FunOne posted:
Best recommendations for password managers? Surely keeping them all in a Google Spreadsheet isn't considered best practice. I'm not interested in spending money on a service though. How is Safewin Cloud?

Local only KeePass/PasswordSafe are decent. Online I'd say lastpass.
Posted: Dec 20, 2015 22:41

Posted: May 4, 2024 23:56
|
FSMC posted:
Are there any safe keepass or 1pass ports for android? I went for lastpass a few years ago because all the android apps for keepass looked like sketchy unofficial ports.

1password has an android app, I can't really speak to its safety though.
Posted: Dec 22, 2015 02:40
|
Is there ever a valid reason for the PasswordNotRequired AD attribute to be set to True?
PBS fucked around with this message at 04:01 on Dec 23, 2015
Posted: Dec 23, 2015 02:57

OSI bean dip posted:
Microsoft has terrible documentation on this but its purpose is not for the user but for the administrator to set a blank (null) password. With this flag, users cannot change their passwords to blank but passwords can be set to blank by an administrator.

Ah alright. So it doesn't necessarily mean the password is null or that you can proceed past authentication without one, but the potential for accounts with null passwords is there so long as it's enabled.
PBS fucked around with this message at 05:25 on Dec 23, 2015
Posted: Dec 23, 2015 05:20
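A defender's check for the point above: the attribute is bit 0x0020 (PASSWD_NOTREQD) of userAccountControl, and `Get-ADUser -Filter 'PasswordNotRequired -eq $true'` lists it directly on a domain. This added example (mine, not from the thread) decodes an exported userAccountControl column instead, so it runs offline; the CSV and account names are constructed.

```python
import csv
import io

# userAccountControl bit flags, as documented by Microsoft for Active Directory.
PASSWD_NOTREQD = 0x0020          # the bit behind the PasswordNotRequired attribute
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample export (sAMAccountName,userAccountControl), the shape an
# ldapsearch or csvde dump gives; none of these accounts are real.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
jdoe,512
svc_backup,544
old_temp,546
WS01$,4096
"""

def decode_flags(uac: int) -> list:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]

def find_passwd_notreqd(export_text: str) -> list:
    """Accounts with PASSWD_NOTREQD set, enabled ones first.

    A hit is not proof of a blank password, only that an admin could have set
    one, so each enabled hit is something to verify by hand.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if uac & PASSWD_NOTREQD:
            hits.append({"name": row["sAMAccountName"],
                         "enabled": not (uac & ACCOUNTDISABLE),
                         "flags": decode_flags(uac)})
    hits.sort(key=lambda h: (not h["enabled"], h["name"]))
    return hits

if __name__ == "__main__":
    for hit in find_passwd_notreqd(SAMPLE_EXPORT):
        print(hit)
```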
|
If you log into a website with a user id and an rsa token (generated on a laptop / mobile, using a pin), would the login to the website be considered 2fa? It seems to meet the requirements. (something you have, something you know)
Posted: Feb 15, 2016 22:36
|
EVIR Gibson posted:
No. For proper 2fa you need something you know (password) and something you have (token).

I figured someone might interpret it that way; I wasn't mentioning the userID as a second factor, I was just mentioning that it was a field that was present. Sorry for the confusion. To reword my question, I'm curious if the website login itself is considered 2FA if the only login requirements are a UserID and a "passcode". The passcode itself would likely be considered 2FA since you need an RSA enrolled device and to know the PIN used to generate the token. (have/know fulfilled) The benefit I see to this approach is you're only entering a TOTP on public/insecure devices. This is of limited use from the perspective of protecting data that's being accessed on a public device, but it would prevent capturing the credentials and using them for some other system. The fault is that the password you're now authenticating with is just eight numeric characters that change every X seconds.
Posted: Feb 16, 2016 01:40
|
Subjunctive posted:
If you force the user to change their password after every login, does simple u+o auth become 2-factor? I certainly wouldn't say so.

I get what you're saying (maybe), but in this case the password itself is 2fa to get. If I'm answering my own question I'd say no, the weblogin itself isn't 2fa because you're just entering a single passcode to authenticate. (Even though the passcode itself is 2fa to get) I'm wondering if this kind of login would be considered secure overall, and what any obvious pitfalls to it would be.
PBS fucked around with this message at 02:10 on Feb 16, 2016
Posted: Feb 16, 2016 02:06
|
Dex posted:
i'm confused. securid works with your pin(something you know) and your token code(something you have, changes every 60 seconds), and the two of those must be correct when you're challenged. so your passphrase is PASSWORD123456 or PASSWORD456789 or whatever. are you asking about using the code _only_? don't do that.

Let me explain a little further. The goal is to log into X website, the website login page has two fields. One field is UserID, the other is Passcode. The passcode itself is something you generate. You generate the passcode by entering your PIN into an RSA SecureID token client, either on a phone or computer. So if your PIN is 123456, you input this into the SecureID token client and it will spit out something like 01923227. Go back to the webpage, enter userid in userid field, enter 01923227 in the passcode field, hit login.
PBS fucked around with this message at 02:28 on Feb 16, 2016
Posted: Feb 16, 2016 02:21
|
There's a lockout policy in place.
Posted: Feb 16, 2016 02:50
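What the server side of the scheme discussed above has to get right, as an added example that is not from the thread: an RFC 6238 TOTP verifier that accepts each time step at most once (no replay of a captured code) and locks out after a run of failures, which is what keeps an 8-digit code space usable. RSA SecurID uses its own token algorithm, so this is a stand-in with the same verification concerns; the key is the RFC 6238 test key and the timestamps are constructed.

```python
import hashlib
import hmac
import struct

DIGITS = 8        # the "eight numeric characters" from the thread
STEP = 30         # seconds per code
MAX_FAILURES = 5  # constructed lockout threshold

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, at // step)

class OtpVerifier:
    """Server-side check: one acceptance per time step, lockout after MAX_FAILURES."""
    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1,
                 max_failures: int = MAX_FAILURES):
        self.secret, self.step, self.skew = secret, step, skew
        self.max_failures = max_failures
        self.last_counter = -1   # highest time step already consumed
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str, now: int) -> bool:
        if self.locked():
            return False
        counter = now // self.step
        # Allow one step of clock skew either side, but never a step already used.
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # a captured code cannot be replayed
                self.failures = 0
                return True
        self.failures += 1
        return False

RFC_SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test key (not a real secret)
```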
|
Seems as simple as not having autofill on. I have lastpass set so I manually fill username/password fields. The near-zero effort it takes to use their service on multiple devices is what has kept me with them, maybe something better will come along some day. I've seen dashlane around recently, not sure they really offer anything that no one else does. Their "security" page isn't very reassuring, https://www.dashlane.com/security
Posted: Jul 28, 2016 00:30
|
OSI bean dip posted:
So what will you do for the next vulnerability?

I sent them an email asking them to stop having vulnerabilities, I'm pretty sure all potential issues will now be resolved. I sent similar emails to Oracle, Microsoft, Adobe, Cisco, and Apache as well. I like to try to be proactive.
Posted: Jul 28, 2016 02:09
|
OSI bean dip posted:
I don't think that you understand the problem with LastPass.

Other than being a big juicy target maybe I don't. Seems like few devs actually give a poo poo about security, and internally everything is somehow a shitshow with walls thrown up around it. From my viewpoint no known major compromises for as long as they've been around given the target on their back is decent. Are you aware of an exact alternative that you'd consider to be more secure? If yes, can you explain your reasoning? I value your opinion if you care to expound.
Posted: Jul 28, 2016 02:31
|
OSI bean dip posted:
Here's the thing: LastPass cannot be audited. You have no idea about the server-side aspect of how it runs and there have been far many problems. Nobody in here will be able to tell us how the server-side works and any suggestion that they're confident that they have made things secure is kidding themselves and are really giving charlatan-level advice.

I appreciate the reply. In summary, you're saying that any company that provides a service exactly like lastpass's would be considered similarly a bad decision to utilize? Realistically, what separates lastpass from any other company that I have to place a fair amount of trust in to keep my money/information/etc secure? (If anything beyond the obvious that it stores my passwords for all other services)
Posted: Jul 28, 2016 02:54
|
OSI bean dip posted:
Yes. Anyone who follows the same model like LastPass is likely to have the same problem.

It seems like a significant convenience/feature loss to switch off, but I guess it wouldn't hurt to look at the alternatives a bit more.
Posted: Jul 28, 2016 03:27
|
ming-the-mazdaless posted:
Honest is not brutal.

It's definitely brutal. It being honest or a curse to IT/InfoSec doesn't change that.
Posted: Sep 5, 2016 14:28
|
OSI bean dip posted:
Still using LastPass?

Those replies, 10/10.
Posted: Mar 16, 2017 05:22
|
1password makes it hilariously difficult to import from lastpass. https://support.1password.com/import-lastpass/
Posted: Mar 22, 2017 01:29
|
OSI bean dip posted:
Welcome to the hell that is getting your data from a cloud-based service.

LastPass wins on the import for sure. Looking through the import to 1password now as well, total poo poo tier import. Might as well have done it by hand, going to have to anyway. 1/12 Stars
PBS fucked around with this message at 01:59 on Mar 22, 2017
Posted: Mar 22, 2017 01:53
|
Cup Runneth Over posted:
LastPass -> Tools -> Import From -> LastPass

Trashed 1password, it butchered the import completely. Tested out the form fill and it doesn't even work on some popular sites I tried. (With new, non-butchered items) New subscription based model they're using is 3$ a month, 3x the cost of lastpass premium which isn't even necessary anymore. Yeah, security is important so lastpass needs to go, but I don't see 1password as a viable replacement for it.
Posted: Mar 22, 2017 02:20
|
OSI bean dip posted:
Use LastPass Pocket if you need to export it.

Export from the browser plugin is fine, it's even what 1password tells you to do. 1password seems to just be incapable of importing correctly.
Posted: Mar 22, 2017 02:38
|
OSI bean dip posted:
So what languages does he code in primarily?

HTML

oh
PBS fucked around with this message at 01:38 on Mar 29, 2017
Posted: Mar 29, 2017 01:33
|
Humble Bundle up with some decent books if anyone's interested. Don't think I saw this posted here yet. https://www.humblebundle.com/books/cybersecurity-wiley
Posted: Jul 18, 2017 05:05
|
mewse posted:
Snagged this. I didn't own a copy of Applied Cryptography so it was kinda a no-brainer

You may've read it already, but Cryptography Engineering has superseded it and is also in the bundle.
Posted: Jul 18, 2017 16:54
|
*snip*
PBS fucked around with this message at 17:10 on Sep 4, 2017
Posted: Aug 23, 2017 15:21
|
The fix apparently breaks file sharing.
Posted: Nov 30, 2017 17:17
|
gourdcaptain posted:
And in "I am genuinely completely baffled", my Lenovo Yoga 700-11isk, the Skylake (Intel Core m5-6Y54) tablet convertible that tests vulnerable to the Intel Management Engine issues with Intel's detection tools but wasn't on Lenovo's list of vulnerable laptops:

I'm surprised it even went that far.
Posted: Dec 11, 2017 15:50
|
Anyone here have experience with BeyondTrust's Password Safe?
Posted: Apr 20, 2018 00:27
|
22 Eargesplitten posted:
Is this the place to ask about the security of popular plug-ins? My wife mentioned the "Honey" plug-in to me, the one that automatically finds coupons. For some reason it sent off spyware alarms in my head. Is that valid? Is there a site that keeps track of stuff like this?

It tracks the pages you visit (ofc), but beyond that it's a fairly popular and well known plugin.
Posted: Apr 21, 2018 17:39
|
My company has recently started forcing cache-control headers that turn off all client/server side caching for all of our webapps via our shared apache servers. Is this common, or is it as dumb as it seems?
Posted: Apr 30, 2018 01:49
|
Space Gopher posted:
If you're only talking about APIs, it might make sense as step zero in figuring out a caching strategy. API response caching gets important at scale, but "don't cache anything" is a safe default while you catalog your endpoints and try to understand what requests you can serve from cache and what needs to hit the backing server every time.

No, everything. I'm told the decision comes down from infosec. I assume they blindly don't trust that applications are handling caching properly and so strip the headers and force their own.
Posted: Apr 30, 2018 04:00
|
Yeah, I assume that's talking about using it for pages that it should be used for, not recommending it be blindly set for 100 random applications.
Posted: Apr 30, 2018 05:00
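The distinction drawn above (no-store where the response actually carries session data, normal caching elsewhere), as an added example that is not from the thread. The rules, paths and sample responses are constructed; in the setup described, the same decisions would live in Apache mod_headers `Header set Cache-Control` directives scoped per location rather than in application code.

```python
from dataclasses import dataclass

# The blanket setting from the thread: applied to everything, it also disables
# caching of public pages and immutable static assets.
BLANKET = "no-cache, no-store, must-revalidate"

@dataclass
class Response:
    path: str
    has_session: bool   # request carried a session cookie or auth header

def cache_control_for(r: Response) -> str:
    """Targeted policy: store nothing that may be private, cache the rest."""
    # Fingerprinted assets under /static/ never change under the same URL
    # (constructed convention), so a long-lived public cache is safe.
    if r.path.startswith("/static/"):
        return "public, max-age=31536000, immutable"
    # Anything rendered for an authenticated user may contain private data;
    # no-store keeps it out of shared and browser caches (OWASP's guidance).
    if r.has_session:
        return "no-store"
    # Public dynamic pages: caches may keep a copy but must revalidate first.
    return "no-cache"

def compare_policies(responses) -> dict:
    """Map each path to (blanket header, targeted header)."""
    return {r.path: (BLANKET, cache_control_for(r)) for r in responses}

def over_restricted(responses) -> list:
    """Paths the blanket header forbids from caching that the targeted policy allows."""
    return [r.path for r in responses if cache_control_for(r) != "no-store"]

# Constructed sample traffic for a typical webapp.
SAMPLE = [
    Response("/static/app.3f9c1a.js", has_session=False),
    Response("/account/settings", has_session=True),
    Response("/", has_session=False),
    Response("/api/me", has_session=True),
]

if __name__ == "__main__":
    for path, (blanket, targeted) in compare_policies(SAMPLE).items():
        print(f"{path:28} blanket: {blanket:40} targeted: {targeted}")
```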
|
Anyone implemented Swimlane?
Posted: May 7, 2018 01:19
|
Anyone used Phantom, Swimlane, or some other security automation tool? Trying to sign up for the phantom community edition, but they're insisting on me providing my work address, which I'm not looking to do.
Posted: May 15, 2018 04:16
|
dogstile posted:
If this thread has taught me anything it's that I should never get into infosec or I'll be abrasive and mad all the time.

You'd probably actually fit right in at most orgs.
Posted: Jul 9, 2018 15:23
|
Apex Rogers posted:
Mind linking to the secfuck thread?

They keep closing it and opening new ones, looks like this is the current though. https://forums.somethingawful.com/showthread.php?threadid=3855827
Posted: Jul 9, 2018 21:44
|
D. Ebdrup posted:
I suspect computing made a mistake in going from something that could be reasoned about, to the state today where there's something like 20 instructions with branch prediction in flight at any given time, the microcode is responsible for changing the CISC-like instruction set that amd64 claims to be into more RISC-like instructions plus a bunch of circuitry specific instructions for vector cores, et cetera, plus whatever else is actually inside a chip, especially when it seems like not even the manufacturers understand the full implications of what happens when you're putting an almost 50-year virtual machine on top of the mess that is OoO, as is the case with C which is used for a heck of a lot of most modern OS'.

Having trouble getting past how long your sentences are.
Posted: Aug 16, 2018 01:49
|
Docjowles posted:
Literally changing the term to "offensive" in order to make the text less offensive is

I wonder if they got offended by it.
Posted: Aug 29, 2018 23:41
|
baka kaba posted:
The thing about LastPass is ( aside) it works fine until it doesn't, and then it's a real pain to try and recover. Like usually if you sign up for a site, you can click the nice "generate password" option and submit your deets, and then the extension pops up a thing saying "I see you created an account! Want me to add it?" and you go yep. Except sometimes it doesn't do that, because the site confused it, and then you have to go looking for the generated password history and finding the one you used (hint: it's not the one at the top or bottom of the list) by trying to log in, and then manually add the account details to your vault

Yeah, I've been having this issue more and more recently, except I can never find a generation history. I've started just generating it and copying it to the clipboard so if it doesn't save I can manually create the site.
Posted: Sep 6, 2018 01:01
|
Free > 3$ a month

I think I tried 1Password about a year back and it butchered the lastpass import. I also recall it struggling to fill out / save forms. Also it can't properly handle a 2 screen login process, lastpass can.
PBS fucked around with this message at 02:30 on Sep 6, 2018
Posted: Sep 6, 2018 01:24
|
|
Cup Runneth Over posted:
The Google login is 2 screen and Tumblr is 3 screen and 1Password has always worked flawlessly with those

Got instructions? I see no way to get it to work without telling it to fill out the details multiple times.
Posted: Sep 6, 2018 04:21