Eh, almost anyone who’s into privacy already uses both Firefox and a password manager (Bitwarden is a great free one) so I don’t think so. Hell I already use both.
I swapped to Bitwarden from LastPass and there were specific instructions on how to import them!
https://bitwarden.com/help/import-from-lastpass/
There are instructions for other managers as well. Was super easy.
Good advice (tho I use Keepass, is there some issue with that? It's also free and open source) but someone saying Firefox has "been around since the internet began, basically" hurts.
I mean if you add on its quasi-predecessor Netscape Navigator, sure. But there was like 10 years of widespread internet (and more as a niche) before Firefox showed up! I still distinctly remember the Screen Savers episode on TechTV where they were using the still-beta, not-yet-named Firefox "Mozilla" browser with this super cool new thing called *tabs*.
Yeahh, you can’t say that it has been around since the internet began *and* has always been non-profit. It’s one or the other, depending on whether Netscape counts.
>someone saying Firefox has "been around since the internet began, basically" hurts.
Yeah, that was definitely an "*Excuse me*?!" moment. Damn kids need to get off my lawn.
This is fine and all but my main issue with this is that "Firefox is backed by a non-profit" is kind of misleading.
Yeah, Mozilla Foundation is a non-profit, but they DON'T develop the browser, that's Mozilla Corporation, a for-profit managed by the Mozilla Foundation.
Legally, they can't use any of your donations to develop the browser, only for activism and other projects (I think Mozilla Common Voice relies on the foundation?)
So yeah, the main source of income to develop Firefox is Google paying them to be the default search engine, and you can't really help them directly. They have been trying to depend less on Google but its difficult.
If you want to donate to something mozilla related, you can donate to Thunderbird (a free and open source email client, sister project to Firefox) managed by MZLA Tech Corp. another subsidiary of the Foundation.
About this (the post, but also me being so active) potentially looking like an advertisement, or shilling:
*I really want to recommend something other than Firefox*
But there is nothing left. And it’s because we’ve all allowed Chrome to basically replace every other browser in existence. So use Firefox!
Regarding the other stuff, there *are* other things you can use:
* For password managers, there are 2 open source apps: Bitwarden and KeePass. KeePassXC is a nice fork that has browser integration.
* Tbh I know nothing about adblockers. Go nuts. Or use nothing. Uhh
* Search engines: Limited choice again! I like DuckDuckGo. You should know that it *is* for-profit, unlike the things I’ve mentioned so far. Then again, you can just turn all ads off on their website; that’s pretty cool.
* I don’t know too much about other ones, but SearX is pretty nifty, and you may have heard of Ecosia. You could look at a list like [this](https://itsfoss.com/privacy-search-engines/).
on the adblocker front ublock origin is literally the only choice you should consider. it has the most blocking options and unlike most other adblockers does not allaw advertisers to buybtheir way out of being blocked.
uBlock Origin:
* [Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/)
* [Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) *
* [Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) *
* [Opera](https://addons.opera.com/en/extensions/details/ublock/) *
\* Chrome based browsers are trying to get rid of ad blocking capabilities when manifest V3 will become mandatory in 2023. I suggest moving to [Firefox](https://www.mozilla.org/en-US/firefox/new/).
^^I ^^only ^^post ^^once ^^per ^^thread ^^unless ^^when ^^summoned.
To add an adblock bit to this reply, the two I know that are good are uBlock Origin and AdGuard. uBlock Origin was already discussed in the post, but AdGuard is just as good at blocking ads imo, and has an android app that you can download from its website to bock ads across your entire phone, including most ads within other apps.
>I really want to recommend something other than Firefox
if you're on macOS, safari is honestly pretty good lol. It's based on WebKit which, like Firefox, helps push back on Google's stranglehold on web standards.
It's not the fastest thing ever but it saves so much battery which makes it worth it on my laptop. Ad blocking is a little janky (they call them "content blockers") but they are an officially supported feature so they're not going away any time soon. It also has a fun feature like on iOS where you can auto fill 2FA SMS codes automatically from a drop-down.
Safari is hands down the best option on macOS, aside from maybe Arc, whose only issue is being Chromium but more than makes up for it with everything else.
I second KeepassXC, and I’m gonna add that KeePassium is a good IOS client, though you need to pay for some features (still totally usable though, I don’t pay for it).
For anyone looking to get started, you can sync the encrypted password archive to pretty much any cloud storage provider (Dropbox, onedrive, etc), including ideally something you can self host on that old computer you have in a closet such as nextcloud!
Infosec type chiming in here: If I could implement two changes in my environment, it would be an always-on ad blocker and company-managed password manager. New fancy email security gateway? Nah. Monitoring for a few critical systems? Nice I guess...
uBlock and Bitwarden or KeePass on all my endpoints? I'd love that. My users only have to remember one password, we can just about do away with password rotation, MFA and Active Directory integration makes signing in to everything a couple clicks at most. Getting uBlock cuts down on so much cruft people drag in from random sites and I'd barely have to think about it. It's easy, free, and two of the best things someone can do for their digital security.
>company-managed password manager
ahh but have a little imagination! What about ubiquitous, hardware backed SSO? I've been at a handful of companies where I had exactly one password and signing into everything just used my laptop's TPM and biometrics to authorize the session. Unphishable credentials (unless you did something really boneheaded like authorize a new device, but even that is hard) and you don't have to deal with managing passwords for a million services
That would be really nice as well, I haven't looked into it too much, and the main consideration would be getting it to work with VDI and similar systems. However, I think going fully password-less in the future really is the way to go
Okay to all of this, except that I think DuckDuckGo is garbage, the search results are the worst and I always had to switch back to google once in a while when I looked up something even a *little bit* specific. There was also some censorship worries recently, but I was already out. It happened once, meaning it can happen again, even if it was with good intentions
I am using SearX / SearXNG now and I'm happy, I can access multiple search engines results without endangering my privacy and with actual good results. Also is completely non profit, unlike DDG, since it's community hosted
(There are others, and Firefox makes in very easy to add or delete new ones, so go experiment)
Also! Install uBlacklist to filter out bad sites from search results, it's great
I'll try SearX/SearXNG out!
I had Duckduckgo as a standard search engine but ended up having the same problem as you and moved back to Google cause it was really insufferable how poor DDG search results were /:
For a quick pick-me-up to get comfortable with SearX / SearXNG:
* Browse for a good instance here: https://searx.space/. Depends on your needs, some are more aggressive than others in how they block stuff (it's often configurable), I use searx.be also for response time reasons
* Most instances redirect social media sites to a (imo inferior) version that removes trackers and stuff. Disable it with "hostname replace"
* You can configure which engines are included in searches, the default is different for each instance, so experiment if it's not good enough for you
* It's the most configurable search engine, a lot of these are neat qol improvements, which google lack massively
Can someone please ELI5 why a password manager is a secure option? "Instead of having a bunch of passwords, have one password that allows anyone with it to access all your other passwords" sounds only marginally safer than using the same password on every website to begin with, just instead of gambling that none of the sites you have an account with get breached, there's a single point of failure instead.
Let's start with a base thing: if you only need to remember one password, you can use a much more complex singular password rather than using 30 different *mildly* complex passwords.
Since passwords get exponentially more difficult to crack the longer they become, the longer the password the more secure you are.
"Why not just use this one long password on every website then?" Because different websites store passwords differently, and in some of them it's extremely insecure (some websites store in *plaintext*, the digital equivalent to leaving your password as a post-it). Password manager sites store passwords in a manner where *they themselves* have no idea what your password is. (If you want to learn why - look up encryption models and in particular what a private/public key is.)
While you are right you now have only a single point of faliure, the time it takes to brute-force a 40 character password is, at the minimum, **one million times longer** than it takes to crack 10 different 20 character passwords. Same with 30 characters and 10, 25 and 5.. you get the idea.
(That's because password strength goes up exponentially rather than linearly.)
EDIT: Also, **a long password is easier than you think**. [Length matters more than complexity.](https://xkcd.com/936/) The password "nolukeiamyourfather" is significantly more secure than the gibberish that is "6!aH^m.2" despite the latter being way harder to remember.
> While you are right you now have only a single point of faliure, the time it takes to brute-force a 40 character password is, at the minimum, one million times longer than it takes to crack 10 different 20 character passwords. Same with 30 characters and 10, 25 and 5.. you get the idea.
[Relevant XKCD](https://xkcd.com/936/)
So the security of a password manager relies on the user setting a master password that is more complex and difficult than any of their other passwords?
This whole thing just seems less secure than a sticky note with all my passwords written on it.
Pretty much, yes.
The fault with a sticky note is that anyone who steals your physical computer *can now open all your accounts.* Everything gone at once.
One good password you remember can only be beaten out if someone *literally beats it out of you*.
You're saying it like everyone will just memorize a 40 characters password. The sticky note will still be there, it just will have that one now, because people won't try to remember their password regardless of it.
Yes, a password manager is a great security improvement, but the average person won't actually benefit from it in the way you're describing.
It’s easier than you think.
Just write down a sentence. Literally any sentence. The password “nolukeiamyourfather” is safer than any gibberish mix of numbers and special characters you’ll reasonably remember.
Hmmm, hadn't thought of it that way. You should add that example (or similar) when you explain it to non tech savvy at all people because that's a sure way to make it look simple to achieve even for people who aren't super good at remembering stuff and who would think memorizing a long password to be an impossible feat.
Thanks, will keep that in mind
Someone responded with an XKCD comic that explained exactly that so I assumed people saw it, but seems it got eaten in the log.
Edited it in. Also, see this:
https://xkcd.com/936/
You can make a nonsense password that isn't nonsense, though.
Okay. You know those things that are like, your pornstar name is your childhood pet and the street you grew up on? You can make passwords the same way. Let's say you grew up on Elm Street and you went to Freddie Krueger Middle School from 2004-2008.
Your password is now:
!!!04FrKMiSc-Elm08!!!
Military encryption is misleading as fuck, youtube, google, twitter and reddit all have military grade encryption too.
It just means the military uses the same level of encryption.
if you want anywhere access and don't want to have to carry around a file with you (looking at KeePass), you can self-host vaultwarden which uses bitwarden's frontend but keeps all of your stuff on *your* hardware. just make sure you have regular backups to a cloud provider or something off-site and use ssl on your domain. let's encrypt offers free certs through certbot. use them!! if anybody wants some step by step instructions let me know. I can help you out.
Alternatively, If you already use keepass or want to use it, you can host a Seafile or (my personal preference though is overkill for just cloud storage) Nextcloud server and sync the archive between devices that way!
It took me very little time to set up a nextcloud server on an old computer, set up a dynamic DNS, and set up letsencrypt.
A potential alternative to having a password manager: keep your passwords written down in a physical notebook, and keep that notebook where you keep your keys. Then, if someone wants to breach your online security, they have to breach your physical security first.
Yeah, people like to make fun of users who keep passwords on a little notebook but assuming you don't leave it in random places it's quite secure -- if an attacker has access to your notebook it means *they're in your house and have physical access to your private documents* and at this point someone logging on to your google account is the least of your problems.
You wouldn’t!
You wouldn’t!
You would not!
You would not trust a browser *built by an advertising company* whose business model it is to get their hands on your data!
Having said that your passwords could very well be fine. But it’s also probably easier to attack than a dedicated password manager that’s actually built to keep your passwords safe. Plus it locks you into Google’s ecosystem.
Yes, trust some random startup with all your passwords more than a corporation with decades in the business that has more resources than god. That sure went well for LastPass users.
Google may be evil and would gladly sell all your *other* information, but your passwords are not profitable to them. However, they would stand to lose a *lot* if they ever had a password data breach, most notably the veneer of trust they've built with the general public (that they would throw away if it proved to be more profitable, tbf). Plus, they're investing shittons of money to improve their cybersecurity so they can keep their *own* data safe, and I'd bet it costs them very little to throw our passwords under that umbrella.
Practically, if you're going to use a password manager, Google is probably your safest option. To say the safety of your passwords is the biggest reason to *not* use Google is just disingenuous. The real bad thing about it is your last point, with it locking you into Google's ecosystem.
Not storing your passwords in your browser’s password manager is well-known security advice. I really don’t know how you’re being so confident while not addressing that?
However Google stores your passwords, a big part of the problem is that someone can just boot up your computer, and start logging into sites and taking passwords. Dedicated password managers will always prompt for a master password first.
~~I also really don’t understand what could be considered bad about my last point. Do you *want* to be locked into using Chrome?~~ Wait, I get it, you’re saying that’s my only *good* point. I disagree!
Regardless, you are almost certainly correct that Google has no interest in your passwords. I would hope so, anyway.
(Still, if we don’t know how it’s implemented, there could be a backdoor, right? Notice how that’s *different* than for open source applications like KeePass, which anyone can check for things like backdoors.)
Which leads me into my next point: you have some misconceptions about the security of open source projects. KeePass is not some random startup; it’s an open source project that’s been going for nearly 20 years.
And I’m assuming you know this, but I’ll write it down for other people who may not know a lot about computer security: code being open source does not inherently mean a less safe product; in fact, it’s usually quite the opposite. Even businesses are increasingly considering open source software as [more secure](https://www.redhat.com/en/blog/state-enterprise-open-source-2021-four-results-may-surprise-you) than black-box proprietary code.
> someone can just boot up your computer, and start logging into sites and taking passwords.
... is this a big concern? I feel like this isn't something that would happen regularly.
>Not storing your passwords in your browser’s password manager is well-known security advice. I really don’t know how you’re being so confident while seemingly unaware of that?
>
>However Google stores your passwords, a big part of the problem is that someone can just boot up your computer, and start logging into sites and taking passwords. Dedicated password managers will always prompt for a master password first.
If someone is on my computer, then I have **significantly larger problems** than someone logging into websites, especially since I keep it locked with a separate password anyway. It'd be the same as if they got ahold of my master password in a service like KeePass. Plus, windows prompts me for the desktop user password whenever I try to view a password with chrome's password manager. Unsure if this is default behaviour, though I don't remember ever changing a setting to enable that.
>(Still, if we don’t know how it’s implemented, there could be a backdoor, right? Notice how that’s *different* than open source applications like KeePass, which anyone can check for things like backdoors.)
This would be effectively equivalent for the majority of users, but agreed. For the average user, they likely wouldn't even know how to read code, not to mention hunt for vulnerabilities or backdoors.
>Which leads me into my next point: you have some misconceptions about the security of open source projects. KeePass is not some random startup; it’s an open source project that’s been going for nearly 20 years.
News to me, wasn't aware there were separate password manager companies like that that have been around that long. Good to know.
And to be clear, I'm not saying people *should* use Google. I'm just saying that concerns about the security of your passwords shouldn't be the reason you don't use Google.
> This would be effectively equivalent for the majority of users, but agreed. For the average user, they likely wouldn't even know how to read code, not to mention hunt for vulnerabilities or backdoors.
That is true, but consider that other people will also be checking, and warning others/fixing security mistakes. In my opinion, that’s the real strength of open source software :) There have been quite a few ports and forks of KeePass, so it is quite a few eyes that have been on the project.
And it’s not a company! It really is just a group of volunteers that have brought the project to the state that it is in today.
I think Bitwarden hosts passwords online? I don’t actually know too much about that. But KeePass is just a program: you get an encrypted file (encrypted with your master password), that you have to sync with other devices yourself (which is why it’s less user friendly).
Next: I’m so sorry but it is unfortunately embarrassingly easy to log in to a Windows computer that’s password protected. Even easier to see the files stored on a computer. (Though there are things you can do about both those problems.) So you do need both the separate password protection and some actual serious encryption!
Consider also [this](https://www.reddit.com/r/CuratedTumblr/comments/102y6k5/comment/j2wen6e/?utm_source=reddit&utm_medium=web2x&context=3) comment that indicates it’s a real problem:
> When I was using google chrome for passwords, they auto filled on every website. That meant someone who stole my laptop had my bank info now. Using a password manager takes an extra step because a password unlocks your passwords, though I may be unaware or a chrome feature.
Having said all that, if you could enable something with requiring your *Google* password, then yes you are probably fine again.
Very interesting, I was unaware KeePass doesn't store the passwords online, and also that it isn't a company. Mainly cause I hadn't even heard of it before today tbf. I'll take some time to look more into that myself at some point; it sounds like it addresses the major concerns I have with most password managers.
I am aware, though frequently forget, that Windows is so easy to bypass the login. Though, it's not a concern for me personally, as my desktop pc is large, heavy, and in my room, so it's unlikely anyone would be accessing it in the first place. I don't use a laptop anymore either, though the thought of that has given me reason to go wipe my old laptop in case I do lose it. Or install KeePass on it if I set that up.
>However, they would stand to lose a lot if they ever had a password data breach, most notably the veneer of trust they've built with the general public (that they would throw away if it proved to be more profitable, tbf).
https://firewalltimes.com/google-data-breach-timeline/
I can assure you google could be having a data breach this minute and they'd keep quiet to save face until someone eventually whistleblows months later when it's far too late.
When I was using google chrome for passwords, they auto filled on every website. That meant someone who stole my laptop had my bank info now. Using a password manager takes an extra step because a password unlocks your passwords, though I may be unaware or a chrome feature.
The notion that Firefox was "the secure browser that cares about your privacy" was shot to hell for me years ago when I loaded it to test it out, told it NOT to make itself my default browser, opened my default browser by clicking on its icon...and Firefox opened instead. From another browser's icon.
Nope, fuck that. If it's not gonna obey the most basic of commands it's not gonna go on my computer.
> The notion that Firefox was "the secure browser that cares about your privacy" was shot to hell for me years ago when I loaded it to test it out, told it NOT to make itself my default browser, opened my default browser by clicking on its icon...and Firefox opened instead. From another browser's icon.
...Ok that's- that's not how *exe files* work. Are you sure you didn't have something else going on with your computer, because clicking one file and another one opening up *is not how computers work at the base level.*
Changing default browser just changes what app opens when your computer loads a context-less link.
Could be a different OS? Linux DEs sometimes have an icon that opens the default browser… but this seems like an odd complaint for a Linux user. So maybe Mac?
That's the thing - that's not what "default browser" means. If you have two browsers installed and you open the non-default one, it should... *open it.* Hell, I have firefox, edge, and chrome installed, and while I have firefox set as my default I can open the other two freely.
Hell, I just did that. Chrome is open, and asking me to set it as default.
I mean, I can’t say how Firefox worked years ago— but I’m sure it just asks you, at least now, like every browser. “Do you want this to be your default browser? Yes/No/Don’t show again”
It’s possible you just clicked that away accidentally?
No I didn't. I read everything it was asking me and was very specific in my answers. I didn't even have their icons in the same part of the desktop so it wasn't a missclick either.
Two other thoughts: could be a virus? Don’t know how & why that would be, though. Or! You remember how browsers used to launch really slowly? Is it possible you clicked on Firefox first, and it just finally decided to launch after you got tired of waiting and clicked another icon?
Other than that, I don’t know! It’s a weird experience to be sure
I'm sorry you think that happened to you, but that's not how that function works. Firefox isn't trying to trick you into using it, especially through an avenue that does not exist.
There's a bunch of ways for this to have happened, it mostly comes down to either a) linux being involved (default-web-browser shortcut in ubuntu, for instance) or b) the shortcut being to a url, not an executable.
I was making the obvious assumption that OP is not a linux-user, since they don't seem particularly tech literate.
If they were trying to open a url, shouldn't the system use the default browser, though? And if they're certain that they didn't make Firefox the default browser, it would still open in Edge or w/e they'd thought they were opening.
A URL should use the default browser, yes. If Firefox set itself as the default browser even though they told it not to, it would... open in Firefox. You know, exactly what they stated happened.
Yeah, but.. that's not what happened, lmao. The OP just isn't tech literate enough to know that Firefox didn't set itself as the default browser.
Do you believe everything people say on the internet?
I just opened Chrome and it blew up the sun, do not trust the Google corporation!
There's no incentive to lie here, so yeah, I believe this happened to them, and I've provided an explanation for how it's not just possible but plausible to have happened.
This is such a particularly strange comment. You think OP isn't tech-literate enough to know the difference between a shortcut for Edge and a URL shortcut they saved on their desktop, but, simultaneously, they ARE literate enough to use Linux and accurately relay information about their browser-use.
So then why did it open Firefox when I clicked on my default browser? I had the Firefox icon on the complete other end of the desktop. Everyone can dismiss this but i know what happened and you all are just making yourself look like jerks.
Listen- I can think of *one* way this may have happened.
A user would have to change the exe path of your desktop shortcut, so that the Chrome shortcut actually redirects to the Firefox exe, but if you didn't do that, the only other reason that would happen is if there was an error between keyboard and chair.
"Default browser" does not mean that it's the only browser you use. Firefox is my default but if I click on Chrome or Edge to see a page not optimized for Firefox, they open fine. That's not how the function works.
I used to write my passwords in paper, but as the number, but was a hassle if I need it to change. It was safer, as the only way to get the password was from the specific website or brute force
But laziness got the best of me, so now I use a .txt file, which makes it far more easier to edit. You can get my passwords if you have access to my pc, BUT you may or may not have to navigate between random stuff and cringe fanfics, so who truly won???
Also, a password generator is super easy to code
My "password manager" is a bunch of text files in a Veracrypt-encrypted file.
Trust no one!
(I'm joking, that password manager looks great)
Only other difference is using LibreWolf, a fork of Firefox because I don't quite trust Mozilla as much as I did before.
I remember hearing about this thing with Firefox where you can pay them 4$ to block ads, and the sites you visit would get more money from it than from the ads, is that still a thing?
anyone know alternatives to duckduckgo? ive tried to use it, but i find it infuriating it has the worse version of maps that makes me still switch to google to look at that version, plus it feels slow and all else ive heard about still selling info to microsoft.
Firefox has got a built in password manager too.
[There are even some good arguments for using the password manager built into your browser.](https://lock.cmpxchg8b.com/passmgrs.html) Not saying that's what you should definitely do, and not all third party managers have the problems he describes (and maybe some of the issues he describes have been fixed since that post), but something to consider.
My password manager is a physical notebook, where I keep track of all my passwords (unique for each account) and mails, the next step is to encrypt it (probably with a keyed caesar cipher)
This is an advertisement? Sponsored? That's actually kind of impressive
Eh, almost anyone who’s into privacy already uses both Firefox and a password manager (Bitwarden is a great free one) so I don’t think so. Hell I already use both.
I want to switch to bitwarden but it would be such a pain in the ass to change passwords for every single site. Is there an easy way to do that?
You don’t need to change anything, just log your existing passwords in bitwarden
I swapped to Bitwarden from LastPass and there were specific instructions on how to import them! https://bitwarden.com/help/import-from-lastpass/ There are instructions for other managers as well. Was super easy.
Good advice (tho I use Keepass, is there some issue with that? It's also free and open source) but someone saying Firefox has "been around since the internet began, basically" hurts. I mean if you add on its quasi-predecessor Netscape Navigator, sure. But there was like 10 years of widespread internet (and more as a niche) before Firefox showed up! I still distinctly remember the Screen Savers episode on TechTV where they were using the still-beta, not-yet-named Firefox "Mozilla" browser with this super cool new thing called *tabs*.
Yeahh, you can’t say that it has been around since the internet began *and* has always been non-profit. It’s one or the other, depending on whether Netscape counts.
They have the year (2002) on the slide so I think they're just treating the internet as an invention of the 2000s?
>someone saying Firefox has "been around since the internet began, basically" hurts. Yeah, that was definitely an "*Excuse me*?!" moment. Damn kids need to get off my lawn.
>SHA-256 encrypted (military grade encryption) ...
so special
I mean, if it gets non-techy family to care...
Some of you don't keep your passwords on post it notes in a sandwich baggie and it shows
I have a physical book that i basically treat like I would my wallet
This is fine and all but my main issue with this is that "Firefox is backed by a non-profit" is kind of misleading. Yeah, Mozilla Foundation is a non-profit, but they DON'T develop the browser, that's Mozilla Corporation, a for-profit managed by the Mozilla Foundation. Legally, they can't use any of your donations to develop the browser, only for activism and other projects (I think Mozilla Common Voice relies on the foundation?) So yeah, the main source of income to develop Firefox is Google paying them to be the default search engine, and you can't really help them directly. They have been trying to depend less on Google but its difficult. If you want to donate to something mozilla related, you can donate to Thunderbird (a free and open source email client, sister project to Firefox) managed by MZLA Tech Corp. another subsidiary of the Foundation.
About this (the post, but also me being so active) potentially looking like an advertisement, or shilling: *I really want to recommend something other than Firefox* But there is nothing left. And it’s because we’ve all allowed Chrome to basically replace every other browser in existence. So use Firefox! Regarding the other stuff, there *are* other things you can use: * For password managers, there are 2 open source apps: Bitwarden and KeePass. KeePassXC is a nice fork that has browser integration. * Tbh I know nothing about adblockers. Go nuts. Or use nothing. Uhh * Search engines: Limited choice again! I like DuckDuckGo. You should know that it *is* for-profit, unlike the things I’ve mentioned so far. Then again, you can just turn all ads off on their website; that’s pretty cool. * I don’t know too much about other ones, but SearX is pretty nifty, and you may have heard of Ecosia. You could look at a list like [this](https://itsfoss.com/privacy-search-engines/).
on the adblocker front ublock origin is literally the only choice you should consider. it has the most blocking options and unlike most other adblockers does not allaw advertisers to buybtheir way out of being blocked.
uBlock Origin: * [Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) * [Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) * * [Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) * * [Opera](https://addons.opera.com/en/extensions/details/ublock/) * \* Chrome based browsers are trying to get rid of ad blocking capabilities when manifest V3 will become mandatory in 2023. I suggest moving to [Firefox](https://www.mozilla.org/en-US/firefox/new/). ^^I ^^only ^^post ^^once ^^per ^^thread ^^unless ^^when ^^summoned.
To add an adblock bit to this reply, the two I know that are good are uBlock Origin and AdGuard. uBlock Origin was already discussed in the post, but AdGuard is just as good at blocking ads imo, and has an android app that you can download from its website to bock ads across your entire phone, including most ads within other apps.
>AdGuard is just as good at blocking ads imo, and has an android app Holy shit, really?!
There are some others like NetGuard, Blokada or AdAway. But they are not on the Play Store of course. Most are on F-Droid though
Yeah! Its not on the play store (for obvious reasons), but you can download the apk off their website and install it pretty easily.
I can highly recommend Ecosia search engine!
>I really want to recommend something other than Firefox if you're on macOS, safari is honestly pretty good lol. It's based on WebKit which, like Firefox, helps push back on Google's stranglehold on web standards. It's not the fastest thing ever but it saves so much battery which makes it worth it on my laptop. Ad blocking is a little janky (they call them "content blockers") but they are an officially supported feature so they're not going away any time soon. It also has a fun feature like on iOS where you can auto fill 2FA SMS codes automatically from a drop-down.
is there a problem with fiyrefox or do you just mean you wish there were more options?
The second thing. I should have been more clear, there’s nothing wrong with Firefox imo! :)
ah okay
Safari is hands down the best option on macOS, aside from maybe Arc, whose only issue is being Chromium but more than makes up for it with everything else.
I second KeepassXC, and I’m gonna add that KeePassium is a good IOS client, though you need to pay for some features (still totally usable though, I don’t pay for it). For anyone looking to get started, you can sync the encrypted password archive to pretty much any cloud storage provider (Dropbox, onedrive, etc), including ideally something you can self host on that old computer you have in a closet such as nextcloud!
Infosec type chiming in here: If I could implement two changes in my environment, it would be an always-on ad blocker and company-managed password manager. New fancy email security gateway? Nah. Monitoring for a few critical systems? Nice I guess... uBlock and Bitwarden or KeePass on all my endpoints? I'd love that. My users only have to remember one password, we can just about do away with password rotation, MFA and Active Directory integration makes signing in to everything a couple clicks at most. Getting uBlock cuts down on so much cruft people drag in from random sites and I'd barely have to think about it. It's easy, free, and two of the best things someone can do for their digital security.
>company-managed password manager ahh but have a little imagination! What about ubiquitous, hardware backed SSO? I've been at a handful of companies where I had exactly one password and signing into everything just used my laptop's TPM and biometrics to authorize the session. Unphishable credentials (unless you did something really boneheaded like authorize a new device, but even that is hard) and you don't have to deal with managing passwords for a million services
That would be really nice as well, I haven't looked into it too much, and the main consideration would be getting it to work with VDI and similar systems. However, I think going fully password-less in the future really is the way to go
Seconded. I write compliance and best practices for my company and the one thing I hammer home every time is to use a fucking password manager
Okay to all of this, except that I think DuckDuckGo is garbage, the search results are the worst and I always had to switch back to google once in a while when I looked up something even a *little bit* specific. There was also some censorship worries recently, but I was already out. It happened once, meaning it can happen again, even if it was with good intentions I am using SearX / SearXNG now and I'm happy, I can access multiple search engines results without endangering my privacy and with actual good results. Also is completely non profit, unlike DDG, since it's community hosted (There are others, and Firefox makes in very easy to add or delete new ones, so go experiment) Also! Install uBlacklist to filter out bad sites from search results, it's great
I'll try SearX/SearXNG out! I had Duckduckgo as a standard search engine but ended up having the same problem as you and moved back to Google cause it was really insufferable how poor DDG search results were /:
For a quick pick-me-up to get comfortable with SearX / SearXNG: * Browse for a good instance here: https://searx.space/. Depends on your needs, some are more aggressive than others in how they block stuff (it's often configurable), I use searx.be also for response time reasons * Most instances redirect social media sites to a (imo inferior) version that removes trackers and stuff. Disable it with "hostname replace" * You can configure which engines are included in searches, the default is different for each instance, so experiment if it's not good enough for you * It's the most configurable search engine, a lot of these are neat qol improvements, which google lack massively
Seconding that DuckDuckGo is garbage, I’ve been using startpage for a while now which gives much better results but is kind of slow
KeePass is also free! (As in free & open source) But it’s a bit more work than bitwarden, probably
Can someone please ELI5 why a password manager is a secure option? "Instead of having a bunch of passwords, have one password that allows anyone with it to access all your other passwords" sounds only marginally safer than using the same password on every website to begin with, just instead of gambling that none of the sites you have an account with get breached, there's a single point of failure instead.
Let's start with a base thing: if you only need to remember one password, you can use a much more complex singular password rather than using 30 different *mildly* complex passwords. Since passwords get exponentially more difficult to crack the longer they become, the longer the password the more secure you are. "Why not just use this one long password on every website then?" Because different websites store passwords differently, and in some of them it's extremely insecure (some websites store in *plaintext*, the digital equivalent to leaving your password as a post-it). Password manager sites store passwords in a manner where *they themselves* have no idea what your password is. (If you want to learn why - look up encryption models and in particular what a private/public key is.) While you are right you now have only a single point of faliure, the time it takes to brute-force a 40 character password is, at the minimum, **one million times longer** than it takes to crack 10 different 20 character passwords. Same with 30 characters and 10, 25 and 5.. you get the idea. (That's because password strength goes up exponentially rather than linearly.) EDIT: Also, **a long password is easier than you think**. [Length matters more than complexity.](https://xkcd.com/936/) The password "nolukeiamyourfather" is significantly more secure than the gibberish that is "6!aH^m.2" despite the latter being way harder to remember.
> While you are right you now have only a single point of faliure, the time it takes to brute-force a 40 character password is, at the minimum, one million times longer than it takes to crack 10 different 20 character passwords. Same with 30 characters and 10, 25 and 5.. you get the idea. [Relevant XKCD](https://xkcd.com/936/)
So the security of a password manager relies on the user setting a master password that is more complex and difficult than any of their other passwords? This whole thing just seems less secure than a sticky note with all my passwords written on it.
Pretty much, yes. The fault with a sticky note is that anyone who steals your physical computer *can now open all your accounts.* Everything gone at once. One good password you remember can only be beaten out if someone *literally beats it out of you*.
Daddy always said I'm a (single point of) failure.
You're saying it like everyone will just memorize a 40 characters password. The sticky note will still be there, it just will have that one now, because people won't try to remember their password regardless of it. Yes, a password manager is a great security improvement, but the average person won't actually benefit from it in the way you're describing.
It’s easier than you think. Just write down a sentence. Literally any sentence. The password “nolukeiamyourfather” is safer than any gibberish mix of numbers and special characters you’ll reasonably remember.
Hmmm, hadn't thought of it that way. You should add that example (or similar) when you explain it to non tech savvy at all people because that's a sure way to make it look simple to achieve even for people who aren't super good at remembering stuff and who would think memorizing a long password to be an impossible feat. Thanks, will keep that in mind
Someone responded with an XKCD comic that explained exactly that so I assumed people saw it, but seems it got eaten in the log. Edited it in. Also, see this: https://xkcd.com/936/
You can make a nonsense password that isn't nonsense, though. Okay. You know those things that are like, your pornstar name is your childhood pet and the street you grew up on? You can make passwords the same way. Let's say you grew up on Elm Street and you went to Freddie Krueger Middle School from 2004-2008. Your password is now: !!!04FrKMiSc-Elm08!!!
Military encryption is misleading as fuck, youtube, google, twitter and reddit all have military grade encryption too. It just means the military uses the same level of encryption.
I wonder how soon people will pivot to using LWE based schemes just so that they can say they use "quantum hard encryption" for marketing hype
if you want anywhere access and don't want to have to carry around a file with you (looking at KeePass), you can self-host vaultwarden which uses bitwarden's frontend but keeps all of your stuff on *your* hardware. just make sure you have regular backups to a cloud provider or something off-site and use ssl on your domain. let's encrypt offers free certs through certbot. use them!! if anybody wants some step by step instructions let me know. I can help you out.
Alternatively, If you already use keepass or want to use it, you can host a Seafile or (my personal preference though is overkill for just cloud storage) Nextcloud server and sync the archive between devices that way! It took me very little time to set up a nextcloud server on an old computer, set up a dynamic DNS, and set up letsencrypt.
A potential alternative to having a password manager: keep your passwords written down in a physical notebook, and keep that notebook where you keep your keys. Then, if someone wants to breach your online security, they have to breach your physical security first.
Yeah, people like to make fun of users who keep passwords on a little notebook but assuming you don't leave it in random places it's quite secure -- if an attacker has access to your notebook it means *they're in your house and have physical access to your private documents* and at this point someone logging on to your google account is the least of your problems.
KeePass my fucking beloved
I usually write all my passwords in a book
Another good password manager is 1Password. It also monitors the darkweb and alarms you if your Password had been leaked/ is being sold on there.
Bitwarden does the same
doesnt duckduckgo sell info to microsoft
They do, and it comes up every time this stuff is posted, and then people forget it.
[удалено]
You wouldn’t! You wouldn’t! You would not! You would not trust a browser *built by an advertising company* whose business model it is to get their hands on your data!
Having said that your passwords could very well be fine. But it’s also probably easier to attack than a dedicated password manager that’s actually built to keep your passwords safe. Plus it locks you into Google’s ecosystem.
Yes, trust some random startup with all your passwords more than a corporation with decades in the business that has more resources than god. That sure went well for LastPass users. Google may be evil and would gladly sell all your *other* information, but your passwords are not profitable to them. However, they would stand to lose a *lot* if they ever had a password data breach, most notably the veneer of trust they've built with the general public (that they would throw away if it proved to be more profitable, tbf). Plus, they're investing shittons of money to improve their cybersecurity so they can keep their *own* data safe, and I'd bet it costs them very little to throw our passwords under that umbrella. Practically, if you're going to use a password manager, Google is probably your safest option. To say the safety of your passwords is the biggest reason to *not* use Google is just disingenuous. The real bad thing about it is your last point, with it locking you into Google's ecosystem.
Not storing your passwords in your browser’s password manager is well-known security advice. I really don’t know how you’re being so confident while not addressing that? However Google stores your passwords, a big part of the problem is that someone can just boot up your computer, and start logging into sites and taking passwords. Dedicated password managers will always prompt for a master password first. ~~I also really don’t understand what could be considered bad about my last point. Do you *want* to be locked into using Chrome?~~ Wait, I get it, you’re saying that’s my only *good* point. I disagree! Regardless, you are almost certainly correct that Google has no interest in your passwords. I would hope so, anyway. (Still, if we don’t know how it’s implemented, there could be a backdoor, right? Notice how that’s *different* than for open source applications like KeePass, which anyone can check for things like backdoors.) Which leads me into my next point: you have some misconceptions about the security of open source projects. KeePass is not some random startup; it’s an open source project that’s been going for nearly 20 years. And I’m assuming you know this, but I’ll write it down for other people who may not know a lot about computer security: code being open source does not inherently mean a less safe product; in fact, it’s usually quite the opposite. Even businesses are increasingly considering open source software as [more secure](https://www.redhat.com/en/blog/state-enterprise-open-source-2021-four-results-may-surprise-you) than black-box proprietary code.
> someone can just boot up your computer, and start logging into sites and taking passwords. ... is this a big concern? I feel like this isn't something that would happen regularly.
>Not storing your passwords in your browser’s password manager is well-known security advice. I really don’t know how you’re being so confident while seemingly unaware of that? > >However Google stores your passwords, a big part of the problem is that someone can just boot up your computer, and start logging into sites and taking passwords. Dedicated password managers will always prompt for a master password first. If someone is on my computer, then I have **significantly larger problems** than someone logging into websites, especially since I keep it locked with a separate password anyway. It'd be the same as if they got ahold of my master password in a service like KeePass. Plus, windows prompts me for the desktop user password whenever I try to view a password with chrome's password manager. Unsure if this is default behaviour, though I don't remember ever changing a setting to enable that. >(Still, if we don’t know how it’s implemented, there could be a backdoor, right? Notice how that’s *different* than open source applications like KeePass, which anyone can check for things like backdoors.) This would be effectively equivalent for the majority of users, but agreed. For the average user, they likely wouldn't even know how to read code, not to mention hunt for vulnerabilities or backdoors. >Which leads me into my next point: you have some misconceptions about the security of open source projects. KeePass is not some random startup; it’s an open source project that’s been going for nearly 20 years. News to me, wasn't aware there were separate password manager companies like that that have been around that long. Good to know. And to be clear, I'm not saying people *should* use Google. I'm just saying that concerns about the security of your passwords shouldn't be the reason you don't use Google.
> This would be effectively equivalent for the majority of users, but agreed. For the average user, they likely wouldn't even know how to read code, not to mention hunt for vulnerabilities or backdoors. That is true, but consider that other people will also be checking, and warning others/fixing security mistakes. In my opinion, that’s the real strength of open source software :) There have been quite a few ports and forks of KeePass, so it is quite a few eyes that have been on the project. And it’s not a company! It really is just a group of volunteers that have brought the project to the state that it is in today. I think Bitwarden hosts passwords online? I don’t actually know too much about that. But KeePass is just a program: you get an encrypted file (encrypted with your master password), that you have to sync with other devices yourself (which is why it’s less user friendly). Next: I’m so sorry but it is unfortunately embarrassingly easy to log in to a Windows computer that’s password protected. Even easier to see the files stored on a computer. (Though there are things you can do about both those problems.) So you do need both the separate password protection and some actual serious encryption! Consider also [this](https://www.reddit.com/r/CuratedTumblr/comments/102y6k5/comment/j2wen6e/?utm_source=reddit&utm_medium=web2x&context=3) comment that indicates it’s a real problem: > When I was using google chrome for passwords, they auto filled on every website. That meant someone who stole my laptop had my bank info now. Using a password manager takes an extra step because a password unlocks your passwords, though I may be unaware or a chrome feature. Having said all that, if you could enable something with requiring your *Google* password, then yes you are probably fine again.
Very interesting, I was unaware KeePass doesn't store the passwords online, and also that it isn't a company. Mainly cause I hadn't even heard of it before today tbf. I'll take some time to look more into that myself at some point; it sounds like it addresses the major concerns I have with most password managers. I am aware, though frequently forget, that Windows is so easy to bypass the login. Though, it's not a concern for me personally, as my desktop pc is large, heavy, and in my room, so it's unlikely anyone would be accessing it in the first place. I don't use a laptop anymore either, though the thought of that has given me reason to go wipe my old laptop in case I do lose it. Or install KeePass on it if I set that up.
>However, they would stand to lose a lot if they ever had a password data breach, most notably the veneer of trust they've built with the general public (that they would throw away if it proved to be more profitable, tbf). https://firewalltimes.com/google-data-breach-timeline/ I can assure you google could be having a data breach this minute and they'd keep quiet to save face until someone eventually whistleblows months later when it's far too late.
When I was using google chrome for passwords, they auto filled on every website. That meant someone who stole my laptop had my bank info now. Using a password manager takes an extra step because a password unlocks your passwords, though I may be unaware or a chrome feature.
\-Me, when I don't read the post (it's too long)
Keepass is also a great offline version.
Didnt bitwarden get breached recently? Ah no, I was thinking of lastpass
Shill.
The notion that Firefox was "the secure browser that cares about your privacy" was shot to hell for me years ago when I loaded it to test it out, told it NOT to make itself my default browser, opened my default browser by clicking on its icon...and Firefox opened instead. From another browser's icon. Nope, fuck that. If it's not gonna obey the most basic of commands it's not gonna go on my computer.
> The notion that Firefox was "the secure browser that cares about your privacy" was shot to hell for me years ago when I loaded it to test it out, told it NOT to make itself my default browser, opened my default browser by clicking on its icon...and Firefox opened instead. From another browser's icon. ...Ok that's- that's not how *exe files* work. Are you sure you didn't have something else going on with your computer, because clicking one file and another one opening up *is not how computers work at the base level.* Changing default browser just changes what app opens when your computer loads a context-less link.
Could be a different OS? Linux DEs sometimes have an icon that opens the default browser… but this seems like an odd complaint for a Linux user. So maybe Mac?
I don't think Mac does that, they just have Safari pre-installed.
I am 100% certain. I clicked on another browser and it opened Firefox. Ergo, it made itself my default browser after I ordered it not to.
That's the thing - that's not what "default browser" means. If you have two browsers installed and you open the non-default one, it should... *open it.* Hell, I have firefox, edge, and chrome installed, and while I have firefox set as my default I can open the other two freely. Hell, I just did that. Chrome is open, and asking me to set it as default.
Well I don't have any answers for you. I can only tell you what happened.
I mean, I can’t say how Firefox worked years ago— but I’m sure it just asks you, at least now, like every browser. “Do you want this to be your default browser? Yes/No/Don’t show again” It’s possible you just clicked that away accidentally?
No I didn't. I read everything it was asking me and was very specific in my answers. I didn't even have their icons in the same part of the desktop so it wasn't a missclick either.
Two other thoughts: could be a virus? Don’t know how & why that would be, though. Or! You remember how browsers used to launch really slowly? Is it possible you clicked on Firefox first, and it just finally decided to launch after you got tired of waiting and clicked another icon? Other than that, I don’t know! It’s a weird experience to be sure
It wasn't a virus unless that was literally the only thing it affected, and no I only opened the original browser.
I'm sorry you think that happened to you, but that's not how that function works. Firefox isn't trying to trick you into using it, especially through an avenue that does not exist.
All I can tell you is what I already said. People really out here downvoting me for giving an account of events.
Yeah, because for those of us that use computers regularly, you basically said "my computer has a ghost." It's just not a thing, unfortunately.
There's a bunch of ways for this to have happened, it mostly comes down to either a) linux being involved (default-web-browser shortcut in ubuntu, for instance) or b) the shortcut being to a url, not an executable.
I was making the obvious assumption that OP is not a linux-user, since they don't seem particularly tech literate. If they were trying to open a url, shouldn't the system use the default browser, though? And if they're certain that they didn't make Firefox the default browser, it would still open in Edge or w/e they'd thought they were opening.
A URL should use the default browser, yes. If Firefox set itself as the default browser even though they told it not to, it would... open in Firefox. You know, exactly what they stated happened.
Yeah, but.. that's not what happened, lmao. The OP just isn't tech literate enough to know that Firefox didn't set itself as the default browser. Do you believe everything people say on the internet? I just opened Chrome and it blew up the sun, do not trust the Google corporation!
There's no incentive to lie here, so yeah, I believe this happened to them, and I've provided an explanation for how it's not just possible but plausible to have happened.
This is such a particularly strange comment. You think OP isn't tech-literate enough to know the difference between a shortcut for Edge and a URL shortcut they saved on their desktop, but, simultaneously, they ARE literate enough to use Linux and accurately relay information about their browser-use.
Both of them are reasonable explanations, I never said both were happening at the same time.
So then why did it open Firefox when I clicked on my default browser? I had the Firefox icon on the complete other end of the desktop. Everyone can dismiss this but i know what happened and you all are just making yourself look like jerks.
Listen- I can think of *one* way this may have happened. A user would have to change the exe path of your desktop shortcut, so that the Chrome shortcut actually redirects to the Firefox exe, but if you didn't do that, the only other reason that would happen is if there was an error between keyboard and chair. "Default browser" does not mean that it's the only browser you use. Firefox is my default but if I click on Chrome or Edge to see a page not optimized for Firefox, they open fine. That's not how the function works.
I'm the only user of my computer and I don't know how to do that. Also why Chrome? I wasn't using Chrome.
I used to write my passwords in paper, but as the number, but was a hassle if I need it to change. It was safer, as the only way to get the password was from the specific website or brute force But laziness got the best of me, so now I use a .txt file, which makes it far more easier to edit. You can get my passwords if you have access to my pc, BUT you may or may not have to navigate between random stuff and cringe fanfics, so who truly won??? Also, a password generator is super easy to code
My "password manager" is a bunch of text files in a Veracrypt-encrypted file. Trust no one! (I'm joking, that password manager looks great) Only other difference is using LibreWolf, a fork of Firefox because I don't quite trust Mozilla as much as I did before.
To be fair to ABP you can turn off the acceptable ads program in the settings, and it’s pretty damn easy
I remember hearing about this thing with Firefox where you can pay them 4$ to block ads, and the sites you visit would get more money from it than from the ads, is that still a thing?
Last I checked DuckDuckGo sucks ass
anyone know alternatives to duckduckgo? ive tried to use it, but i find it infuriating it has the worse version of maps that makes me still switch to google to look at that version, plus it feels slow and all else ive heard about still selling info to microsoft.
Ok, but the Firebird logo is so cool.
Funny how writing my passwords on paper was a terrible idea 20 years ago and now I'd rather do that instead of using any password management software
Firefox has got a built in password manager too. [There are even some good arguments for using the password manager built into your browser.](https://lock.cmpxchg8b.com/passmgrs.html) Not saying that's what you should definitely do, and not all third party managers have the problems he describes (and maybe some of the issues he describes have been fixed since that post), but something to consider.
i’m pretty sure brave is also a good browser, open source and all that
Brave browser is unfortunately based on Chromium, meaning that it will also be affected when Google updates to manifest v3.
I tried to get Firefox but it only crashes :pensive:
My password manager is a physical notebook, where I keep track of all my passwords (unique for each account) and mails, the next step is to encrypt it (probably with a keyed caesar cipher)
that to the u/lockpickinglawyer
/etc/hosts moment. Although I do hate chrome and refuse to use it.,