Don’t download shit from random websites… make sure its from legit places…
Comment on God ****** dammit, here we go again
Kyrgizion@lemmy.world 15 hours agoYes and no; they have their own issues:
Joeffect@lemmy.world 14 hours ago
tburkhol@lemmy.world 14 hours ago
legit places…
My university, 23andMe, Transunion, Equifax, CapitalOne, United Healthcare…
AbidanYre@lemmy.world 14 hours ago
You shouldn’t download KeePass from any of those.
Joeffect@lemmy.world 14 hours ago
Legit means the keepass website… those are not legit places to download the password manager
Blackfeathr@lemmy.world 13 hours ago
Yeah UHC sold my data as soon as I was put under their coverage. Now I get so many phishing emails pretending to be from UHC.
Kyrgizion@lemmy.world 14 hours ago
These kinds of breaches are at the site level. Not much you can do as a regular user if the company doesn’t hash or salt their passwords, for example.
Pika@sh.itjust.works 14 hours ago
I believe they are replying to the article you posted in regards to the download from legit sites comment, not the fact that the sites have shit web practices (which while correct is a different thing).
Basically the modified software was a trojan keylogger combo that was forwarding passwords created and used to a home server.
That’s not something that the sites are going wrong, nor is it the password managers fault. That’s fully the users fault for downloading a trojan.
Joeffect@lemmy.world 14 hours ago
Not from what the article says
involves compromised download links and trojanized versions of the legitimate KeePass application that appear identical to the authentic software on the surface, while harboring dangerous capabilities beneath.
paraphrand@lemmy.world 14 hours ago
Oh, so don’t use unique passwords? Sure buddy.
floofloof@lemmy.ca 14 hours ago
Only download from official sites and repositories. Run everything you download through VirusTotal and your machine’s antivirus if you have one. If it’s a Windows installer check it is properly signed (Windows should warn you if not). Otherwise (or in addition) check installer signatures with GPG. If there’s no signature, check the SHA256 OR SHA512 hash against the one published on the official site. Never follow a link in an email, but always go directly to the official website instead. Be especially careful with these precautions when downloading something critical like a password manager.
Doing these things will at least reduce your risk of installing compromised software.
Godort@lemmy.ca 14 hours ago
I assure you, the rare security issues for password managers are far preferable to managing compromises every couple weeks.
Kyrgizion@lemmy.world 14 hours ago
I’ve only really been in one breach. This one is actually a breach of a “security firm” (incompetent idiots) who aggregated login data from the dark web themselves, essentially doing the blackhats’ work for them.
This is also EXACTLY why requiring online interactions to be verified with government ID is a terrible idea. Hackers will similarly be able to gain all possible wanted data in a single location. It’s simply too tempting of a target not to shoot for.
Darkassassin07@lemmy.ca 14 hours ago
I currently have 110 unique user+password combos. I wouldn’t want to change all those even once, if I were breached and had used similar credentials everywhere.
Bitwarden keeps them well managed, synced between devices, and allows me to check the whole database for matches/breaches via haveibeenpwned integration. Plus because I prefer to keep things in-house as much as possible, I even self-host the server with vaultwarden walled off behind my own vpn, instead of using the public servers. (this also means it’s free, instead of a paid service)
wreckedcarzz@lemmy.world 12 hours ago
You’ve only been in one breach that you know about so far!
JohnEdwa@sopuli.xyz 10 hours ago
Lucky you, I’ve been in at least 21 confirmed breaches so far.
Which I don’t really care about, as I’ve been using unique passwords and managers for well over two decades now.
thenoirwolfess@lemmynsfw.com 9 hours ago
One of my breaches was just Google Chrome (back when I used it) logging me entering my password in a self-hosted local web app via https but with no cert… Google. My breach was Google.