At 12/29/23 09:52 AM, YendorNG wrote:
and use a password manager.
more on this
I'm a heavy user of password managers, if anyone is interested. I have over 200 passwords in my database, which has a master password of around 60 characters, and it is synced between three personal devices: my home laptop, my smartphone and my internship workstation.
I use KeePassXC. the password database format used is de facto standardized, so KeePass2Android and other implementations can open and modify this database. I use SyncThing in order to synchronize the password database across devices.
the technology itself is strong and historically well established. there are strong guarantees provided by the hardware, operating system, underlying libraries and end-user software alike. at this point I just "trust it".
my choice of software was made by my supervisor at my first internship; I did not consider all implementations and possibilities for password managers. for instance, there are cloud-based solutions and managers built into the browser, however I stuck with the choices of my previous supervisor.
never EVER save your password database on a device not TOTALLY controlled and owned by you, and never EVER open your password manager on such an alien device. I have to use my university password on many public computers. it is a strong password, but it is manageable to type manually by looking at it on my smartphone. it is convenient, and if a keylogger captures my password, it is just one account compromised. if you go through the hassle of opening a password manager on an alien device, it is indefensible and then every account is compromised.
I have been sloppy about synchronizing my password database, and now I have divergent copies on every personal device. currently, it is a minor headache, thus I have taken no action so far. unless there is a built-in solution, I will simply put all three versions on a thumb drive and merge them manually. it happens.
make backups of your password database. even if you keep it in sync between many devices, replication and redundancy is not backup!!!! there is a non-negligible chance that a corrupt copy overwrites consistent copies while syncing. currently I have done one backup so far, a year ago, to an external HDD. this is really bad, I need more backups.
beware old or broken systems. some systems refuse long passwords, or worse: silently accept a long password while truncating it, and then reject your login. some systems will go crazy when you add culture-specific characters like áàûïóíç or emojis. it is very possible for a system to keep track of character encoding, even if it has to be re-encoded several times while in transit (did you know JavaScript uses UTF-16?), but some systems do it incorrectly and will lose information and break. if the system is robust and you use it a lot, you can try to set a very long password with several culture-specific characters; otherwise stick to standard ASCII special characters like *!&$%@#()[]{}. if the system does not inform you of its limits and appears broken with long passwords, try lengths like 32, 20, 16, 12, 8 and 6. be especially wary when creating an account on a beautiful Web form, while you will have to log in later using an old-ass broken desktop game or app. some systems are so broken that they will keep multiple versions of passwords; in this case don't edit your password entries (which would overwrite the previous password), create a new one while keeping the original for a while.
do not underestimate unimportant websites. maybe you are creating a one-time throw-away account, or else you had the problems described above. even then, settle for a strong password within the constraints of the system or lack of personal interest. I do not have anecdotes to share, but I follow this ideal. I think that if someone wants to destroy you, that one-time throw-away account with a weak password may bite back.
minimize the time you leave your password manager open. typing the master password might be boring and error-prone, but DO NOT leave it open the entire day for convenient login at any time. beware the evil maid attack. and remember: "keep your friends close, and enemies closer" -- some gangster movie quote. your friends and family and coworkers are the most likely to stab you, especially if they were blackmailed into doing it.
</braindump>
edit: don't lose your master password or password database, stupid! don't trust your brain memory.
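The "silently truncated on set, rejected on login" and character-encoding failure modes described in the post above, shown as an added example that is not part of the original post or of any product it names. The legacy flow truncates at a constructed 16-character limit while comparing the full string at login; the hardened flow enforces a constructed 72-byte ceiling with an explicit error and NFC-normalizes on both sides so that composed and decomposed accented characters compare equal. `find_working_length` walks the post's suggested lengths (32, 20, 16, 12, 8, 6) against a given set/login pair; all function and constant names are hypothetical.

```python
import unicodedata

# Constructed limits for the two flows; neither is taken from a real product.
LEGACY_LIMIT = 16       # a system that cuts at 16 characters without telling you
HARDENED_LIMIT = 72     # an explicit byte ceiling that is enforced, not silent


def legacy_set(password: str) -> str:
    """Legacy system: silently stores only the first LEGACY_LIMIT characters."""
    return password[:LEGACY_LIMIT]


def legacy_login(stored: str, attempt: str) -> bool:
    """Legacy system: compares the untruncated attempt, so a long password never matches."""
    return stored == attempt


def normalize(password: str) -> bytes:
    """NFC-normalize so a precomposed 'é' and 'e' + combining acute accent agree,
    then encode as UTF-8 so that the byte length is what the policy measures."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


class PasswordPolicyError(ValueError):
    """Raised instead of silently altering what the user typed."""


def hardened_set(password: str) -> bytes:
    """Hardened system: reject over-length input loudly rather than truncating."""
    data = normalize(password)
    if len(data) > HARDENED_LIMIT:
        raise PasswordPolicyError(
            f"password is {len(data)} bytes; limit is {HARDENED_LIMIT}")
    return data


def hardened_login(stored: bytes, attempt: str) -> bool:
    """Hardened system: normalize the attempt exactly as at set time, then compare."""
    return stored == normalize(attempt)


def roundtrips(password: str, codec: str) -> bool:
    """True if the password survives one encode/decode hop through `codec` intact;
    False when the codec cannot represent it (the lossy-transit case in the post)."""
    try:
        return password.encode(codec).decode(codec) == password
    except UnicodeEncodeError:
        return False


def find_working_length(set_fn, login_fn, base: str,
                        lengths=(32, 20, 16, 12, 8, 6)):
    """Try the post's suggested lengths, longest first, and return the longest
    prefix of `base` that the system both accepts and later lets you log in with.
    Returns None if no tried length works."""
    for n in lengths:
        candidate = base[:n]
        try:
            stored = set_fn(candidate)
        except ValueError:           # PasswordPolicyError is a ValueError
            continue
        if login_fn(stored, candidate):
            return n
    return None


if __name__ == "__main__":
    long_pw = "correct-horse-battery-staple-9Q!"   # constructed sample, 32 chars
    print("legacy login with 32-char password:",
          legacy_login(legacy_set(long_pw), long_pw))
    print("legacy usable length:",
          find_working_length(legacy_set, legacy_login, long_pw))
    print("hardened usable length:",
          find_working_length(hardened_set, hardened_login, long_pw))
    print("composed vs decomposed 'café' on hardened:",
          hardened_login(hardened_set("caf\u00e9"), "cafe\u0301"))
    for codec in ("utf-8", "utf-16", "latin-1", "ascii"):
        print(f"'á' and a key emoji survive {codec}:",
              roundtrips("á", codec), roundtrips("\U0001F511", codec))
```

The defender's takeaway is in `hardened_set`: a limit that is stated and enforced at set time is something the user can work around; a limit applied silently on one side of the comparison is a lockout waiting to happen. Measuring the limit in bytes after a fixed normalization is what keeps emoji and accented characters from behaving differently between the registration form and the login prompt.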