How do you keep track of PINs for various things?

I have been randomizing my passwords for years, initially through KeePass, then LastPass once it came out, then Bitwarden. However, when it comes to PINs, I’m much less savvy at randomizing them. I have the same PIN on both of my work phones and my personal phone, and my PC PIN is just a slight variant of it. I’m looking into getting a safe now to store my encrypted password vault in, as well as our documents like passports and birth certificates, and I know I’m going to be tempted to use the same PIN there as well.

Do you tend to use different PINs for different things? If so, how do you remember all of them?
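One way to act on the question, as an added example and not code from any poster in this thread: generate an independent random PIN per device, reject the patterns an attacker tries first and the "slight variant" trap described above, then paste each result into the password manager entry for that device. The device labels are constructed for illustration.

```python
import secrets
from typing import Dict, Iterable, List

# Constructed labels for the things the question mentions (hypothetical names).
DEVICES = ["work-phone-1", "work-phone-2", "personal-phone", "pc", "safe"]


def is_weak(pin: str) -> bool:
    """Reject PINs an attacker guesses first: repeated digits, runs, birth years."""
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                          # 0000, 7777
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                           # 1234, 9876
        return True
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:     # looks like a year
        return True
    return False


def too_similar(pin: str, others: Iterable[str]) -> bool:
    """The 'slight variant' trap: same digits reordered, or one digit changed."""
    for other in others:
        if len(other) != len(pin):
            continue
        if sorted(other) == sorted(pin):               # 4027 vs 7402
            return True
        if sum(a != b for a, b in zip(pin, other)) <= 1:  # 4027 vs 4028
            return True
    return False


def random_pin(length: int) -> str:
    # secrets, not random: the PIN must not be reproducible from a seed.
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def generate_pins(devices: List[str], length: int = 6, max_tries: int = 1000) -> Dict[str, str]:
    """One fresh PIN per device, none weak and none a near-copy of another."""
    pins: Dict[str, str] = {}
    for device in devices:
        for _ in range(max_tries):
            candidate = random_pin(length)
            if not is_weak(candidate) and not too_similar(candidate, pins.values()):
                pins[device] = candidate
                break
        else:
            raise RuntimeError(f"no acceptable PIN found for {device}")
    return pins


if __name__ == "__main__":
    for device, pin in generate_pins(DEVICES).items():
        print(f"{device}: {pin}")   # store each in the password manager entry
```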

They also go in the password manager :+1:

11 Likes

Yeah, also in a password manager. You most likely have to remember/write down a few PINs/passwords to get into your phone, and into Bitwarden. The rest, if you use them enough, you tend (or not) to remember them; otherwise, you can look them up.

For me, it’s hard to make up stories about a random number for remembering, but it’s easier if the PIN is a passphrase.

1 Like

Probably not the optimal security practice, but I tend to use one PIN for each “type” of thing I need a PIN for. For example, all my phone apps that have a PIN use the same PIN (this does not include the phone lock PIN).

Yeah, I use my password manager.

Two ways:

  1. VeraCrypt. Create a volume, say 1 MB, put a text file in there, done. Can choose from a dozen types of encryption, hidden volume, key files, etc.
  2. For Android: there’s File Commander and Encrypt File Pro. Same thing, create text files.

I would never trust a password manager. LastPass (among others) was hacked, and others have/had vulnerabilities. I had been saying for years (mostly on Reddit before I left that shit heap) to never use a service like that, because I see it as the weakest link in the chain. Was met with downvotes, criticism, and childish name-calling. Guess I won that one.

1 Like

Off-topic, but does your distrust extend to password managers operating fully offline? E.g. KeePassXC/1Password?

Not off-topic. 1Password was breached last October during Okta, and two vulnerabilities were disclosed in January. So yes, I don’t trust anything that was specifically designed for passwords. It’s just too risky when there’s better and safer.

1 Like

I see 1Password specifically no longer supports local-only vaults, but there still are password solutions that do. Pass/Gopass, KeePassXC, LAN Vaultwarden, …

You reference breaches of cloud data stored by LastPass and 1Password, but why the distaste for all password managers, including ones that never touch the cloud?

EDIT: Additionally, with zero knowledge encryption, someone gaining access to your encrypted vault is effectively the same as someone stealing your VeraCrypt thumb drive/the device your container is on, no?

For me, it’s all on the password manager (Bitwarden).

I’m not worried about the container falling into the wrong hands, I actually keep it in my wallet in the event of an emergency. They would still need the password (and if I included a keyfile/keyfiles, they would need that/them too). Keyfiles are completely innocuous, I can use as many as I want, and they’re kept behind an encrypted disk. Plus, this doesn’t leave out the possibility that I’m also using a hidden volume.

There’s never been a breach of VeraCrypt’s security, and it’s been around for 10 years as a fork of TrueCrypt, which has been around since 2004. So, 20 years without a problem. If it isn’t broken, don’t fix it. Do password managers have full drive encryption, hidden containers, plausible deniability, keyfiles, token files, 15 forms of encryption? Have these password managers been tested in court? What do they use for encryption? So many questions, but it doesn’t matter because what we have already works.

1 Like

You are essentially managing your passwords by storing them in a VeraCrypt container. If that works for you - great. My point is that you can still do that, just put your password database in that container. You’ll have your 20-year unbroken encryption plus whatever the chosen password manager’s security is - and you’ll have access to the utilities/convenience options that manager provides.

You have a preference, and that’s fine, but it’s not mutually exclusive with these kinds of software, nor are password managers fundamentally insecure.

If your threat model prohibits you from saving your database in the cloud or on disk, don’t. But again, not fully grasping your fundamental distaste for an entire classification of utility.

1 Like