Password manager by Amazon
from kokesh@lemmy.world to technology@lemmy.world on 19 Jul 06:40
https://lemmy.world/post/33170049

#technology

flemtone@lemmy.world on 19 Jul 06:52 next collapse

Would you trust Amazon or any huge corporation with all your logins and passwords?

Kazel@lemmy.dbzer0.com on 19 Jul 07:05 next collapse

No

ook@discuss.tchncs.de on 19 Jul 07:20 next collapse

Valid question. But this article is a physical book in your own hands. I am not saying this is safe or anything, but it has nothing to do with Amazon besides that they sell it.

ExLisper@lemmy.curiana.net on 19 Jul 07:48 next collapse

I would trust them with my Amazon password.

markz@suppo.fi on 19 Jul 11:59 collapse

Surely they didn’t backdoor a notebook?

StrawberryPigtails@lemmy.sdf.org on 19 Jul 07:05 next collapse

So… It’s a password book? Like, pen and paper? Not the best choice for storing passwords, but I’d be more willing to do that than trusting Amazon not to hold my passwords hostage with a digital service by them.

vk6flab@lemmy.radio on 19 Jul 07:07 next collapse

Here’s the thing … as crazy as a notebook with passwords sounds, it’s not accessible to someone across the internet.

6nk06@sh.itjust.works on 19 Jul 07:19 next collapse

Password managers check the URL before giving its data. A human being can be fooled into giving it to a fake web site.

MentalEdge@sopuli.xyz on 19 Jul 08:09 collapse

TBF, they can be fooled too.

Bitwarden warns against using autofill on load for that very reason, as then simply loading a malicious page might cause it to provide passwords to such a site.

And then a human, when a site doesn’t autofill, is more likely to just go “huh, weird” and do it manually.

Darkassassin07@lemmy.ca on 19 Jul 08:28 next collapse

You’ve always got the human element, bypassing security features; but an extra little hurdle like a password manager refusing to autofill an unknown URL is at least one more opportunity for the user to recognize that something’s wrong and back away.

If you’re already used to manually typing in the auth details, you may not even have an opportunity to notice you’re not on the site you were expecting.

Serinus@lemmy.world on 19 Jul 14:09 next collapse

Wait, what? How does autofill get fooled?

gaylord_fartmaster@lemmy.world on 20 Jul 00:17 collapse

Someone manages to maliciously sneak username and password fields onto a site that store what is entered as soon as it’s typed. They don’t even have to be visible to the user and bitwarden will fill them in as soon as the page loads.

Serinus@lemmy.world on 20 Jul 00:43 collapse

Bitwarden will only autofill if the domain matches.

gaylord_fartmaster@lemmy.world on 20 Jul 02:20 collapse

Right, “maliciously sneak”, as in they’ve either gained access to make changes to the site directly, or they’ve found a way to inject their scripts to steal creds.

Serinus@lemmy.world on 20 Jul 02:24 collapse

And how is that any different from not having a password manager?

Yes, if someone hijacks a domain they can get credentials intended for that domain. A password manager doesn’t make a huge difference here, because why would they make the site look any different than normal?

gaylord_fartmaster@lemmy.world on 20 Jul 02:26 collapse

They don’t even have to be visible to the user and bitwarden will fill them in as soon as the page loads.

I guess you didn’t read most of the comment.

Cocodapuf@lemmy.world on 20 Jul 11:33 collapse

No, he did, here’s where the confusion is.

Serinus is asking if the site in question needs to be compromised. In other words, can the attacker compromise a random site to fool your password manager into entering credentials for Gmail.com, or does the attacker have to compromise Gmail.com to do that?

Because those two attacks are very different levels of complexity.

And frankly, if someone compromises the site you’re actually trying to visit, there’s simply no defense against that at all.

lmmarsano@lemmynsfw.com on 20 Jul 00:05 collapse

they can be fooled too.

Makes it harder: when I go to the wrong website, the manager simply doesn’t suggest credentials (it does not have) for it. That causes me to wonder why.

Without a password manager, a user is never prompted to wonder. They’d simply not notice.
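
The domain check argued over in this sub-thread, as an added example that is not part of any comment above and is not Bitwarden's code: it compares the browser-resolved origin of a page with the saved login's origin, next to the "the name I expect is in the address" check a hurried person performs. The vault entries, hostnames and the `offer`/`fill` modes are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed vault: saved login URL -> username. No real accounts or secrets.
VAULT = {
    "https://accounts.example.com/login": "alice",
    "https://bank.example.net/": "alice-bank",
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) as a browser would resolve it, or None."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        # .hostname drops any "user@" prefix and lowercases the host.
        host = (parts.hostname or "").rstrip(".")
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # malformed host or port
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return scheme, host, port


def autofill_decision(page_url, vault=VAULT, fill_on_load=False):
    """Return (action, username).

    action is "none" (nothing saved for this origin), "offer" (the user has to
    pick the entry) or "fill" (filled as soon as the page loads). The modes are
    a simplified model of the behaviour discussed in the thread.
    """
    page = origin(page_url)
    if page is not None:
        for saved_url, username in vault.items():
            if origin(saved_url) == page:
                return ("fill" if fill_on_load else "offer", username)
    return ("none", None)


def eyeball_match(page_url, expected_host):
    """The human shortcut: the expected name appears somewhere in the address."""
    return expected_host in page_url


# Constructed pages: the real login page and three addresses that merely
# contain its name. The ".test" hosts are reserved names, not real sites.
PAGES = [
    "https://accounts.example.com/login?next=/",
    "https://accounts.example.com.login.test/",
    "https://accounts.example.com@phish.test/login",
    "http://accounts.example.com/login",
]

if __name__ == "__main__":
    for url in PAGES:
        action, user = autofill_decision(url)
        looks_ok = eyeball_match(url, "accounts.example.com")
        print(f"{url:48} manager={action:5} eyeball={looks_ok}")
    # The check only sees the origin. A page served from the saved origin
    # gets the same decision whatever markup or scripts it carries, and with
    # fill_on_load=True that decision needs no click at all.
    print(autofill_decision(PAGES[0], fill_on_load=True))
```

All four addresses pass the eyeball check, while only the first gets a credential offered.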

vext01@lemmy.sdf.org on 19 Jul 09:30 next collapse

Yeah, it’s actually quite a secure way to store passwords, since it requires physical access.

I knew a guy who had a drawer full of slips of paper with passwords written on. He called it the “security drawer”. Made me smile, but probably shouldn’t have been advertising it.

lars@lemmy.sdf.org on 20 Jul 05:46 collapse

Oh I know him. What a weirdo. Fun guy tho. Did he move? What’s his new address anyway?

wreckedcarzz@lemmy.world on 19 Jul 11:34 next collapse

Their Ring camera that points directly at the desk they keep this notebook on: “it’s showtime”

A_norny_mousse@feddit.org on 19 Jul 12:12 next collapse

It depends on what the user fills it with.

Even the objectively safest solutions will be much shorter, and have less entropy, than what a pw-manager can deal with.

BlackPenguins@lemmy.world on 19 Jul 12:34 next collapse

Just maybe don’t plaster “THESE ARE MY SECRETS” on the cover. Security through obscurity.

GraniteM@lemmy.world on 19 Jul 23:07 next collapse

INTERNET PASSWORD LOGBOOK is probably a paper slip that you can remove, and then it’ll just be a blank leather journal.

Now a REALLY secure physical logbook would just have the cover of a boring, unremarkable-looking book on the outside.

Cocodapuf@lemmy.world on 20 Jul 11:41 collapse

My mom had a nice little notebook for passwords. But when she passed, we couldn’t find it anywhere… We went through the whole apartment, everything.

Not having her passwords made a lot of things harder, closing her accounts, accessing her laptop, phone, etc. So while you shouldn’t advertise it, do tell a few people where to find it if they need to.

AnUnusualRelic@lemmy.world on 19 Jul 14:51 next collapse

Please hold your password notebook in front of the laptop camera.

acosmichippo@lemmy.world on 19 Jul 21:28 collapse

but:

  1. way less convenient to generate dozens and dozens of unique, complex passwords. which means it’s less likely to be used/updated as much as it should be.

  2. not tied into MFA which is an additional layer of security and convenience

lemmyng@lemmy.ca on 19 Jul 07:13 next collapse

I’d rather people use this than reuse the same password everywhere.

undefined@lemmy.hogru.ch on 19 Jul 07:13 next collapse

I would trust it more than the biometric payment method they’re pushing in Whole Foods

logicbomb@lemmy.world on 19 Jul 07:38 next collapse

This isn’t even weird.

I think most security experts would recommend that you have your most important passwords written down somewhere, and then hopefully locked up in some safe or deposit box somewhere. You don’t need to buy an entire book for it, but some people like to spend money.

If this is for your less important passwords, then for the most part, writing them down is actually better. You won’t be as tempted to reuse your banking password for your social media. And some people like writing things down. A password manager is a better solution, but lots of people aren’t as good with technology and if they even let the browser remember it, they won’t know how to retrieve it later if they want to use a different computer, for example.

MonkderVierte@lemmy.zip on 19 Jul 08:48 next collapse

My password-manager is a script that gpg-decrypts to XDG_RUNTIME_DIR and then opens it in editor, encrypts back on changes. Is that bad?

infeeeee@lemmy.zip on 19 Jul 10:38 collapse

How do you synchronize it between multiple devices and operating systems?

MonkderVierte@lemmy.zip on 19 Jul 18:16 collapse

Huh, what for? And if i would, maybe i should switch to pass (which is the same but in fancy and with plugins). I’m planning for years now to set up a little server i’ve built already…

GreenKnight23@lemmy.world on 19 Jul 09:13 collapse

I have a letter in my safe in the event of my death that contains all my passwords and accounts. I have also slipped in a dead man switch that she’s unaware of that will wipe out my “collection of science”.

idiomaddict@lemmy.world on 19 Jul 09:45 collapse

Does anyone else know how to get into the safe?

GreenKnight23@lemmy.world on 19 Jul 15:40 collapse

it’s a key entry, and yes.

CallMeAnAI@lemmy.world on 19 Jul 09:18 next collapse

Best option for non techies at home.

tabular@lemmy.world on 19 Jul 09:32 next collapse

I’ve not found anything better. Storing on my computer, or worse someone else’s computer, doesn’t seem safe.

Bonesince1997@lemmy.world on 19 Jul 09:37 next collapse

The trick is to use code language, and don’t forget the code. Then you can use digital sources more freely, I feel.

bdonvr@thelemmy.club on 19 Jul 10:23 collapse

It’s pretty safe. Competent password managers will be heavily encrypted. Having your passwords hacked is essentially unheard of. You don’t have to worry about it being on someone else’s computer as without your master password the password file is useless.

I think the biggest case was LastPass, and they did it by getting a keylogger onto a developer’s PC to get at their password, but afaik customer passwords were safe unless your master password was weak or reused from a breached one.

But, a notebook isn’t hackable at all. But then the people around you could potentially get into it, which is a far more likely threat for a ton of people.

Either way use 2FA at every site that will allow it.

tabular@lemmy.world on 19 Jul 10:58 next collapse

One master password to rule them all, One server to find them, One password to bring them all, and in the darkness bind them.

Yeah I use 2FA with the master notebook.

greybeard@feddit.online on 19 Jul 13:39 collapse

LastPass's biggest problem was that they were almost the first in the game, and mistakes/choices they made 20 years ago bit them hard when they got hacked.

There were two major issues with LastPass's security model:
1. Non-Password data wasn't encrypted. So usernames and urls were visible by the people who stole the vaults.
2. Passwords were encrypted with a number of iterations based on when the account was created, so older accounts were only run through a single iteration. The iteration process makes it much harder to guess the master password (by making it take a longer time). So single iteration makes it pretty quick to guess the password.

So with flaw 1 you could see what vaults might have valuable passwords like banks and crypto wallets. And with flaw 2 you could reasonably quickly break into the vaults of long time users.

So aside from their lax security allowing the compromise to happen in the first place (Nothing is fool proof), they weren't providing the level of protection most people assumed.

More modern password managers like BitWarden fixed those problems a long time ago.
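
What the iteration count in flaw 2 buys, as an added example that is not part of the comment above: the function writes PBKDF2-HMAC-SHA256 out by hand so each HMAC call can be counted, then scales that per-guess cost to a whole guess space. The choice of PBKDF2 (the comment names no algorithm), the 600,000-iteration setting, the guess rate and the two password spaces are assumptions picked for illustration.

```python
import hashlib
import hmac


def pbkdf2_counting(password, salt, iterations, dklen=32):
    """PBKDF2-HMAC-SHA256 written out by hand; returns (key, hmac_calls)."""
    out, calls, block = b"", 0, 1
    while len(out) < dklen:
        # U_1 = HMAC(password, salt || block index)
        u = hmac.digest(password, salt + block.to_bytes(4, "big"), "sha256")
        calls += 1
        t = int.from_bytes(u, "big")
        # U_j = HMAC(password, U_{j-1}); the block is the XOR of every U_j
        for _ in range(iterations - 1):
            u = hmac.digest(password, u, "sha256")
            calls += 1
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen], calls


def expected_search_seconds(candidates, iterations, hmac_per_second):
    """Average time to reach the right guess: half the space, one full
    key derivation (`iterations` HMAC calls) per guess."""
    return candidates / 2 * iterations / hmac_per_second


def human(seconds):
    """Format a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Assumed sample inputs, not measurements of any real product or attacker.
GUESS_RATE = 1e9                    # hypothetical HMAC calls per second
SPACES = {
    "8 lowercase letters": 26 ** 8,
    "4 diceware words (7776-word list)": 7776 ** 4,
}
ITERATION_SETTINGS = (1, 600_000)   # single iteration vs. an assumed modern setting

if __name__ == "__main__":
    # Constructed password and salt, only to show the hand-written loop
    # agrees with the standard library.
    key, calls = pbkdf2_counting(b"constructed-password", b"constructed-salt", 1000)
    assert key == hashlib.pbkdf2_hmac(
        "sha256", b"constructed-password", b"constructed-salt", 1000, 32)
    print(f"1000 iterations -> {calls} HMAC calls per guess")

    for label, space in SPACES.items():
        for iterations in ITERATION_SETTINGS:
            secs = expected_search_seconds(space, iterations, GUESS_RATE)
            print(f"{label:36} iterations={iterations:>7,}: {human(secs)}")
```

The cost per guess grows linearly with the iteration count, so a vault stored at one iteration is protected only by the size of the master password's guess space.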

shifty@leminal.space on 19 Jul 09:47 next collapse

My ex kept hers in an unprotected Excel file. I never peeked, I was just surprised when I saw her accessing it on her laptop.

cRazi_man@europe.pub on 19 Jul 10:56 collapse

All the effort of inputting data into a password manager, but none of the security.

A_norny_mousse@feddit.org on 19 Jul 12:10 collapse

It really depends what the user fills it with. “Clever” solutions like using your daughter’s birthday, or other hard-to-remember-but-easy-to-deduce strings.

It should be accompanied by a little machine that spits out random passwords, I’m thinking a Rubik’s-cube-shaped bling pendant at the end of the bookmark band.

jastyty@lemmy.world on 19 Jul 09:42 next collapse

Ah yes, the keep ass

TheGrandNagus@lemmy.world on 19 Jul 10:02 next collapse

Honestly, a physical password book isn’t a bad idea.

Not accessible via the internet, and in most cases if someone has physical access to your system you’re done for anyway.

The main weakness it has is from a nosey flatmate, spouse, or child in the house.

twice_hatch@midwest.social on 19 Jul 11:16 next collapse

Don’t forget to use diceware. The human mind is not random enough www.eff.org/dice

brot@feddit.org on 19 Jul 11:37 next collapse

Yeah, my in-laws have such a book and it honestly is great. They live in their own flat where nobody can access the book without breaking in. They do not save their passwords in their browser, so anyone hacking into their PC can’t grab them. If they want to log in to an account, they take out their book, put in the user name and unique password and that’s it. Quite the good method and I really do not see many problems there.

tiramichu@sh.itjust.works on 19 Jul 11:44 next collapse

Yep. My Dad in his late 70s uses this system and it works great for him.

People make fun of it, but for people with low tech literacy this is actually far better than having a mish-mash of solutions where some of their logins end up automatically saved in iOS on their phone, some are saved in Chrome on the desktop, some are just in their head, they don’t know where anything is, and are constantly losing access and resetting credentials all the time.

And it definitely reduces the burden on me of parental tech support, when it’s all in the book.

hansolo@lemmy.today on 19 Jul 11:49 next collapse

What this book likely doesn’t suggest, is to just code the username.

I have 2FA backup codes in my go bag and nowhere do I write the usernames or even the service if it’s important.

You know your email address. If you lose this in an airport, writing “main email” makes it useless to anyone else.

DJDarren@sopuli.xyz on 19 Jul 11:49 next collapse

My Mum died recently and my step dad is shit with tech, so their password book was invaluable in helping us gain access to her Apple account and her phone. It meant we were able to get to her iCloud passwords, so now we have access to everything.

So yeah, password books are actually pretty handy.

A_norny_mousse@feddit.org on 19 Jul 12:00 next collapse

The main weakness it has is from a nosey flatmate, spouse, or child in the house.

I disagree. Using this book will always lead to shorter passwords that are easier to type. That’s the main weakness imo.

Or in other words: it really depends what the user fills it with. It should be accompanied by a little machine that spits out random passwords, I’m thinking a Rubik’s-cube-shaped bling pendant at the end of the bookmark band.

Telodzrum@lemmy.world on 19 Jul 12:38 next collapse

Not at all. It will lead to easier to type passwords, likely. But that doesn’t mean shorter. This could easily be filled with passwords that are four words long with special characters interspersed.

A_norny_mousse@feddit.org on 19 Jul 13:16 collapse

Which you then have to type out every time. Laziness wins: they will be shorter.

The assumption is that the product is for non-savvy users. They might not even understand what you wrote up there.

Autocorrect can help here, but dictionary words are easily brute-forced guessed. And - more importantly - that hypothetical user would have to come up with that idea in the first place. But people who come up with such ideas usually already use password managers anyhow.

Telodzrum@lemmy.world on 19 Jul 17:14 collapse

Several dictionary words in series cannot be “easily brute forced.”

You’re out of your depth and saying stupid things.

tgxn@lemmy.tgxn.net on 19 Jul 17:56 next collapse

Correct horse battery staple

A_norny_mousse@feddit.org on 20 Jul 14:37 collapse

Using special terms wrongly doesn’t mean I’m clueless, cryptobro.

Coffeephilic@lemmy.cafe on 20 Jul 11:12 collapse

a Rubik’s-cube-shaped bling pendant

I’m imagining a different character on each face of each cubelet, which you would thoroughly scramble each time for a one-in-whatever-gagillion string? Am I getting that right?

tarknassus@lemmy.world on 19 Jul 13:29 next collapse

“People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down.

We’re all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

Obscure it somehow if you want added security: write “bank” instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don’t do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize.”

Bruce Schneier - 2005.

Eezyville@sh.itjust.works on 19 Jul 19:52 next collapse

The main weakness it has is from a nosey flatmate, spouse, or child in the house.

Watch out for that home grown script kiddie

Romkslrqusz@lemmy.zip on 19 Jul 20:06 next collapse

For the majority of my clients who use this kind of system, it is totally dysfunctional.

Most of the records are incorrect, my guess is that they occasionally reset the password on mobile while the book is inaccessible and then don’t remember to update it in the book later.

Effective use relies on the user’s understanding of umbrella accounts. I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.

As passwords get updated, it can become a mess of crossed out records with new ones squished into the margins. When someone dies, anything written illegibly can be difficult for surviving family to discern. As the book gets filled out, it can get tricky to keep things alphabetized unless the user provisioned additional empty space between records.

This system can work great for someone who is meticulous, neat, and organized.

For your average person, I’ve had better luck solving the problem with a password manager synced to an online account that is protected by MFA and has recovery options that are also protected by MFA.

pinball_wizard@lemmy.zip on 19 Jul 22:42 collapse

I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.

In fairness to them, I get a new email every month or two from Microsoft letting me know that they merged another account that I didn’t ever ask them to.

lmmarsano@lemmynsfw.com on 19 Jul 23:46 collapse

The main weakness

is it’s a pain in the ass.

  • Won’t generate strong passwords.
  • Won’t fill out login forms for me.
  • Manual, slower search and copying (worse for dyslexia).
  • Increases risk of submitting credentials to wrong site/app (especially malicious ones).
  • Increases error of mistyping credentials.
  • More effort to back up & retrieve.

hsdkfr734r@feddit.nl on 19 Jul 11:14 next collapse

I’m not in their target audience.

bigbabybilly@lemmy.world on 19 Jul 11:19 next collapse

Oh yeah, this is for my in-laws. This is peak boomer tech right here.

hansolo@lemmy.today on 19 Jul 11:37 next collapse

Can confirm. I had to do a double take that I didn’t write this comment and just forget.

TwoBeeSan@lemmy.world on 19 Jul 13:24 collapse

Of the 200 elderly I see maybe 75% still use the book or a variation of it.

The best is when they use iPad notes or even their fucking contacts to save info lol

pinball_wizard@lemmy.zip on 19 Jul 22:45 collapse

The best is when they use iPad notes or even their fucking contacts to save info lol

That’s awesome, worrying, adorable, and still more secure than using the same password everywhere.

A_norny_mousse@feddit.org on 19 Jul 11:57 next collapse

My master password is physically present as a mnemonic device, but not available digitally. Anywhere.

Beyond that I really cannot recommend this book: You need to be able & willing to type your passwords out, which means simpler and shorter passwords. I use 99 character complete random ASCII-strings by default. Try typing that in even once.

But there’s a different, unspoken criticism here: don’t store your database on a 3rd party server, a.k.a. “The Cloud”. I use KeepassXC btw. - and my very own “cloud”.

SaltySalamander@fedia.io on 19 Jul 13:13 collapse

I'm sure grandma could figure out how to do all of this.

[deleted] on 19 Jul 12:10 next collapse

.

BlackPenguins@lemmy.world on 19 Jul 12:35 next collapse

That Web Addresses placement is killing me.

merde@sh.itjust.works on 19 Jul 13:10 next collapse

they just centered the whole thing 🤦

quetzaldilla@lemmy.world on 19 Jul 16:33 collapse

It’s infuriating! 😬

cupcakezealot@piefed.blahaj.zone on 19 Jul 13:14 next collapse

this is my internet password logbook

[Image: "sanrio spotty dotty diary" (https://di2ponv0v5otw.cloudfront.net/posts/2024/12/17/67623c8ad3309f252e9484c1/m_wp_67623ccbbfd9a647472885b6.webp)]

DeceasedPassenger@lemmy.world on 19 Jul 15:17 next collapse

That is tight as hell and I love it

cupcakezealot@piefed.blahaj.zone on 19 Jul 15:40 collapse

you too can have it (not my listing): https://www.depop.com/products/christy19js-rare-1990-sanrio-spotty-dotty/

01189998819991197253@infosec.pub on 19 Jul 16:02 next collapse

It’s $55 (I’m assuming USD). Or “4 interest-free payments of $13.75”. On one hand, it’s expensive. On the other hand, it’s bloody brilliant!

DeceasedPassenger@lemmy.world on 19 Jul 16:06 collapse

Hells yeah thank you for sharing :D

AppearanceBoring9229@sh.itjust.works on 19 Jul 23:39 collapse

Silly, you just posted a picture of your key now everyone can access your passwords

Cocodapuf@lemmy.world on 20 Jul 11:48 collapse

True, but honestly look at that lock, you can open that with a paperclip.

I still like it.

angelmountain@feddit.nl on 19 Jul 13:24 next collapse

Still better than using the same password everywhere and/or saving passwords in an unencrypted text file on your computer somewhere.

Just not very user friendly.

spankmonkey@lemmy.world on 19 Jul 13:43 next collapse

It is very user friendly, at least for reliability and security if you keep it in a safe location. It is cumbersome and slow.

kadup@lemmy.world on 19 Jul 16:52 collapse

I’m going back to paper for most things and I don’t know man, I think it’s more user friendly given the current tech landscape. My paper notebook never changed the interface to add a huge Copilot button.

sugar_in_your_tea@sh.itjust.works on 19 Jul 16:59 next collapse

Neither did my laptop, desktop, or phone. I use Linux and GrapheneOS, so I don’t deal with most of the nonsense people have been complaining about.

kadup@lemmy.world on 19 Jul 17:22 collapse

Neither did my laptop, desktop, or phone. I use Linux and GrapheneOS

GrapheneOS is a significantly more complicated and less accessible option for most users compared to a simple paper notebook, which is the context of this post.

But if you want to go this deep, then yes, maybe your phone using your custom OS never introduced Gemini or Copilot without your will. It is however running a Qualcomm modem firmware you can’t control and is phoning home, regardless of your GrapheneOS settings, with your GPS coordinates and other data you can’t read, at any time. Don’t worry, with tech we can always find a malicious feature that works against the user, regardless of how deep you want to dive.

NuclearDolphin@lemmy.ml on 19 Jul 22:07 next collapse

It is however running a Qualcomm modem firmware you can’t control and is phoning home, regardless of your GrapheneOS settings, with your GPS coordinates and other data you can’t read, at any time.

Can you expand upon this?

sugar_in_your_tea@sh.itjust.works on 19 Jul 22:51 collapse

Sure, there are always things you can’t control in a mobile phone because modem manufacturers don’t like to give up that control (and I’m sure there are regulatory concerns as well).

My point is that if you don’t want Gemini, Copilot or whatever, you can make choices to avoid them. Each choice has consequences, and some just reveal issues you had ignored up to that point (e.g. your modem issue).

But why not a paper notebook? For me:

  • easy to lose/forget to pack on trips; can’t lose a cloud service
  • paper doesn’t have a good backup mechanism
  • can’t copy/paste into my devices from a paper notebook
  • I’m much less likely to use good, random passwords with a notebook

I use Bitwarden, which gives me a lot of convenience, allows me to self-host and own my data, and encourages me to use really strong passwords.

Ulrich@feddit.org on 19 Jul 19:38 collapse

“For most things”? Like written notes are whatever, if you don’t mind carrying it around with you everywhere you go and hoping it doesn’t rain. But definitely do not put your passwords in there…

Modern password managers are super inexpensive, easy to use, and essential security tools. You can’t store your passkeys or TOTP in your notebook either.

kadup@lemmy.world on 19 Jul 20:00 next collapse

if you don’t mind carrying it around with you everywhere

I doubt the target demographic for a paper password notebook is logging into their accounts everywhere, as if that’s some common occurrence.

and hoping it doesn’t rain

Ah yes, famously, before the invention of laptops universities and schools didn’t work on every single rainy day, because paper notebooks and books are impossible to keep dry. As a matter of fact, the UK never had an educational system before the digital age for this very reason, it’s so sad.

You can’t store your passkeys or TOTP in your notebook either.

You shouldn’t store 2FA and recovery codes on your password manager. They offer the feature as a competitive selling point, but the entire point of having 2FA is avoiding single point of failures.

Ulrich@feddit.org on 19 Jul 20:08 collapse

paper notebooks and books are impossible to keep dry

Not impossible but shit happens. Used to happen to me all the time. I used to walk/bike everywhere.

but the entire point of having 2FA is avoiding single point of failures.

Your password manager is not usually the point of failure, it’s almost always the provider.

You’re not wrong, I just can’t be arsed to manage 2 separate password managers.

kadup@lemmy.world on 19 Jul 20:10 collapse

You’re not wrong either, I just think we are talking about two very different kinds of user here, and they have different levels of challenge and convenience to balance. I’m not even talking about myself: I moved everything to analog, but not my password manager - I use a password manager like yourself, a 2FA app and a physical USB key.

AppearanceBoring9229@sh.itjust.works on 19 Jul 23:38 collapse

and hoping it doesn’t rain

Some papers resist water and are not crazy expensive. If it’s a notebook you are going to carry everywhere I guess it could be a good buy.

LogicalDrivel@sopuli.xyz on 19 Jul 13:25 next collapse

I’m guilty of this. I don’t write out the passwords in plaintext though. It’s mostly just a few letters to remind me of which version of my many “master” passwords I used and then asterisks. ~PW0****$~ kinda thing. I know it’s bad but I can’t bring myself to trust a password manager.

MangoCats@feddit.it on 19 Jul 13:36 collapse

If you keep the book secure, it’s probably safer than any computer based record system - right up until someone untrustworthy gets their eyes on the book.

With a physical book, you can store it in a safe deposit box when you don’t need access, make partial copies, copies take (everyone, bad guys and good) significantly longer to make even with a photocopy process… most importantly, people intuitively understand the vulnerabilities of a physical book.

Now, the physical book won’t stop keyloggers…

ansiz@lemmy.world on 19 Jul 13:54 next collapse

Sure, it’s a horrible idea in an open office environment but if someone wants to use this at home for all their passwords it really won’t hurt anything.

Ebber@lemmings.world on 19 Jul 20:55 collapse

Especially when helping your parents living in the middle of nowhere.

Seeing them struggle with the changes happening in the last few decades, makes me worry what I’ll be like when i need some young whippersnapper so that I can pay via personal, irrational, conditional thinking.

pinball_wizard@lemmy.zip on 19 Jul 22:39 collapse

makes me worry what I’ll be like when i need some young whippersnapper so that I can pay via personal, irrational, conditional thinking.

Sometimes I share this fear.

But then I think - I’m on Lemmy, so I think “I’m still hip to new jazz.”

But then I remember that Virtual Reality will (probably) be commonplace someday, and something somewhere will require it - and I know in my heart that I’ll complain loudly about it before, during, and after I (demand that my grandchild) use it (for me).

01189998819991197253@infosec.pub on 19 Jul 16:06 next collapse

I see no issue with this, especially for an elderly person, for example, to keep at home. The only way this will get “breached”, is if someone breaks into her home. At that point, the password book is the least of her concerns anyway. In fact, from a cyber security point of view, this is brilliant if kept in a safe place, such as a locked safety box. You can’t really remotely hack a physical book.

jpeps@lemmy.world on 19 Jul 19:55 collapse

her

01189998819991197253@infosec.pub on 19 Jul 20:32 collapse

What?

jpeps@lemmy.world on 20 Jul 16:01 collapse

Sorry, it just read to me like you’re presuming an old person that struggles with tech would be a woman. I should’ve left a more constructive comment.

01189998819991197253@infosec.pub on 20 Jul 17:41 collapse

Oh! Hahahahaha!! Not at all! I specifically had my grandmum in mind, since my grandad has passed long ago.

jpeps@lemmy.world on 20 Jul 17:55 collapse

Oh haha sorry!

flop_leash_973@lemmy.world on 19 Jul 16:31 next collapse

My mother uses something similar to keep track of her passwords for everything. While I prefer a password manager like Bitwarden or Keepass, I would rather her use a notebook like this over something like Google’s or Apple’s password managers.

Or even worse, the same password for everything.

_stranger_@lemmy.world on 19 Jul 16:31 next collapse

Self hosted and air gapped.

finix_the_psyker@sopuli.xyz on 19 Jul 16:48 next collapse

Just as the Lord intended.

paraphrand@lemmy.world on 19 Jul 17:16 next collapse

Quantum proof

Newsteinleo@midwest.social on 19 Jul 17:49 next collapse

As long as the notebook is in a locked drawer I would pass this on an IT Audit.

Patch@feddit.uk on 19 Jul 21:15 collapse

Unfortunately it’s a combination lock, and the code is written on a post-it stuck on the front of the drawer.

Newsteinleo@midwest.social on 19 Jul 21:50 next collapse

That is still better than in a password manager with no access controls

GraniteM@lemmy.world on 19 Jul 23:10 collapse

The combination is 1-2-3-4-5!

Patch@feddit.uk on 20 Jul 00:11 collapse

How the fuck do you know my PIN number?!

dangercake@feddit.uk on 19 Jul 20:19 collapse

And very power efficient

Nikelui@lemmy.world on 20 Jul 11:45 collapse

The indexing and search need improvement.

ZoteTheMighty@lemmy.zip on 19 Jul 18:14 next collapse

xkcd.com/2176

oppy1984@lemdro.id on 19 Jul 18:14 next collapse

I should get this for my dad, he recently got a new computer at best buy and the geek squad told him his files were all in the cloud and sent him home. Guess who got a call the next day because “all my passwords are in a word document in some fucking cloud”. Yeah that was a fun day spent setting up his computer while listening to his rant about the geek squad and “the fucking cloud”… thanks geek squad…

HoopyFrood@lemmy.zip on 20 Jul 04:42 collapse

As a software engineer who values humanity and has done a good bit of work with “the cloud”, I think your dad has the right set of feelings towards the cloud. That fucking cloud can go get bent

oppy1984@lemdro.id on 20 Jul 13:34 collapse

Oh I agree but it would be nice if he’d have listened to me years ago and started using a password manager at least. I know he’ll never go full self hosting, but come on at least use Bitwarden!

aceshigh@lemmy.world on 19 Jul 18:31 next collapse

That’s exactly what I use. Chances of my house getting robbed are small. Chances of yet another data breach are very high - this year my data was breached at least twice that I remember.

roserose56@lemmy.ca on 19 Jul 19:44 next collapse

KeePass, simple and easy to use! keepassxc.org

Romkslrqusz@lemmy.zip on 19 Jul 19:52 next collapse

* for the tech inclined

Managing sync between mobile and desktop is a bit more complicated than average consumers have the patience for (it’s really not very complicated, average consumers are just impatient)

meliaesc@lemmy.world on 19 Jul 23:42 collapse

I’ve found 1password a good compromise. Unbreached so far!

lennee@lemmy.world on 19 Jul 21:38 next collapse

I got Bitwarden

zyberteq@lemmy.world on 20 Jul 11:14 collapse

For a lot of people at 60+, writing things down is easier and safer. It will also help anyone that would need to troubleshoot or in the event of death in a very simple way.

DeathByBigSad@sh.itjust.works on 19 Jul 21:20 next collapse

I dropped my book and now debt collectors are after me. 0/5 would not recommend.

No1@aussie.zone on 19 Jul 23:05 collapse

My password logbook caught on fire, and half my passwords were burnt. I lost the other half when I threw a bucket of water on it to put the fire out. 😟

I can’t order food. I can’t buy things. I can’t get money.

0/5. Send help.

DeathByBigSad@sh.itjust.works on 19 Jul 23:39 collapse

You should’ve paid me a $9.99 monthly subscription so you could enjoy the privilege of me keeping your book safe 🤗

Jankatarch@lemmy.world on 19 Jul 23:18 next collapse

Is it AI powered tho?

appropriateghost@lemmy.ml on 19 Jul 23:24 next collapse

We might laugh at this but I think this is useful. Even though I wouldn’t use something like this and I’d just use a regular dedicated blank notebook and my password manager, it can be useful to people who have problems with computers and can’t handle a password manager, yet may give pages with good templates to show how to record sensitive information.

techdaddyproxy@pawb.social on 20 Jul 00:25 next collapse

Or for folks that would be otherwise leaving logins and passwords in a clear text file on their desktop (glares at coworker). It’s still clear text, but at least it’s air gapped. It’s not for me, but it’s certainly for someone.

sugar_in_your_tea@sh.itjust.works on 20 Jul 03:01 next collapse

I have hundreds of logins, the convenience of a password manager is just too nice.

win95@lemmy.zip on 20 Jul 11:55 collapse

Exactly this is the reason why I gifted it to someone. I’m already glad they don’t use 1 password for every website.

dejected_warp_core@lemmy.world on 20 Jul 00:42 next collapse

PSA: Home use? That’s probably okay. Work use? If you’re in-office, this is a ticking time-bomb that can get you fired, one way or another. Use the company 1password or whatever you have access to, please. Thank you.

ChaoticEntropy@feddit.uk on 20 Jul 12:01 next collapse

InfoSec likes nothing more than for you to tell them not to worry because you write all your passwords down and only read emails after you’ve printed them. 100% secure.

Frostbeard@lemmy.world on 20 Jul 12:03 collapse

In my office I have a list that says passwords, all nonsense and just as a decoy. I have a system that I use for rotation with a visual reminder (by association, not directly) somewhere in my office.

skisnow@lemmy.ca on 20 Jul 02:51 next collapse

So far the combined might of the Russian, Chinese, American and North Korean hacking teams have been unable to crack the post-it note on my desk.

Litebit@lemmy.world on 20 Jul 06:29 next collapse

now they know where to look.

skisnow@lemmy.ca on 20 Jul 10:05 collapse

If they’re in my apartment I’ve already got bigger problems.

ChaoticEntropy@feddit.uk on 20 Jul 12:00 collapse

You didn’t know they were coming, didn’t tidy up, and now you feel awkward. The struggle is real.

Kellenved@sh.itjust.works on 20 Jul 14:21 collapse

Add an extra layer of security by putting it in an envelope and stapling it to the bottom of your desk

NauticalNoodle@lemmy.ml on 20 Jul 02:58 next collapse

I had one of these. I got it around 15ya but I never used it. I remember liking a particular aspect of it as if I had a specific use-case in which it would be handy but I can’t remember what that was. Anyways, I’ve been on the KeePass bandwagon through multiple reboots of its software lineage along with Keepass2Android and I am satisfied.

tym@lemmy.world on 20 Jul 06:17 next collapse

This isn’t the flex you think it is, OP. 99% of cybercriminals are also cowards. Physical security of ANY kind beats even the best password managers.

If you don’t know what lattice-based encryption is and how to purchase it through NordVPN, start reading up because encryption as we know it isn’t long for this world. Pretty sure they already dragged their feet too long on Bitcoin’s algorithm but the day cracking common ciphers is within the grasp of quantum clusters is the day we all become Amish. Plan accordingly!

Cocodapuf@lemmy.world on 20 Jul 12:03 next collapse

My understanding is that quantum computing has been taken into account for some modern cryptography. And that memory-hard cryptography basically defeats quantum computing solutions. There are a few methods, but one of them is just very long keys, it’s trivial to make a cryptographic key longer.

So sure, you could defeat some of that with a machine operating with 1024 entangled qubits (which is… oh man… not an easy task), in which case, wow, congratulations. But what if I increase my key length to 100k? It might take an extra 3 seconds to check the key and log in, but it’ll take an extra 25 years for quantum computing to catch up.

Toribor@corndog.social on 20 Jul 12:37 collapse

Won’t longer key lengths increase the overhead for everything?

procrastitron@lemmy.world on 20 Jul 14:30 collapse

Yes and No.

Yes, everything increases in difficulty but the increases in difficulty are asymmetrical.

The difficulty of reversing a computation (e.g. reversing a hash or decrypting an encrypted message) grows much faster than just performing the computation (e.g. hashing a message or encrypting one).

That’s the basis for encryption to begin with.

It’s also why increasing the size of the problem (e.g. the size of the hash or the size of a private key) makes it harder to crack.

The threat posed by quantum computing is that it might be feasible to reverse much larger computations than it previously was. The caveat on that, however, is that they have a hard limit of what problems they can solve based on the number of qubits they have.

So for example, let’s say you use RSA for encryption and someone builds a 1024 qubit quantum computer. All you have to do is increase your key size so that it would require 1025 qubits to crack, and then that quantum computer wouldn’t provide an attacker any benefit at all.

(Of course, they’d still be able to read your old messages, but that’s also a fundamental principle of cryptography; it only protects you for a period of time)
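
The asymmetry described in the comment above, as an added example that is not part of the original thread: computing a truncated SHA-256 value costs one hash call at any size, while a classical brute-force search for a matching input costs roughly 2^bits calls. The helper names and sample messages are constructed for illustration, and nothing here models a quantum attack.

```python
import hashlib
from itertools import count


def truncated_hash(message: bytes, bits: int) -> int:
    """Easy direction: one SHA-256 call, keeping only the top `bits` bits."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def brute_force_preimage(target: int, bits: int):
    """Hard direction: try inputs until one hashes to `target`.

    Returns (matching input, number of hash calls spent).
    """
    for attempts in count(1):
        candidate = attempts.to_bytes(8, "big")
        if truncated_hash(candidate, bits) == target:
            return candidate, attempts


def mean_reverse_cost(bits: int, samples: int = 8) -> float:
    """Average hash calls needed to reverse `samples` constructed targets."""
    total = 0
    for i in range(samples):
        # Constructed sample input; any byte string would do.
        target = truncated_hash(f"constructed sample {i}".encode(), bits)
        preimage, attempts = brute_force_preimage(target, bits)
        # The match must verify with a single forward call.
        assert truncated_hash(preimage, bits) == target
        total += attempts
    return total / samples


if __name__ == "__main__":
    print("bits  forward  reverse(mean)  2**bits")
    for bits in (8, 12, 16):
        # Forward cost is always 1 hash call; reverse cost tracks 2**bits.
        print(f"{bits:>4}  {1:>7}  {mean_reverse_cost(bits):>13.0f}  {2 ** bits:>7}")
```

Each extra output bit leaves the forward cost unchanged and doubles the expected search, which is the sense in which a larger problem size is harder to crack.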

JigglySackles@lemmy.world on 20 Jul 17:32 collapse

Can’t wait to hand write my 32-bit passwords.

ramjambamalam@lemmy.ca on 20 Jul 17:47 next collapse

You haven’t changed your password for 30 days. Reset it now.

cralex@lemmy.zip on 20 Jul 19:19 collapse

My handwriting comes with free encryption at rest. Even I might not be able to read it.

eluvatar@programming.dev on 20 Jul 11:59 next collapse

Still waiting for passkey support

ksh@aussie.zone on 20 Jul 13:52 next collapse

I save all my passwords in a README.txt file

Nasan@sopuli.xyz on 20 Jul 15:16 collapse

That’s how they get you, i put mine in a DONTREADME.txt file.

ZILtoid1991@lemmy.world on 20 Jul 14:37 next collapse

It’s actually super useful for old people, who sometimes like to “accidentally log off” and stuff.

FoD@startrek.website on 20 Jul 15:48 collapse

Or Microsoft who randomly needs to verify someone’s identity before they can log into their computer but the user doesn’t have a smart phone. So they need to call someone trusted to have them log into their email from a different computer just to get the code so the user can log into their computer.

But that also means they didn’t have access to any saved passwords so a notebook helps.

I really should put Linux on her machine but then I have to show her how to do that too. It’s a lose-lose so I keep it the same.

I miss local accounts.

NikkiDimes@lemmy.world on 20 Jul 16:45 collapse

You can still use local accounts with Windows 11. It’s just a bit fiddly. If you use Rufus to make your boot USB, there’s a bunch of deshitification options you can do.

JigglySackles@lemmy.world on 20 Jul 17:31 collapse

Honestly, for at home personal use, it’s better than any on device password manager. It’s not hackable. Someone has to break into your home and steal it. For an office environment though…worst way to handle it after sticky notes.