characters and DO NOT store your passphrase where it can be stolen. Most hackers are successful because they either stole your password from somewhere you wrote it down OR you used passwords such as "12345", "qwerty" or even "password".

Another alternative is to use hardware security keys. These are small hardware devices that store and carry your long, encrypted passwords that are used to unlock your computer or software. I am not familiar with these devices but they are gaining popularity for increasing the security of your data. Some, I believe even use biometrics to further secure your data.

Jan 23, 2023 06:10:45   #
jerryc41 Loc: Catskill Mts of NY
 
Red6 wrote:
There are several things that you could do to help make your password management easier. I have done a good bit of research on passwords and the one factor that always makes passwords stronger is length. Most of us struggle with passwords greater than 8 or 9 characters long, so most of our passwords are around that length. And we have been told that we need to incorporate random numbers, letters, and symbols to make them more difficult to crack. This is only true if we have a sufficient length in the password itself. Which makes the password difficult to remember and therefore to use. Password crackers today, using today's powerful computers and software can crack passwords of 10 characters or less in minutes.

The answer is to use passphrases. Make a phrase up such as "$Greenmonkeysflyorangefaucets7;". This phrase, around 30 characters long would take most computers thousands, if not millions of years to crack. And it is fairly easy to remember. The length is what makes it difficult to crack. Computers, despite what we see in movies do NOT crack passwords one character at a time. There is simply no way, unless you are using single words found in a dictionary, to determine a password one character at a time. The computer must try every combination of characters in a password and then try that password. A normal hacker will not spend that much time cracking a password that difficult. They will move on to easier targets with easier, more obvious passwords.

Can that passphrase be hacked? Of course it can but the average or even advanced criminal hacker probably does not have the resources, or computer power to do it. The NSA or other government agency does have these resources so it is still not 100% secure. These agencies routinely work with secure codes 128 characters and longer so 30 characters would be no challenge. But if you are interested in real security, there are encryption programs that would slow down or even hold off NSA attempts to steal your data.

The goal here is to NOT be the low-hanging fruit for the average criminal hacker. Use passphrases greater than 15 characters and DO NOT store your passphrase where it can be stolen. Most hackers are successful because they either stole your password from somewhere you wrote it down OR you used passwords such as "12345", "qwerty" or even "password".

Another alternative is to use hardware security keys. These are small hardware devices that store and carry your long, encrypted passwords that are used to unlock your computer or software. I am not familiar with these devices but they are gaining popularity for increasing the security of your data. Some, I believe even use biometrics to further secure your data.


Thanks. Good post. I generally aim for twelve characters.

 
 
Jan 23, 2023 10:54:40   #
neillaubenthal
 
Long time IT security guy here…you’re right, length is really the only thing that matters anymore…so some words or a phrase you made up as opposed to stole from a quote or speech or book…and then add at least 1 each upper case, symbols and digits and it can only be cracked by brute force. It is true that NSA and similar have faster computers and can crack them faster..but once you get to 25 or so characters…it would still take them far longer than your grandchildren’s lifetime to crack them…it’s just a matter of the number of possible passwords. For the vast majority of us…the expense of trying that hard just isn’t justified for the hacker.

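An added example (not part of any post in this thread) that puts numbers on the length argument in Red6's and neillaubenthal's posts: it estimates exhaustive-search work for a short password and for the quoted passphrase, and also scores the passphrase as words rather than random characters, the model that applies when a phrase is built from dictionary words. The guess rate and the word-list size are assumptions chosen for illustration.

```python
import math
import string

# Assumption: offline guessing rate, used only to turn bits into time.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: size of the word list a word-based search would draw from.
WORDLIST_SIZE = 7776


def charset_size(password):
    """Size of the character pool implied by the classes the password uses."""
    pools = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    return sum(size for chars, size in pools if any(c in chars for c in password))


def brute_force_bits(password):
    """Bits of work if every character had been chosen independently at random."""
    return len(password) * math.log2(charset_size(password))


def word_model_bits(n_words, extra_chars, extra_pool=94):
    """Bits of work if guesses are whole words plus a few extra characters."""
    return n_words * math.log2(WORDLIST_SIZE) + extra_chars * math.log2(extra_pool)


def years_to_exhaust(bits):
    """Years to try the whole space at GUESSES_PER_SECOND (average is half)."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def report(label, bits):
    return f"{label:<34} {bits:6.1f} bits  {years_to_exhaust(bits):.3g} years"


if __name__ == "__main__":
    short = "aB3$xY9!"                          # constructed 8-character sample
    phrase = "$Greenmonkeysflyorangefaucets7;"  # passphrase quoted in the thread
    print(report("8 chars, all classes", brute_force_bits(short)))
    print(report("31 chars, scored as random", brute_force_bits(phrase)))
    # The same passphrase scored as 5 dictionary words plus 3 extra characters.
    print(report("5 words + 3 extras (word model)", word_model_bits(5, 3)))
```

Under the word model the passphrase is still far out of reach at the assumed rate, but by a much smaller margin than its character count suggests, which is why the number of unrelated words matters more than the raw length.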
Jan 23, 2023 11:03:35   #
kvanhook Loc: Oriental, NC
 
Never heard of Bitwarden but it looks interesting. I will research and see if it might help me.

Jan 23, 2023 12:38:34   #
Verryl
 
My IT guy and I are struggling to restore my entire windows directory which was jumbled up by some malware that I believe (with no proof, just opinion) was from some hacker's malware installed from an infecting ad site, probably from one of the ads of Ugly Hedgehog. I say UHH, because it is the one site I read every day, and I often fall for the ads. So I don't believe that a password cracking program was involved. I think my curiosity was responsible. I don't think that a password was involved.

I use Malwarebytes Premium, which probably sensed the malware (it had a "threat" recorded but did not stop it from acting), but it did not stop it. It only sensed it, and it was prepared to clean it out of my system when I ran Malwarebytes or its daily automatic 3AM scan ran. Without too much thought by me, I had hoped that the protection program would not only sense a hack and isolate it to be cleaned out of memory, but would do so immediately, so it could stop or limit the damage to my directory.

I admit to being naive, but is there such protection--i.e., a malware program that will act automatically right away? By that I mean, 1) it senses the dangerous code, then 2) isolates/disables it, so that little or no damage occurs, and 3) probably notifies you with a screen warning displayed so a human operator can complete the protection by deleting or permanently disabling the offending code.

For example Windows warns me if I start to install a new program, and will not continue without me typing my permission in a dialog box. Why can't Windows or Malwarebytes or some other protection program do that?

This is probably a naive wish I have. If that is possible/available to provide such protection, pray tell me what it is?

I fear there is no such wonder available, or my IT guy would have installed it for me on my 8 computer network in Arizona at 3 locations, and 2 machines in California. All these computers are tied to Dropbox, so any files are available to any computer, if that computer has the program installed on it that created the file. For instance, the business accounting program is only installed on three of the machines at two locations, so only those machines can access those files.

And that brings up the question of can a hacker read any file that he does not have the program that created it installed on his machine. In other words, does the 3 or 4 letter file-naming-appendage on all file names limit that file to its creating program, or another program that was created to read it?

Jan 23, 2023 13:09:52   #
Fredrick Loc: Former NYC, now San Francisco Bay Area
 
Red6 wrote:
There are several things that you could do to help make your password management easier. I have done a good bit of research on passwords and the one factor that always makes passwords stronger is length. Most of us struggle with passwords greater than 8 or 9 characters long, so most of our passwords are around that length. And we have been told that we need to incorporate random numbers, letters, and symbols to make them more difficult to crack. This is only true if we have a sufficient length in the password itself. Which makes the password difficult to remember and therefore to use. Password crackers today, using today's powerful computers and software can crack passwords of 10 characters or less in minutes.

The answer is to use passphrases. Make a phrase up such as "$Greenmonkeysflyorangefaucets7;". This phrase, around 30 characters long would take most computers thousands, if not millions of years to crack. And it is fairly easy to remember. The length is what makes it difficult to crack. Computers, despite what we see in movies do NOT crack passwords one character at a time. There is simply no way, unless you are using single words found in a dictionary, to determine a password one character at a time. The computer must try every combination of characters in a password and then try that password. A normal hacker will not spend that much time cracking a password that difficult. They will move on to easier targets with easier, more obvious passwords.

Can that passphrase be hacked? Of course it can but the average or even advanced criminal hacker probably does not have the resources, or computer power to do it. The NSA or other government agency does have these resources so it is still not 100% secure. These agencies routinely work with secure codes 128 characters and longer so 30 characters would be no challenge. But if you are interested in real security, there are encryption programs that would slow down or even hold off NSA attempts to steal your data.

The goal here is to NOT be the low-hanging fruit for the average criminal hacker. Use passphrases greater than 15 characters and DO NOT store your passphrase where it can be stolen. Most hackers are successful because they either stole your password from somewhere you wrote it down OR you used passwords such as "12345", "qwerty" or even "password".

Another alternative is to use hardware security keys. These are small hardware devices that store and carry your long, encrypted passwords that are used to unlock your computer or software. I am not familiar with these devices but they are gaining popularity for increasing the security of your data. Some, I believe even use biometrics to further secure your data.

You can go up and down the keyboard in some manner, like “Vgygvgygvgy33?” This way you just need to remember the first letter and a couple of numbers. I’ve been doing that for years. Who the heck would be able to figure that one out?

Uh, oh … I just gave away my secret.

 
 
Jan 23, 2023 14:25:41   #
justthisonce Loc: Tetepare
 
jerryc41 wrote:
...every time I go back to Bitwarden, I have to re-enter the password...


Have you tried using a PIN instead of your password for the unlock? Take a look at Bitwarden settings and select the "Unlock with PIN" option. It should prompt you to create a PIN, and then when you reopen Bitwarden you'll just have to enter the PIN. You'll only have to enter the password when the app is launched. That might resolve the issue.



Jan 23, 2023 14:55:36   #
justthisonce Loc: Tetepare
 
justthisonce wrote:
Have you tried using a PIN instead of your password for the unlock?


Here's a video describing the use of a PIN with Bitwarden.

https://www.youtube.com/watch?v=sdFYFgBTkBw

Jan 23, 2023 15:09:12   #
TheShoe Loc: Lacey, WA
 
Verryl wrote:
... And that brings up the question of can a hacker read any file that he does not have the program that created it installed on his machine. In other words, does the 3 or 4 letter file-naming-appendage on all file names limit that file to its creating program, or another program that was created to read it?

Of course it is possible to read any file as a binary string, regardless of its name. That is a difficult hole to close, especially on hardware that allows applications to do their own I/O, without restriction.

Jan 23, 2023 16:02:35   #
justthisonce Loc: Tetepare
 
TheShoe wrote:
Of course it is possible to read any file as a binary string, regardless of its name. That is a difficult hole to close, especially on hardware that allows applications to do their own I/O, without restriction.


If a binary file is processed through an encryption algorithm before being written to whatever storage media then "reading" that stored binary data is useless unless you have the decryption algorithm (key) to restore the original binary string. That's the way Bitwarden stores passwords and all other data -- your master password is the encryption/decryption key. If you forget your Bitwarden master password then, for all reasonable purposes, the data/passwords you stored are gone forever and cannot be retrieved.

In a simple form, an application stores data in its own chosen file format and, frequently, you cannot view the contents of that file unless you have the application.

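An added example (not Bitwarden's code and not from any poster) of the point in justthisonce's post: data encrypted under a key derived from a master password can be read as raw bytes by anyone, but is only recoverable with the right password. Python's standard library has no AES, so an HMAC-SHA256 keystream stands in for the cipher; the iteration count, blob layout and sample data are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def derive_key(master_password, salt):
    """Stretch the master password into 64 bytes: 32 to encrypt, 32 to MAC."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS, dklen=64
    )


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for AES, illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_password, plaintext):
    """Return salt | nonce | ciphertext | tag. The key itself is never stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(master_password, blob):
    """Re-derive the key and decrypt; ValueError if the password is wrong."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or modified vault")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


if __name__ == "__main__":
    # Constructed sample data, not a real credential.
    vault = seal("constructed master passphrase", b"example.com: sample-secret")
    print(vault.hex())  # what anyone reading the raw file sees
    print(open_sealed("constructed master passphrase", vault))
    try:
        open_sealed("wrong guess", vault)
    except ValueError as err:
        print("rejected:", err)
```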
 
 
Jan 23, 2023 21:04:28   #
Fredrick Loc: Former NYC, now San Francisco Bay Area
 
jerryc41 wrote:
I was able to import everything from LastPass, but every time I go back to Bitwarden, I have to re-enter the password, which means I have to go back to my list and copy and paste. It seems like if I'm away for just a few minutes, I have to go back and find the password. It would be nice if I could have a one-letter password. : )

Using their checker, I see that thirteen of my sites were breached. MySpace was breached in 2008, and it was reported in 2016. 🤣 DropBox was 2012 and 2016.

FYI Jerry, I just set up a pin for my Bitwarden, and also noticed that I could do it with a Face ID, which I did. Now I don’t need to enter my password anymore.

Jan 24, 2023 07:43:53   #
jerryc41 Loc: Catskill Mts of NY
 
justthisonce wrote:
Have you tried using a PIN instead of your password for the unlock? Take a look at Bitwarden settings and select the "Unlock with PIN" option. It should prompt you to create a PIN, and then when you reopen Bitwarden you'll just have to enter the PIN. You'll only have to enter the password when the app is launched. That might resolve the issue.


Thanks!

Jan 24, 2023 07:44:23   #
jerryc41 Loc: Catskill Mts of NY
 
justthisonce wrote:
Here's a video describing the use of a PIN with Bitwarden.

https://www.youtube.com/watch?v=sdFYFgBTkBw


Thanks, again.

Jan 24, 2023 07:45:01   #
jerryc41 Loc: Catskill Mts of NY
 
Fredrick wrote:
FYI Jerry, I just set up a pin for my Bitwarden, and also noticed that I could do it with a Face ID, which I did. Now I don’t need to enter my password anymore.


Thanks, but I don't want to rely on a camera working correctly to get to my passwords. Too much technology!
