rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Pigbuster posted:

Authy is ending support for their desktop app next month, March 19. Is there a good alternative that similarly uses the same account across both mobile and desktop? I don't want to drag my phone out every time I have to log in to a place.

1Password?


Generic Monk
Oct 31, 2011

rafikki posted:

1Password?

It’s the GOAT and absolutely worth the money.

Pigbuster
Sep 12, 2010

Fun Shoe
Already got it, but I’m not keen on having one point of failure or having to enter my password every time I need 2FA (assuming I’d have to; I don’t see the option in any menu while on the lock screen).

Shumagorath
Jun 6, 2001
1Password for passwords and 2FA backup codes, Microsoft Authenticator for the actual 2F.

Internet Explorer
Jun 1, 2005
Why? If someone got access to your 1Password they could still use the backup codes. It doesn't seem like any added protection for a massive reduction in ease of use.

Shumagorath
Jun 6, 2001
If you store the 1Password account secret somewhere safe (and don’t write your passphrase on it) then I don’t think anyone’s getting into your 1Password vault without borderline tailored malware.

Sickening
Jul 16, 2007

Black summer was the best summer.
I really have to assure people that the level of effort someone needs in order to access your 1Password account is extremely high. Y'all giving up the convenience of 1Password authenticators on shared accounts and the autofill feature seems insane.

The weak link is going to be something else. Lastpass is the cheating ex you gotta move on from and learn to trust again.

Internet Explorer
Jun 1, 2005
Shumagorath posted:

If you store the 1Password account secret somewhere safe (and don’t write your passphrase on it) then I don’t think anyone’s getting into your 1Password vault without borderline tailored malware.

I agree, which is why I am asking why you bother to use Microsoft Authenticator for your MFA and store your backup codes in 1Password. Unless I misunderstood you?

Shumagorath
Jun 6, 2001
I don’t need to split my vault and 2FA, but I already have, and MS Auth lets me do one-touch 2FA for the stuff I use most. If I ever switch phone operating systems again (iOS will only let you export to iCloud / Worst Cloud whereas Android backs up to OneDrive) then I’ll consider going all-in on 1Password.

Nalin
Sep 29, 2007

Hair Elf
I'm lazy and put my TOTP in both Authy and KeePass.

Internet Explorer
Jun 1, 2005
Shumagorath posted:

I don’t need to split my vault and 2FA, but I already have, and MS Auth lets me do one-touch 2FA for the stuff I use most. If I ever switch phone operating systems again (iOS will only let you export to iCloud / Worst Cloud whereas Android backs up to OneDrive) then I’ll consider going all-in on 1Password.

Ah, I understand. I thought it was more a recommendation than that.

Yeah, I use 1Password for all of my MFA. And my family's. And any orgs I do work with. My only MFA not in 1Password is my MFA to get into 1Password.

Shumagorath
Jun 6, 2001

Internet Explorer posted:

My only MFA not in 1Password is my MFA to get into 1Password.
That’s also my thinking; if I need 2 MFAs I might as well maintain the split I have.

There are still 2-3 accounts where I never put the whole mechanism into any vaults; just memorizing an adequate password and still using 2FA. My ability to completely recover everything from memory died with the family copper landline, so now I like to have services that can support each other and one key for each lives in my head or on-body.

Mustache Ride
Sep 11, 2001

Could use 1Password and Bitwarden

I’m lazy so I just use Bitwarden for both

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Hed posted:

I WISH I could get my flipper to do something useful like be an opener for my garage door or car doors

I use mine to emulate amiibos.

I tried to get it to unlock my car, but I guess the flipper can’t do rolling code or something 🤷

Accipiter
Jan 24, 2004

SINATRA.

MustardFacial posted:

I tried to get it to unlock my car, but I guess the flipper can’t do rolling code or something 🤷

You're very lucky you didn't desync your keyfob.
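Added example, not from MustardFacial, Accipiter or the Flipper project: a simplified model of why a rolling-code fob can be put out of sync. The protocol here is hypothetical (an HMAC tag over serial and press counter), not KeeLoq or any real car's scheme, and the key is a constructed string; it is written in Go using only the standard library. It shows a captured frame being rejected on replay, a fob pressed many times out of range landing outside the receiver's window, the usual two-press resync, and what happens when something else that holds the key (an emulator) transmits a counter inside the window: the receiver moves ahead of the real fob, which then looks like a replay until it catches up.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is one button press on the air: which fob, its press counter, and a
// tag over both. Hypothetical format; real systems encrypt rather than MAC.
type Frame struct {
	Serial  uint32
	Counter uint32
	Tag     [8]byte
}

func makeTag(key []byte, serial, counter uint32) [8]byte {
	var buf [8]byte
	binary.BigEndian.PutUint32(buf[:4], serial)
	binary.BigEndian.PutUint32(buf[4:], counter)
	m := hmac.New(sha256.New, key)
	m.Write(buf[:])
	var out [8]byte
	copy(out[:], m.Sum(nil))
	return out
}

// Fob increments its counter on every press, in range of the car or not.
type Fob struct {
	Serial  uint32
	Key     []byte
	Counter uint32
}

func (f *Fob) Press() Frame {
	f.Counter++
	return Frame{f.Serial, f.Counter, makeTag(f.Key, f.Serial, f.Counter)}
}

// Receiver remembers the last counter it accepted and tolerates a gap of
// Window presses (the fob being pressed in a pocket, out of range).
type Receiver struct {
	Serial uint32
	Key    []byte
	Last   uint32
	Window uint32
}

func (r *Receiver) valid(fr Frame) bool {
	if fr.Serial != r.Serial {
		return false
	}
	want := makeTag(r.Key, fr.Serial, fr.Counter)
	return hmac.Equal(want[:], fr.Tag[:])
}

// Accept reports whether a single frame unlocks the car.
func (r *Receiver) Accept(fr Frame) bool {
	if !r.valid(fr) {
		return false
	}
	if fr.Counter <= r.Last {
		return false // already used: a captured-and-replayed frame lands here
	}
	if fr.Counter > r.Last+r.Window {
		return false // too far ahead: fob and receiver are out of sync
	}
	r.Last = fr.Counter
	return true
}

// Resync models the usual recovery ("press the button twice near the car"):
// two consecutive valid counters are accepted even beyond the window, but
// only if they are still ahead of the receiver's counter.
func (r *Receiver) Resync(a, b Frame) bool {
	if !r.valid(a) || !r.valid(b) || b.Counter != a.Counter+1 || a.Counter <= r.Last {
		return false
	}
	r.Last = b.Counter
	return true
}

func main() {
	key := []byte("constructed-demo-key") // constructed; never a real manufacturer key
	fob := &Fob{Serial: 0x1234, Key: key}
	car := &Receiver{Serial: 0x1234, Key: key, Window: 16}

	captured := fob.Press()
	fmt.Println("legit press:", car.Accept(captured))  // true
	fmt.Println("replay of it:", car.Accept(captured)) // false: counter already used
	for i := 0; i < 20; i++ {
		fob.Press() // pressed out of range, beyond the window
	}
	fmt.Println("fob after 20 blind presses:", car.Accept(fob.Press())) // false: desynced
	a, b := fob.Press(), fob.Press()
	fmt.Println("two presses to resync:", car.Resync(a, b)) // true

	// An emulator holding the key and a counter inside the window is accepted;
	// afterwards the real fob, whose counter is lower, is treated as a replay.
	emu := &Fob{Serial: 0x1234, Key: key, Counter: car.Last + 5}
	fmt.Println("emulator press:", car.Accept(emu.Press())) // true
	fmt.Println("real fob now:", car.Accept(fob.Press()))    // false: behind the receiver
}
```

The last two lines are the point of Accipiter's warning: a plain replay of a recorded frame fails harmlessly, but anything that successfully advances the receiver's counter leaves the real fob behind it, and in this model it cannot resync until its own counter has passed the receiver's.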

SlowBloke
Aug 14, 2017

Pigbuster posted:

Authy is ending support for their desktop app next month, March 19. Is there a good alternative that similarly uses the same account across both mobile and desktop? I don't want to drag my phone out every time I have to log in to a place.

KeePassXC can let you add TOTP to a password registration if you want to manage the database location, otherwise all major password managers with cloud storage can manage TOTP items.
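Added example, not from any poster, KeePassXC or 1Password: what a vault actually stores when you "add TOTP" to an entry is the otpauth:// URI behind the enrolment QR code, and the six-digit code is nothing more than RFC 6238 HMAC arithmetic over the secret in that URI. That is why Nalin's secret in both Authy and KeePass, or the same item in 1Password on phone and desktop, produce identical codes. The Go program below (standard library only) parses such a URI, computes codes and verifies one with clock-drift tolerance. The URI and label are constructed; its secret is the RFC 6238 test key "12345678901234567890" so the output can be checked against the RFC's table.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// TOTPParams is what a vault keeps when you add TOTP to an entry: the fields
// of the otpauth:// URI behind the enrolment QR code.
type TOTPParams struct {
	Label  string
	Secret []byte // raw shared secret, decoded from base32
	Algo   string // SHA1 (default), SHA256 or SHA512
	Digits int
	Period int64
}

// ParseOTPAuth parses otpauth://totp/LABEL?secret=...&algorithm=...&digits=...&period=...
func ParseOTPAuth(raw string) (*TOTPParams, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, fmt.Errorf("not an otpauth://totp URI")
	}
	q := u.Query()
	// Secrets are base32; padding is usually omitted and case varies between issuers.
	s := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("bad secret: %w", err)
	}
	p := &TOTPParams{Label: strings.TrimPrefix(u.Path, "/"), Secret: secret, Algo: "SHA1", Digits: 6, Period: 30}
	if a := q.Get("algorithm"); a != "" {
		p.Algo = strings.ToUpper(a)
	}
	if d := q.Get("digits"); d != "" {
		if p.Digits, err = strconv.Atoi(d); err != nil {
			return nil, err
		}
	}
	if per := q.Get("period"); per != "" {
		if p.Period, err = strconv.ParseInt(per, 10, 64); err != nil {
			return nil, err
		}
	}
	return p, nil
}

func (p *TOTPParams) hasher() func() hash.Hash {
	switch p.Algo {
	case "SHA256":
		return sha256.New
	case "SHA512":
		return sha512.New
	default:
		return sha1.New
	}
}

// HOTP is RFC 4226: HMAC(secret, counter) with dynamic truncation to N digits.
func HOTP(h func() hash.Hash, secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(h, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// CodeAt is RFC 6238: HOTP with counter = floor(unixTime / period).
func (p *TOTPParams) CodeAt(unix int64) string {
	return HOTP(p.hasher(), p.Secret, uint64(unix/p.Period), p.Digits)
}

// Verify accepts the code for the current step or up to skew steps either
// side (the usual allowance for clock drift), comparing in constant time.
func (p *TOTPParams) Verify(code string, unix int64, skew int64) bool {
	step := unix / p.Period
	ok := false
	for i := -skew; i <= skew; i++ {
		want := HOTP(p.hasher(), p.Secret, uint64(step+i), p.Digits)
		if hmac.Equal([]byte(code), []byte(want)) {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed URI; the secret is the RFC 6238 test key "12345678901234567890" in base32.
	uri := "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
	p, err := ParseOTPAuth(uri)
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Label, "code at T=59:", p.CodeAt(59)) // 287082 per RFC 6238
	fmt.Println(p.Label, "code now:", p.CodeAt(time.Now().Unix()))
}
```

The security point of the thread follows directly from the code: the base32 secret is the whole second factor. Whoever holds it (every vault you paste it into, and every backup of that vault) can compute every future code, which is the trade-off Internet Explorer and Shumagorath are weighing when they talk about keeping TOTP and the password in the same place.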

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Mustache Ride posted:

Could use 1Password and Bitwarden

I’m lazy so I just use Bitwarden for both

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


If a site doesn't let me do MFA with Yubikey it doesn't deserve to have it stored outside 1Password.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


I spent a chunk of the weekend going through my 1Password, rotating really old passwords (especially ones with lower complexity) and also setting up Passkey everywhere I can and eliminating old defunct sites.

Dear god is passkey still such a shitshow.

First and foremost, 1Password can't do autofill of passkeys in Chrome on Android yet. So anything I set up in 1Password by itself can only actually be used on a desktop browser or in apps on Android. I got around that by setting up two passkeys (one in 1Password and one in Android synced to my Google account) in every place that allowed me to do it.

But then most places' implementation of it, when it actually was supported, was pretty bad.

Virtually no one lets you disable password auth when you do passkey, so you are missing out on one big security aspect of it since if the site has a breach that exposes passwords, you are still affected.

PayPal doesn't recognize 1Password as a valid place to store passkeys so it errors on setup. I was able to set it up on Android but a whole fat lot of good that does because they still require you to MFA with passkeys (as does Amazon). So, not only are you not getting all the security benefits, you aren't getting the convenience benefits either.

Best Buy's interface is straightforward enough and it seems to allow you to bypass the text based MFA which is good, but password still works when you have passkeys set up.

CVS bypasses MFA as well it seems like, but setup is a bit of a shitshow in that you have to have it actually prompt you to setup a passkey on login as there's nothing at all in the account settings that lets you manage them. So, if you issue a passkey there seems to be no way to revoke it right now.

LinkedIn claims to support it, but I have no such setting in my user control panel.

Twitter only supports it on iOS devices and nothing else.

Microsoft only supports it in desktop browsers (though thankfully it recognizes 1Password), you don't have the option to set it up under Android. It bypasses MFA at least though.

Out of everything, Synology seems to be the one doing the best with it. You set up a passkey, it disables your password login and their app based MFA. You can use either/or but not both at once. You can even freeform name the device/method the key represents instead of just taking the browser info. Only thing that's kind of amiss is that their account recovery when using passkey, if you lose it, only seems to be text message based.

None of my financial institutions or medical stuff has added a passkey option (or even have MFA beyond email or text based offerings.)
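Added example, not from bull3964 or from any of the sites named above: the server side of a passkey login, in Go using only the standard library, to make concrete the "breach that exposes passwords" point. A relying party stores a public key and a signature counter per passkey and nothing else, so a dump of that table cannot be used to log in, whereas leaving password login enabled keeps the password hash in play. The code is simplified to ES256 with no attestation and no extensions, the authenticator is simulated in the same file, and the challenges and origins are constructed. The checks it performs (challenge, origin, rpIdHash, UP/UV flags, signature, counter) are the ones in the WebAuthn assertion verification procedure.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// StoredCredential is everything the site keeps for one passkey. A dump of
// this table gives an attacker public keys only; there is no hash to crack.
type StoredCredential struct {
	Public    *ecdsa.PublicKey
	SignCount uint32
}

// clientData is the subset of clientDataJSON the server must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion performs the relying-party checks for a login assertion
// (ES256 only). The signature covers authenticatorData || SHA-256(clientDataJSON).
func VerifyAssertion(cred *StoredCredential, rpID, origin, challenge string, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("not a login ceremony")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	if len(authData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x05 != 0x05 { // bit 0 = user present, bit 2 = user verified
		return errors.New("user presence/verification flags not set")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.Public, digest[:], sig) {
		return errors.New("bad signature")
	}
	// A counter that did not increase suggests a cloned key. Synced passkeys
	// (password managers, platform clouds) usually report 0 for exactly that
	// reason, which is why the zero/zero case is exempt.
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.SignCount = count
	return nil
}

// SimAuthenticator stands in for the passkey provider on the user's side.
type SimAuthenticator struct {
	Priv  *ecdsa.PrivateKey
	Count uint32
}

func NewSimAuthenticator() (*SimAuthenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimAuthenticator{Priv: k}, nil
}

// Assert builds authenticatorData, clientDataJSON and the signature for a
// login at the given origin, as a browser and authenticator would.
func (a *SimAuthenticator) Assert(rpID, origin, challenge string) (authData, clientDataJSON, sig []byte, err error) {
	a.Count++
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x05) // UP | UV
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.Count)
	authData = append(authData, cnt[:]...)
	if clientDataJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}); err != nil {
		return nil, nil, nil, err
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.Priv, digest[:])
	return authData, clientDataJSON, sig, err
}

func main() {
	auth, err := NewSimAuthenticator()
	if err != nil {
		panic(err)
	}
	cred := &StoredCredential{Public: &auth.Priv.PublicKey} // what registration leaves in the DB
	const rpID, origin = "example.com", "https://example.com"  // constructed
	ad, cd, sig, _ := auth.Assert(rpID, origin, "challenge-1")
	fmt.Println("login:  ", VerifyAssertion(cred, rpID, origin, "challenge-1", ad, cd, sig))
	fmt.Println("replay: ", VerifyAssertion(cred, rpID, origin, "challenge-2", ad, cd, sig))
	ad, cd, sig, _ = auth.Assert(rpID, "https://evil.example", "challenge-3")
	fmt.Println("phished:", VerifyAssertion(cred, rpID, origin, "challenge-3", ad, cd, sig))
}
```

Two things worth noticing against the posts above. The origin check is what makes a passkey phishing-resistant: an assertion the browser produced for a lookalike site carries that site's origin and fails here. And the stored record contains nothing that lets anyone produce a new assertion, which is the benefit a site throws away when it keeps password login enabled alongside the passkey.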

Chronojam
Feb 20, 2006

This is me on vacation in Amsterdam :)
Never be afraid of being yourself!


bull3964 posted:

None of my financial institutions or medical stuff has added a passkey option (or even have MFA beyond email or text based offerings.)

In 2024, we're lucky they aren't still just sending them plain-text. Best Buy has better security than your bank and who knows when that will change.

Fart Amplifier
Apr 12, 2003

Why would you want your passkeys in 1pass?

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Fart Amplifier posted:

Why would you want your passkeys in 1pass?

So they synchronize across everything, same as any other reason why you would use 1Password.

evobatman
Jul 30, 2006

it means nothing, but says everything!
Pillbug
Is the built-in password manager in Chrome OK? I'm a basic bitch, and from the user experience standpoint it works fine for me. I have 2FA on my google account, and a passphrase on my Chrome data sync.

The Fool
Oct 16, 2003


browser password managers are fine these days, the only issue being how to deal with passwords you need to use outside of the browser

Armauk
Jun 23, 2021


evobatman posted:

Is the built-in password manager in Chrome OK? I'm a basic bitch, and from the user experience standpoint it works fine for me. I have 2FA on my google account, and a passphrase on my Chrome data sync.

Just use Bitwarden.

Accipiter
Jan 24, 2004

SINATRA.
Yay Bank of America.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
Vibe check this statement for me:

quote:

I am always going to assume breach in all circumstances. Hedging your bets on "well the attackers would have to already be on the inside to exploit this" is in my opinion, an irresponsible stance for a cybersecurity professional. It's not 2012, perimeter security is dead.

Sickening
Jul 16, 2007

Black summer was the best summer.

MustardFacial posted:

Vibe check this statement for me:

Countless breaches happen because the "perimeter" was bypassed for the sake of employee personal convenience and delicate feelings. Yes I am bitter. Yes I had a developer so angry they almost cried because a random loving terminal app they installed on their MacBook Pro automatically uninstalled and they weren't consulted/warned weeks in advance.

Internet Explorer
Jun 1, 2005
MustardFacial posted:

Vibe check this statement for me:

That's just a way of saying zero trust. I might be a little nicer about how I said it, but on the technical side it is good and true.

corgski
Feb 6, 2007

Silly goose, you're here forever.

Perimeter security is dead and the average user is going to find workarounds for anything you do, well-intentioned or not, if they at all perceive you as being the enemy of them getting their job done. Yes that includes if their workflow depends on their special snowflake terminal application and suddenly it goes away.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.

MustardFacial posted:

Vibe check this statement for me:

It is a correct statement.

Wibla
Feb 16, 2011

MustardFacial posted:

Vibe check this statement for me:

It checks out.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Internet Explorer posted:

That's just a way of saying zero trust. I might be a little nicer about how I said it, but on the technical side it is good and true.

While yes it is a proponent of zero trust, I've always used it in the sense of assuming an attack will happen, or is presently happening. I think of it more as a mindset to approach the field, and not necessarily as part of a framework.


Sickening posted:

Countless breaches happen because the "perimeter" was bypassed for the sake of employee personal convenience and delicate feelings. Yes I am bitter. Yes I had a developer so angry they almost cried because a random loving terminal app they installed on their MacBook Pro automatically uninstalled and they weren't consulted/warned weeks in advance.

While I totally agree with you, I don't have enough dedicated cybersecurity experience to make a statement like that.

corgski posted:

Perimeter security is dead and the average user is going to find workarounds for anything you do, well-intentioned or not, if they at all perceive you as being the enemy of them getting their job done. Yes that includes if their workflow depends on their special snowflake terminal application and suddenly it goes away.

It's always the loving developers.

Sickening
Jul 16, 2007

Black summer was the best summer.

corgski posted:

Perimeter security is dead and the average user is going to find workarounds for anything you do, well-intentioned or not, if they at all perceive you as being the enemy of them getting their job done. Yes that includes if their workflow depends on their special snowflake terminal application and suddenly it goes away.

They can use one of the other dozen approved terminal apps and go about their lives. If that causes them to view security as their mortal enemy, so be it.

MustardFacial posted:

It's always the loving developers.

I wish it were true, they are just throwing the biggest baby tantrums lately. The industry's small pivot away from kissing the feet of devs isn't being taken so well.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Internet Explorer posted:

That's just a way of saying zero trust. I might be a little nicer about how I said it, but on the technical side it is good and true.

I could not think of a nicer way to say it while still being succinct so I had Copilot do it for me

quote:

In light of our evolving security landscape, I believe it is prudent for us to adopt a proactive approach in protecting our organization's data. Rather than assuming our current security measures are foolproof, it is essential to remain vigilant and consider the possibility of breaches occurring from both internal and external sources.

With the increasing sophistication of cyber attackers, relying solely on perimeter security is no longer sufficient.


Sickening posted:

I wish it were true, they are just throwing the biggest baby tantrums lately. The industry's small pivot away from kissing the feet of devs isn't being taken so well.

My entire sysadmin, devops, and cloud admin career has been fighting against developers wanting some stupid bullshit approved, or complaining that SonarQube rejected their lovely insecure code, or demanding they be exempted from update policies because it "disrupts their workflow"

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

MustardFacial posted:

Vibe check this statement for me:

True and accurate. Might want to soften the blow depending on the audience, but I have had many conversations with managers that sound like this.

Your second shot at it right above this is a good edit to ensure nobody decides to throw a tantrum over you being curt, while still sending the same message.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
https://www.youtube.com/watch?v=fiCZP09F6FQ

corgski
Feb 6, 2007

Silly goose, you're here forever.

Sickening posted:

They can use one of the other dozen approved terminal apps and go about their lives. If that causes them to view security as their mortal enemy, so be it.

Soft skills are important, nobody likes a BOFH and if you want people to proactively engage with security you need to be respected.

Nuclearmonkee
Jun 10, 2009


MustardFacial posted:

While yes it is a proponent of zero trust, I've always used it in the sense of assuming an attack will happen, or is presently happening. I think of it more as a mindset to approach the field, and not necessarily as part of a framework.

The framework is good but yes the mentality of viewing everything that ever touches a network as a vector is really the only way to approach things.

All we are all doing is making the blast radius as small as we can and making it harder to move laterally so attackers have to work for it. Then they are more likely to trip alarms and responses built around these systems. That’s really all that can be done.

Having a functional edge firewall to protect you from direct external attacks is the lowest hanging fruit and yet I still see a frustrating number of people going around with the whole “well, if they’re in the perimeter, we already lost. May as well give up” mentality. These people will never go away.

Developers will absolutely be terrible offenders if given a chance. But really if you have proper governance and modern devops practices, the worst they should be able to do practically is slip through (mostly automated) security testing when they’re trying to push something. Or maybe they compromise their dev/test environment. Nothing will stop them from writing terrible software, but if your system can keep the most egregious poo poo out of production and away from real things, then it’s all good. Keep them in the development shame cube with a very small window to get their stuff into prod and it’s fine.


MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

corgski posted:

Soft skills are important, nobody likes a BOFH and if you want people to proactively engage with security you need to be respected.

I don't think anybody is advocating for being a BOFH, and one of the main goals of an effective cyber team should be to work with other teams to find equitable solutions and not just throw mandates over the wall and tell them to figure it out. However, both teams have to be equally invested. If cyber has gone through the effort of approving multiple terminal apps for people to choose from and they're still going "But that's not my favourite one though!" Then that's on them to get in a huff about. Resources aren't endless, there has to be flexibility from both sides.
