|
keep assing don't stop, won't stop assing
|
# ? Mar 8, 2019 18:35 |
|
CommieGIR posted: Keepass and Mooltipass are still acceptable, right?
mooltiwhat now
|
|
# ? Mar 8, 2019 18:43 |
|
URL grey tea posted: we have to turn off the lastpass browser extension whenever we don't need it or the laptop fans immediately spin up and stay that way for hours. good product.
we're doing a bunch of garbage math for no reason as a sidechannel protection mechanism YOURE WELCOME
|
# ? Mar 8, 2019 18:44 |
|
Wiggly Wayne DDS posted: i've been yelling against using it since release. they've been hacked multiple times, glossed over what was impacted then, and designed the vault to allow online-only access with bypasses for the master key, 2fa or region locks
the recent stuff about pretty much every single one of these not properly purging key material from memory (even when records aren't being accessed or the whole thing is locked) was extremely depressing
|
# ? Mar 8, 2019 18:46 |
|
CommieGIR posted: Keepass and Mooltipass are still acceptable, right?
i use moviepass to keep my passwords safe, they're all on a post-it note under a seat in theater 3 at the local amc loews
|
# ? Mar 8, 2019 18:49 |
|
Wiggly Wayne DDS posted: it was just 2017 when taviso had a glance at it and found a rce:
thanks i'll stick with 1password i think i just won't actually install it on my desktop
|
# ? Mar 8, 2019 19:29 |
|
LordSaturn posted: keep rear end is good poo poo but not something I want to train my parents to use.
have you considered upgrading your parents instead
|
# ? Mar 8, 2019 20:09 |
|
Soricidus posted: have you considered upgrading your parents instead
every day
|
# ? Mar 8, 2019 20:22 |
|
A piece of graph paper, a set of dice, and a personal cypher algorithm for the hand written passwords.
|
# ? Mar 8, 2019 22:39 |
|
cinci zoo sniper posted: mooltiwhat now
https://www.themooltipass.com/
|
# ? Mar 8, 2019 23:19 |
|
Salt Fish posted: A piece of graph paper, a set of dice, and a personal cypher algorithm for the hand written passwords.
step one: buy an enigma
|
# ? Mar 8, 2019 23:28 |
|
Lain Iwakura posted:this is a lastpast-free zone
|
# ? Mar 9, 2019 00:13 |
|
"this is in a book."
|
# ? Mar 9, 2019 02:13 |
|
Salt Fish posted: Which libxml cve are you worried about specifically? Asking about them generically is like asking a doctor who never met you if you should be taking prescriptions.
I asked about them generally after reading what they were, and I'm not that worried about any of them. My question was more about how people deal with this situation on the compliance end of things in general because I imagine this situation is the state of most packages in most Linux distros. Is everyone just doing what ratbert suggested and compiling poo poo from source so they exchange known low/medium known CVE's with unknown zero days or is there a standard way people say, "This is the current state of things. It's not the best, but it's also just not that critical for our specific usage. This not only affects RHEL but also Debian. Considering the number of CVE's this package generates on a regular basis, I am not comfortable installing the most recent version in its untested state." Or did I just answer my own question?
ErIog fucked around with this message at 02:38 on Mar 9, 2019 |
# ? Mar 9, 2019 02:24 |
|
ErIog posted: I asked about them generally after reading what they were, and I'm not that worried about any of them. My question was more about how people deal with this situation on the compliance end of things in general because I imagine this situation is the state of most packages in most Linux distros.
99% of compliance scanning companies pretend to not know what back porting is, then pretend not to know what low severity is, then make you file exception requests. They charge money at each step like they're hawking used cars and then go tell your management about how many vulnerabilities they got you to fix so they can do it on a quarterly cadence.
|
# ? Mar 9, 2019 02:42 |
|
gently caress that poo poo, use a proper hardware credential system:
|
# ? Mar 9, 2019 05:06 |
|
What if you have mac can you keepass then
|
# ? Mar 9, 2019 06:05 |
|
just use family 1password
|
# ? Mar 9, 2019 06:23 |
|
i use family 1password and that payment was worth not dealing wish dumbullshit
|
# ? Mar 9, 2019 06:41 |
|
CRIP EATIN BREAD posted:i use family 1password and that payment was worth not dealing wish dumbullshit
|
# ? Mar 9, 2019 09:07 |
|
BangersInMyKnickers posted: the recent stuff about pretty much every single one of these not properly purging key material from memory (even when records aren't being accessed or the whole thing is locked) was extremely depressing
They should have done a better job but realistically if you have that kind of access to a machine you can just as easily install a keylogger and steal the passphrase and exfil the database file.
|
# ? Mar 9, 2019 10:01 |
|
CRIP EATIN BREAD posted:i use family 1password and that payment was worth not dealing wish dumbullshit
|
# ? Mar 10, 2019 02:03 |
|
this made me remember that I’m not at oldjob any more so I made the switch off of lastpass feels p good
|
# ? Mar 10, 2019 02:13 |
|
florida lan posted: gently caress that poo poo, use a proper hardware credential system:
that subtitle is all wrong, it’s “leeloo dallas multipass.“, a three-component proper name
|
# ? Mar 10, 2019 02:20 |
|
CommieGIR posted: Keepass and Mooltipass are still acceptable, right?
RE: mooltipass, i actually bought one to play around with at work. Maybe I didn't give the ~open source hardware~ long enough, but it just struck me as a dumb idea to go through all the trouble of using a smart card/pin/clunky device to unlock a bunch of static strings. It's like one giant work-around so you don't have to remember your unlock passphrase. I think you'd have to have a weirdly-specific use-case to find the mooltipass useful given all the annoying drawbacks. Like managing the keephrases to all your offline HSM's or something where you 100% trust the hardware you plug this USB device into not to be a keylogger. I wish we'd just have U2F for everything so I can just plug-in a USB drive to 2FA my pornhub premium account or w/e but here we are. Thanks for listening to my TED talk.
|
# ? Mar 10, 2019 13:29 |
|
yubikey owns as an ssh key
|
# ? Mar 10, 2019 14:44 |
|
CRIP EATIN BREAD posted: yubikey owns as an ssh key
I love yubikeys: totp, PIV smart card, u2f, NFC, even comes in a tiny form factor where you just shove it in the USB port so your stupid ham fisted admins can't break it off. My only gripe is the PIV functionality is a little dodgy sometimes, but lol smartcards.
|
# ? Mar 10, 2019 14:55 |
|
CRIP EATIN BREAD posted: yubikey owns as an ssh key
the hardware is super flaky tho. I've had 3 fail so far with no discernable reason.
|
# ? Mar 10, 2019 17:37 |
|
ErIog posted: how people deal with this situation on the compliance end of things in general because I imagine this situation is the state of most packages in most Linux distros.
I have only dealt with PCI DSS compliance so YMMV but PCI is NOT at all about "you can't have vulnerabilities". It is about "you need to be aware of vulnerabilities and address them in the proper way", where "the proper way" can just be "acknowledge they exist and accept the risk" (hopefully after verifying the risk is negligible). For sure there are plenty of pointy haired bosses who just see it differently but that's not compliance, that's incompetent bosses.
ErIog posted: Is everyone just doing what ratbert suggested and compiling poo poo from source so they exchange known low/medium known CVE's with unknown zero days or is there a standard way people say, "This is the current state of things. It's not the best, but it's also just not that critical for our specific usage. This not only affects RHEL but also Debian. Considering the number of CVE's this package generates on a regular basis, I am not comfortable installing the most recent version in its untested state."
Sounds like you did. Compliance processes are there to try to force blissfully ignorant companies into acting with some awareness of the risks that affect them. Evaluating the CVEs and going "yeah we're good" is exactly the right approach for you, it sounds.
|
# ? Mar 10, 2019 18:02 |
|
jit bull transpile posted: the hardware is super flaky tho. I've had 3 fail so far with no discernable reason.
Interesting, I am on my second YubiKey so far, but only because my kid managed to lose the first one.
|
# ? Mar 10, 2019 18:42 |
|
jit bull transpile posted: the hardware is super flaky tho. I've had 3 fail so far with no discernable reason.
uh wow. good thing I bought a couple spares then...
|
# ? Mar 10, 2019 19:54 |
|
I just wish it had GIDS rather than PIV, Native no software needed 2fa login for windows is pretty sweet
|
# ? Mar 10, 2019 20:02 |
|
hackbunny posted: uh wow. good thing I bought a couple spares then...
my current one will randomly refuse to register until I reboot my machine. v annoying
|
# ? Mar 10, 2019 20:22 |
|
AV scan said clean, NO COLLUSION.
|
# ? Mar 10, 2019 20:27 |
|
i've never had any yubikey fail, though every once and a while it seems to lock up and I have to unplug and plug it back in
ZeusCannon posted: What if you have mac can you keepass then
there's a version called macpass that I use that may or may not have gaping security flaws since i've never seen anyone actually look at it closely but god is the UI just so nice, like it's way better than the default keep rear end UI
|
# ? Mar 10, 2019 23:35 |
|
https://keepassxc.org/ is what I use for mac
|
# ? Mar 11, 2019 02:04 |
|
Bhodi posted: https://keepassxc.org/ is what I use for mac
nice goatse mirror
|
# ? Mar 11, 2019 02:05 |
|
akadajet posted: nice goatse mirror
dsyp
|
# ? Mar 11, 2019 02:54 |
|
wait you have a Mac and you aren't using iCloud Keychain ????
|
# ? Mar 11, 2019 03:48 |
|
BIGFOOT EROTICA posted: wait you have a Mac and you aren't using iCloud Keychain ????
I also use windows and Linux. keepAss on Dropbox works across all 3 and my phones as well
|
# ? Mar 11, 2019 06:38 |