|
wolrah posted:I didn't specify a provider for a reason. Everyone has their own threat models and makes their own trust decisions.

CBP is a three letter acronym
|
# ? Nov 15, 2019 00:24 |
|
Ya as unfortunate that it may be, I'll take it over the risk of being held up at the border where I'm a born citizen for christ sake.
|
# ? Nov 15, 2019 00:29 |
|
Lambert posted:With 1password taking VC money, what are good alternatives? What versions of KeePass should one use for Windows and Android?

I'm not sure why VC investment means users need to get out, but whatever. For keepass I use the standard windows version off the keepass site, with gdrive software doing the sync rather than a plugin. And Keepass2Android on my phone, which syncs with google drive automatically.

BitWarden is another (more user friendly) alternative that I just had a good experience with... but they're a for-profit company so if VC is an automatic no they may have the same problem.
|
# ? Nov 15, 2019 01:28 |
|
Why is 1password taking VC money bad?
|
# ? Nov 15, 2019 01:30 |
|
VC money generally pushes for absurd returns on investment (to compensate for all the dog-walking-but-an-app shite they lose money on), and you can't really achieve that by just selling a good product that people want at a reasonable price.
|
# ? Nov 15, 2019 01:34 |
|
I think I’ll just wait til they turn that hypothetical corner, then. Still the best in class product today.
|
# ? Nov 15, 2019 02:20 |
|
AlternateAccount posted:I think I’ll just wait til they turn that hypothetical corner, then. Still the best in class product today.

I feel the same but ty for that Jabor
|
# ? Nov 15, 2019 02:23 |
|
This news would've concerned me 10 years ago when there were no viable alternatives. If 1Password implodes tomorrow from chasing after ROI there are already plenty of options to replace it. I think the shareholders (founders, early employees) are just looking to cash out a little before they have to compete with much, much larger companies. Look at what a unique service Dropbox was until the large companies saw that there's a market for it.
|
# ? Nov 15, 2019 11:35 |
|
Klyith posted:I'm not sure why VC investment means users need to get out, but whatever.

Thanks, I'll check it out!
|
# ? Nov 15, 2019 11:41 |
|
eames posted:This news would've concerned me 10 years ago when there were no viable alternatives. If 1Password implodes tomorrow from chasing after ROI there are already plenty of options to replace it.

It brought about the rise of cheap and easy cloud storage, dramatically reducing the risk of data loss for the average consumer?
|
# ? Nov 15, 2019 14:20 |
|
The Iron Rose posted:It brought about the rise of cheap and easy cloud storage, dramatically reducing the risk of data loss for the average consumer?

That's the argument that poster is making, yes.

Lambert fucked around with this message at 14:41 on Nov 15, 2019 |
# ? Nov 15, 2019 14:34 |
|
The Iron Rose posted:It brought about the rise of cheap and easy cloud storage, dramatically reducing the risk of data loss for the average consumer?

Yes, that’s my point? 1PW pioneered low friction password management and these tools are becoming a commodity. More competition for the company but a net win for all customers. I could easily see Google, Microsoft, Apple & Co rolling out fully featured E2EE password managers in the future. Some people will be skeptical but it would be a win for the average user who is still reusing his password across all sites.

e:fb

eames fucked around with this message at 14:37 on Nov 15, 2019 |
# ? Nov 15, 2019 14:35 |
|
Lol my bad, I read that as being critical and I apologize!
|
# ? Nov 15, 2019 14:38 |
|
I'd probably switch over to some Microsoft/Google password manager in a heartbeat. And maybe Mozilla Lockwise will be worth using a few more updates down the line? Tons of VC money tend to make products worse, so I'm worried about 1pw.
|
# ? Nov 15, 2019 14:42 |
|
I feel like password management is a high risk venture from a business point of view, no matter the revenue potential.
|
# ? Nov 15, 2019 14:53 |
|
CLAM DOWN posted:Why is 1password taking VC money bad?
|
# ? Nov 15, 2019 14:59 |
|
Sickening posted:I feel like password management is a high risk venture from a business point of view, no matter the revenue potential.

Apple seems to manage ok. I'm not sure there's much revenue potential for a MS or Google, but it does seem like a really sticky feature for keeping people in your ecosystem.

Lambert posted:And maybe Mozilla Lockwise will be worth using a few more updates down the line?

Maybe, but the debut gave me little hope. Until Mozilla re-engineers their system to be identity->site rather than site->identity it's a complete nonstarter.

evil_bunnY posted:Same as everyone else taking huge VC money, forces them into a grow huge or die model

This isn't accurate, VCs exist that aren't chasing uber-for-x and this group seems like one of the sane ones. (They're 100% hoping that eventually someone big comes with a big acquisition offer.)
|
# ? Nov 15, 2019 15:51 |
|
e:oops
|
# ? Nov 16, 2019 15:48 |
|
Klyith posted:This isn't accurate, VCs exist that aren't chasing uber-for-x and this group seems like one of the sane ones. (They're 100% hoping that eventually someone big comes with a big acquisition offer.)
|
# ? Nov 16, 2019 17:40 |
|
Hopefully this is a good thread to ask this but what about myQ wifi/app garage door opener security? Should I just stick to pressing the light gray button on the dark gray remote as man has done for decades? Also semi-related what about Kwikset Bluetooth locks? Just use a metal key?
|
# ? Nov 17, 2019 21:36 |
|
tangy yet delightful posted:Hopefully this is a good thread to ask this but what about myQ wifi/app garage door opener security? Should I just stick to pressing the light gray button on the dark gray remote as man has done for decades?

No idea about the myQ opener, but AFAIK all of the Kwikset locks with the easy rekeying feature which I'm pretty sure means all of the smart locks (if it has an extra slot next to the keyway it has this) are weak to a variety of physical attacks.

If you're concerned about the garage door opener but don't want to lose the functionality all you need is a simple relay tied in to a home automation platform of your choice.
|
# ? Nov 18, 2019 01:35 |
|
Tell me about password managers and why I should give my poo poo to a third party application?
|
# ? Nov 18, 2019 02:37 |
|
Combat Pretzel posted:Tell me about password managers and why I should give my poo poo to a third party application?

you shouldn't be using passwords more than once, so you need a way to keep track of all the hundreds of passwords we accumulate nowadays.

as for the 2nd, that's why I use keepass, so I have control of the whole thing. I can just toss my encrypted database on a cloud share and it's pretty close to the ones you pay to give them your info in functionality
|
# ? Nov 18, 2019 02:44 |
|
If you don't use a password manager already, what is your current process for remembering a unique, randomly-generated password for every website you use? Once we know that, we can figure out which strategy is better for you
|
# ? Nov 18, 2019 02:45 |
|
It's pretty straightforward:
- You should use a separate, strong password for every individual service. Using a weak password is bad, and using the same password on different services is bad.
- You can't remember a separate, strong password for every individual service you use.

So instead, you use a password manager to remember all the individual passwords, and the only thing you need to remember is the strong password that unlocks the password manager.

A good password manager will be set up in such a way that you're the only one that actually sees your passwords, so you're not really handing them over to a third party.
|
# ? Nov 18, 2019 02:50 |
|
RFC2324 posted:as for the 2nd, thats why I use keepass, so I have control of the whole thing. I can just toss my encrypted database on a cloud share and its pretty close to the ones you pay to give them your info in functionality Rufus Ping posted:If you don't use a password manager already, what is your current process for remembering a unique, randomly-generated password for every website you use? Once we know that, we can figure out which strategy is better for you Combat Pretzel fucked around with this message at 02:56 on Nov 18, 2019 |
# ? Nov 18, 2019 02:54 |
|
Out of curiosity can you type each of them into https://haveibeenpwned.com/Passwords
|
# ? Nov 18, 2019 03:09 |
|
I do that occasionally. None of the current ones are compromised. Happened only once a long while back. Some Russian teenager snagged my Ubisoft account and played The Crew for months with it. Must have come from one of those leaks, because the account was linked to a Gmail account with a safe password and 2FA, and I never received a mail about password resets or whatever. It's been secured with a new password and 2FA, too, now. I am signed up to that service, so whenever my default email address shows up in a newly detected breach, I get notified.
|
# ? Nov 18, 2019 03:12 |
|
Combat Pretzel posted:What plugin do you use for filling in password fields on web pages? KeeForm?

I don't actually. Most of my password usage is CLI or in an RDP window, so I mostly just use the built in autotype, even for webpages since I am already in the habit.
|
# ? Nov 18, 2019 03:33 |
|
wolrah posted:No idea about the myQ opener, but AFAIK all of the Kwikset locks with the easy rekeying feature which I'm pretty sure means all of the smart locks (if it has an extra slot next to the keyway it has this) are weak to a variety of physical attacks.

Thanks I'll dig into myQ a little more to see what functionality and data policy stuff it has. And for the lock I'll look in the morning and if it has the rekey feature I'll probably replace it within 6 months if the bank account holds up.
|
# ? Nov 18, 2019 07:06 |
|
Rufus Ping posted:Out of curiosity can you type each of them into https://haveibeenpwned.com/Passwords

Why do they invite you to send their server your actual plaintext password string instead of a common hash function of it? Wouldn't that make people feel safer using it, and still come with a negligible chance of false positive?
|
# ? Nov 18, 2019 07:16 |
|
Dumb Lowtax posted:Why do they invite you to send their server your actual plaintext password string instead of a common hash function of it? Wouldn't that make people feel safer using it, and still come with a negligible chance of false positive?

While I have never gone through the source of the site, the API works by having you send the first part of your hash, then it sends back a list of potential matches and you match your hash on the client side. So not only are you not sending your password, you’re not even sending the whole hash.

I imagine that page works the same way.
|
# ? Nov 18, 2019 07:26 |
|
Nah, like, behind that link it appears that it's just got a password entry box right there that says "password" as the placeholder text... if that's the way it is then people are inputting their real passwords there for sure
|
# ? Nov 18, 2019 07:30 |
|
Dumb Lowtax posted:Nah, like, behind that link it appears that it's just got a password entry box right there that says "password" as the placeholder text... if that's the way it is then people are inputting their real passwords there for sure

I'm not great at javascript but looking at the source it seems like it's sending a substring of the sha1 of the password input just like it's described in the about page?

code:
|
# ? Nov 18, 2019 08:51 |
|
The Fool posted:While I have never gone through the source of the site the api works by having you send the first part of your hash, then it sends back a list of potential matches and you match your hash on the client side.

This is correct.

fake edit: Andohz is way faster than me.
|
# ? Nov 18, 2019 16:42 |
|
Rufus Ping posted:Out of curiosity can you type each of them into https://haveibeenpwned.com/Passwords

Better yet, don't type your passwords into a webpage because a stranger tells you to. It happened to be ok this time but even "safe" pages can get hijacked.

The problem with reusing passwords is that some lovely forum that you last used in 2011 will get cracked, and because they were using MD5 (if they were even hashing at all), someone can now automate attacking a variety of sites with 20% of your credentials. If you've ever seen the "I am a hacker and watched you jerk it, your password is 'F@tD1c|<s', give me money or else" that's where that password came from.

The advice used to be "use a separate password for every site that you must not get compromised on" like your bank since you maybe had email, bank, and something else, but with the growing importance of Internet use to everything, you can't remember all of these, so use a password manager so that you only need to remember one. Keepass is the strongest option but the least user friendly, while 1Password and LastPass have browser integration but their own set of (potentially security) problems.

Even a paper notebook works, as long as you're willing to accept loss due to fire or theft, the inconveniences of using one, and are willing to manually think of a strong password for everywhere. It's also a good option if you or someone you need to recommend this to is functionally computer illiterate.

Regardless of what you choose, absolutely never reuse your passwords.
|
# ? Nov 18, 2019 16:52 |
|
Also how many libraries / remote resources does that page call in? Could any of them have some well-hidden custom backdoor that simply polls that text box? It seems like the page owner is in a great position to benefit if they decide to quietly help load someone's corrupt resource, since presumably you get paid a lot if you sell all the passwords that people are sufficiently worried about the security of to enter here. I don't know the answer, but personally I'd rather do the SHA stuff locally and provide only that to the convenient text box.

BTW pwsafe.exe for Windows came up in the other thread and looks extremely lightweight and open source
|
# ? Nov 18, 2019 19:57 |
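Editorial example, added here and not posted by anyone in the thread or taken from the site's code: the hash-prefix lookup The Fool describes, done locally as the post above prefers. The 5-character prefix length and the `SUFFIX:COUNT` response lines are assumptions about the range service, and `make_fake_server` is a constructed offline stand-in for it.

```python
import hashlib

PREFIX_LEN = 5  # assumed: hex chars of the SHA-1 that are sent; the rest stays local


def split_hash(password):
    """Hash locally and split into (prefix to send, suffix to keep)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body):
    """Parse assumed 'SUFFIX:COUNT' lines, ignoring anything malformed."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            found[suffix.upper()] = int(count)
    return found


def breach_count(password, fetch_range):
    """Send only the prefix; compare the suffix on the client side."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def make_fake_server(breached):
    """Constructed stand-in for the range service; records what it was sent."""
    buckets, seen = {}, []
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix):
        seen.append(prefix)
        # A decoy entry stands in for other hashes sharing the same prefix.
        decoy = hashlib.sha1(prefix.encode()).hexdigest().upper()[:35]
        return "\r\n".join(buckets.get(prefix, []) + [f"{decoy}:1"])

    return fetch_range, seen


if __name__ == "__main__":
    fetch, seen = make_fake_server({"password": 1234})  # constructed sample data
    print(breach_count("password", fetch), breach_count("Tr0ub4dor&3-x", fetch))
    print("server saw only:", seen)
```

The server-side log (`seen`) contains nothing but 5-character prefixes, which is the property the thread is arguing about; whether a given page actually runs code like this is a separate question of trusting what it loads.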
|
Password dumps are relatively cheap unless they are specifically targeted.
|
# ? Nov 18, 2019 20:01 |
|
While those are valid concerns for most random websites, Troy Hunt has been around for a while and has a proven track record.
|
# ? Nov 18, 2019 20:04 |
|
The Fool posted:While those are valid concerns for most random websites, Troy Hunt has been around for a while and has a proven track record.

Don't worry; unless things have changed, he's trying to sell it. He'll still be a part of it, at least.

astral fucked around with this message at 20:24 on Nov 18, 2019 |
# ? Nov 18, 2019 20:22 |