Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?
The only annoying part about the modern world is that you want to have that keepass file synchronized between devices, at which point you either go down the path of something like Syncthing (not mainstream user friendly) or you just end up asking yourself “fine, what cloud service do I trust to not go looking at my files?”
I always synced my database manually either directly over usb, or wifi (KDE Connect). I have to admit that it’s not really user friendly, but once I got used to it, it’s no problem at all.
And uploading it to any cloud service should be fine as long as it’s encrypted with a strong password. But that kind of defeats the point of an offline password-manager in my opinion.
Good advice only for tech-savvy people and people who are interested in self-hosting. There are so many things that can go wrong, like improper backups and accidental networking problems.
Well, you can. But you have to be PERSONALLY hacked. At which point you’re at a level of risk equal to “will my house burn and my notebook full of passwords get lost?”
And here’s a reminder that trusting centralized service with high security access control is usually a bad idea.
I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time.
Offline password managers like KeePassXC are a thing, plus self-hosted remote storage like Nextcloud means you’re not worried about any third party interference.
I use Pleasant Password Manager, which is KeePass-compatible. Big fan of offline cache with online sync for access anywhere with an internet connection on top of my phone offline.
And at least for LastPass no passwords were compromised. Saying they “were hacked” and leaving the extent of the hack out implies something worse IMO, it’s misleading. The safes themselves are E2E encrypted so they also don’t have your password.
That said, my vote is to Bitwarden as it’s open source and allows self hosting if you think you’re a more reliable admin than they are. Open plus more choice is always better.
This is true, but they have your encrypted vault, and all the technical data to make unlimited informed attempts at cracking it. If you used LastPass, you definitely need to be changing passwords for your critical services at a minimum.
Just this month a link was made between $35 million in crypto being stolen and the 150 victims being LastPass users.
In 2022 LastPass was compromised through a developer’s laptop and had customer data like emails, names, addresses, partial credit cards, website URLs, and most importantly vaults stolen last year, and given they’re closed source, have no independent audits, and don’t release white papers, we have no idea how good their encryption schemes actually are nor if they have any obvious vulnerabilities.
In 2021, users were warned their master passwords were compromised.
In 2020 they had an issue with the browser extension not using the Windows Data Protection API and just saving the master password to a local file.
What will 2024 bring for LastPass? They were hacked, and there’s no reason to think they won’t see more breaches of confidential customer information and even passwords in the future. This is a repeated pattern, and I’d rather trust a post-it note on my monitor for security than LastPass at this point.
The only problem with their SSH agent is, if you store let’s say 6 keys and the server is set to accept a maximum of 5 keys before booting you, and the correct key happens to be key number 6, you can end up being IP banned.
This happened to me on my own server :P
That being said, my experience was using the very first GA release of their SSH Agent, so it’s possible the problem has been sorted by now.
Firefox is extremely easy to get your password from behind the *** if it autofills. Requires physical access, but literally takes seconds. Right click the field, inspect and change the field type from password to text.
On mobile I’m assuming. I personally don’t know a way to bypass the fingerprint locks. And if you’re also having Firefox create random difficult passwords, it’s significantly better than reusing the same one. So you’re probably a much harder target than the majority of people. I’d have to double check, but I think even on desktop if you have a master password for Firefox and don’t just have logins autofilled you’re probably good there too.
It’s 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.
I’ve used the same password for everything since 1991. If anyone’s cracked it, they haven’t attempted to get into my shit. Probably because there’s nothing worthwhile to steal.
First of all they wouldn’t know there’s nothing worthwhile until they got in. But most importantly, if you’re using the same password for everything since 91 there’s around a 0% chance that password hasn’t been leaked. This means that a random person can have access to everything that you have that’s not 2FA protected without you even noticing. You said that no one tried to get into your things, how would you know? Most places don’t let you know when someone logs in successfully, and a lot of other places do so with an email which the attacker can quickly delete.
If you really use the same password for everything since a long while back, anyone who knows your email address can get into anything of yours; getting a hold of one of those password dumps is really easy, especially older ones.
if you’re using the same password for everything since 91 there’s around a 0% chance that password hasn’t been leaked
Plot twist, they’ve never had their password leaked due to never having a password.
They spend every last waking moment trawling through public or university libraries to find computers that people haven’t logged out of, and are still logged into social media, dialup modems, irc, bbs, mainframes, etc. It’s these accounts they make posts from.
Pretty lonely world when you only ever get to make one comment on one account at max like once a week. And then you never get to check the replies. You never get to check your email either, you don’t know if anyone has sent you an e-card for your birthday.
Oh and not to speak of constantly getting kicked out of those libraries once the librarians recognize you. To the point where you have to move to yet another city to have any online time again.
But hey, they’ve never had their password leak at least!
First of all they wouldn’t know there’s nothing worthwhile until they got in.
I mean, you can read all my comments and posts publicly, and social media accounts and such are just about the only thing I’ve ever had passwords for. 🤷🏻♂️
You finna steal my Lemmy account?
Security is only important when you give a shit about what can be taken without it.
Yeah, some sites also don’t have passwords, they just send a login link to your email every time.
I prefer passwords so I don’t have to go to my email to log in, but I understand it’s easier for some people to do it that way. Your email address becomes your identity then.
Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use the same password on two sites. They don’t listen. It’s a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.
I’m thinking most people shouldn’t use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fits into every computer where people need credentials. Wouldn’t that be safer while still being accessible and convenient?
There are Yubikeys you can use to log in, but it requires installing stuff on each computer you want to access. Nothing is simpler than passwords. :)
I used a yubikey for a while, they are alright, but I could only use it for logging on to a computer, not for logging into specific sites. Even though I guess that could be solved with a password manager integration.
Nothing is simpler than passwords. But we want something that’s both simple and safe. Even for lazy people, tech-unsavvy people, and people with bad memory.
What if every PC came with a Yubikey-ish reader and every website supported a browser API for it? Probably not Yubikey, but something that fits in a wallet like bank cards do (but also was an open tech so that anyone can implement and sell cards). Wouldn’t it be both safer and simpler than passwords? It would take some time to turn around of course, but the same was probably the case for HTTPS, 2FA, IPv6, and TPMs.
Those are called smart cards. Traditional smart cards needed centralized management of credentials, but FIDO2 smart cards exist that work like the keys. The reason tokens are more typically USB-based (or NFC) is every PC has USB, but most don’t have smart card readers.
FIDO2 can be used for passwordless log in on a few sites, but the site and browser need to support the feature (no extra installation). It sets a pin on the yubikey and when entered the key does all the authentication. It will likely be seen more as Apple “passkeys” gain more popularity, Windows and Android already have native support but don’t market as hard.
so your lemmy password would be ilovemypasswordLEMMY
and your reddit password would be ilovemypasswordREDDIT
that way they can keep their shitty password but it won’t be the same password on every site and they have an easy way to remember what the proper password is for the site they want to access
Still better than using the same password. My argument is if you can only convince them to do at least that, it’s better than every site using the same password
That’s horrible if you ever become the victim of a targeted attack. Compromise your password once on some random shitty site and they’ve got access to everything.
It’s also quite likely that incidents involving password dumps will have crackers filtering the dumped data looking for exactly passwords like this.
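An added check for the pattern the comments above describe (one shared stem with a per-site suffix, plus outright reuse). This is example code written for this page, not code from any password manager or project named in the thread; it runs over a constructed, clearly fake credential list and flags pairs that are identical or that share a long common stem or a high similarity ratio, which is the kind of audit a manager's "weak/reused password" report performs.

```python
"""Audit a set of (site, password) pairs for exact reuse and for
'stem + site suffix' variations such as ilovemypasswordLEMMY /
ilovemypasswordREDDIT.  All data below is constructed for the example."""
from difflib import SequenceMatcher
from itertools import combinations
from os.path import commonprefix

# Constructed sample credential set. None of these are real passwords.
SAMPLE_ACCOUNTS = [
    ("lemmy.world", "ilovemypasswordLEMMY"),
    ("reddit.com", "ilovemypasswordREDDIT"),
    ("bank.example", "ilovemypasswordBANK1"),
    ("mail.example", "ilovemypasswordLEMMY"),   # exact reuse of the lemmy one
    ("shop.example", "xK9#vQ2!pLm7$wRt"),       # unique, generator-style
    ("forum.example", "Tq4&zN8@hBc3%yJd"),      # unique, generator-style
]


def normalize(pw: str) -> str:
    """Case-fold so 'Password' and 'PASSWORD' compare as the same stem."""
    return pw.lower()


def shared_stem(a: str, b: str) -> str:
    """Longest common prefix after normalisation; long prefixes are the
    signature of the 'base password + site name' habit."""
    return commonprefix([normalize(a), normalize(b)])


def similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity ratio; catches variations that differ in the
    middle (e.g. a year swapped) rather than only at the end."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def audit(accounts, min_stem=8, min_ratio=0.7):
    """Return findings as (kind, site_a, site_b, detail) tuples.
    kind is 'exact-reuse' or 'variation'; detail is the shared stem."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(accounts, 2):
        if pw_a == pw_b:
            findings.append(("exact-reuse", site_a, site_b, pw_a))
            continue
        stem = shared_stem(pw_a, pw_b)
        if len(stem) >= min_stem or similarity(pw_a, pw_b) >= min_ratio:
            findings.append(("variation", site_a, site_b, stem))
    return findings


def implicated_sites(findings):
    """Every site that appears in at least one finding; these are the
    accounts a single leaked dump would let someone walk into."""
    sites = set()
    for _, site_a, site_b, _ in findings:
        sites.add(site_a)
        sites.add(site_b)
    return sites


if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS)
    for kind, a, b, detail in results:
        print(f"{kind:12} {a:15} {b:15} stem={detail!r}")
    print("sites to rotate:", sorted(implicated_sites(results)))
```

The thresholds are deliberately loose: an eight character shared prefix or a 70% similarity ratio is enough to flag a pair, because the point of the check is to surface the habit, not to prove two passwords are derived from each other. The two generator-style entries score well below both thresholds against everything else, so they are not reported.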
Honestly, the best solution for this is a password manager and not a notebook. The average person is not going to come up with strong passwords on their own for every website. A password manager once setup can be more convenient than whatever they were doing before, so if you can get people to use one they’ll be in much better shape.
My understanding is that this is basically what the whole passkeys initiative is. I have sort of mixed feelings on it. Hardware tokens for logging in is great, but I worry about people stealing the hardware tokens from others. Mostly people are going to use their phones, though, which should have some other mechanism of authentication.
Just switched from starfield back to cyberpunk for the 2.0 update. It’s consuming my life again. When I finish the dlc I’ll switch back to starfield and let that consume my life.
Same here dude haha. Starfield was fun, but man has Night City just sucked me back in. I love Cyberpunk so much. I am looking forward to going back to Starfield at some point, it is a great chill out and vibe kinda game.
My only suggestion would be to take your time and take breaks between them to play other games. They’re great, but they’re all very similar. An easy recipe for burnout.
Second this. They have so many activities, but it’s kinda repetitive if you play each entry back to back. With a somewhat grindy nature, it burns out fast if you rush.
I just finished Chants of Sennaar. It’s a puzzle game that has you deducing out glyphic languages from context to find solutions, and it’s super satisfying.
Try Heaven’s Vault if you haven’t already! I tried Chants of Sennaar, but I found it to be much less elegant and less gripping than Heaven’s Vault’s language deduction system.
I was never one for Skyrim, the jank was just too much to get immersed and the graphics too low end to be impressed. 450 mods later, I’m fully immersed and impressed (runs better (fact) and looks better (subjective) than Starfield now IMO) and playing the heck out of it.
On the go, Hollow Knight has at last pulled me in on Switch. Finally finding the dash and wall climb abilities made the game a blast. Mario 3D World helps to counterweight Hollow Knight’s melancholy.
Any mod packs or whatever to recommend? Played it once when it came out using a sneak + bow build (didn’t know it was OP when I started though). Haven’t checked out the DLC or anything, so I want to revisit it once I upgrade my potato rig later this year.
I took the “facelift” collection as a basis a long, long time ago but added a lot of mods myself and I’m not sure how many - if any at all - mods of this collection are left by now.
(I mean “left” as in “still left in my own mod setup”)
I've always been a PC gamer but I just got a Retroid Pocket 3 Plus so I've fallen down the rabbit hole of old console games that I never played. I'm having tons of fun just building a ROM collection and seeing what this thing can do. Best $150 I've spent this year, hands down.
Dynamite Cop on the Dreamcast is awesome, Soulcalibur is possibly the most enjoyable fighter I've ever tried, and all the Mario Karts are great stupid fun. I really need to rebind my controls though, Mario Kart is killing my thumb lol.
There's also some great Android games that are just so cool when played on the TV with a controller like Streets of Rage 4 and TMNT Shredder's Revenge.
Those little handhelds look so cool! But I just got a Steam Deck a couple months ago, and I have a modded 3DS, and I work from home and don’t really have a legitimate use for another portable system haha
Maybe I’ll get it for myself for Christmas or something. What’s the OS situation? Or more to the point, is it easy enough to add ROMs and emulators and navigate to the game you want each time you turn it on?
It runs Android and comes pretty bare. You have to install your own standalone emulators, set up RetroArch, and supply all your own ROMs. I'm a bit of a tech dork so setting it up was part of the fun for me, but if you want it ready to go out of the box this is not the device for you.
I use Daijisho as a front end to browse through all the games and platforms and it's been working well for me. I followed the Retro Game Corps video on setting it all up, that guy knows his stuff.
I've been thinking about grabbing a Steam Deck for a while and I think a lot of those little handhelds would complement it pretty nicely as they're actually pocketable, though your DS might fill that niche for you already. Steam Deck for me would just be chilling on the couch playing games but the RP3+ seems like it's a lot easier to just throw in a bag and go.
Cool, thanks. I’ll definitely look into the setup before I get one. I don’t mind fiddling to set it up, as long as once it’s set up, it’s quick and simple to use.
Yeah, between the 3DS and the Deck my portable needs are probably well covered. I have a Switch too, but I really only use that for Ring Fit Adventure anymore (the exercise game).
The Deck is a really nice piece of kit. It’s “portable” in a very different way than the 3DS though. I’m not putting the Deck in my pocket, and in its case it takes up a huge chunk of my backpack. Also it’s kinda tiring to play handheld, just because it’s so big and heavy. But for gaming for an hour or less, I really like it. Perfect for chillin’ on the couch while my wife watches her murder show.
I’m looking forward to the ownership base growing—hopefully more games that don’t traditionally support controllers (like Civ and Cities Skylines, etc) will in the years to come. I’ve used the Deck trackpad in games a little, but it’s not an enjoyable experience.
Completely in love with Starfield. Just finished a big storyline that had the feel of a good TV serial. The sort of self-directed epilogue of looking at my quest log and trying to decide what I want to do next felt awesome and I’m going to be chasing that for a while.
Same here, played the UC SysDef undercover questline yesterday and couldn’t stop playing, so I ended up playing until 3 am lol. The amount of stuff that’s in all those side quests is amazing.
That’s the one I was talking about! What did you do in the end? I stuck with space cops and regretted it until they gave me the reward. Big chunk of change.
Bomb Rush Cyberfunk, got almost all of the tags, now I’m trying for the ~15 mill score achievements, which I somehow always fail at like 13 mill. Pain.