Hacker News: 33Backpack33's comments

For the average person it's best they use a cloud password manager as they're not responsible enough to do their own backups of a local password manager.


You could do that salt and pepper thing found here: https://passwordbits.com/salting-passwords/

This way you don't store your full password in your password manager.


As far as I can tell Bitwarden doesn't inject any scripts. I know people complain it doesn't have that overlay like LastPass has, but Bitwarden not having it might be a plus now.


Not when script kiddies already have free tools like this: https://vimeo.com/308709275


If we all agree it's not secure then why do we keep using it?

I'd rather have a unique password than rely on SMS for anything, especially if that account allows you to reset your password by SMS.


Username + unique password would be better than all the other options listed.

Adding SMS seems to add new points of attack that either hurt the user or just delay the hurting.


When you consider that SMS 2FA is often used to fix the poor or reused password problem, we see it's not helping much at all but only delaying the problem.


That's bullshit, nobody is going to bother with attacks like this to steal your Uber or DoorDash account. SMS 2FA kills credential stuffing attacks for all but the highest value targets.


You do know Uber and DoorDash accounts are hacked all the time because of password reuse? There is a huge black market for hacked accounts from DoorDash and the like.


That's my point. These accounts are worth a couple of dollars; nobody would spend $50 on a hacked Uber or DoorDash account.

These accounts are only worth anything as long as they're cheaper and easier to use than stolen credit cards.


The original VICE article said it was $16 and they can take as many accounts as they want. It seems worth it to me.


Yeah, because that $16 plan is totally going to last for long after people start abusing this at scale.


It doesn't stop it but delays it. The attacker seeing an SMS 2FA screen doesn't mean they give up, it just means the user is now more valuable. This explains it: https://passwordbits.com/dont-need-sms-2fa/


This article goes more in depth and answers the questions you bring up: https://passwordbits.com/dont-need-sms-2fa/


This article does a better job of explaining how SMS 2FA doesn't solve the credential stuffing problem. https://passwordbits.com/dont-need-sms-2fa/

