r/Passwords

Parents of college students: How did you help your kids organize usernames, passwords, recovery emails, and important online accounts before they left for college?

I want to help my college-aged kids create a long-term system for managing passwords, recovery methods, and important online accounts. I’m interested in both security best practices and real-world experiences from families who have gone through this transition.

Web and AI searches lead me to certain password software that can maintain usernames and passwords to log in automatically, but it seems like they are incomplete if it means having separate security questions. And, if you did use those software apps, it seems like you would still want/need a back-up in case there is some hacking or corruption of their software?

For context, both kids and here at home, we have phones, tablets and computers where these various accounts can be accessed.

At home, we use an old-style address book that we've had for 30+ years to log all our accounts (a few years ago, I counted over 250 entries). This works for us, but I don't think it's safe for a young adult in a dorm or apartment and being on the move to classes, etc.

Speaking more broadly, I wouldn't mind modernizing our username/password records management. I can see a point in 15-20 years where it may be a security risk to have that book if we have some in-house care, etc. So, this question is asked for my kids right now, but also how it can be used for average adults?

Thanks in advance for any feedback.

reddit.com
u/402_Found_not_Lost — 8 hours ago

Google started cross checking my saved Passwords whenever "non-google data breaches" are detected

I use separate Passwords for everything so I'm curious if these were just 2 unrelated breaches that were just now discovered or you think Equifax got sloppy upstream?

Regardless: I change my Passwords frequently, MFA has its flaws but at this point its a helpful additional security layer. I also settup several different alerts for logins(text notifications and a completely new unrelated email that I auto forward all incoming emails to so I can still complete account recoveries if I get locked out and give myself at least a proactive chance of changing my Passwords before the breacher does

What am I missing?

u/bilbywilby — 2 days ago
▲ 8 r/Passwords+2 crossposts

New Sign In and Passkey Notification… But Then Nothing…

I was watching YouTube this morning, when I saw a Google Prompt YouTube Notification pop up that said my Google account had been signed into on a new device (an iPad I was unfamiliar with). Then I got another notification that said a passkey had been created.

I instantly jumped into action, tapped both notifications, but YouTube might’ve glitched, because it did not take me to a new screen after tapping both notifications (since I was already in the app maybe?) then I went to my Google account settings and saw… nothing… That’s right, no new passkeys, no new sign in’s and no evidence of the notifications I just received.

Regardless, I changed my password, I signed out of all devices, downloaded the Authenticator app, setup backup codes, turned on 2 step verification, the whole nine yards.

After doing this, I went back in to see if I could find ANY evidence at all of this sign in and passkey (checked other devices used, history, I only have one passkey that I created) and couldn’t find ANYTHING. Of course, I clicked the notifications expecting to be redirected to a “was this you?” page, but that never happened. I checked my email to see if there was any sign in alerts sent to my recovery email. Nothing.

What the heck happened? Is my account compromised? Any advice for me? Anything is helpful.

reddit.com
u/DarkOrbit253 — 2 days ago

Are We Close to the End of Passwords?

We’ve been hearing for years that passwords are dead, yet they remain one of the most important layers of security for both individuals and organizations.

It’s true that passkeys, biometrics, and other authentication methods are gaining traction, but passwords are still the primary way most people secure their accounts.

Do you think passwords will eventually disappear?

reddit.com
u/PandaSecurity — 6 days ago
▲ 2 r/Passwords+2 crossposts

Why I deliberately didn't bind my Keystore key to biometric auth (Flutter password manager, now open source)

I've been building a zero-knowledge password manager (PassKeyra) in Flutter for the past year, and I just released it under the GPL-3.0 license.

The most interesting Flutter problem was biometric unlock, and I made a deliberate trade-off I'm not 100% sure about. I'd love this community's take.

The vault is encrypted with a key derived from the master password (PBKDF2-HMAC-SHA256, AES-256-GCM), entirely in Dart. For biometric unlock, I didn't want to keep that vault key in plaintext behind a simple fingerprint, so I wrap it with a hardware AES-256-GCM key stored in the Android Keystore.

Flutter_secure_storage is great for storing secrets, but it doesn't expose the wrap/unwrap primitives I needed. So I wrote a small native Kotlin plugin (BiometricKeywrapPlugin) over a MethodChannel: wrapKeyMaterial / unwrapKeyMaterial / clearWrappingKey. StrongBox is best-effort, with a fallback, because setIsStrongBoxBacked(true) doesn't throw at build time: it throws at generateKey() via StrongBoxUnavailableException on devices that don't have it (a lot of mid-range phones and tablets).

The obvious "secure" choice is setUserAuthenticationRequired(true), so the Keystore key only decrypts after a fresh biometric auth through a CryptoObject. I deliberately chose NOT to do that.

The reason: CryptoObject-bound auth requires STRONG biometric (Class 3). That silently breaks face unlock on a huge number of devices. Many Pixels and Samsung tablets only expose Class 1/2 / WEAK / CONVENIENCE. Users would lose biometric unlock for no visible reason. So the key is non-exportable and hardware-bound, but with setUserAuthenticationRequired(false), and biometric auth is enforced at the app layer via local_auth.authenticate() BEFORE wrap/unwrap is ever called.

Once auth passes, unwrap runs without a second prompt. The honest downside, which I left as a comment in the code: the key isn't cryptographically bound to strong biometric. It's the same model as Bitwarden and 1Password, but I'd rather say it plainly than pretend it's more solid than it is. The code (it's all there, including that comment): https://github.com/Pass-Keyra/PassKeyra

 

My questions for you:

  1. Would you have forced Class 3 and accepted losing face unlock on a lot of devices?

  2. Is there a cleaner pattern to get both broad device support AND CryptoObject-level binding in Flutter?

 

Thanks for reading this far, and a special thank you to anyone who takes the time to go look at the code. That's exactly the point of open source: you shouldn't have to take my word for it.

(This is a shipped freemium app, with an ad banner in the free version. I'm posting here for the technical discussion.)

u/PassKeyra — 6 days ago

Found a saved password for a website I never signed up for

Going through my passwords to delete old accounts and found one saved to a weird link I don't ever recall logging in to (the website seems to have been taken over completely by someone else, it talks about complex coding which I never did)

What are my options here? I don't see a way to log in if the old version of whatever the site was no longer exists

reddit.com
u/Snow-Gecko — 5 days ago
▲ 1 r/Passwords+1 crossposts

Facebook hacked. Passkey, Email, Phone number removed.

is my Facebook gone forever? I tried doing Facebook hack recovery but it’s giving me the error to sign in from a device I used to sign in before. which I only signed in on one device and it’s claiming I never used that device to sign in before? I don’t get how they got through if I had a passkey ? meta ai chat was having technical issues and couldn’t help now its not allowing me to chat with them again? it’s not making any sense at all.

reddit.com
u/SuzyM815 — 4 days ago
▲ 2 r/Passwords+1 crossposts

Went to reset my password and this popped up. Which one do I choose?

u/kattwills — 7 days ago

Testers needed for a new Bezel-based 2FA app (RotarySafe)

Your authenticator app displays 2FA codes to anyone who glances at your phone — I built one that requires a physical combination on your watch first

Most TOTP apps have a quiet problem: open the app, codes are right there. Anyone nearby who sees your screen — or grabs your unlocked phone for a second — has your 2FA codes.

RotarySafe works differently. Your codes are in an encrypted vault on your phone. To open that vault, you have to enter a physical rotary combination on your Wear OS watch — like dialing a safe. Four steps, each a number of clicks left or right on the watch bezel. Get it wrong three times and it locks until you clear it from your phone with your fingerprint.

The codes never appear on screen until the combination is correct. And since it holds no internet permission, nothing ever leaves your devices.

It's in closed testing right now and I'm looking for people who care about 2FA security to use it daily and give honest feedback.

To get access:

  1. Join the testing group → https://groups.google.com/g/rotarysafe_closedtesting
  2. Register as a tester → https://play.google.com/apps/testing/com.luly.rotarysafe
  3. Install the app → https://play.google.com/store/apps/details?id=com.luly.rotarysafe

On the "Become a Tester" page, click the link that says "Download it on Google Play."When you click to "buy" it, Google will show a message: "Test card: Always approves" or "You will not be charged."This meaning 0 cost for you now and after the testing, by the group membership.

You'll need a Wear OS smartwatch — the physical combination is the whole security model, so it can't work without one. Imports from Google Authenticator if you want to move accounts over easily.

u/Wide-Income2575 — 9 days ago

How to recover my gmail account

If someone takes money and recovers my Gmail account, I am ready.

I have the phone number in my Gmail.but I have not recovery gmail and mobile number

u/Independent_Meat7112 — 11 days ago

Fiancé changed his passcode because a security issue popped up on his phone and asked him to do so

I tried to get into my fiancé‘s phone last night because I have been very suspicious of him and he changed his passcode when I asked him about it he said he had to change it because a a security thing came up on his phone and prompt him to change it. Can this be true??? it’s a personal cell phone not used for work or anything. I’ve never heard of a security issue asking you to change your passcode to get into your phone.

reddit.com
u/Significant-End-9444 — 11 days ago
▲ 3 r/Passwords+2 crossposts

A Lot of Nepal's WiFi Passwords Are Predictable.

I recently wrote a short article about common WiFi security mistakes and how weak passwords can put home networks at risk. Many people still use passwords based on names, birthdays, phone numbers, or the default credentials set by their ISP, making them easier to guess than they think.

The article also talks about public WiFi risks and a few simple ways to improve your network security.

DISCLAMER: This is shared for educational and awareness purposes only. Accessing or attacking networks without permission is illegal and unethical. The goal is to help people understand the risks and better secure their own networks.

Article: https://medium.com/@hadeyghoptey/nepals-wifi-passwords-are-already-in-someone-s-wordlist-bd2ce5b80bd9

reddit.com
u/hadeyghoptey — 13 days ago