Kheldarn posted:
> I don't care how it makes me, I will NEVER trust a password manager.

If on Windows, you could use a locally-running one like KeePass and tell Windows Firewall to not let it have any outbound or inbound communication. That should assuage your .
Sep 15, 2019 23:30

PirateBob posted:
> How do the password managers integrate with browsers?

Extensions/add-ons. Not all password managers have them, but the likes of LastPass and Bitwarden have extensions for all major browsers (including the Edge Chromium builds) and apps on Android and iOS. Bitwarden is open source but isn't as fully featured as LastPass, but Bitwarden may be more secure (I'm no expert though). Firefox Lockbox or whatever most likely will never be cross-browser and cross-platform.
Sep 16, 2019 00:05

D. Ebdrup posted:
> If you pay attention you'll note that in the US, companies which leak personal information that the state can benefit from don't get any form of punishment and barely get a slap on the wrist in the form of a class-action lawsuit that they can then get out of by making it extremely hard to claim (see: Equifax).

Yeah, so the thing about the cloud-based password managers is that they can't leak your passwords, because the vault is encrypted with your master password. If you forget your password and ask them to reset it they can't do it (Bitwarden as an example, but 1Password, KeePass and LastPass are the same). Security problems still exist, but they have been things like a flaw where the browser plugin could potentially be spoofed by an attack website to leak keys, or their sync could get intercepted by a highly complex and targeted MITM attack, or other mildly esoteric stuff. Not "oops we leaked our database and now all your passwords are known". That can't happen because they don't have your passwords, only an encrypted blob of data that is impossible* to recover.

*if you are using a high-strength passkey, and the NSA isn't using quantum computers or some poo poo.

WattsvilleBlues posted:
> Bitwarden is open source but isn't as fully featured as LastPass but Bitwarden may be more secure (I'm no expert though). Firefox Lockbox or whatever most likely will never be cross browser and cross platform.

LastPass is always an avoid rating by info-security goons, because LastPass had a meh response to security flaws in the past. (A well-known pro security researcher told them their browser plugin had a bug and they were like "nuh-uh".) 1Password / KeePass get gold stars. Apple Keychain is good if you're Apple all the time. Bitwarden doesn't have a long track record so it's hard to say how good they are, but they've done an independent audit, which is nice.
Sep 16, 2019 01:00

PirateBob posted:
> Is there really no way to make Firefox move to the tab to the left when closing a tab?

I have the Focus On Left Tab After Closing extension installed, and I'm pretty sure that's what you want.

Klyith posted:
> You do you, but if you aren't using strong, unique passwords for everything you are tinfoiling yourself into far more insecurity than whatever your paranoid imagination comes up with about password managers. If you can remember them all in your head you are doing passwords wrong in the modern world (or you have rain man memorization ability).

I use a "single" password that is 13 digits long of gibberish, that I modify slightly depending on the title of the website. It's pretty great since it's extremely secure and easy to remember. Someone might be able to crack the pattern, but they'd require like half a dozen leaked passwords to figure it out.
Sep 16, 2019 01:25

A lot of passwords get hacked and leaked to the dark web or whatever anyway, so the complexity of the password probably doesn't matter as much as whether you turn on two-factor authentication for everything. And preferably you don't get the codes sent through SMS.
Sep 16, 2019 01:42

Fashionable Jorts posted:
> I use a "single" password that is 13 digits long of gibberish, that I modify slightly depending on the title of the website. It's pretty great since it's extremely secure and easy to remember. Someone might be able to crack the pattern, but they'd require like half a dozen leaked passwords to figure it out.

Nope, this is not extremely secure: there have been a number of cases where websites run by idiots kept passwords in plaintext and then been hacked. Also cases where hackers compromise websites to steal info on entry (i.e. you fill in the text box with a password or credit card number, and instead of securely going to the site it gets transparently copied to the bad guys).

Your pattern probably isn't as unguessable as you think. This is what some people do for a hobby or how they make their living. But regardless, if someone were to guess merely that your password was repeated with a pattern, this would make cracking any other hashed password leaks tied to you (same email address for example) much easier. They might just run 12 characters + all combinations of 6 characters. This reduces your password strength to something that is trivial to break. It also means that changing your password is probably quite difficult.

ANY FORM OF PASSWORD REUSE IS BAD.
Sep 16, 2019 02:00

Installing the KeePass browser plugin for Firefox has changed my life. Let it change your life too.
Sep 16, 2019 02:02

Fashionable Jorts posted:
> they'd require like half a dozen leaked passwords to figure it out.

This has undoubtedly already happened.
Sep 16, 2019 02:29

astral posted:
> This has undoubtedly already happened.

I'm subscribed to a number of those mailing lists that check for password leaks, and they're always for ancient websites I haven't touched in years, long before I started my new password method (oh no my Neopets account when it was Petname123).

Klyith posted:
> Nope, this is not extremely secure: there have been a number of cases where websites run by idiots kept passwords in plaintext and then been hacked. Also cases where hackers compromise websites to steal info on entry (ie you fill in the text box with a password or credit card number, and instead of securely going to the site gets transparently copied to the badguys).

I'm tempted to post some here to see some brains melt trying to decipher it.
Sep 16, 2019 03:09

Fashionable Jorts posted:
> I'm subscribed to a number of those mailing lists that check for password leaks, and they're always for ancient websites I haven't touched in years, long before I started my new password method (oh no my Neopets account when it was Petname123)

Ok, I guess that's fine then, since websites always realize when they've been breached and are definitely, absolutely going to let their users know ASAP when it happens.
Sep 16, 2019 03:50

Fashionable Jorts posted:
> I'm tempted to post some here to see some brains melt trying to decipher it.

I don't want to talk you out of whatever puzzle scheme you've concocted, I only want to make sure that you know that
1) it's not as secure as randomly-generated passwords kept in a password manager
2) telling other people that your scheme is "extremely secure" is both wrong and dangerous misinformation.

Your genius mega-brain might be doing substitutions and transpositions that only Turing or the NYT crossword staff could decipher, but other people are going to think adding "t99to3" or "rqd3g" to a random key is a brilliant idea that nobody will be able to decipher.

Basically, don't brag about doing something dumb. Other than that, do whatcha wanna.

astral posted:
> ok I guess that's fine then since websites always realize when they've been breached and are definitely, absolutely going to let their users know ASAP when it happens

Fortunately haveibeenpwned goes directly to the hacked database dumps to keep people informed.
Sep 16, 2019 04:33

Did the "Copy to Clipboard" function disappear from anybody else's share menu in the latest Firefox Mobile for Android? I use that button constantly but it's gone now as of 68.1.1.
Sep 16, 2019 04:42

Has anyone else seen the SA Forums main page lagging since 69? Like scrolling down the page is extremely choppy? It only happens sometimes and a reload fixes it immediately, so I assume it's related to a rotating ad, but it only happens on the main forum page.
Sep 16, 2019 05:43

Klyith posted:
> Yeah, so the thing about the cloud-based password managers is that they can't leak your passwords, because the vault is encrypted with your master password. If you forget your password and ask them to reset it they can't do it (bitwarden as an example, but 1password keepass and lastpass are the same).

While Linux doesn't have dtrace in mainline, KVM (used by Google and Amazon) can presumably be traced with eBPF (which is the Linux equivalent of dtrace, and is based on Berkeley Packet Filters, which came from BSD), so I don't see how that's any different. Windows just recently added dtrace, and Hyper-V is used for Azure. That covers just about every hypervisor.

The point of all of this isn't to scare anyone away from using the (well, this shouldn't be the only reason - there are plenty more reasons for that than just this), but to make it clear that they're not in any way magic.

Also, minor detail - but do you mean that Bitwarden had an independent audit done, or do you mean they did the audit? Because the latter isn't independent, and the sentence doesn't lead me to believe it's the former.
Sep 16, 2019 09:53

Fashionable Jorts posted:
> I have the Focus On Left Tab After Closing extension installed, and I'm pretty sure thats what you want.

I did something similar before I started using Bitwarden. It's probably quite safe, but I found I started getting sloppy about varying the phrase over time. The logins add up; I have over 60 in my manager now. So new passwords for webshops etc. were often poor, reused, or I had to do the reset dance every time I logged in.

Unless someone sets out to attack you personally, most password crackers try to find the easy pickings using automated tools. So your scheme might be safe enough in your case. But it's not good universal advice to give, because someone else might be sloppier. "Use a reputable password manager with strong, unique phrases for each login, protected by a strong master passphrase" is good universal advice.

The risk of the manager itself being compromised is well worth reducing, because the consequences can be so big. I do it by not having my main email, my national identity login, nor any complete details to payment stuff. It means I have to remember some more stuff, but compared to before, my security is way up, my own memory requirement is way down and my workflow is more streamlined.
Sep 16, 2019 09:54

PirateBob posted:
> How do the password managers integrate with browsers?
Sep 16, 2019 10:06

effika posted:
> Did the "Copy to Clipboard" function disappear from anybody else's share menu in the latest Firefox Mobile for Android? I use that button constantly but it's gone now as of 68.1.1.

If it is the actual Android system share menu, then I believe "Copy to Clipboard" is not part of the core system and is created by an app like Google Drive or something like that.
Sep 16, 2019 10:09

Klyith posted:
> I don't want to talk you out of whatever puzzle scheme you've concocted, I only want to make sure that you know that

I think it would be more helpful if you went into greater detail about the strength of a password manager over other examples, like a very long passphrase with numbers and symbols. I get not having to remember passwords, that's cool, but having a manager seems like just another vector waiting to be exploited. There's already been a couple of password managers that failed to do their job and that taints the rest of them.
Sep 16, 2019 15:21

Does 2FA stop password manager hacks even if the password is obtained? I mean I know it'll stop my neighbour's dog from checking it out but is it inaccessible to all but the most dedicated of quantum nerds?
Sep 16, 2019 16:06

D. Ebdrup posted:
> With dtrace on FreeBSD with Xen (used by one of the major providers) or bhyve as a hypervisor for guest OS, it's not exactly difficult to find the passwords in memory once the database been unlocked at least once.

Who says it gets decrypted server side? As I understand Bitwarden, it stores encrypted data only and it's decrypted on your device. Obviously it's possible for them to be dishonest and find out your password somehow, but that trust paradox is everywhere.

WattsvilleBlues posted:
> Does 2FA stop password manager hacks even if the password is obtained? I mean I know it'll stop my neighbour's dog from checking it out but is it inaccessible to all but the most dedicated of quantum nerds?

I'm not exactly sure how it's implemented; I think it only limits which device can download the password data. So if you somehow could steal the data and the master password, then it could be decrypted.
Sep 16, 2019 16:17

Anyone know of an extension where I can just type in some dimensions and it'll automatically resize my browser window? I tried these 2:

https://addons.mozilla.org/en-US/firefox/addon/window-resizer-webextension/
https://addons.mozilla.org/en-US/firefox/addon/window-layout-resizer/

Neither worked. The first one didn't resize the window at all, the second one wouldn't let me type in the textboxes to create a layout.
Sep 16, 2019 16:36

The Web Developer extension does that among many many other things.
Sep 16, 2019 16:47

D. Ebdrup posted:
> <password managers are not immune to your pc being compromised>

I was replying to a guy worried about a cloud password manager doing the same thing as Equifax and having everyone's passwords dumped, which can't happen. I made no claims about immunity to your PC being locally compromised, because they aren't. That's not a security flaw in your password manager, that's a security flaw in your entire universe. (Though in fact some of them try their best to protect against that by not keeping the full plaintext password database in memory and only decrypting passwords as needed. But that's a race where the attacker has the inside track.)

D. Ebdrup posted:
> Also, minor detail - but do you mean that Bitwarden had an independent audit done, or do you mean they did the audit? Because the latter isn't independent, and the sentence doesn't lead me to believe it's the former.

Freakazoid_ posted:
> I think it would be more helpful if you went into greater detail about the strength of a password manager over other examples, like a very long pass phrase with numbers and symbols.

The strength of a password manager is that you never re-use passwords or even parts of passwords. That's the whole story. Passphrases can be strong passwords that are more memorable than 12 random characters, but they still have inherent problems with human memory. Most people cannot memorize a different passphrase for every account (or even just important ones that you actually care about), and keep straight which one is their bank account and which is their SA account.

Why you never re-use passwords:
1. some places are run by idiots and have literally stored passwords in plaintext (some of them have been big sites)
2. some places get hacked and attackers log incoming passwords in plaintext
3. hacked password dumps don't go away

If you re-use passwords you are immediately vulnerable to #1 & #2. In combination with #3, it means that if your phrase is discovered, any re-use in existing dumps is vulnerable even if you add numbers & symbols to make it semi-unique. Meaning that when you get the latest notice that someone has had their login database stolen, you still need to change your password there.

GPU hash attacks are the most common method that passwords get hacked these days. Fully unique high-strength passwords can virtually ignore hash attacks.

Freakazoid_ posted:
> I get not having to remember passwords, that's cool, but having a manager seems like just another vector waiting to be exploited. There's already been a couple password managers that failed to do their job and that taints the rest of them.

Password managers have vulnerabilities like a tank has vulnerabilities. It's built to protect you but isn't perfect. Password re-use has vulnerabilities like standing in the open with a big sign that says "SHOOT ME!". If password managers have a taint, then any memorization system is a porta-potty after a 3-day festival.

I'm not aware of an incident where a password manager had an in-the-wild attack that compromised their software to steal passwords. Even LastPass, the worst offender, is just getting owned repeatedly in private by Tavis Ormandy.
Sep 16, 2019 17:40

Speaking of LastPass (and Tavis): https://www.bleepingcomputer.com/news/security/password-revealing-bug-quickly-fixed-in-lastpass-extensions/

Oops.
Sep 16, 2019 18:06

Klyith posted:
> I was replying to a guy worried about a cloud password manager doing the same thing as equifax and having everyone's passwords dumped, which can't happen. I made no claims about immunity to your pc being locally compromised, because they aren't. That's not a security flaw in your password manager, that's a security flaw in your entire universe.

For the record, I use KeePass - I was exclusively talking about the ones using KeePass with OTP and keyfiles is real nice, although I wish it could integrate into FreeBSD's PAM, so I could tie it to a local account like the Windows client can do.

And it's good to hear that it's independently audited, because anything else makes it sound like OpenBSD developers.
Sep 16, 2019 18:25

D. Ebdrup posted:
> So do they have a password store implemented in javascript when people are using just the browser to get their passwords? Otherwise, it seems like they'd have to decrypt it server-side. Although I wouldn't put it past them to do it in javascript, as it's the only way to not do it server-side and not require people to use a local app.

Yeah, I suppose so, that's the language of browser addons. There's no problem with doing it in JavaScript. But if you have one, there are standalone apps as well.
Sep 16, 2019 18:32

Klyith posted:
> I'm not aware of an incident where a password manager had an in-the-wild attack that compromised their software to steal passwords. Even LastPass, the worst offender, is just getting owned repeatedly in private by Tavis Ormandy.

This just happened again last week, and was fixed well within the 90-day disclosure. I've used LastPass for years, and I realize they've had their issues, but the vulnerabilities that have been exposed have been getting patched. That gives me the peace of mind I need for the kind of attackers I'd expect to target me. If Mossad decides they want my Gmail, it doesn't matter what password manager I use. I will still be Mossad'ed upon.
Sep 16, 2019 18:38

I use Myki; the passwords not being in the cloud is good.
Sep 16, 2019 18:47

duz posted:
> The Web Developer extension does that among many many other things.

Perfect, thanks.
Sep 16, 2019 18:51

Has anyone figured out a restart button for the newer versions yet?

Edit: (I don't care about keeping tabs between restarts, I'm dicking around in my userChrome and am tired of manually exiting and starting it again, especially when half the time a message pops up saying "Firefox is still running!")

Double edit: better yet, can anyone tell me how to add a "space" to the bottom of the window, so Firefox stops placing things behind the tabs I've forced down there? Finally got my tabs working mostly correct, but now they are on top of whatever is at the bottom of the window. Most of the time it's fine, but on certain websites it makes navigation difficult (such as covering up the time progress bar in Spotify).

Fashionable Jorts fucked around with this message at 03:28 on Sep 17, 2019
Sep 17, 2019 03:18

Klyith posted:
> Password managers have vulnerabilities like a tank has vulnerabilities. It's built to protect you but isn't perfect.

Also, the basic idea behind KeePass's security, for example, is that the password file is very slow to decrypt (and also requires a lot of memory in the newer algorithm). So instead of trying a billion passwords per second to try to decrypt the file, the attacker is able to maybe try tens of passwords. A random website might have the passwords stored as anything from a slow hash (good) down to just plain text (very bad). But because you don't reuse passwords, you don't have to care about the latter.
Sep 17, 2019 07:05

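Ola's point above (a vault file that is slow and memory-hungry to unlock, versus the fast hash many sites still use for Klyith's "run by idiots" case), as an added example that is not from the thread or from KeePass: it uses Python's standard-library scrypt (memory-hard, playing the role of KeePass's newer Argon2 option) with constructed parameters, MD5 as the stand-in fast site hash, and function names that are my own.

```python
"""Added example: why a slow, memory-hard vault KDF limits an attacker to a
handful of master-password guesses per second, while a fast site hash allows
hundreds of thousands. Standard library only; parameters are constructed."""
import hashlib
import hmac
import os
import time

# Constructed KDF parameters: scrypt with N=2^14, r=8 touches about 16 MiB of
# RAM per derivation, so every guess is both slow and memory-hungry.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_CHECK_LABEL = b"vault-key-check"  # constant input for the stored check value


def derive_vault_key(master: str, salt: bytes) -> bytes:
    """Derive a 32-byte vault key from the master passphrase (vault-style KDF)."""
    return hashlib.scrypt(master.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_vault_header(master: str) -> tuple:
    """Return (salt, key_check) as a vault would store them next to the ciphertext."""
    salt = os.urandom(16)
    key = derive_vault_key(master, salt)
    # An HMAC of a fixed label lets us verify the passphrase without storing the key.
    check = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return salt, check


def unlock(master: str, salt: bytes, check: bytes) -> bool:
    """True only if `master` reproduces the stored check value (constant-time compare)."""
    key = derive_vault_key(master, salt)
    candidate = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, check)


def site_hash(password: str, salt: bytes) -> bytes:
    """A fast hash of the kind many sites still use (salted MD5 here), for contrast."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def guesses_per_second(fn, rounds: int) -> float:
    """Time `rounds` calls of fn(password, salt) and return the implied guess rate."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess{i}", salt)
    elapsed = time.perf_counter() - start
    return rounds / elapsed if elapsed > 0 else float("inf")


def slowdown_factor() -> float:
    """How many times fewer guesses per second the vault KDF allows than MD5."""
    fast = guesses_per_second(site_hash, 20000)
    slow = guesses_per_second(derive_vault_key, 5)
    return fast / slow


if __name__ == "__main__":
    salt, check = make_vault_header("correct horse battery staple")
    print("right passphrase unlocks:", unlock("correct horse battery staple", salt, check))
    print("wrong passphrase unlocks:", unlock("Petname123", salt, check))
    print(f"vault KDF is roughly {slowdown_factor():,.0f}x slower per guess than MD5")
```

The exact factor depends on the machine; the point is the order of magnitude, and a real vault's Argon2 parameters are tuned to make it larger still.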
God damnit I really need to move to a PW manager. This conversation might be the last push I needed.
Sep 17, 2019 12:07

The Dave posted:
> God damnit I really need to move to a PW manager. This conversation might be the last push I needed.

I can't live without one. I have too many sites to remember each password, and frankly, assigning random passwords to sites (let's say 20 characters long) is a very good way to secure yourself.
Sep 17, 2019 13:37

For the people doing their own passwords: Total character length matters more than "how human-unreadable it is". Writing a small unique sentence is pretty acceptable. A short "m%tqo.,32" is still a bad password.
Sep 17, 2019 17:22

Is Diceware still a decent way to get a good master password?
Sep 17, 2019 17:35

FRINGE posted:
> For the people doing their own passwords: Total character length matters more than "how human-unreadable it is". Writing a small unique sentence is pretty acceptable. A short "m%tqo.,32" is still a bad password.
Sep 17, 2019 17:51

doctorfrog posted:
> Is Diceware still a decent way to get a good master password?

Yes, it's great. You can of course be hardcore and mix up the Catalan + Finnish lists with some added punctuation for spice, but 5-6 Diceware words is plenty.

Here's a nice video on it, perhaps mostly for people who don't know about it yet: https://www.youtube.com/watch?v=Pe_3cFuSw1E

It references this video, also nice, which shows how hilariously fast you can crack MD5 hashed passwords, which many websites sadly still use, with an affordable-ish cracking rig: https://www.youtube.com/watch?v=7U-RbOKanYs

https://haveibeenpwned.com/Passwords

Hilariously, that has been pwned 120 times.
Sep 17, 2019 18:03

Ola posted:
> Hilariously, that has been pwned 120 times.

That's why I use "incorrect horse battery staple" as my password.
Sep 17, 2019 18:14

Nalin posted:
> Installing the KeePass browser plugin for Firefox has changed my life. Let it change your life too.

Which plugin of the 9001 of them do you use?
Sep 17, 2019 18:23

Firefox is moving to a 4-week release cycle (from the current 6-8 week cycle) starting with Firefox 71.
Sep 17, 2019 18:26