Comment on Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data
ikidd@lemmy.world 8 months ago
Tier1BuildABear@lemmy.world 8 months ago
Yeah, those.
ikidd@lemmy.world 8 months ago
So is your problem with using a password manager at all, or just the companies/sources of them?
Tier1BuildABear@lemmy.world 8 months ago
Any company trying to get my data, really, and my passwords are the most sensitive of my data. Even if I coded one myself, and kept it completely local, my passwords are all in one place if that device gets compromised.
I can remember my passwords, so why take the gamble?
ikidd@lemmy.world 8 months ago
Well, you do you, but I’m happier with complex, unique passwords locked behind a 2FA, open source, self-hosted encrypted vault than I am remembering a few passwords shared amongst services. I have 400+ entries in it, and if I get hit by a bus, my wife has access to it with her YubiKey.
JDubbleu@programming.dev 8 months ago
Because by not using a password manager I guarantee you are duplicating passwords between services. This means the second one service you use is compromised, every single service you use with that same email/password combination is compromised. Even if every one of your passwords had a slight deviation, malicious actors know people do this and will likely be able to write a program that attempts those deviations on other services. You’re effectively leaving your security up to the weakest link in the services you sign up for, and security is rarely implemented well.
By using a password manager you generate a long as fuck, 20+ character password that is unique to each service you use. These passwords being random and unique to each service protects you from rainbow tables and other hash table based attacks. In the event Bitwarden or another password manager you use is breached, anything they get will be worthless as long as your master password is not compromised (which should only ever exist in your head), due to the data being encrypted at rest.
It is a similar concept to using a secure, trusted middleman for processing payments instead of giving your credit card to every single site that asks for it.
fosstulate@iusearchlinux.fyi 8 months ago
People should consider using a double-blind scheme with cloud-connected managers.
The site/service gets the actual credential, being two components: <randomcomplexity><specialrule>
The manager gets only <randomcomplexity>
Consider the example of
U})wJAL0}RhIr’)Rgs{,&^>I3/
versus
U})wJAL0}RhIr’)Rgs{,&^>I3/based
Status of Dmitri and Ji Yuan: crushed
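The split described in the post above, modelled end to end as an added example (not code from the post or from any password manager): the manager holds only the random component, the memorised rule is appended at login time, and the site stores a salted PBKDF2 hash of the composed credential. The example values are the ones quoted in the post; the PBKDF2 iteration count and the character alphabet are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import Tuple

# Values quoted in the post above (the apostrophe in the random part is the
# curly U+2019 character as it appears there). The manager stores only
# MANAGER_PART; SECRET_RULE lives in the user's head and is typed at login.
MANAGER_PART = "U})wJAL0}RhIr\u2019)Rgs{,&^>I3/"
SECRET_RULE = "based"

# Assumption: a plausible server-side work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 200_000

Record = Tuple[bytes, bytes]  # (salt, derived key) as the site would store it


def generate_manager_part(length: int = 26) -> str:
    """What the password manager generates and keeps: random, high-entropy text."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compose_credential(manager_part: str, secret_rule: str) -> str:
    """The credential the site actually receives: <randomcomplexity><specialrule>."""
    return manager_part + secret_rule


def site_register(password: str) -> Record:
    """Server side: store a fresh random salt and the PBKDF2 output, never the password."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def site_verify(record: Record, password: str) -> bool:
    """Server side: recompute the derivation and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def vault_breach_outcome(record: Record, leaked_manager_part: str) -> bool:
    """Models someone holding only the manager's stored component and trying it as-is."""
    return site_verify(record, leaked_manager_part)


def demo() -> dict:
    """Register with the composed credential, then test each component on its own."""
    record = site_register(compose_credential(MANAGER_PART, SECRET_RULE))
    return {
        "full_credential_accepted": site_verify(record, MANAGER_PART + SECRET_RULE),
        "manager_part_alone_accepted": vault_breach_outcome(record, MANAGER_PART),
        "rule_alone_accepted": site_verify(record, SECRET_RULE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The trade-off a practitioner should weigh: the memorised rule is the same across every site, so it protects against a vault leak but not against a site that captures the composed credential in plaintext, and it breaks any manager feature (autofill, breach checks) that assumes the stored entry is the whole password.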
ikidd@lemmy.world 8 months ago
Host it yourself if you don’t trust them, with Vaultwarden or another FOSS product you can audit.