I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.
Comment on Larion Studios forum stores your passwords in unhashed plaintext.
Ledivin@lemmy.world 1 year agoI just wanted to drop a reminder that both LastPass and Norton LifeLock were hacked within the past year alone.
SaltySalamander@kbin.social 1 year ago
SomeRandomWords@lemmy.blahaj.zone 1 year ago
Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?
AnonTwo@kbin.social 1 year ago
I don't know what you're trying to say. I think it was safe to assume Salty probably meant the local-based keepass or something like that?
I wouldn't have immediately gone to text doc or spreadsheet. those aren't password managers.
DrQuint@lemm.ee 1 year ago
The only annoying part about the modern world is that you want to have that keepass file synchronized between devices, at which point you either go down the path of something like Synchthing (not mainstream user friendly) or you just end up asking yourself “fine, what cloud service do I trust to not go looking at my files?”
h_a_r_u_k_i@programming.dev 1 year ago
Good advice only for tech-savvy and people who are interested in self-hosting. There’s so many things that can go wrong like improper backups and accidental networking problems.
lowleveldata@programming.dev 1 year ago
Use KeePassXC and you can’t get hacked
DrQuint@lemm.ee 1 year ago
Well, you can. But you have to be PERSONALLY hacked. At which point you’re at a level of risk equal to “will I get mugged and my notebook full of passwords get lost?”
neatchee@lemmy.world 1 year ago
And here’s a reminder that trusting centralized service with high security access control is usually a bad idea.
I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time
Hexarei@programming.dev 1 year ago
Offline password managers like KeepassXC are a thing, plus self hosted remote storage like Nextcloud means you’re not worried about any third party interference
neatchee@lemmy.world 1 year ago
I use Pleasant Password Manager, which is keepass compatible. Big fan of offline cache with online sync for access anywhere with an internet connection or even my phone offline
Vash63@lemmy.world 1 year ago
And at least for LastPass no passwords were compromised. The safes themselves are E2E encrypted so they also don’t have your password.
That said, my vote is to Bitwarden as it’s open source and allows self hosting if you think you’re a more reliable admin than they are. Open plus more choice is always better.
Kangie@lemmy.srcfiles.zip 1 year ago
And at least for LastPass no passwords were compromised
I’m just going to leave this here:
ram@bookwormstory.social 1 year ago
Just this month a link was made between $35 million in crypto being stolen and the 150 victims being LastPass users.
In 2022 Lastpass was compromised through a developer’s laptop and had customer data like emails, names, addresses, partial credit cards, website urls, and most importantly vaults stolen last year, and given they’re closed source, have no independent audits, and don’t release white papers, we have no idea how good their encryption schemes actually are nor if they have any obvious vulnerabilities.
In 2021, users were warned their master passwords were compromised.
In 2020 they had an issue with the browser extension not using the Windows Data Protection API and just saving the master password to a local file.
What will 2024 bring for LastPass? They were hacked, and there’s no reason to think they won’t see more breaches of confidential customer information and even passwords in the future. This is a repeated pattern, and I’d better trust a post-it-note on my monitor for security than LastPass at this point.
BigDiction@lemmy.world 1 year ago
This is true, but they have your encrypted vault, and all the technical data to make unlimited informed attempts at cracking it. If you used LastPass, you definitely need to be changing passwords for your critical services at a minimum.
Kbin_space_program@kbin.social 1 year ago
KeePass is a thing that exists and is fantastic.