• lurch (he/him)@sh.itjust.works · 4 upvotes · 7 months ago

    that’s a bit risky. the foreign computer could capture passwords.

    However, in that use case, you could either display the password on the phone and manually enter it, or use a portable KeePass on a USB stick.

    Linux:
    How to run an AppImage: https://docs.appimage.org/introduction/quickstart.html#ref-how-to-run-appimage
    Download: https://keepassxc.org/download/#linux

    Windows only: https://keepass.info/help/v2/setup.html#portable

    • sugar_in_your_tea@sh.itjust.works · 3 upvotes · 7 months ago

      It’s absolutely risky, but sometimes the risk is low enough that it makes sense, like you’re at a relative’s house and setting up access to some self hosted stuff. I use it sometimes on a new install/work computer where I don’t want to set up the password manager long term.

      The USB drive works in all those cases, but I rarely bring USB drives with me, especially since I only need to access it like 1-2x/year.

      • sylver_dragon@lemmy.world · 1 upvote · 7 months ago

        This really is solvable with a KeePass setup, but it is harder. I use KeePass and host my own Nextcloud instance. One of the files I have up there is my KeePass database. If I need one of my passwords, I access it from my phone and type it in. If I really, really wanted to drop my password database on someone else’s computer, I could log in to my Nextcloud instance via a web browser, pull down the file and run KeePass as a portable executable (not installed). It’d be a PITA (and there are some caveats around this process), but it’s certainly possible.

        That said, online password managers make sense for a lot of use cases. I generally recommend BitWarden when people ask me what to use. The whole “KeePass and manual sync” answer really only works for those folks who want to self-host lots of things. And it brings its own set of risks with it. I’m the type of weirdo who runs Splunk locally, feeds all my logs into it and has dashboards set up (and looked at regularly) dealing with security. I have no expectation that my wife will do that, and so she uses BitWarden.

        I think the most important thing to convince people of is “use a password manager”. The problem TommySoda brought up is very real:

        > While I understand that password reuse is a problem I also understand that remembering 50+ passwords, because literally everything requires you to make an account, is impossible.

        The hard thing to teach people is that you don’t actually need to know those 50+ passwords, nor should you care what they are. With a password manager, they can be crazy unique 20-character random strings of letters, numbers, symbols, upper and lower case characters. And you won’t care. Open the website, and either copy/paste the password or (if your password manager supports it) use the auto-type feature. There are risks to each; but nothing will ever be without risk. Just please, folks, stop reusing passwords. That’s bad, m’kay.
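The “unique 20-character random string per site” point above, as an added example (mine, not code from the post or from any password manager): it draws passwords from the OS CSPRNG rather than a seeded PRNG, puts a number on how much guessing work such a password represents, and flags reuse across a constructed sample vault. The vault contents and site names are made up for the illustration.

```python
import math
import secrets
import string

# Character classes the generated password must draw from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII characters


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn with the OS CSPRNG.

    secrets.choice is used instead of random.choice: the latter is a
    Mersenne Twister whose future output is recoverable from past output.
    Candidates missing one of the four classes are rejected and redrawn;
    rejection sampling keeps accepted outputs uniform over the remaining
    space, unlike "pick one of each class, then shuffle", which is biased.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the number of candidate strings an attacker would have to try."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears for more than one site to those sites."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault: two sites share one human-chosen password,
# a third already has a generated one.
SAMPLE_VAULT = {
    "mail.example.com": "Summer2023!",
    "shop.example.net": "Summer2023!",
    "bank.example.org": generate_password(),
}

if __name__ == "__main__":
    print(f"20 chars from {len(ALPHABET)} symbols: ~{entropy_bits(20):.0f} bits")
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"reused on {sites}: {pw!r}")
    print("replacement:", generate_password())
```

The class requirement removes a negligible fraction of the 94^20 space, so the ~131-bit figure still stands; a reuse report like `find_reused` is the same check Bitwarden and KeePassXC run when they flag duplicate passwords in a vault.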

        • sugar_in_your_tea@sh.itjust.works · 2 upvotes · 7 months ago

          > BitWarden

          Yeah, the level of effort required is extremely low, and it’s really nice for things like sharing passwords with an SO for things where separate logins don’t work.

          So yeah, I use Bitwarden. I plan to self-host soon (vaultwarden), I’m just figuring out how password sharing works before I go and switch my SO’s stuff over. But it’s audited, FOSS, and generally the dev makes decent decisions (though I hate the new UX overhaul).

          I self-host a bunch of stuff too. I am transitioning from Nextcloud to OwnCloud Infinite Scale now that posixfs is in experimental status (I only use file hosting from Nextcloud anyway). However, my password manager has been very far down the list for me, because the level of effort required exceeds the value I’d get from it, especially compared to other things I can set up.

          > The hard thing to teach people is that, you don’t actually need to know those 50+ passwords, nor should you care what they are.

          Exactly. Use literally any password manager that uses MFA, and set up MFA (Google Authenticator works, I personally use Aegis). I also recommend BitWarden, but there are several decent options available.

          The most important thing for them to know is that passwords should be different between services, and you can and should automate that.