Add another person who is completely happy with 1Password. It took me forever to get Chrome to completely drop all my old passwords and stop trying to autofill the passwords even though I said "please delete all the saved passwords", but once I got it all configured, I can't imagine using something other than it, it works well for me. My one pet peeve with it is the tiny UX disparities between mobile versions. iOS has a fancy recents page on the favorites view of recently used ones, Android doesn't get that.

Jul 31, 2019 02:51
|
zhar posted: on the topic of 1password are there any compelling reasons for me to update from my pre subscription 1password version 6?

I'd say sync specifically designed for passwords and a year of deleted item recovery are pretty compelling, along with the watchtower analytics as mentioned.

Jul 31, 2019 18:07
|
Raenir Salazar posted: Would this be a good thread to ask about how WW2 era cipher machines worked? I'm not understanding how a half-rotor results in only 1 of 26 output key lamps lighting up.

There only being 13 letters is just for brevity otherwise they wouldn't be able to fit all 26 lines between the rotor on the left and the right.

Apr 17, 2020 03:26
|
beuges posted: When I first sent them a query about it, I got this:

Isn't chromium introducing the native password revealer thanks to edgium putting it into upstream?

Apr 24, 2020 06:02
|
Mr. Crow posted: Seems like the most likely thread for people to have experiences with yubikeys, my computer choked trying to read mine today and couldn't enumerate the USB, after plugging it in and out it saw it fine... Y'all have experience with yubikeys going bad or anything? This thing is years old at this point and I've never seen a USB die unless I accidentally jammed it in the slot the wrong way or there is a real electrical short. Probably just a random usb glitch I've never had issues with them.

May 5, 2020 18:28
|
So this is when the Surface team gets a smug look on their face and says "i told you so" about Thunderbolt security concerns, right?

May 11, 2020 18:36
|
Honestly I kind of agree with the Google engineer. If someone's popped your computer, you might have bigger problems than Google's threat model.

Jul 2, 2020 22:34
|
FWIW: this was also an edge case of him needing a macOS device so he had bought a VPS running macOS that was using VNC by default, so he installed nomachine. It seems like more of an edge case than "oops rdp popped", so I'm not really sure what the right answer is.

Jul 3, 2020 20:48
|
Cup Runneth Over posted: You think that's scary? I know from experience there are banks with customer support that will trigger a 2FA auth and ask you to repeat it back to them to verify your identity. No, not a scammer. The actual customer support.

When working with phone support I'm not really sure what the better situation is. I know Simple (my bank) does do this, but the phrasing of the message is "Your Simple verification code to provide to the Simple team member is xxxxxx", not just "Your Simple verification code to log in is xxxxxx".

Jul 5, 2020 21:36
|
Sickening posted: I have been signing up firstname@gmail.com for everything that asks me for an email for more than a decade. Whoever that person is that works at google, I hope they enjoy it. I would also assume nope@nope.com gets a bunch as well.

they're probably not a googler

try firstname@google.com

Oct 16, 2020 00:18
|
I’m not saying your company is potentially over their collective heads in this, but yikes. The only truly unphishable 2FA method is U2F which has iffy mobile support to begin with (and that’s assuming smartphones). Everything else is phishable with varying amounts of effort.

Jan 18, 2021 06:21
|
BonHair posted: It also seems like it would be difficult to track down the actual physical person who did a thing in case of incidents with that setup? Or is that me misunderstanding?

I don't think so. And I bet since it's all going through your external IP, Mallory (or someone just not wanting to do work) could just login to company1...n@ over and over and over again and DoS everyone else in the company

Jan 20, 2021 03:57
|
Mr. Crow posted: You sure?

otherwise known as "we speculated at the method Android and iOS calculates fingerprints, we never tested it against real devices, we think this will work" (and it's from 4 years ago)

Mar 1, 2021 00:01
|
RFC2324 posted: Yeah, I wonder how many people think they are protected by 2fa but forgot that FB requires a phone number for sms failover to enable 2fa at all

You can disable phone number failover after setting up 2FA

Apr 6, 2021 19:16
|
Martytoof posted: Does pastebin pro ever actually go on sale? It's "sold out" every time I check.

It went on sale at some point since I have a pro account (back in December of 2018)

Apr 7, 2021 19:47
|
Well the writing was on the wall (and frankly I don't mind because the .com stuff is way better than any of the other options), but 1Password has quietly (at the moment) officially announced the end to per-version licenses still being available, and future versions of the desktop app will require the subscription. https://1password.community/discussion/comment/601917/#Comment_601917

Jun 15, 2021 23:43
|
With the power of the desktop app integration, I basically never even type my master password of 1Password into any web pages or Chrome extension, so at this point it's a pretty minor concern.

Jul 6, 2021 00:55
|
I'd also weigh the risk of the potential threat actors against how much risk you're willing/able to mitigate. Like if your goal is doxxing members of an aggressive group who own guns, the amount of care you'd want to put into making sure that you're unidentifiable is different than posting fursuit content.

Jul 24, 2021 19:05
|
wolrah posted: Do you guys not have a MDM that supports Apple Business Manager? I haven't actually used this capability yet but my understanding was that any remotely modern Mac could have MDM profiles pushed to it the moment it connects to the internet similarly to an iOS device.

It exists and is awesome until you remember that unless you bought the Macs through the business/school account it's an absolute nightmare to get them added to ABM/ASM for MDMing

Sep 21, 2021 19:01
|
Proud Christian Mom posted: boy isnt this the loving truth

on the plus side it turns the “pretty please can you turn off activation lock” hour long phone call with Apple support into an easy one click setting

Sep 21, 2021 21:14
|
Martytoof posted: Now I wish I had read this thread before the edits

Judging from context it sounds like we definitely didn’t want to know

Oct 13, 2021 02:43
|
cr0y posted: I am sure this has been covered before but...

yubikey is actually impossible to phish, code based TOTP is phishable if you're not paying attention. I have a 5Ci on my keys, the 5NFC that it's replacing at home, plus a 4 that I have for work testing purposes

Nov 3, 2021 17:07
|
cr0y posted: Google authenticator has an export option which generates a big QR code that I am thinking you could screenshot and stash away somewhere safe as a backup for this scenario.

https://malicioussitethatsnotactuallygoogle.com asks for an OTP code, you type it in, attacker quickly uses the information they've gotten from the phishing page to log in to the real page.

With U2F/FIDO2/WebAuthn, https://malicioussitethatsnotactuallygoogle.com can't ask for the credential for https://google.com because not the same origin.

Nov 3, 2021 18:14
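The origin binding described in the post above, seen from the server's side, as an added example that is not part of the original thread. The domains, challenge value and the `browser_assertion` stand-in are constructed for illustration, and signature verification with the stored public key is assumed to happen separately.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_totp_login(submitted: str, expected: str) -> bool:
    # A TOTP code says nothing about which page collected it, so a code
    # relayed from a lookalike site verifies exactly like a direct one.
    return submitted == expected


def browser_assertion(page_origin: str, challenge: bytes):
    """Constructed stand-in for browser + security key: the browser, not the
    page, writes the origin, and the key is scoped to that origin's host."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags_and_counter = b"\x01" + (1).to_bytes(4, "big")
    return client_data, hashlib.sha256(host.encode()).digest() + flags_and_counter


def check_webauthn_login(client_data: bytes, auth_data: bytes, challenge: bytes,
                         expected_origin: str, rp_id: str) -> bool:
    """Relying-party checks that tie an assertion to one origin (the
    signature check over these bytes is assumed to be done elsewhere)."""
    fields = json.loads(client_data)
    return (fields.get("type") == "webauthn.get"
            and fields.get("challenge") == b64url(challenge)
            and fields.get("origin") == expected_origin
            and auth_data[:32] == hashlib.sha256(rp_id.encode()).digest())


# Constructed sample values, not taken from the thread.
REAL, LOOKALIKE = "https://accounts.example", "https://accounts-example.test"
CHALLENGE = b"constructed-challenge-0001"


def demo() -> dict:
    direct = browser_assertion(REAL, CHALLENGE)
    relayed = browser_assertion(LOOKALIKE, CHALLENGE)
    return {
        "totp_relayed": check_totp_login("492817", "492817"),
        "webauthn_direct": check_webauthn_login(*direct, CHALLENGE, REAL, "accounts.example"),
        "webauthn_relayed": check_webauthn_login(*relayed, CHALLENGE, REAL, "accounts.example"),
    }
```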
|
If you're paranoid, use a Yubikey and don't stress further about it. What people often forget is there's another less technical way of getting access to your data if they really want it. If the Mossad wants to log into your account that has U2F, then they'll just show up to your house with a set of jumper cables and a car battery and ask really nicely for you to unlock it please.

Nov 3, 2021 19:24
|
cr0y posted: Ya I'm not super concerned because I am a garbage person and have nothing of value, but I'm now more aware of needing a better way to backup my TOTP secrets.

nope

Nov 3, 2021 20:07
|
cr0y posted: Well that's dumb

I mean any modern phone is encrypted and siloing data per app, but a device compromised by relatively high level malware (so not "you were watching porn" popups) could potentially look at the TOTP secrets

Nov 3, 2021 20:27
|
Mantle posted: I'm trying to de-smartphone and TOTP authentication is one of my blockers. From what I understand, wouldn't all of my service providers that are currently using TOTP need to support my Yubikey?

Pretty much.

Nov 3, 2021 21:07
|
chin up everything sucks posted: Honestly, I have no idea - I don't think anything survives a wipe + firmware flash unless the device was compromised via a supply chain attack, but I can't say that with 100% certainty.

Unless they compromise your Mac/Windows device with a separate zero-day before you manage to DFU your iPhone and use that to put it back

Dec 16, 2021 21:34
|
GrunkleStalin posted: The family and enterprise plans would let you create a dedicated “cloud account” with its own secret key & password to handle billing and another to handle all your passwords.

FWIW: avoiding ever touching the web interface could be done by signing up on a mobile device and using App Store or Google Play billing.

Jan 3, 2022 00:11
|
bull3964 posted: Best not use safari on MacOS and sign out of google accounts on iOS.

https://github.com/WebKit/WebKit/commit/f73005ed826014988f8ee447de23927749fb56e5

When in doubt, call Apple out directly

Jan 17, 2022 17:19
|
Martytoof posted: I’ve done zero actual research but every time I see a pro/con list someone invariably mentions that QNAP software is less secure, whatever that means.

QNAP uses textarea rather than input for the username/password fields so take that as you will as an example of their development prowess

Jan 28, 2022 04:07
|
SoFi finally got a bank charter and isn’t using a partner bank anymore and their app is good so I’ve been fine with them.

Mar 4, 2022 23:10
|
KozmoNaut posted: I have a few good randomly generated passwords that I can remember by the typing patterns, like for instance the general pattern is diagonally up and left, then down, then straight across. Jumps and upper/lowercase and symbols are of course scattered.

Except for the fact that the pattern makes the problem size smaller

4-5 words randomly generated is way more memorable with a way bigger problem size IMO

Mar 13, 2022 20:54
|
I just use 5 EFF diceware words and call it a day, no symbols, spaces as separator

Mar 14, 2022 03:30
|
Should I put my Universal Life Church minister number in my signature yes / no?

Apr 2, 2022 18:04
|
Internet Explorer posted: Has anyone heard anything odd with Instagram recently? My wife had someone log into her account from a different state. She didn't have MFA, but it was a unique password generated and stored from 1Pass. I asked if she had used it as SSO for another service or anything, thinking maybe she got phished that way, but she's saying no. And it's not like she's logging in to it on her computer. Not linked to Facebook, no Facebook account.

I've seen a few reports of this happening lately with the ig.me URL

Jun 1, 2022 04:22
|
AlternateAccount posted: Have they talked about the details of Twitter's coming encrypted DMs? Proper E2E or…?

“just vibes”

I wouldn’t be surprised if it’s never implemented due to not having the engineering capacity to add it

Nov 28, 2022 22:52
|
Boris Galerkin posted: Can someone smart tell me why 1Password isn't susceptible/is more secure than LastPass? I still use and pay for 1Password but out of habit/inertia at this point.

secret key

1Password never gets your secret key, so there's an extra 128 bits of entropy for your vaults when stored on their servers

you need both the secret key and the password to unlock a vault, so attacking their servers would basically be pointless

Dec 23, 2022 19:01
|
wolrah posted: LastPass works the same way. The password vault is just an encrypted blob from the standpoint of their servers. If you ignore the years of incompetence, on paper they're doing all the same things as anyone else in the space. They just have a long history of doing those things worse than everyone else.

no? the only thing needed to decrypt your lastpass vault is your password, 1p requires both your password and secret key

Dec 23, 2022 20:08
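The difference argued in the two posts above (a vault key derived from the password alone versus from the password plus a device-held secret key), as an added example that is not part of the original thread. It is a simplified sketch of the idea, not 1Password's or LastPass's actual code; the iteration count, salt, secret key, wordlist and function names are all constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed value for illustration only


def password_only_key(password: str, salt: bytes) -> bytes:
    # Everything needed to test a guess (salt + ciphertext) sits on the server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    # The password-derived key is mixed with a key derived from a random
    # secret that only the user's devices hold; the server never sees it.
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    from_secret = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def guess_from_server_copy(target_key: bytes, wordlist, salt: bytes,
                           secret_key: bytes = None):
    """Models what a stolen server copy allows: trying candidate passwords.
    Returns the matching password, or None if no candidate reproduces the key."""
    for candidate in wordlist:
        if secret_key is None:
            derived = password_only_key(candidate, salt)
        else:
            derived = two_secret_key(candidate, secret_key, salt)
        if hmac.compare_digest(derived, target_key):
            return candidate
    return None


# Constructed sample data: a weak password that appears in the guess list.
SALT = b"constructed-salt"
SECRET_KEY = bytes(range(16))          # 128 bits, held only on the device
PASSWORD = "correct horse"
WORDLIST = ["hunter2", "letmein", "correct horse"]


def demo() -> dict:
    return {
        "password_only": guess_from_server_copy(
            password_only_key(PASSWORD, SALT), WORDLIST, SALT),
        "two_secret_without_key": guess_from_server_copy(
            two_secret_key(PASSWORD, SECRET_KEY, SALT), WORDLIST, SALT),
        "two_secret_with_key": guess_from_server_copy(
            two_secret_key(PASSWORD, SECRET_KEY, SALT), WORDLIST, SALT, SECRET_KEY),
    }
```

With the password-only scheme a weak password falls to guessing against the server copy; with the second secret mixed in, the same guess list finds nothing unless the 128-bit key is also known.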
|
My password manager opinions:

If you want free: Bitwarden is the only option

If you want to pay: 1Password has more creature comforts than Bitwarden does (SSH key agent, a full 1Password experience in Safari on iOS that's exactly like the desktop web extension, better UI, plus the Secret Key)

Dec 25, 2022 21:02