ElCondemn
Aug 7, 2005


Thanks Ants posted:

You're not genuinely after a discussion, you're sealioning

You caught me! I'm just a LastPass shill and hoping to wear y'all down!


Wiggly Wayne DDS
Sep 11, 2010



save everyone time and drill your questions down into specifics then. you've been talking extremely broadly about this and haven't given us anything of substance to give evidence for or against with regards to other password managers. let's not even delve into that meltdown a few minutes ago

which password managers are you looking at at the moment? what operating systems are you using? mobile phone integration? teams? you mentioned shared passwords out of the blue as if it was a common thing everyone did so you have some strange requirements that you're failing to tell everyone else. we can help if you actually mention them and try to present a question in good faith that people can help you with. otherwise you're just going to continue yelling whenever anyone actually answers you but it doesn't fit your views.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Wiggly Wayne DDS posted:

save everyone time and drill your questions down into specifics then. you've been talking extremely broadly about this and haven't given us anything of substance to give evidence for or against with regards to other password managers. let's not even delve into that meltdown a few minutes ago

which password managers are you looking at at the moment? what operating systems are you using? mobile phone integration? teams? you mentioned shared passwords out of the blue as if it was a common thing everyone did so you have some strange requirements that you're failing to tell everyone else. we can help if you actually mention them and try to present a question in good faith that people can help you with. otherwise you're just going to continue yelling whenever anyone actually answers you but it doesn't fit your views.

Here's an additional question for him: what sort of experience do you have in security and why do you feel like you're qualified to have your opinions when being challenged with factual arguments?

Your profile also intrigues me:

quote:

I work in IT as a Systems/Network Administrator and would like to meet more people in the field.

Are you just looking for people that fit within your own little echo chamber?

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Can we please talk about anything other than lastpass

CLAM DOWN
Feb 13, 2007




Yeah, that dude is obviously too ignorant to ever change his way of thinking, this is just going in circles.

The Fool
Oct 16, 2003


I want Troy hunts pwned password service integrated with my AD, but have no desire to write my own password filter.

Main Paineframe
Oct 27, 2010

ElCondemn posted:

I was hoping to find other articles explaining how an exploit that's possible through LastPass is mitigated by 1password/whoever.

The other password managers mitigate those issues by not being run by incompetent developers who have a long history of repeatedly getting their product badly compromised and then refusing to learn from it.

You're asking for a technical solution to "the developer is a loving idiot who can't secure their security software despite it being their literal job". You're never going to get a decent answer for that because the human factor is really important in security. The question isn't "okay, what theoretical attack vectors are there", it's "why is it that LastPass has been repeatedly compromised and other password managers haven't?" The answer to that question isn't really a matter of technology.

Furism
Feb 21, 2006

Live long and headbang
Has Dashlane ever been audited (or hacked)? They seem pretty serious. It's kind of a mix of Keepass and 1P/LP.

Jose Valasquez
Apr 8, 2005

LastPass is poo poo but Tavis Ormandy's reaction to looking at 1Password doesn't inspire confidence either
https://twitter.com/taviso/status/760231214812844032?lang=en

Last Chance
Dec 31, 2004

iCloud Keychain is by FAR the best pass manager if you're deep into the Apple ecosystem.

Proteus Jones
Feb 28, 2013



Jose Valasquez posted:

LastPass is poo poo but Tavis Ormandy's reaction to looking at 1Password doesn't inspire confidence either
https://twitter.com/taviso/status/760231214812844032?lang=en

Was that ever followed up on? As far as I know he's never disclosed anything near to the nature of his LastPass discoveries.

I'd also note that AgileBits developers never respond "THAT IS AN EDGE CASE THAT WILL ALMOST NEVER HAPPEN" to bug reports. Once a bug is confirmed, it's usually "Holy poo poo, that's bad. We'll be right back" and then two days later "OK, fixed client is now in the distribution pipeline"

There is SUCH a chasm between LastPass and KeePass and 1Password.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
Real question time. I use Keepass at work, home, and on my android phone. I want to use 2 factor because any and all of my passwords I can both remember and type on my phone without wanting to kill myself are breakable, what should I get/use, and how does it compare to the 2nd best thing in a similar product space?

Jose Valasquez
Apr 8, 2005

Proteus Jones posted:

Was that ever followed up on? As far as I know he's never disclosed anything near to the nature of his LastPass discoveries.

I'd also note that AgileBits developers never respond "THAT IS AN EDGE CASE THAT WILL ALMOST NEVER HAPPEN" to bug reports. Once a bug is confirmed, it's usually "Holy poo poo, that's bad. We'll be right back" and then two days later "OK, fixed client is now in the distribution pipeline"

There is SUCH a chasm between LastPass and KeePass and 1Password.

This is the only public disclosure I found https://bugs.chromium.org/p/project-zero/issues/detail?id=888 which was fixed pretty quickly so maybe it is fine now, but he did also say he was going to stop looking at password managers right after that
https://twitter.com/taviso/status/769378052254015488?lang=en

Nalin
Sep 29, 2007

Hair Elf

Methylethylaldehyde posted:

Real question time. I use Keepass at work, home, and on my android phone. I want to use 2 factor because any and all of my passwords I can both remember and type on my phone without wanting to kill myself are breakable, what should I get/use, and how does it compare to the 2nd best thing in a similar product space?

I use the KeeOTP plugin to add TOTP to my KeePass entries. That lets me generate TOTP codes on my desktop computer.

I also use Authenticator Plus for my Android phone and I add my TOTP keys to that too so I can generate keys with my phone.
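Both of those tools produce standard TOTP codes from one shared secret, which is why the same key can be loaded into the desktop plugin and the phone app and both show the same six digits. The following is an added example, not code from the thread or from KeeOTP/Authenticator Plus: it implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library only. The base32 secret in the demo is a constructed value, and the verification function accepts a small clock-skew window because the phone and desktop clocks rarely agree to the second:

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 secret as shown in an authenticator setup screen.

    Apps usually display the secret in groups of four without '=' padding,
    so spaces are stripped and padding is restored before decoding.
    """
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(key, at_time // step, digits, algorithm)


def verify_totp(key: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Verifier-side check: accept the current step or its +/- skew_steps neighbours.

    The comparison is constant-time so a wrong code cannot be distinguished
    by timing from a nearly-right one.
    """
    current = at_time // step
    for offset in range(-skew_steps, skew_steps + 1):
        counter = current + offset
        if counter < 0:
            continue  # no valid step before the epoch
        candidate = hotp(key, counter, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (decodes to b"Hello!\xde\xad\xbe\xef"); not a real account key.
    secret = decode_base32_secret("jbsw y3dp ehpk 3pxp")
    now = int(time.time())
    desktop_code = totp(secret, now)   # what the KeePass plugin would show
    phone_code = totp(secret, now)     # what the phone app, with the same key, would show
    print("desktop:", desktop_code, "phone:", phone_code,
          "match:", desktop_code == phone_code)
    print("accepted by verifier:", verify_totp(secret, phone_code, now))
    print("seconds left in this step:", 30 - (now % 30))
```

The secret is the only thing that has to be the same on both devices; each device computes its code independently from its own clock, so a device whose clock drifts by more than the verifier's skew window will produce codes that are rejected even though the key is correct.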

Samizdata
May 14, 2007

Last Chance posted:

iCloud Keychain is by FAR the best pass manager if you're deep into the Apple ecosystem.

Until someone calls in and manages to human engineer Apple into giving them access to toys that aren't theirs again... Doesn't matter how good your security kit is if your staff sucks.

Sefal
Nov 8, 2011
Fun Shoe
I've been using Keepass for the last 2 years.

Nalin posted:

I use the KeeOTP plugin to add TOTP to my KeePass entries. That lets me generate TOTP codes on my desktop computer.

I also use Authenticator Plus for my Android phone and I add my TOTP keys to that too so I can generate keys with my phone.

I take it this can also work with an iphone?

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?
Speaking of KeepAss, is it reasonable to assume that the Argon2 key derivation function provides some protection against brute-force attacks?

Theris
Oct 9, 2007

Mr Chips posted:

Speaking of KeepAss, is it reasonable to assume that the Argon2 key derivation function provides some protection against brute-force attacks?

Yes. The point of a key derivation function is to make each attempt of a different password require a non-trivial amount of compute resources. (Argon2 can require processor time, memory, or both depending on how it's configured) A good one can dramatically increase the time needed for brute-forcing.
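To put numbers on that answer, here is an added example in Python; it is not from the thread and not KeePass's own code. The standard library has no Argon2, so scrypt from hashlib stands in for it: its n parameter raises both memory (128 * n * r bytes) and time per attempt, the same role Argon2's memory cost plays, and p adds parallel lanes. The salt, the candidate passwords and the 8-character lowercase keyspace are constructed for the demo, and the example assumes an OpenSSL build that exposes scrypt:

```python
import hashlib
import time

# Constructed salt for the demo; a real database stores its own random salt.
DEMO_SALT = b"constructed-demo-salt-16"


def derive_key(password: str, salt: bytes, n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Derive a 32-byte key with scrypt, a memory-hard KDF standing in for Argon2."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * 1024 * 1024, dklen=32)


def seconds_per_guess(n: int, samples: int = 3) -> float:
    """Average wall-clock cost of one password attempt at work factor n."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", DEMO_SALT, n=n)
    return (time.perf_counter() - start) / samples


def seconds_per_plain_hash(samples: int = 2000) -> float:
    """Baseline: one bare SHA-256 per guess, i.e. a store that uses no KDF at all."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(f"candidate-{i}".encode("utf-8")).digest()
    return (time.perf_counter() - start) / samples


def slowdown_factor(n: int) -> float:
    """How many times more expensive each guess is than a bare hash."""
    return seconds_per_guess(n) / seconds_per_plain_hash()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords for a fixed-length, fixed-alphabet search."""
    return alphabet_size ** length


def expected_bruteforce_seconds(per_guess: float, space: int, workers: int = 1) -> float:
    """Expected search time: on average half the space is tried, split across parallel workers."""
    return (space / 2) * per_guess / workers


if __name__ == "__main__":
    for n in (2 ** 10, 2 ** 12, 2 ** 14):
        per_guess = seconds_per_guess(n)
        print(f"n={n:6d}  memory={128 * n * 8 // 1024:6d} KiB  "
              f"{per_guess * 1000:8.2f} ms/guess  "
              f"{slowdown_factor(n):10.0f}x a bare SHA-256")
    space = keyspace(26, 8)  # constructed: 8 lowercase letters
    for n in (2 ** 10, 2 ** 14):
        secs = expected_bruteforce_seconds(seconds_per_guess(n), space, workers=1000)
        print(f"8 lowercase chars, n={n}, 1000 workers: ~{secs / 86400:,.0f} days expected")
```

The printed times are for whatever machine runs it, but the shape of the result is the point: raising n multiplies the per-guess cost, and because the search is linear in the keyspace that multiplier carries straight through to the attacker's total time. Memory-hardness also limits how much an attacker gains from GPUs or ASICs, since each parallel lane needs its own 128 * n * r bytes.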

Less Fat Luke
May 23, 2003

Exciting Lemon
I still recommend 1Password to everyone that asks and use it myself, but I loving hate that they are pushing all new users to the cloud-based vaults.

Thanks Ants
May 21, 2004

#essereFerrari


Happy to pay my $3/month for 1Password and not have to worry about storing/syncing the vault myself.

Proteus Jones
Feb 28, 2013



Less Fat Luke posted:

I still recommend 1Password to everyone that asks and use it myself, but I loving hate that they are pushing all new users to the cloud-based vaults.

They may be pushing people toward the subscription service, but you don’t have to use it. They still offer syncing over local network, Dropbox or iCloud (only useful for all macOS/iOS).

You do lose being able to access multiple vaults simultaneously if you don’t use their service along with some other features like “travel mode”, so it may or may not be worth it.

Sefal
Nov 8, 2011
Fun Shoe
https://www.bleepingcomputer.com/news/security/samsam-ransomware-hits-colorado-dot-agency-shuts-down-2-000-computers/

Yikes

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!


quote:

The agency's IT staff is working with its antivirus provider McAfee to remediate affected workstations and safeguard other endpoints before reintroducing PCs into its network.


:tif:

Nalin
Sep 29, 2007

Hair Elf

Sefal posted:

I've been using Keepass for the last 2 years.


I take it this can also work with an iphone?

Yes, there are multiple TOTP apps that support iOS. Authy, Google Authenticator, FreeOTP, and Toopher are just a couple.

an actual dog
Nov 18, 2014

Jose Valasquez posted:

This is the only public disclosure I found https://bugs.chromium.org/p/project-zero/issues/detail?id=888 which was fixed pretty quickly so maybe it is fine now, but he did also say he was going to stop looking at password managers right after that
https://twitter.com/taviso/status/769378052254015488?lang=en

When you start up 1password in the browser they make you match a code between the extension and the app on your computer, I think that's how they fix the problem he found. The new extension doesn't have this problem, because it doesn't interface with an external program.

geonetix
Mar 6, 2011


That code matching thing was already implemented before tavis tweeted about it so I don’t think that’s what’s up, but maybe they used it that way afterwards, who knows

CLAM DOWN
Feb 13, 2007





That was my favourite part

Tapedump
Aug 31, 2007
College Slice
Pick a fight (make a suggestion/case): Google Authenticator, Authy, or other (for non-U2F)?

CLAM DOWN
Feb 13, 2007




Tapedump posted:

Pick a fight (make a suggestion/case): Google Authenticator, Authy, or other (for non-U2F)?

I use Authenticator+ on my phone because it works great and has automatic backups to my Google Drive for when I need to restore without reactivating all my 2FAs

The Fool
Oct 16, 2003


I use Microsoft Authenticator.

Mostly because I like the push notification approval for Microsoft services. OTP for everything else.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
I use Duo. Used to use Authy back when cloudflare used their proprietary garbage for 2fa. Both acceptable imo

Kerning Chameleon
Apr 8, 2015

by Cyrano4747
I mean, if you use OTP you're gonna end up having to use a few different ones anyway, since Microsoft and Steam force you to use theirs to 2FA their services, and Humble Bundle and Twitch require Authy for their 2FA.

The Fool
Oct 16, 2003


Kerning Chameleon posted:

I mean, if you use OTP you're gonna end up having to use a few different ones anyway, since Microsoft and Steam force you to use theirs to 2FA their services, and Humble Bundle and Twitch require Authy for their 2FA.

I don't know about the other services you mentioned, but Microsoft doesn't care what authenticator you are using.

e:
humble bundle doesn't require authy either

Steam does require you use their own service, and Twitch does require Authy.

Blizzard also requires you to use their own authenticator.

The Fool fucked around with this message at 18:55 on Feb 26, 2018

CLAM DOWN
Feb 13, 2007




Kerning Chameleon posted:

I mean, if you use OTP you're gonna end up having to use a few different ones anyway, since Microsoft and Steam force you to use theirs to 2FA their services, and Humble Bundle and Twitch require Authy for their 2FA.

I use Authenticator+ for my MS account, so that's not true. Steam is stupid, so yeah that one is annoying.

Maneki Neko
Oct 27, 2000

CLAM DOWN posted:

I use Authenticator+ for my MS account, so that's not true. Steam is stupid, so yeah that one is annoying.

But if you use the Microsoft authenticator you get passwordless logins basically, which are real nice.

Internet Explorer
Jun 1, 2005





Another vote for Authenticator+. Having gone through multiple Nexus 5xs due to their storage issue I got real sick of recovering my 2FA each time. I am 100% okay with having my 2FA codes stored on Google Drive, which uses a completely different 2FA setup.

For end-user type stuff at work I prefer Duo due to the push notifications, much easier to get users onboard. But all admin stuff is in Authenticator+.

Proteus Jones
Feb 28, 2013



CLAM DOWN posted:

I use Authenticator+ for my MS account, so that's not true. Steam is stupid, so yeah that one is annoying.

I use the code generator in 1Password. I think Steam and Battlenet are the only accounts I need to use with their OTP generators.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Proteus Jones posted:

I use the code generator in 1Password. I think Steam and Battlenet are the only accounts I need to use with their OTP generators.

Unless battlenet changed anything I was able to extract the key and time shift (and something else..) out of the app into a windows application to generate the same codes as the one on my phone.

You need access to app cache via root to see that data.

BlankSystemDaemon
Mar 13, 2009




Less Fat Luke
May 23, 2003

Exciting Lemon

Proteus Jones posted:

They may be pushing people toward the subscription service, but you don’t have to use it. They still offer syncing over local network, Dropbox or iCloud (only useful for all macOS/iOS).

You do lose being able to access multiple vaults simultaneously if you don’t use their service along with some other features like “travel mode”, so it may or may not be worth it.

Actually I'm trying to confirm this but I'm almost certain the newest version on Windows does not support a local vault except when importing one to their cloud service.
