  • Locked thread
Cabal Ties
Feb 28, 2004
Yam Slacker
There're new data protection laws coming into Europe and we're taking the opportunity to review password management...

I've seen a bit of to-ing and fro-ing in previous threads about LastPass and others. Are there any decent standard applications or procedures for small business password management where passwords need to be accessible between different team members?

I have massive reservations about third party password hosting, but at the same time how we manage it now isn't up to scratch (Google Drive and spreadsheets, baby). That said, I don't want headaches down the line if at all possible and tbh LastPass seems the best option for what we need.

Please, thread, educate me on the correct way forward.


Proteus Jones
Feb 28, 2013



CareyB posted:

There're new data protection laws coming into Europe and we're taking the opportunity to review password management...

I've seen a bit of to-ing and fro-ing in previous threads about LastPass and others. Are there any decent standard applications or procedures for small business password management where passwords need to be accessible between different team members?

I have massive reservations about third party password hosting, but at the same time how we manage it now isn't up to scratch (Google Drive and spreadsheets, baby). That said, I don't want headaches down the line if at all possible and tbh LastPass seems the best option for what we need.

Please, thread, educate me on the correct way forward.

Lastpass is *not* the answer and we will all laugh if you end up using it.

They have repeatedly shown no interest in secure program design except for the bi-annual clowning they receive from Tavis. Then they’re all “WE ARE FIXING THIS AND HAVE DEDICATED OURSELVES TO MAKING THIS SECURE. NOTHING TO SEE HERE” until it happens again. With alarming regularity.

The only ones I’ve seen regularly recommended are KeePass or 1Password. Both appear reasonably secure and the developers are extremely responsive toward any issues.

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

Proteus Jones posted:

Lastpass is *not* the answer and we will all laugh if you end up using it.

They have repeatedly shown no interest in secure program design except for the bi-annual clowning they receive from Tavis. Then they’re all “WE ARE FIXING THIS AND HAVE DEDICATED OURSELVES TO MAKING THIS SECURE. NOTHING TO SEE HERE” until it happens again. With alarming regularity.

The only ones I’ve seen regularly recommended are KeePass or 1Password. Both appear reasonably secure and the developers are extremely responsive toward any issues.

does this apply to their enterprise product as well? my sense is that tavis was specifically targeting their free option. full disclosure, beyond features i'm not sure what differs between the two. i'd imagine most of the same issues...

Max Facetime
Apr 18, 2009

npm loudmouth posted:

For the people asking "why is 5.7.0 a prerelease released as stable", it's not:

code:
{ latest: '5.6.0',
  next: '5.7.0' }

It's tagged as next, so if you got it you either explicitly installed that version knowing it's marked as next, or you installed @next.

so “latest” does not mean the latest locally installed version nor “next” the next version you need to install immediately in order to bring your system up-to-date with fixes to critical security issues

huh

also there is 5.7.1 out now which you probably should or shouldn’t update to
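To make the dist-tag point concrete, here is an added check (not code from the thread, from the npm issue, or from npm itself) that takes the dist-tags object quoted above and decides whether a candidate version is something a consumer of `latest` should end up with. The tags are constructed from the quote; 5.7.0, 5.7.0-pre and 5.7.1 are the versions the thread discusses.

```python
import json
import re

# Constructed from the dist-tags object quoted above: 5.7.0 is published
# under "next" only, while "latest" still points at 5.6.0.
DIST_TAGS_JSON = '{"latest": "5.6.0", "next": "5.7.0"}'

# Semver 2.0.0 core version with optional prerelease and build parts.
SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Return (major, minor, patch, prerelease-or-None)."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_prerelease(version):
    """True only when the string itself carries a -suffix, e.g. 5.7.0-pre."""
    return parse_semver(version)[3] is not None


def load_dist_tags(text):
    return json.loads(text)


def stable_update_target(dist_tags, candidate):
    """Decide whether `candidate` is what someone who asked for the default
    (`latest`) should receive.  Returns (ok, reason).

    The version string alone is not enough: 5.7.0 has no prerelease suffix,
    so only the registry's dist-tags reveal that it was published as `next`.
    """
    latest = dist_tags.get("latest")
    if is_prerelease(candidate):
        return False, f"{candidate} carries a prerelease suffix"
    if candidate == latest:
        return True, f"{candidate} is the latest dist-tag"
    tags = sorted(t for t, v in dist_tags.items() if v == candidate)
    if tags:
        return False, f"{candidate} is only tagged {', '.join(tags)}; latest is {latest}"
    return False, f"{candidate} is not tagged at all; latest is {latest}"


DIST_TAGS = load_dist_tags(DIST_TAGS_JSON)

if __name__ == "__main__":
    for v in ("5.6.0", "5.7.0", "5.7.0-pre", "5.7.1"):
        print(v, stable_update_target(DIST_TAGS, v))
```

The live equivalent of DIST_TAGS_JSON is the output of `npm view npm dist-tags --json`, which is worth comparing against the version `npm update -g npm` is about to install.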

FlapYoJacks
Feb 12, 2009
Oh my god. Some major fuckups I can see:

1) They don't label it as -rc#/pre/alpha/whatever.
2) Running "npm update -g npm" installs a PRE-RELEASE VERSION.
3) Their blog post about 5.7.0 doesn't mention it's a pre-release at all.
4) It was marked as a normal SEMVER minor stable release.

Jesus.

More choice quotes from that thread:

quote:

This isn't a bug, this is all working exactly as written and intended. There's a correctMkdir function that explicitly uses the sudo caller (not the effective or real user ID) to recursively chown any directory it is called to, and then this function is used all over the place, notably in places like the installation etc directory.

Apparently, the npm developers feel they can do whatever they want with your system. Seriously, this isn't a subtle bug, this is code doing exactly what it claims to do. Which is stupid and clearly nobody tested this on a real system.

quote:

Not a single pull request was merged in the last 2 months that came from an outside contributor. There are currently over 70 PRs open and none of them have any activity from the npm team.

EDIT: Last merged PR from an outsider was back in November.

Cabal Ties
Feb 28, 2004
Yam Slacker

Proteus Jones posted:

Lastpass is *not* the answer and we will all laugh if you end up using it.

They have repeatedly shown no interest in secure program design except for the bi-annual clowning they receive from Tavis. Then they’re all “WE ARE FIXING THIS AND HAVE DEDICATED OURSELVES TO MAKING THIS SECURE. NOTHING TO SEE HERE” until it happens again. With alarming regularity.

The only ones I’ve seen regularly recommended are KeePass or 1Password. Both appear reasonably secure and the developers are extremely responsive toward any issues.

That was my suspicion. It would be good to know if the enterprise version is in fact as vulnerable as the free version. We've got 1Password on our shortlist too; however, it looks to be a fair bit more work to maintain on our end, which is where LastPass seems to have it beat, but obviously day-to-day productivity isn't the only factor here....

Blinkz0rz
May 27, 2001


ratbert90 posted:

2) Running "npm update -g npm" installs a PRE-RELEASE VERSION.

it's loving insane to me that people try to upgrade npm with npm and not the actual distribution channels that exist separately for a reason

FlapYoJacks
Feb 12, 2009

Blinkz0rz posted:

it's loving insane to me that people try to upgrade npm with npm and not the actual distribution channels that exist separately for a reason

If npm shouldn't be updated using npm, perhaps they shouldn't provide that option???

Blinkz0rz
May 27, 2001

you're not wrong but that's literally how you install @next if you want to test it

this whole thing is a huge secfuck both by the npm developers but also by users who don't rtfm

FlapYoJacks
Feb 12, 2009

Blinkz0rz posted:

you're not wrong but that's literally how you install @next if you want to test it

this whole thing is a huge secfuck both by the npm developers but also by users who don't rtfm

If the manual is dumb, change the manual. This wouldn't have been as big of a deal if it was like, 5.7.0-pre.

Blinkz0rz
May 27, 2001


ratbert90 posted:

If the manual is dumb, change the manual. This wouldn't have been as big of a deal if it was like, 5.7.0-pre.

Blinkz0rz posted:

you're not wrong

evil_bunnY
Apr 2, 2003

Avenging_Mikon posted:

Corporate AV in general seems pretty worthless. I found out yesterday McAfee on my workstation was using a DAT from Jan 8. When I told one of our infrastructure guys (because I thought it was linked to a server problem they'd just solved, someone clobbered the SQL database the AV server used) he said "That's less than ideal."

The guys who actually manage the AV got it updated for me this morning.

This is about par for the course for a lot of orgs. At the last industry place I worked at the Servicedesk would physically check on any machine that hadn’t checked in for a couple of weeks, or checked in once but not updated everything.

All non MS AVs on windows are worse than useless. For macs there’s basically nothing.

univbee
Jun 3, 2004




fishmech posted:

i doubt the policy setters even knew a windows defender was a thing or banned it by name

by and large they expect you to be paying for something at the very least (as in explicitly for av, i know you're technically paying through having a windows license)

freeasinbeer
Mar 26, 2015

re AV it has to be centrally managed so you can prove compliance and that people are getting updates. A lot of the compliance stuff is stupidly written or more worried about audit trails and accountability. these can be modern but most auditors are really bad, so I’ve had to explain git and pull requests to every one of them I’ve ever had the misfortune of meeting.


most compliance docs also want it on both workstations and all servers, yet I almost never see it on servers....

Wiggly Wayne DDS
Sep 11, 2010



91 days until gdpr comes into force and chaos reigns

flakeloaf
Feb 26, 2003

Still better than android clock

univbee posted:

by and large they expect you to be paying for something at the very least (as in explicitly for av, i know you're technically paying through having a windows license)

yup, "free" is synonymous with "bad" in their eyes, and man, when they dig in their heels can that thinking be hard to dislodge. it's not entirely unreasonable when it's something like an av solution where you need to go to the vendor and say "we paid you $butts for this now fix a broken thing" and not get some huffy :goonsay: response

freeasinbeer posted:

re AV it has to be centrally managed so you can prove compliance and that people are getting updates.

it's also this, and coincidentally ePO just happens to track all that stuff remotely, so while you've got it installed anyway why not peruse our McAfee selection

Pendragon
Jun 18, 2003

HE'S WATCHING YOU

CareyB posted:

That was my suspicion. It would be good to know if the enterprise version is in fact as vulnerable as the free version. We've got 1Password on our shortlist too; however, it looks to be a fair bit more work to maintain on our end, which is where LastPass seems to have it beat, but obviously day-to-day productivity isn't the only factor here....

I was in the same situation as you about six months ago when I was evaluating password managers for my company. LastPass Enterprise and 1Password Teams were the final candidates. LastPass definitely had a better UI, but with a password manager I figured security was far more important. I chose 1Password and don't regret it. I like being able to sleep at night. I also have the added benefit of every time a new exploit comes out for LastPass I get to give the smuggest smile ever to my boss who stubbornly uses the free version of LastPass for some stuff.

Pile Of Garbage
May 28, 2007



CareyB posted:

That was my suspicion. It would be good to know if the enterprise version is in fact as vulnerable as the free version. We've got 1Password on our shortlist too; however, it looks to be a fair bit more work to maintain on our end, which is where LastPass seems to have it beat, but obviously day-to-day productivity isn't the only factor here....

i'd bet dollars to donuts that the free and enterprise versions of lastpass share the same codebase and have the same vulnerabilities. of course that's beside the point because the primary problem is the organisation behind the software. as others have already mentioned they have an abysmal track record when it comes to security and have not really shown any improvements. basically they cannot be trusted to handle things properly.

Main Paineframe
Oct 27, 2010

Blinkz0rz posted:

does this apply to their enterprise product as well? my sense is that tavis was specifically targeting their free option. full disclosure, beyond features i'm not sure what differs between the two. i'd imagine most of the same issues...

CareyB posted:

That was my suspicion. It would be good to know if the enterprise version is in fact as vulnerable as the free version. We've got 1Password on our shortlist too; however, it looks to be a fair bit more work to maintain on our end, which is where LastPass seems to have it beat, but obviously day-to-day productivity isn't the only factor here....

if they can't keep their free offering secure, why would you trust them to keep any other offering secure

"not leaking all your passwords" should not be a premium feature

Cabal Ties
Feb 28, 2004
Yam Slacker

cheese-cube posted:

i'd bet dollars to donuts that the free and enterprise versions of lastpass share the same codebase and have the same vulnerabilities. of course that's beside the point because the primary problem is the organisation behind the software. as others have already mentioned they have an abysmal track record when it comes to security and have not really shown any improvements. basically they cannot be trusted to handle things properly.

thanks guys - I take the same standpoint.

yep this is GDPR related. We need to be on the ball with it even if the enforcement ends up being weak or non-existent. prolly about time tbf.

Potato Salad
Oct 23, 2014

nobody cares


Thycotic has a cheap and good cloud service

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

Main Paineframe posted:

if they can't keep their free offering secure, why would you trust them to keep any other offering secure

"not leaking all your passwords" should not be a premium feature

"we spent all of our time securing the product that actually makes us money"

Workaday Wizard
Oct 23, 2009


Wiggly Wayne DDS posted:

91 days until gdpr comes into force and chaos reigns

https://www.youtube.com/watch?v=P3ALwKeSEYs

Shaggar
Apr 26, 2006

CareyB posted:

There're new data protection laws coming into Europe and we're taking the opportunity to review password management...

I've seen a bit of to-ing and fro-ing in previous threads about LastPass and others. Are there any decent standard applications or procedures for small business password management where passwords need to be accessible between different team members?

I have massive reservations about third party password hosting, but at the same time how we manage it now isn't up to scratch (Google Drive and spreadsheets, baby). That said, I don't want headaches down the line if at all possible and tbh LastPass seems the best option for what we need.

Please, thread, educate me on the correct way forward.

shared drives and spreadsheets are fine, you just don't get nice password generation or validation tools (though you could certainly write them in Excel). The problem comes in when you start integrating with the browser, in which case you are doomed to JavaScript and failure regardless of password manager.

Main Paineframe
Oct 27, 2010

Blinkz0rz posted:

"we spent all of our time securing the product that actually makes us money"

it's the same product, just with some features paywalled. and the point of the free version is to attract users and convince them to upgrade

Workaday Wizard
Oct 23, 2009


Shaggar posted:

shared drives and spreadsheets are fine, you just don't get nice password generation or validation tools (though you could certainly write them in Excel). The problem comes in when you start integrating with the browser, in which case you are doomed to JavaScript and failure regardless of password manager.

i never integrated any password manager with any browser and i don’t see why anyone would trust that combination.

why don’t browsers query the password managers themselves anyways? safari wants to push iclown keychain but what about the others ?

Shaggar
Apr 26, 2006
windows has protected storage which IE, Edge, and Chrome use for creds. A password manager could synchronize its internal db with the windows cred store and thereby make them available to browsers using the store.

Shame Boy
Mar 2, 2010

oh no gandi :ohdear:

quote:

Hello,

On February 21st, we were made aware that a massive phishing attack was
underway, that was designed to steal your login and credit card
information. This attack takes the form of a fraudulent email sent to our
customers from a gandi.net email address, that has the subject "Vous
avez une dette de 5.00 €".

This mail contains a link that sends unsuspecting users to a page where
they log in and proceed to payment. If you have received this email, do
not click on the link within it.

If you have ignored and deleted this email, you have nothing more to do.

If you unfortunately went to the page linked in the email, you should
consider that your password has been stolen and is now in the hands of
whoever launched this attack. We strongly urge you to log into your
Gandi account by going directly to https://www.gandi.net in your browser
and change your password as soon as possible.

If you made any payment on the site linked to in this attack's email, we
also strongly urge you to contact your bank without delay, who will be
able to give you more information on how to proceed with mitigating the
impact this incident may have on your bank account.

More about phishing at:
https://en.wikipedia.org/wiki/Phishing

Best,

Gandi Team

ate shit on live tv
Feb 15, 2004


CareyB posted:

There're new data protection laws coming into Europe and we're taking the opportunity to review password management...

I've seen a bit of to-ing and fro-ing in previous threads about LastPass and others. Are there any decent standard applications or procedures for small business password management where passwords need to be accessible between different team members?

I have massive reservations about third party password hosting, but at the same time how we manage it now isn't up to scratch (Google Drive and spreadsheets, baby). That said, I don't want headaches down the line if at all possible and tbh LastPass seems the best option for what we need.

Please, thread, educate me on the correct way forward.

We use 1Password Enterprise, I've not had any complaints. I do not use any browser integration.

Impotence
Nov 8, 2010
Lipstick Apathy

As far as I can tell, I only got this off whois-scraped emails, not any internally stored ones.

Johnny Five-Jaces
Jan 21, 2009


i dunno if this is the right thread or if this question is not yospos-y enough but this is where all the cool security friends hang out so here is my attempt to avoid a Security Fuckup.

Is there a set of best practices or, idk even something anecdotally that you've done, for initial customer registration? So, imagine you're some company that holds data about someone that is confidential. This person may come to you in some scenario wherein they do not create an account with your services (e.g. you go to a doctor's office for the first time, you want to access your medical records later). What is the "best" way to do the initial registration such that you can guarantee the identity of the person doing the registering? "Best" in this case, from the perspective of the business, is with as little user interaction as possible. I've found some information on services like Payphone or IAM products that reach out to LexisNexis or credit bureaus or whatever but I have no idea if those services are mature enough or even if they should be used.

Impotence
Nov 8, 2010
Lipstick Apathy
My dr's office asks for email when you onboard as a patient for the first time, and gives you a paper printout of a one time registration code that's a large random number.

Lexis/Credit/etc is a horrendously lovely way to authenticate a user, especially since virtually all of it is public info.

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall pass away,
generation shall follow generation's course



In my experience, services who don't use the Danish national online IDs will send a paper letter with a login + password (latter is one-use, to be changed). Of course they get my address from the national database so.

But as above, the email field in a registration form should basically just be a black box that checks for an @ (there are archaic email addresses that use ! instead but gently caress them, they're 30+ years out of date). Then send a confirmation link to that email that they can click to verify the address.

I don't know how you make sure the person you're talking to is the real person or they just stole an identity.
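The front-desk one-time code Impotence describes and the confirm-by-email step Carthag Tuek describes reduce to the same mechanism: a high-entropy token bound to an address collected in person, usable once, within a time limit. This is an added example of that logic, not code from any poster or from any practice-management product; the one-week lifetime, the 24-digit code length, the hash-only storage and the injectable clock are assumptions made here.

```python
import hashlib
import secrets
import time

# Assumption: a code printed at the desk stays valid for one week.
CODE_TTL_SECONDS = 7 * 24 * 3600
CODE_DIGITS = 24  # roughly 80 bits of entropy, still typeable from a printout


def email_looks_plausible(addr):
    """The only syntactic check worth doing up front: an @ with text on
    both sides.  Real validation is the confirmation step itself."""
    local, sep, domain = addr.partition("@")
    return bool(sep and local and domain)


class RegistrationCodes:
    """One-time registration codes handed out at onboarding.  Only a SHA-256
    of each code is stored, so a copy of this table cannot be redeemed."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # sha256(code) -> (bound email, expires_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, email):
        """Bind a fresh random code to the email collected in person and
        return the code for the printout."""
        if not email_looks_plausible(email):
            raise ValueError("email must contain an @ with text on both sides")
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self._pending[self._digest(code)] = (email, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code, email):
        """True exactly once, only with the email the code was bound to and
        only before expiry.  Any presentation of a valid code consumes it,
        so a code that reached the wrong party cannot be retried."""
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return False
        bound_email, expires_at = entry
        if self._now() > expires_at:
            return False
        return secrets.compare_digest(bound_email.lower().encode("utf-8"),
                                      email.lower().encode("utf-8"))


if __name__ == "__main__":
    store = RegistrationCodes()
    code = store.issue("pat@example.test")   # constructed sample address
    print("printout:", code)
    print("redeem once:", store.redeem(code, "pat@example.test"))
    print("redeem again:", store.redeem(code, "pat@example.test"))
```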

hobbesmaster
Jan 28, 2008

uh, bang paths still work?

Shaggar
Apr 26, 2006

Johnny Five-Jaces posted:

i dunno if this is the right thread or if this question is not yospos-y enough but this is where all the cool security friends hang out so here is my attempt to avoid a Security Fuckup.

Is there a set of best practices or, idk even something anecdotally that you've done, for initial customer registration? So, imagine you're some company that holds data about someone that is confidential. This person may come to you in some scenario wherein they do not create an account with your services (e.g. you go to a doctor's office for the first time, you want to access your medical records later). What is the "best" way to do the initial registration such that you can guarantee the identity of the person doing the registering? "Best" in this case, from the perspective of the business, is with as little user interaction as possible. I've found some information on services like Payphone or IAM products that reach out to LexisNexis or credit bureaus or whatever but I have no idea if those services are mature enough or even if they should be used.

There's no good way to do this 'cause you can't identify a person outside of the initial interaction with the 3rd party (ex: doctor in this case). The way my doc does it (and thus how eClinicalWorks does it) is I gave them my email address and then when I go to sign up on their webzone my email address is already associated with my records. If the user is at home and decides they want access and hasn't gone through that onboarding at the practice, you're mostly SOL. You could maybe use an account number for auth if they have one on their mail but that's not great. Even if you used something like LexisNexis, you still need to match it to the patient's identity at the practice and the doctor probably only has name + dob + address which is not a great match.

you can always give up and use SSN + dob, but don't do that please.

McGlockenshire
Dec 16, 2005

GOLLOCKS!
https://twitter.com/GossiTheDog/status/967050903302934533

Carthag Tuek
Oct 15, 2005




hobbesmaster posted:

uh, bang paths still work?

sure, in theory

mrmcd
Feb 22, 2003

Pictured: The only good cop (a fictional one).


Why are there so many of these? Is there even a legitimate use case of having an S3 bucket anyone in the whole world can write to, that it justifies this as even being a valid acl config?

Impotence
Nov 8, 2010
Lipstick Apathy

mrmcd posted:

Why are there so many of these? Is there even a legitimate use case of having an S3 bucket anyone in the whole world can write to, that it justifies this as even being a valid acl config?

"i give up assigning IAM roles to my coworkers, everyone gets *"


Shaggar
Apr 26, 2006
he's saying why does s3 even allow unauthenticated writes? there's no valid use case.
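As an added example (not from any poster), a check for the configuration mrmcd and Shaggar are talking about: an S3 bucket whose ACL or bucket policy grants write access to everyone. The ACL below is a constructed sample in the shape boto3's get_bucket_acl() returns and the policy is a constructed bucket policy document; the two group URIs are the real AWS global group identifiers, the bucket name and owner ID are placeholders.

```python
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_ACL_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}

# Constructed sample: owner has full control, and the world can write.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

# Constructed sample policy: public read (statement 0) plus public write (1).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def public_write_grants(acl):
    """(grantee URI, permission) for every ACL grant that lets anonymous or
    any-AWS-account callers write to the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in WRITE_ACL_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy):
    """Indexes of Allow statements that give a wildcard principal a write
    action.  Statements with a Condition are still reported: a condition
    may be too weak to help, so review them rather than skip them."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            findings.append(i)
    return findings


if __name__ == "__main__":
    print("ACL public-write grants:", public_write_grants(SAMPLE_ACL))
    print("policy public-write statements:", public_write_statements(SAMPLE_POLICY))
```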
