Iphone message "this password has appeared in a data leak..."

  • Last Updated:
  • Jun 4th, 2021 11:25 pm
Deal Expert
Aug 22, 2006
28883 posts
14417 upvotes
alpovs wrote: I save my login details in some apps on the phone but I don't use my phone for anything serious like banking or purchasing. I save my login details in the browser on my PC. And it's Firefox without a connection to any account, not Chrome which always wants you to connect to your Google account and save everything you do. And not Edge which I think wants the same with Microsoft. And I save my login details in a text file on my PC 😝 Sometimes I think I should copy them to a paper notebook but I've been too lazy to do that.
The most secure online way would be a self hosted instance of Keepass.
It's open source and can utilize a variety of communication protocols.
For me for example, it lives on a secure file server that's only accessible via VPN. So I have no reliance on anyone but myself which is both a very good and very bad thing.

It's better than paper (which can get lost, isn't easily updated, isn't remotely viewable, etc) and better than other password managers which have a host of problems not limited to being closed source, being insecure, being a paid product, being someone else's project which you're subject to the whims of, and as you mentioned before you're trusting a 3rd party with your active passwords.
Do you not have anything else to do rather than argue with strangers on the internet
Nope. That's why I'm on the internet arguing with strangers. If I had anything better to do I'd probably be doing it.
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
death_hawk wrote: The most secure online way would be a self hosted instance of Keepass.
It's open source and can utilize a variety of communication protocols.
For me for example, it lives on a secure file server that's only accessible via VPN. So I have no reliance on anyone but myself which is both a very good and very bad thing.

It's better than paper (which can get lost, isn't easily updated, isn't remotely viewable, etc) and better than other password managers which have a host of problems not limited to being closed source, being insecure, being a paid product, being someone else's project which you're subject to the whims of, and as you mentioned before you're trusting a 3rd party with your active passwords.
Last time I looked into it Bitwarden was better.
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
Andy34 wrote: Well that answers whether anyone should listen to you regarding internet security! 😂
I didn't give any advice, so nobody should listen to me. And I don't care.

So, do you think keeping your passwords on your phone is better?
Deal Addict
Dec 19, 2015
2837 posts
1468 upvotes
Calgary, AB
alpovs wrote: I didn't give any advice, so nobody should listen to me. And I don't care.

So, do you think keeping your passwords on your phone is better?
Yes. Secured by biometrics. No different to you storing your passwords in Firefox.
Deal Expert
Aug 22, 2006
28883 posts
14417 upvotes
alpovs wrote: Last time I looked into it Bitwarden was better.
Any reason why?
At least it's open source so anything I said before could probably be translated to Bitwarden too.
Do you not have anything else to do rather than argue with strangers on the internet
Nope. That's why I'm on the internet arguing with strangers. If I had anything better to do I'd probably be doing it.
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
Andy34 wrote: Yes. Secured by biometrics. No different to you storing your passwords in Firefox.
Hm, I don't use biometrics with Firefox.

1) If you think biometrics is better than passwords, google this misconception. One example: https://blog.malwarebytes.com/privacy-2/2020/04/the-passwordless-present-will-biometrics-replace-passwords-forever/

2) Are you sure your phone doesn't "backup" your passwords to "the cloud" before they are encrypted where they can be accessed by the cloud owner?
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
death_hawk wrote: Any reason why?
At least it's open source so anything I said before could probably be translated to Bitwarden too.
I forgot the details but I think I should have said it was better for me. "By default, the KeePass database is stored on a local file system (as opposed to cloud storage)." And I was looking for a server solution.
Deal Expert
Aug 22, 2006
28883 posts
14417 upvotes
alpovs wrote: "By default, the KeePass database is stored on a local file system (as opposed to cloud storage)." And I was looking for a server solution.
Keepass can be stored on both public and private cloud solutions. I host an instance locally because I specifically don't want it on a cloud provider due to security.
But you can stick it on all the major providers without (technical) issue.
Do you not have anything else to do rather than argue with strangers on the internet
Nope. That's why I'm on the internet arguing with strangers. If I had anything better to do I'd probably be doing it.
Member
Feb 9, 2008
406 posts
328 upvotes
Vancouver, BC
From what I've read, none of the good password managers keep your actual password in the cloud. They claim to keep the hashed or encrypted form of the password.
Then the password gets decrypted locally via the browser plugin or app, when you enter your master password.

I don't think there's any perfect password storing method.
The more security measures, the more inconvenient it is so even if you have the best security measures, it can get defeated by the user.
Enforced long passwords with upper and lower case letters, numbers, symbols? The password will end up on a sticky note and/or changed by 1 character every month.
My boss believes in not storing passwords electronically, and keeps a password notebook in a drawer.
But it's inconvenient to go to the office to look up a password, so he uses the same passwords everywhere.
I'm just waiting for us to be hacked.

Even if you keep your password secure, sites could be hacked.
If you use the same email/password everywhere, hackers will find your other accounts.
But trying to remember a different password for every site would be difficult.
That's where password managers are helpful, allowing you to generate a different password for each site.
For most users, unlocking an app with a fingerprint is the most effort they're willing to make for security.
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
death_hawk wrote: Keepass can be stored on both public and private cloud solutions. I host an instance locally because I specifically don't want it on a cloud provider due to security.
But you can stick it on all the major providers without (technical) issue.
I was going to put it on my NAS at home. My understanding was that the Keepass database was just a file that you need to refresh every time by copying it over. Is it correct? It's been a while since I looked at it. Bitwarden database is synchronized automatically.
Jr. Member
Jun 11, 2018
182 posts
108 upvotes
Apple already sold your personal data to the Chinese government. So, why bother? haha
Deal Addict
Dec 19, 2015
2837 posts
1468 upvotes
Calgary, AB
alpovs wrote: Hm, I don't use biometrics with Firefox.

1) If you think biometrics is better than passwords, google this misconception. One example: https://blog.malwarebytes.com/privacy-2/2020/04/the-passwordless-present-will-biometrics-replace-passwords-forever/

2) Are you sure your phone doesn't "backup" your passwords to "the cloud" before they are encrypted where they can be accessed by the cloud owner?
Presumably the password you use on your computer is extremely long and complex, not something easy to remember? I’m not suggesting it’s better than password, but it’s better than most passwords used by most people. I’m not keen on having to type a 20 character password every time I unlock my computer or phone...

As for whether I’m sure about Apple encrypting my passwords before syncing between devices. I “trust” them enough to do so in a secure manner. Far more than a smaller company, considering the difficulty law enforcement organisations have in accessing data on their phones and computers.

As an FYI it’s usually safer to access stuff like banking on your phone than it is on a laptop. Less chance of malicious software being installed.

Either way, it’s FAR more secure than having a text document on a computer connected to the internet, and your passwords are generally more likely to be taken from malware installed on your devices than someone like Apple.
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
Andy34 wrote: As an FYI it’s usually safer to access stuff like banking on your phone than it is on a laptop. Less chance of malicious software being installed.
Sure 😄
Andy34 wrote: Either way, it’s FAR more secure than having a text document on a computer connected to the internet, and your passwords are generally more likely to be taken from malware installed on your devices than someone like Apple.
I don't install malware on my computers.
Deal Addict
Dec 19, 2015
2837 posts
1468 upvotes
Calgary, AB
alpovs wrote: Sure 😄

I don't install malware on my computers.
Oh well that’s ok then. If you don’t install it then it’ll never get on your computer!
Deal Fanatic
Sep 16, 2013
6458 posts
4252 upvotes
SW ON
Andy34 wrote: Oh well that’s ok then. If you don’t install it then it’ll never get on your computer!
Never has.
Deal Addict
Apr 29, 2018
1956 posts
1395 upvotes
Vancouver
alpovs wrote: Never has.
... as far as you know.
Can't Stop. Won't Stop. Game Stop
Deal Expert
Aug 22, 2006
28883 posts
14417 upvotes
zerod wrote: From what I've read, none of the good password managers keep your actual password in the cloud. They claim to keep the hashed or encrypted form of the password.
Then the password gets decrypted locally via the browser plugin or app, when you enter your master password.
That's what should happen, but unless you can compile your own clients you have to trust that they're doing this properly.
I could "tell" you all day that I'm doing this, but unless you can verify it, you have to trust that I'm doing it.
What applies to bitcoin applies to this. Not your keys, not your coins.


I don't think there's any perfect password storing method.
There isn't but some are better than others.

The more security measures, the more inconvenient it is so even if you have the best security measures, it can get defeated by the user.
That's true. The weakest link is typically the end user.
Enforced long passwords with upper and lower case letters, numbers, symbols? The password will end up on a sticky note and/or changed by 1 character every month.
My boss believes in not storing passwords electronically, and keeps a password notebook in a drawer.
But it's inconvenient to go to the office to look up a password, so he uses the same passwords everywhere.
I'm just waiting for us to be hacked.
This is one example of a really bad password storage method.
Even if you keep your password secure, sites could be hacked.
If you use the same email/password everywhere, hackers will find your other accounts.
But trying to remember a different password for every site would be difficult.
That's where password managers are helpful, allowing you to generate a different password for each site.
For most users, unlocking an app with a fingerprint is the most effort they're willing to make for security.
You nailed it. As long as you keep your master password secure and the storage method is good enough, you're no longer low hanging fruit.
Having *any* password manager and unique passwords everywhere is better than one single password for everything. The moment a single site gets hacked, your entire existence is pwned.
alpovs wrote: I was going to put it on my NAS at home. My understanding was that the Keepass database was just a file that you need to refresh every time by copying it over. Is it correct? It's been a while since I looked at it. Bitwarden database is synchronized automatically.
Technically it is. But there's a wide variety of protocols that it supports to keep it in sync with other devices.
The simple (but insecure) way is to stick it on Dropbox/Google Drive/whatever. That's what I did at one point. Now I store it on a NAS with VPN access and treat it like a normal file. This way if a device gets compromised I can revoke the key and they won't have access since everything is stored remotely (to the device). Backups are encrypted and sent offsite. This is obviously more complicated than just shoving it on dropbox but offers security advantages in exchange for a good bit of user friendliness.

There's no reason you couldn't set up your own Bitwarden server, but VPN is probably a good thing since you probably shouldn't expose it to the internet.
You could probably pay them to host it for you, but that comes at a cost and the trust that they're doing what they can to keep your data safe especially since it's public facing.

I'm hiding behind a VPN so there's no exposed attack surface outside of a VPN.
Again, security tradeoffs for convenience/ease of use.
alpovs wrote: I don't install malware on my computers.
I mean... most people don't *willingly* install malware on their computers.
Even taking the best security precautions, sometimes you get supply chained and a trusted thing you installed is no longer trusted.
Do you not have anything else to do rather than argue with strangers on the internet
Nope. That's why I'm on the internet arguing with strangers. If I had anything better to do I'd probably be doing it.
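The "encrypted form in the cloud, decrypted locally with the master password" model that zerod describes, and death_hawk's point that a sync server or NAS only ever holds a blob it cannot read, shown as an added example (not code from this thread or from KeePass/Bitwarden). It uses the Python standard library only, so the cipher is HMAC-SHA256 in counter mode rather than AES, the vault line is a constructed sample, and the scrypt parameters are illustrative assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample vault contents (real managers use JSON, KDBX, etc.)
SAMPLE_VAULT = b"example.com\tuser@example.com\thunter2\n"


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password with scrypt (memory-hard) into 64 key bytes.
    Whoever holds the stored blob also holds the salt, so this KDF cost is the
    only thing slowing down an offline guess at the master password."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=64)  # assumed parameters


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib-only stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    """Client-side encryption: the returned dict is everything a sync server sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict) -> bytes:
    """Local decryption. A wrong master password or a modified blob fails the
    authentication check before any plaintext is produced."""
    key = derive_key(master_password, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream))


def generate_site_password(length: int = 20) -> str:
    """A unique per-site password from the OS CSPRNG, as the thread recommends."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```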