So all my passwords are locked behind a single password? Isnt this essentially the same as using the same password for every site. In that they only need to cracl o e password to have access to everything?
The danger of using the same password everywhere is from leaks caused by poor security in one of those sites.
Passwords getting leaked are almost always unrelated to how strong the passwords are and has more to do with how those password are stored, and what protection measures they have against unauthorized people accessing them.
No one is ever going to “crack” your single password for your password manager as long as it is a strong password, though you might write it down in your wallet and lose it in a busy station, just like some administrator of a website might forget to close outside access to their mysql database containing unencrypted plaintext passwords.
In theory, yes but if you use a good password manager and have a strong master password the encryption should be practically impossible to break.
The fact that you only have to remember one password means that this password can and should be a very strong one. 20+ characters with upper and lowercase letters, numbers and symbols should take centuries to crack.
You should be safe as long as your master password isn’t small, less than 15 characters. The longer the password, the better. Personally what I do is use a pass phrase to make it easily memorable, and then use it as a base to inflate security somewhat artificially.
Wrap the pass phrase around in brackets or symbols; mix lower/upper case; replace (or add to) a word in your pass phrase with one from a random other language, so instead of hello you type bonjour. Bonus points if you are able to replace even a few letters in your pass phrase with fancy diacritics, or fuck it add an emoji or two.
Then again there are a LOT of other factors which go into security. Theoretically the lyrics of song are decent as a pass phrase but there’s not much point if everyone knows what your favourite song is, or if you are learning Spanish then you’ll replace the English words with Spanish.
Unless you’re in a position where you’re targeted by nations or are working extremely high profile jobs like CEO or digital security you should be safe really with all these but as I said there’s a lot to keep in mind.
2FA is in the name, 2 factor authentication. A “factor” can be considered as proof that you are who you are. The more the factors provided, the more concrete proof the system has that the user is legitimate.
What a factor is is a more complicated. It can be broadly put in 3 categories (there’s more but we’ll ignore for now) :
something you know, like a PIN/password
something you are, like biometrics/eye scanning
something you have, like an ATM card or phone
The 2FA you are thinking of is probably the 1st (a password you know) + a PIN sent to or generated by something you have (a phone). If the 2nd pin was some you had created by memory like a password rather than a remote system generated one then it would be considered same as the first factor, it wouldn’t be multi factor.
So yeah it’s important that you keep both factors as secure as possible. A good password + a phone to generate TOTPs. I mean theoretically you can keep a password of ABC and keep 2FA on so hackers wouldn’t be able to get into your system but let’s follow best practices yeah? Use a password generator to make complex passwords for a login and enable 2FA.
For example, consider the case of a 1Password vault falling into the hands of an attacker. They do not have the option to just crack your password, as the password is mixed with a randomly generated value to ultimately derive the key. They would need to simultaneously brute force your password and that random value. This should almost be impossible. However, given access to a client that already has knowledge of the secret value, it would fall back to brute forcing the password.
So all my passwords are locked behind a single password? Isnt this essentially the same as using the same password for every site. In that they only need to cracl o e password to have access to everything?
The danger of using the same password everywhere is from leaks caused by poor security in one of those sites.
Passwords getting leaked are almost always unrelated to how strong the passwords are and has more to do with how those password are stored, and what protection measures they have against unauthorized people accessing them.
No one is ever going to “crack” your single password for your password manager as long as it is a strong password, though you might write it down in your wallet and lose it in a busy station, just like some administrator of a website might forget to close outside access to their mysql database containing unencrypted plaintext passwords.
In theory, yes but if you use a good password manager and have a strong master password the encryption should be practically impossible to break. The fact that you only have to remember one password means that this password can and should be a very strong one. 20+ characters with upper and lowercase letters, numbers and symbols should take centuries to crack.
You should be safe as long as your master password isn’t small, less than 15 characters. The longer the password, the better. Personally what I do is use a pass phrase to make it easily memorable, and then use it as a base to inflate security somewhat artificially.
Wrap the pass phrase around in brackets or symbols; mix lower/upper case; replace (or add to) a word in your pass phrase with one from a random other language, so instead of hello you type bonjour. Bonus points if you are able to replace even a few letters in your pass phrase with fancy diacritics, or fuck it add an emoji or two.
Then again there are a LOT of other factors which go into security. Theoretically the lyrics of song are decent as a pass phrase but there’s not much point if everyone knows what your favourite song is, or if you are learning Spanish then you’ll replace the English words with Spanish.
Unless you’re in a position where you’re targeted by nations or are working extremely high profile jobs like CEO or digital security you should be safe really with all these but as I said there’s a lot to keep in mind.
How does this all compare to using 2fa everywhere?
2FA is in the name, 2 factor authentication. A “factor” can be considered as proof that you are who you are. The more the factors provided, the more concrete proof the system has that the user is legitimate.
What a factor is is a more complicated. It can be broadly put in 3 categories (there’s more but we’ll ignore for now) :
The 2FA you are thinking of is probably the 1st (a password you know) + a PIN sent to or generated by something you have (a phone). If the 2nd pin was some you had created by memory like a password rather than a remote system generated one then it would be considered same as the first factor, it wouldn’t be multi factor.
So yeah it’s important that you keep both factors as secure as possible. A good password + a phone to generate TOTPs. I mean theoretically you can keep a password of ABC and keep 2FA on so hackers wouldn’t be able to get into your system but let’s follow best practices yeah? Use a password generator to make complex passwords for a login and enable 2FA.
Just don’t use your master password anywhere else than your password manager.
If your password manager only works offline, then it is impossible to leak on the internet.
Depends if you trust your password manager site more than either site you put the same pw into
This is not necessarily true.
For example, consider the case of a 1Password vault falling into the hands of an attacker. They do not have the option to just crack your password, as the password is mixed with a randomly generated value to ultimately derive the key. They would need to simultaneously brute force your password and that random value. This should almost be impossible. However, given access to a client that already has knowledge of the secret value, it would fall back to brute forcing the password.