Ask HN: Chrome says I have 83 compromised passwords. How do I fix this?
I know, use a password manager, etc. which is great advice moving forward. But how do I clear this backlog of accounts for absolutely random websites I haven't accessed in years!
Is there any software or automation tool that can do this?
69 comments
[ 2.9 ms ] story [ 139 ms ] threadI did this when I first started using a password manager and the couple of hours that I put in years ago have paid off over and over again with peace of mind and better security practices.
Besides, how much should the bug bounty of a password manager be?
KeePass or KeePassXC if you want to control your own data and use something like Syncthing to sync
And my contingency plan if I can no longer self host, is export from one of my devices and import into the cloud version of Bitwarden. I don't see myself needing to do that, but you never know.
If something happens I’ll use my eyeballs until I figure something else out.
Nextcloud works well if you do use iOS.
No need for a VPN with either.
Also, the attacker would have to be really motivated to brute force into it, and if it happened that my phone got stolen and I was worried about your scenario, I'd be just rotating all the high-value passwords I have, which is something that I think can be done quickly.
Anyway, I hate to be Cassandra, I just lost count of how many stories I heard of people regretting taking "convenience over freedom" with critical software.
I fully agree with you on this one. However being free/libre doesn't mean that that "someone" will actually fix your problem. I've been a software developer/hacker/OSS enthusiast for close to two decades, but I'm mighty tired of 1. software that's impossible for me to fix myself, 2. its authors who don't care enough about my problem.
I've had one minor issue with 1password and I was blown away with how good their support was. They followed very good OpSec while not appearing intimidating to what they didn't know wasn't a non-technical user, they solved the problem on the spot, and they gave me a few months free to compensate for the inconvenience. At the same time, I've currently lost track of how many random Github issues I'm subscribed to, with some going on unsolved for years.
Being free/libre is just one dimension, orthogonal to other qualities software might have. These other qualities include simplicity/hackability, cost, usability, convenience, support, security, accessibility, respect for your time, ethical/mindful design, and many others. It's OK to choose your own trade-offs.
> I just lost count of how many stories I heard of people regretting taking "convenience over freedom" with critical software.
All online vaults remain available offline; the client allows a full export, including in plain old CSV. Bitwarden has builtin import functionality; or I can write a few lines of code and put it in pass. Worst case scenario, 1password going fully evil and pushing a silent client update to lock me out? I go offline, restore the app+vault from a backup, and export. It very firmly fits into the category of "problems I can fix myself".
Have you offered to pay them anything? At least a good fraction of what you pay to the proprietary alternative?
Anecdotally, I like what the developer of Blink Shell[0] has done. The app is 100% free software[1] under GPL3, so you can easily build it yourself with XCode, upload to your phone, and use as usual from there, which isn't a big hurdle for the target audience. But I bought it. At the time IIRC it costed 20 bucks on the App Store. I bought it because it was incredibly frictionless to pay the money (Apple is good at that), and it felt good to support the developer of a tool I liked and used.
So it leaves me wondering, where are the big obstacles. All other things being equal, I will choose a free/libre solution, but we know things are far from equal.
[0]: https://blink.sh [1]: https://github.com/blinksh/blink
open source, encrypted-while-at-rest and a cloud service allowing you to use it from all your machines and even while traveling on public machines.
https://en.wikipedia.org/wiki/List_of_password_managers
I just have used 1Pass for a while, maybe 5-6 years, it’s seamless with apps across everything and lots of support and because I pay for it I know there’s a business behind it which for me feels more stable with respect to longer term support.
My password are available everywhere on Android via the Authenticator app and on any browser that have the Microsoft autofill extension on whatever OS I happen to be currently using.
I have a 1Password account provided by my employer but I don't want to tie access to my password to my employment. Also I don't like that 1Passowrd required to enter a really long key to enroll a new device. And I figured that I might use the MS account I created for Windows 10 for something usefull.
As far ass I know there are no equivalent way of using the Chrome password manager outside of Chrome and Android.
It's worth it, but it isn't for the faint of heart.
[0] https://justdeleteme.xyz/index.html
(similarly and a major peeve - vast majority of signup verification emails do not have a "no this is NOT me that signed up, delete this email" option! My email gets misused a lot in some countries where my name is common and I have no easy recourse to deny it)
https://www.theverge.com/2021/3/11/22320467/dashlane-one-cli...
As you are using Chrome, you already have a password manager.
Also, since chrome is warning you about these passwords, it obviously knows your passwords - so you are already using its password manager.
Moving forward, utilise the "generate password" functionality.
Misunderstandings and hopium, mostly.
You can fix the others lazily, when/if you access them next.
If chrome knows about your passwords being pwned, you are using a password manager. Just let it pick the passwords in the future. Look at the list, and change / close a couple accounts a day/week and you'll be done eventually. Prioritize to change important accounts first.
You want strong passwords for any website that retains credit card information.
And super strong passwords for Google, email, bank and credit cards. These are all in my head and looong.
If your phone gets simjacked, you most definitely do not want to allow Google password recovery by text to "your" phone number.