undefined | Better HN

0 pointsvntok1y ago0 comments

If your setup includes a password manager, generated unique passwords and enabling 2FA everywhere you can, there's not much else to do.

Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwnd.

Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)

0 comments

2 comments · 1 top-level

jxjnskkzxxhx1y ago· 1 in thread

I happen to think that having your password manager online is a mistake.

mdaniel1y ago

For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:

- SHA1 or NTLM hash prefix matching https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...

- actually download the HIBP db and check for yourself https://haveibeenpwned.com/API/v3#PwnedPasswordsDownload

Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes

j / k navigate · click thread line to collapse