Password managers that make you copy and paste by hand or work by blindly typing into any window with a plausible title are completely retarded, fail to protect users from phishing sites, and shouldn't be taken seriously by anyone. Please don't use them or recommend them to people.

Jul 25, 2019 03:01

Rufus Ping posted:
Password managers that make you copy and paste by hand or work by blindly typing into any window with a plausible title are completely retarded, fail to protect users from phishing sites, and shouldn't be taken seriously by anyone. Please don't use them or recommend them to people.

Your suggestion then?

Jul 25, 2019 03:15

1password

Jul 25, 2019 03:34

Rufus Ping posted:
Password managers that make you copy and paste by hand or work by blindly typing into any window with a plausible title are completely retarded, fail to protect users from phishing sites, and shouldn't be taken seriously by anyone. Please don't use them or recommend them to people.

pass, the standard password manager: completely [ableist slur]

Jul 25, 2019 03:36

ozymandOS posted:
pass, the standard password manager: completely [ableist slur]

Yes. pass, the "standard password manager" which relies on the user to copy and paste passwords into what may or may not even be a genuine website, is indeed a completely retarded suggestion for how to store your website logins.

Jul 25, 2019 03:48

If you are using KeePass, just use the Kee browser plugin (Firefox and Chrome versions available) and avoid auto-type.

Jul 25, 2019 03:56

Subjunctive posted:
True in all aspects.

I gave my boss the extension security rundown and he agreed. He also then asked what extensions we should whitelist, including password managers. I have to find a way of generating a report of what extensions users have on their Chrome browsers on company-owned laptops but not necessarily logged in to company-owned G Suite accounts with them. Just to get an idea of what we're possibly going to break or what we have to whitelist, to go into company-wide comms about the whole initiative. He also asked me to recommend 2 or 3 password managers that we will in turn recommend to users after he said "we probably need to whitelist people's lastpass extensions" and I said "oh the internet told me lastpass sucks!"

Jul 25, 2019 03:57

Rufus Ping posted:
Yes. pass, the "standard password manager" which relies on the user to copy and paste passwords into what may or may not even be a genuine website, is indeed a completely retarded suggestion for how to store your website logins.

My wallet requires me to manually hand my cash over if I want to pay for something, and it doesn't even prevent me from handing my cash to completely the wrong person. That must mean it's useless, and I'm an idiot for continuing to keep my money in it.

Jul 25, 2019 04:09

Powered Descent posted:
My wallet requires me to manually hand my cash over if I want to pay for something, and it doesn't even prevent me from handing my cash to completely the wrong person. That must mean it's useless, and I'm an idiot for continuing to keep my money in it.

If there were a new magic type of money which could be securely teleported to its intended destination without being susceptible to being snatched by a third party, and also prevented people falling for financial scams involving impersonation, then this analogy might begin to make sense.

Jul 25, 2019 04:18

Potato Salad posted:
Someone who understands telco: what do?

The short version is that STIR/SHAKEN allows telephone providers to sign call setup traffic and either confirm that the caller is authorized to:

A. The user making the call is the one associated with this number. This is for direct lines to telcos or how a PBX would sign its own outbound traffic.
B. The trunk the call is coming from is authorized to use this number, but we have no idea who's actually making the call. This is for PBXes and the like.
C. The call is coming from a trusted gateway, but we're not sure beyond that.

Presumably to start off it'll be presented with some kind of "verified" tag when a call is properly signed, but the hope would be that eventually the major telcos have it deployed widely enough that we can make a shift similar to the trajectory of HTTPS, where we go from having it being considered "Secure" to that being the normal state and not having it becoming "Insecure".

Supposedly this is a decent intro talk about it, I haven't watched yet: https://www.youtube.com/watch?v=W25a3I0gWp8

I haven't actually implemented it yet, I'm not sure if it'll even be relevant at my level or if it's for those one level above me, but the concept seems sound. I think if it's sufficiently widely deployed it can largely solve this problem.

Jul 25, 2019 04:47

sadus posted:
Control V it will autotype both username and password

I've hit control V, had someone message me on Skype while logging into a site and it sent my username and password to them. I never use control v anymore.

Jul 25, 2019 05:02

gourdcaptain posted:
Frustratingly, one of them is the bank I use.

Don't expect them to ever get it right.

Jul 25, 2019 08:21

Rufus Ping posted:
If there were a new magic type of money which could be securely teleported to its intended destination without being susceptible to being snatched by a third party, and also prevented people falling for financial scams involving impersonation, then this analogy might begin to make sense.

Monero (XMR) and being smart about who you're dealing with online?

Jul 25, 2019 11:06

fyallm posted:
I've hit control V, had someone message me on Skype while logging into a site and it sent my username and password to them. I never use control v anymore.

Jul 25, 2019 12:39

evil_bunnY posted:
Joke's on you for using any app that dares steal focus. TBH it should be an OS level permission defaulting to "gently caress you"

Literally: does this exist in W10 and if so where?

Jul 25, 2019 12:42

wolrah posted:
The short version is that STIR/SHAKEN allows telephone providers to sign call setup traffic and either confirm that the caller is authorized to

Sounds like SPF for phone numbers to me.

Jul 25, 2019 14:48

My VoIP provider many years ago didn't set my ANI up correctly and thus for years I could dial overseas and not get billed for the calls. I did a lot of wardialing back then. I have little faith in telcos getting this right.

Jul 25, 2019 14:51

Schadenboner posted:
Literally: does this exist in W10 and if so where?

Maybe you can hack it like this? https://community.spiceworks.com/topic/1749029-program-to-prevent-any-windows-window-from-taking-precedence-focus

Jul 25, 2019 15:03

So was that Equifax "was my info stolen in the hack?" website hacked yet?

Jul 25, 2019 15:51

cr0y posted:
So was that Equifax "was my info stolen in the hack?" website hacked yet?

Was that the one run by Equifax where you had to waive rights in order to check? And that also had a bad cert IIRC?

Jul 25, 2019 15:53

Schadenboner posted:
Was that the one run by Equifax where you had to waive rights in order to check? And that also had a bad cert IIRC?

This was one that went up yesterday to see if you qualify for class action money.

Jul 25, 2019 16:11

evil_bunnY posted:
Joke's on you for using any app that dares steal focus. TBH it should be an OS level permission defaulting to "gently caress you"

BangersInMyKnickers posted:
Sounds like SPF for phone numbers to me.

Lain Iwakura posted:
My VoIP provider many years ago didn't set my ANI up correctly and thus for years I could dial overseas and not get billed for the calls. I did a lot of wardialing back then.

Jul 25, 2019 16:49

Cugel the Clever posted:
I swear my parents knew the fundamentals of computer operation in the early 2000s, but either they lost it along the way or have just grown incapable of transposing the knowledge they do have into a different, but closely parallel context...

Jul 25, 2019 17:18

Rufus Ping posted:
Password managers that make you copy and paste by hand or work by blindly typing into any window with a plausible title are completely retarded, fail to protect users from phishing sites, and shouldn't be taken seriously by anyone. Please don't use them or recommend them to people.

autotype is bad, but given that most password manager exploits have been exploiting the browser plugins as opposed to the safe itself, and the frequency with which field names change (or are dynamically generated), copy-paste seems like as good a method as any

Jul 25, 2019 17:28

Rufus Ping posted:
If there were a new magic type of money which could be securely teleported to its intended destination without being susceptible to being snatched by a third party, and also prevented people falling for financial scams involving impersonation, then this analogy might begin to make sense.

Look, all I'm saying is that there's nothing wrong with simple, straightforward tools. (Do one thing and do it well, now where have I heard that before...)

Never mind that 1Password doesn't have plugins for many places passwords need to go. Yes, most passwords do go into a web browser these days, but what about credentials for veracrypt archives, or virtualbox VMs, or ssh connections in a terminal, or LUKS volumes, or openvpn tunnels? I use all of these frequently.

I'm perfectly happy using nice simple KeePassX and seeing to the security arrangements myself, rather than farming it out to a subscription service.

Jul 25, 2019 17:30

wyoak posted:
how exactly do you want people to enter passwords

browser extension

wyoak posted:
autotype is bad, but given that most password manager exploits have been exploiting the browser plugins as opposed to the safe itself,

yes the quality of browser extensions varies hugely and is the obvious place to attack. this is why i recommend 1password, who are competent, have a good track record of avoiding such problems, and who make their own browser extensions rather than requiring the use of third party products. this is not true of other well known password managers

wyoak posted:
and the frequency with which field names change (or are dynamically generated), copy-paste seems like as good a method as any

1password is generally very good at identifying the correct fields, and is not defeated by mere changes of name

Powered Descent posted:
Look, all I'm saying is that there's nothing wrong with simple, straightforward tools. (Do one thing and do it well, now where have I heard that before...)

the "one thing" is "log me into this website using the appropriate saved creds", and "do it well" ought to include things like "without requiring the user to copy and paste from one app to another when this is avoidable" and "if a side effect is that the user can't accidentally get phished, that sounds like a good idea". snarkily quoting the unix philosophy doesn't make any sense here

Powered Descent posted:
Never mind that 1Password doesn't have plugins for many places passwords need to go. Yes, most passwords do go into a web browser these days, but what about credentials for veracrypt archives, or virtualbox VMs, or ssh connections in a terminal, or LUKS volumes, or openvpn tunnels? I use all of these frequently.

that's fine. they haven't removed the copy button. you are welcome to keep using it for non-browser logins

Powered Descent posted:
I'm perfectly happy using nice simple KeePassX and seeing to the security arrangements myself, rather than farming it out to a subscription service.

go ahead. the move to a hosted saas model is a legit complaint and one i argued against for years on these very forums. i used to handle the backup and cross-device sync of my password db myself. but it's irresponsible to recommend this to users without your level of expertise. it's like the goon stereotype of the early 2000s who installs linux on his grandfather's computer because he doesn't recognise that people's circumstances, requirements, and level of understanding are different

apropos man posted:
Monero (XMR) and being smart about who you're dealing with online?

no - "being smart about who you're dealing with online" is precisely the element of human error which should be minimised. monero does not fulfill the requirements of the mythical currency in my post

Jul 25, 2019 19:43

wolrah posted:
I've wondered for quite a while why it's still a thing or why it ever was. I haven't yet come up with a single case where having a different application be able to pop up and steal focus from what you're currently interacting with is the best way to achieve something. I definitely agree that at minimum it should be a permission-gated thing that defaults to no, but I'd rather it just not be a thing at all.

Jul 25, 2019 19:52

wolrah posted:
I've wondered for quite a while why it's still a thing or why it ever was. I haven't yet come up with a single case where having a different application be able to pop up and steal focus from what you're currently interacting with is the best way to achieve something. I definitely agree that at minimum it should be a permission-gated thing that defaults to no, but I'd rather it just not be a thing at all.

While we're asking for impossible Windows features, why is it, in the Year Of Our Lord 2019, in the age of at-least-1080p displays, Microsoft cannot make loving properties sheets larger than a postage stamp, or resizable at all?

Jul 25, 2019 20:21

fyallm posted:
I've hit control V, had someone message me on Skype while logging into a site and it sent my username and password to them. I never use control v anymore.

I've tried mitigating this issue by configuring autotype to only type the password without enter. I can type the username myself or the browser can remember it. Another configuration that I need is a 200 ms typing delay, otherwise characters start dropping when you try to autotype them through a VirtualBox console and a couple of RDP sessions. Can you imagine how frustrating it is watching KeePass two-finger type the password knowing you could type it faster yourself.

In my opinion, copy-pasting passwords should be completely forbidden. The danger of autotyping in a wrong window is minimal compared to where a copied password can end up. If you must copy it, make sure you don't have any RDP sessions or virtual machine consoles open. I learned my lesson when I tried to paste a string inside a Lubuntu virtual machine and instead of the string I wanted, I got a string that I had copied the previous night on my home computer. That string had travelled through a RDP session to a Win7 virtual machine, from there over the VirtualBox console, that had been showing the Windows lock screen the whole time, to the Linux host computer and from there to the Lubuntu virtual machine. After that I disabled the clipboard on quite a few of my VirtualBox machines.

Jul 25, 2019 20:50

There's an option in Keepass to cancel auto-type if the target changes.

I've been using Keepass for over a decade, and literally my only grumble so far is that I had to tick the 'make this look nice on high-res displays' thing in the application properties after upgrading to a 4k display.

Jul 25, 2019 21:05

Lolz... A few weeks ago I posted about our joke of an alarm system company sending our information to someone without verification. I called to make a small change to our call list. All I did was say my name and the company; that was all that was needed. I made changes to our call list with zero verification at all. Just.... wow....

Jul 25, 2019 21:25

Darchangel posted:
While we're asking for impossible Windows features, why is it, in the Year Of Our Lord 2019, in the age of at-least-1080p displays, Microsoft cannot make loving properties sheets larger than a postage stamp, or resizable at all?

My complaint isn't even a Windows thing, my Ubuntu laptop is just as bad about it. I don't recall if OS X also had it.

As for your complaint, Microsoft is slowly updating all the legacy UI elements that have been around since Windows 9x (or occasionally prior, like that one font control panel), but they sure are taking their own sweet time with little obvious rhyme or reason.

Jul 25, 2019 22:19

Rufus Ping posted:
but it's irresponsible to recommend this to users without your level of expertise. it's like the goon stereotype of the early 2000s who installs linux on his grandfather's computer because he doesn't recognise that people's circumstances, requirements, and level of understanding are different

That's reasonable (though still arguable). But it's a very different position than:

Rufus Ping posted:
Password managers that make you copy and paste by hand or work by blindly typing into any window with a plausible title are completely retarded, fail to protect users from phishing sites, and shouldn't be taken seriously by anyone. Please don't use them or recommend them to people.

Jul 25, 2019 22:43

Powered Descent posted:
That's reasonable (though still arguable). But it's a very different position than:

a password manager that auto-fills without context is a security risk, and worse misleads the user. auto-submit is far more dangerous

the point of a password manager is to shift the technical burden of managing passwords and authenticating where those passwords go

Jul 25, 2019 22:48

Powered Descent posted:
That's reasonable (though still arguable). But it's a very different position than:

The only difference is that I've given up on you and am instead appealing to you not to hurt other people. I still think it's moronic.

Jul 25, 2019 22:51

Wiggly Wayne DDS posted:
auto-submit is far more dangerous

Sure am glad pages can't read form fields or key presses till the submit button is clicked.

Jul 25, 2019 22:57

yeah i was avoiding mentioning that tiny loophole in the auto-submit security design, clouds the argument a bit

Jul 25, 2019 23:00

Rufus Ping posted:
Sure am glad pages can't read form fields or key presses till the submit button is clicked.

Preach. It really bothers me that the Web 2.0 javascriptEngine world we live in today has javascript security take the form of either a) make sure it is coming from a trusted location but b) lol, it's just easier to put a minimized, obfuscated version of the same JS on the server itself, which requires deobfuscation and tracking names to make sure it ain't doing one of the million insidious things JS allows you to do. Not even just JS either, CSS, weird HTML tags too...

Jul 25, 2019 23:06

I use KeePass and stumbled into this thread on a whim and saw the last few posts. I'm generally not going to recommend KeePass to people that aren't comfortable with PC basics, but how do people here feel about Mozilla's Lockbox thing?

Jul 25, 2019 23:57

Wiggly Wayne DDS posted:
the point of a password manager is to shift the technical burden of managing passwords

Yes.

Wiggly Wayne DDS posted:
and authenticating where those passwords go

I would argue that it's vastly better to teach users to have some common-sense awareness of what they're doing than to have them rely on half-measures like a password manager that refuses to do its thing when it isn't satisfied.

Jul 26, 2019 01:00