Comment

Comment on God ****** dammit, here we go again

Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.

source

Sort:hotnew top

Weslee@lemmy.world ⁨1⁩ ⁨hour⁩ ago
I use a “password pattern”, rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place

source
- Magnum@lemmy.dbzer0.com ⁨1⁩ ⁨hour⁩ ago
  So when someone figures out your rule he has all the passwords
  
  source
  - Weslee@lemmy.world ⁨1⁩ ⁨hour⁩ ago
    What’s more likely, a password manager gets a breach or someone targets only me and manages to find out multiple passwords across multiple services and cross compares then works out what the random numbers and letters mean…
    
    source
    Magnum@lemmy.dbzer0.com ⁨57⁩ ⁨minutes⁩ ago
    No you are right, your method is stronger than using a password manager hahaha
    
    source
sobchak@programming.dev ⁨1⁩ ⁨hour⁩ ago
I was thinking about this earlier. The password manager browser plugin I use (Proton Pass) defaults to staying unlocked for the entire browser session. If someone physically gained access to my PC while my password manager was unlocked, they’d be able to access absolutely every password I have. I changed the behavior to auto-lock and ask for a 6-digit PIN, but I’m guessing it wouldn’t take an impractical amount of time to brute-force a 6-digit PIN.

Before I started use a password manager, I’d use maybe 3-4 passwords for different “risks,” (bank, email, shopping, stupid shit that made me sign up, etc). Not really sure if a password manager is better (guess it depends on the “threat” you’re worried about).

source
artyom@piefed.social ⁨14⁩ ⁨hours⁩ ago
And an email alias.

source
- stealth_cookies@lemmy.ca ⁨7⁩ ⁨hours⁩ ago
  I hate how many places don’t allow for + aliases. I want to know who leaked my email.
  
  source
  - T156@lemmy.world ⁨5⁩ ⁨hours⁩ ago
    At the same time, it is trivially easy to strip a + alias, so I’d not trust it to do anything much at all.
    
    source
    Miaou@jlai.lu ⁨2⁩ ⁨hours⁩ ago
    If you use aliases for all services, it makes it slightly harder to automate trying one leaked email on another site, since the hacker needs to add the new alias on the other service.
    
    No one is going through of all these credentials manually, so any extra obscurity can actually bring you security in a pinch. Although if you have different passwords this shouldn’t matter much…
    
    source
    -> View More Comments
  - artyom@piefed.social ⁨7⁩ ⁨hours⁩ ago
    No + required. There are hundreds of companies offering aliases using their shared domain.
    
    source
  - CodenameDarlen@lemmy.world ⁨4⁩ ⁨hours⁩ ago
    Even if your alias is leaked they can remove the + part and it’ll lead to your original email.
    
    source
- wreckedcarzz@lemmy.world ⁨12⁩ ⁨hours⁩ ago
  Catch-all address 😎
  
  source
  - artyom@piefed.social ⁨11⁩ ⁨hours⁩ ago
    I use either, depending on the application.
    
    source
BrianTheeBiscuiteer@lemmy.world ⁨12⁩ ⁨hours⁩ ago
Also 2FA. You’ll still want to change passwords but it buys you time.

source
Dave@lemmy.nz ⁨14⁩ ⁨hours⁩ ago
Don’t forget unique email addresses. I’ve had two spam emails in the last 6 months, I could trace them to exactly which company I gave that email address to (one data breach, one I’m pretty sure was the company selling my data). I can block those addresses and move on with my life.

My old email address from before I started doing this still receives 10+ spam emails a day.

source
- BitsAndBites@lemmy.world ⁨11⁩ ⁨hours⁩ ago
  I’ve started using {emailaddress}+{sitename}@gmail.com i.e. myemail+xyzCompany@gmail.com
  
  That way I can at least see who sold my info. I wish I would have started doing this long ago though. Some sites dont let you use the plus symbol even though it’s valid though
  
  source
  - akilou@sh.itjust.works ⁨11⁩ ⁨hours⁩ ago
    This trick is common enough and trivial to reverse engineer. I can just purge my billion-email-address hacked list of all characters between a + and an @ and have a clean list that untraceable with your system.
    
    source
    AMillionMonkeys@lemmy.world ⁨10⁩ ⁨hours⁩ ago
    Right? Has this ever worked for anyone? I’ve never bothered because of how easy it is for spammers to bypass.
    
    source
    -> View More Comments
blazeknave@lemmy.world ⁨5⁩ ⁨hours⁩ ago
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?

source
- Vigge93@lemmy.world ⁨4⁩ ⁨hours⁩ ago
  I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
  
  You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in different languages than english can also greatly increase the resistance to dictionary attacks.
  
  source
realitista@lemmus.org ⁨14⁩ ⁨hours⁩ ago
Which one works on all browsers including mobile safari and mobile Firefox?

source
- sc2pirate@lemmy.world ⁨14⁩ ⁨hours⁩ ago
  Bitwarden has been good for me, but I actually don’t know about safari…
  
  source
  - nocturne@slrpnk.net ⁨14⁩ ⁨hours⁩ ago
    It works with Safari. I use both Bitwarden and mobile/desktop Safari.
    
    source
    realitista@lemmus.org ⁨13⁩ ⁨hours⁩ ago
    Thank you for actually answering the question.
    
    source
    -> View More Comments
- Aetherion@lemmy.world ⁨1⁩ ⁨hour⁩ ago
  Bitwarden
  
  source
- Miaou@jlai.lu ⁨2⁩ ⁨hours⁩ ago
  If there’s one thing I’ve always been wary of, it’s the password manager browser extensions. And I’ve been proven right. Don’t be lazy, it takes 30 extra seconds to do it manually.
  
  Pishing detection is nice though, I’ll admit.
  
  source
- Pika@sh.itjust.works ⁨14⁩ ⁨hours⁩ ago
  Keepass does a pretty decent job. I have keepassXC on my Windows, Debian and Android devices. On Android it’s integrated into the phone(and the autofill service if actual 2fa isn’t supported on the app) so it works on every application. With IOS though I know they can be a stickler on anything remotely technical so I’m not sure if something similar exists with it. I also use syncthing as the service to make sure the same copy of the database is on each device to prevent having to use a password manager that requires a subscription for a cloud service, this also minimizes my risk factor of a cloud service being compromised.
  
  source
- stealth_cookies@lemmy.ca ⁨7⁩ ⁨hours⁩ ago
  Not an iOS user and it certainly seems like something they would be behind on, but with Android every password manager with a Android app will work since the hooks are built directly into Android. Other than websites and apps that don’t implement passwords properly it works pretty well.
  
  source
- CrazyLikeGollum@lemmy.world ⁨11⁩ ⁨hours⁩ ago
  For mobile safari Bitwarden (and I think a number of others, but Bitwarden’s the only one I can speak to) ties into Apple’s password management system for autofill and password generation. Still have to use the app or webpage (either Bitwarden’s official site or self-hosted vaultwarden) for more in depth management.
  
  For mobile Firefox, on iOS it’s the same as Safari. On Android you can either use the Bitwarden add-on or use it with the app and Android’s built-in password management system just like on iOS.
  
  Since you mentioned “all browsers” for chrome/chromium based browsers there is also on add-on for both mobile and desktop. For Internet Explorer and pre-chrome Edge I don’t believe there’s an add-on but it can still work, it’ll just be more of a pain since you autofill either won’t work or will be spotty. You’ll probably be relying on the standalone desktop app.
  
  On MacOS it integrates with Apple’s password management, so no need for an add-on on desktop safari.
  
  For other browsers, you’ll probably have to use the desktop app and manually copy/paste just like for IE.
  
  I also remember seeing some third-party integration for the windows terminal app and various Linux terminals, but I can’t really speak to their quality or functionality since I haven’t used them. But that would probably cover your needs for terminal based browsers like Lynx.
  
  source
  - realitista@lemmus.org ⁨10⁩ ⁨hours⁩ ago
    Thank you! You may have finally convinced me to go this directions
    
    I assume Firefox desktop is also supported on Windows and Mac?
    
    source
    CrazyLikeGollum@lemmy.world ⁨10⁩ ⁨hours⁩ ago
    There’s an add-on for the browser for both, but on Mac, the desktop app is what integrates with the system wide password manager. I don’t know if desktop Firefox is integrated into that, so you may need both the add-on and desktop app to get the same systemwide functionality.
    
    On Windows it’s worth having both the browser add-on and desktop app installed as well, since the browser add-on only works in browser but the desktop app, while somewhat hit or miss whether or not it works with any specific application, is supposed to provide autofill/generation capabilities anywhere you have username/password field.
    
    source
- haulyard@lemmy.world ⁨13⁩ ⁨hours⁩ ago
  Heard great things about bitwarden. I’ve personally been using 1Password for over a decade.
  
  source
  - thenoirwolfess@lemmynsfw.com ⁨9⁩ ⁨hours⁩ ago
    I’ve heard great things about Bitwarden, Vaultwarden, 1Password and Keepass, although the latter may fall out of preference rapidly. Some also recommend the Apple Cloud key storage. Call me a stickler but I haven’t trusted Apple security since the Fappening, even if it was the victims’ fault for not using 2FA
    
    source
- BombOmOm@lemmy.world ⁨14⁩ ⁨hours⁩ ago
  I’m a big fan of the Keep It Simple method, and went with Password Safe. Works on Linux, Windows, iOS, and Android. It’s big thing is it just makes an encrypted password file which then you can sync between devices however you like (Box, Dropbox, etc)
  
  Which one works on all browsers including mobile safari and mobile Firefox?
  
  It has an auto-type and copy feature, so no need for browser support.
  
  source
  - ImgurRefugee114@reddthat.com ⁨14⁩ ⁨hours⁩ ago
    Something to keep in mind about not using browser integrations is that you can fall victim to simple keyloggers and clipboard stealers. But using an extension can also be a weakpoint if it autopopulates incorrectly or on a compromised site; but that’s far less common.
    
    But, dear readers, don’t let that dissuade you: even a text file in a veracrypt volume is better than “PurpleElephant1994”
    
    source
    u_u@lemmy.dbzer0.com ⁨14⁩ ⁨hours⁩ ago
    I would dare say PurpleElephant1994 is already much better than most passwords people have been willingly tell me.
    
    source
    -> View More Comments
    JohnEdwa@sopuli.xyz ⁨10⁩ ⁨hours⁩ ago
    In theory auto-population is way more likely to save you from getting scammed because it won’t do it for a fake site, as the URL doesn’t match. In practice though most people are just going to be annoyed it didn’t work and do it manually anyway before they realize why it didn’t work.
    
    source
    AbidanYre@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    Autopopulate is probably less likely to mistake I and l or O and 0 in a fake site though.
    
    source
    wreckedcarzz@lemmy.world ⁨12⁩ ⁨hours⁩ ago
    One second, let me just
    
    PurpleElephant1994!
    
    source
- paraphrand@lemmy.world ⁨14⁩ ⁨hours⁩ ago
  Keychain should work in both now. (iCloud passwords)
  
  source
Malfeasant@lemmy.world ⁨9⁩ ⁨hours⁩ ago
And when that password manager gets cracked?

source
- KairuByte@lemmy.dbzer0.com ⁨5⁩ ⁨hours⁩ ago
  Just as an example, 1Password has a secondary encryption key that they can’t even recover. If you lose it, you’re fucked. I doubt the chances of that being cracked are any good at all.
  
  source
- ayyy@sh.itjust.works ⁨8⁩ ⁨hours⁩ ago
  Got any examples? Because I have…some…examples of password reuse being a real-life problem.
  
  source
  - jellygoose@lemmy.ca ⁨8⁩ ⁨hours⁩ ago
    LastPass recently, check Addie Lamarr’s channel on YouTube.
    
    source
    Aetherion@lemmy.world ⁨1⁩ ⁨hour⁩ ago
    LastPass is the maximum shit. They got hacked like 3 times in a year and my company‘s password notes got leaked.
    
    We are now with Bitwarden and this was the biggest security hardening measure we have taken.
    
    source
- echodot@feddit.uk ⁨8⁩ ⁨hours⁩ ago
  I seem to remember that the passwords were encrypted so, all they got was the passwords people use for their password manager which because people were using the password manager and therefore had random passwords it didn’t really matter hugely.
  
  source
Kyrgizion@lemmy.world ⁨15⁩ ⁨hours⁩ ago
Yes and no; they have their own issues:

cybersecuritynews.com/hackers-weaponize-keepass-p…

source
- Godort@lemmy.ca ⁨14⁩ ⁨hours⁩ ago
  I assure you, the rare security issues for password managers are far preferable to managing compromises every couple weeks.
  
  source
  - Kyrgizion@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    I’ve only really been in one breach. This one is actually a breach of a “security firm” (incompetent idiots) who aggregated login data from the dark web themselves, essentially doing the blackhats’ work for them.
    
    This is also EXACTLY why requiring online interactions to be verified with government ID is a terrible idea. Hackers will similarly be able to gain all possible wanted data in a single location. It’s simply too tempting of a target not to shoot for.
    
    source
    Darkassassin07@lemmy.ca ⁨14⁩ ⁨hours⁩ ago
    I currently have 110 unique user+password combos. I wouldn’t want to change all those even once, if I were breached and had used similar credentials everywhere.
    
    Bitwarden keeps them well managed, synced between devices, and allows me to check the whole database for matches/breaches via haveibeenpwned integration. Plus because I prefer to keep things in-house as much as possible, I even self-host the server with vaultwarden walled off behind my own vpn, instead of using the public servers. (this also means it’s free, instead of a paid service)
    
    source
    wreckedcarzz@lemmy.world ⁨12⁩ ⁨hours⁩ ago
    You’ve only been in one breach that you know about so far!
    
    source
    JohnEdwa@sopuli.xyz ⁨10⁩ ⁨hours⁩ ago
    Lucky you, I’ve been in at least 21 confirmed breaches so far.
    Which I don’t really care about, as I’ve been using unique passwords and managers for well over two decades now.
    
    source
    -> View More Comments
- Joeffect@lemmy.world ⁨14⁩ ⁨hours⁩ ago
  Don’t download shit from random websites… make sure its from legit places…
  
  source
  - tburkhol@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    
    legit places…
    
    My university, 23andMe, Transunion, Equifax, CapitalOne, United Healthcare…
    
    source
    AbidanYre@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    You shouldn’t download KeePass from any of those.
    
    source
    Joeffect@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    Legit means the keepass website… those are not legit places to download the password manager
    
    source
    Blackfeathr@lemmy.world ⁨13⁩ ⁨hours⁩ ago
    Yeah UHC sold my data as soon as I was put under their coverage. Now I get so many phishing emails pretending to be from UHC.
    
    source
  - Kyrgizion@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    These kinds of breaches are at the site level. Not much you can do as a regular user if the company doesn’t hash or salt their passwords, for example.
    
    source
    Pika@sh.itjust.works ⁨14⁩ ⁨hours⁩ ago
    I believe they are replying to the article you posted in regards to the download from legit sites comment, not the fact that the sites have shit web practices (which while correct is a different thing).
    
    Basically the modified software was a trojan keylogger combo that was forwarding passwords created and used to a home server.
    
    That’s not something that the sites are going wrong, nor is it the password managers fault. That’s fully the users fault for downloading a trojan.
    
    source
    Joeffect@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    Not from what the article says
    
    involves compromised download links and trojanized versions of the legitimate KeePass application that appear identical to the authentic software on the surface, while harboring dangerous capabilities beneath.
    
    source
- paraphrand@lemmy.world ⁨14⁩ ⁨hours⁩ ago
  Oh, so don’t use unique passwords? Sure buddy.
  
  source
- floofloof@lemmy.ca ⁨14⁩ ⁨hours⁩ ago
  Only download from official sites and repositories. Run everything you download through VirusTotal and your machine’s antivirus if you have one. If it’s a Windows installer check it is properly signed (Windows should warn you if not). Otherwise (or in addition) check installer signatures with GPG. If there’s no signature, check the SHA256 OR SHA512 hash against the one published on the official site. Never follow a link in an email, but always go directly to the official website instead. Be especially careful with these precautions when downloading something critical like a password manager.
  
  Doing these things will at least reduce your risk of installing compromised software.
  
  source