Add-on: same password, same identity. - eviltoast
  • Paradachshund@lemmy.today
    link
    fedilink
    arrow-up
    20
    arrow-down
    3
    ·
    1 year ago

    Everyone talks about password managers these days, but isn’t that telling the hackers exactly where to go to get all your passwords? Seems like a much higher chance of catastrophic failure to me if you have a single point of entry.

    • moonmeow@lemmy.ml
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      Yes that’s definitely a concern to keep in mind.

      The problem is that if someone doesn’t use a password manager they’re morenlikely to reuse weak ones.

      Using a password manager is a better path, as long as there is awareness on how to keep it secured.

      • Browning@lemmings.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        I use the same password for every site, but I put the name of the site at the end of the password.
        For example:
        NotmypassB3ta.
        NotmypassGoogle.
        NotnypassLemmy. Etc.
        I figure it might stop the most lazy of attacks.

        • lud@lemm.ee
          link
          fedilink
          arrow-up
          8
          ·
          1 year ago

          It will stop a lot of attacks but if someone figures it out, you’re screwed. So I don’t recommend it.

          But years ago I used the same password everywhere except with a few differences due to different requirements (like special characters) and the weakest passwords I used got leaked on pastebin (or similar). And sure enough many accounts got compromised, not a huge deal and I didn’t lose anything I cared about.

          The interesting part is that no-one seemed to try the leaked password + 1234 or a capital letter in the beginning.

        • moonmeow@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          That sounds not ya I’m sure it stops a , as long as the actual password is also strong. IMO there’s still some vulnerability. If someone finds out your password and notices thepattern ‘pass+Site’, then they mighttryyon another site.

          Also why it’s a good idea to have a few emails yo use across multiple sites.

        • Droechai@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I had something similar but ran into issues with sites requiring specific symbols, disallowing certain symbols and limiting lengths or similar

          • wewbull@iusearchlinux.fyi
            link
            fedilink
            arrow-up
            3
            ·
            1 year ago

            That annoys me so much. Especially when the randomly generated line noise password I’m using doesn’t happen to include one of the three punctuation characters they need to be “secure”.

    • Hexarei@programming.dev
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      1 year ago

      Only if you’re using a third-party password manager, rather than something stored/managed locally.

        • itslilith@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          I’m using KeepassXC, which has a browser integration that is quite good, and a local database. I synchronize it to my devices (using Syncthing, so it’s p2p). The database is encrypted with a pretty good password, and a key file. the key file has never and will hopefully never be transported via internet. The database is synced to a server I’ve rented as well, but never the key.

          It’s not perfect, but potential attackers would need to

          a) have access to one of my daily devices (the server won’t be enough, since they need the key file)

          b) crack my password

          Obviously, for someone dedicated this is still quite reasonable, but then again, I don’t think that’s my threat profile. The chance of getting caught up in a larger breach is a basically zero once you use your own solution, and it should be reasonably safe, if you don’t do anything stupid.

          • Paradachshund@lemmy.today
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Oof, I barely understand most of that so definitely over my head I think. It sounds like you’ve made a good system for yourself though, nice job!

            • itslilith@lemmy.blahaj.zone
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              I could’ve phrased some things simpler, haha

              But yeah, I’m quite happy with it. KeepassXC is a local password manager, and Syncthing lets you synchronize files and folders across devices, and it uses Peer-to-Peer (p2p) technology, so unlike something like Google drive you’re not relying on some could server, it just transfers between your devices directly.

              It’s not plug and play to install, but not that hard either. But still, I can see that commercial options are a lot easier for many people c:

          • Piemanding@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            They would also need to know what you are using in the first place. Since fewer people do this it does make it a bit safer.

            • itslilith@lemmy.blahaj.zone
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Exactly. As long as you don’t have someone really determined or some three letter agency after you, it’s going to be pretty safe

        • Rodeo@lemmy.ca
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          That’s the neat part, you don’t.

          Security and convenience are opposites. You have to decide if you want a local-only manager that is more secure, a sync service like syncthing that you can set up yourself, or a third-party cloud app like LastPass (which has been compromised at least once that I know of).

          Personally I just do all my email and banking on my desktop at home, and it’s actually only inconvenienced me a few times over the years.

          • Hexarei@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I store mine in a selfhosted Nextcloud instance accessible only via a Nebula overlay network (alternative to tailscale) and it’s both convenient and secure.

          • itslilith@lemmy.blahaj.zone
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            the only thing that gets less secure is more devices potentially compromised, but the act of syncing shouldn’t make it more dangerous by itself (if using a key file or a master password too long to be reasonably cracked), right?

            or am I missing something?

          • Paradachshund@lemmy.today
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Sticking to desktop only wouldn’t be realistic for me unfortunately. Sounds like the solutions aren’t quite there yet for an average user.

            • 0xD@infosec.pub
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              1 year ago

              They are, just use a normal one (I use bitwarden) that you can access from everywhere and protect it with 2FA.

              The goal is to have varied, secure passwords across everything.

        • Hexarei@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I store mine in a selfhosted Nextcloud instance, KeepassDX on Android supports accessing it directly. Works perfectly and even provides an autofill service for Android. Very easy and very convenient.

    • FiveMacs@lemmy.ca
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      I just use a password manager for my password managers password manager. 2fa on all of em. Takes me forever to login

    • gornius@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      1 year ago

      The main argument to use password managers to prevent password leaks to all of your services (that you use with the same login/email). You can’t trust any service to store your password securely, therefore you should use different ones everywhere.

      Using a password manager gives you the convenience of using one, strong password that’s being used very securely, and mitigating risk of password leaks spreading further.

      If you abstract it that way, it by no means eliminates the risk of someone breaking into your database, but makes it harder and from a single entry point, instead of any service that uses your password.

      Plus many of those password managers give you an option to use YubiKey for additional security.

      Oh and also you won’t ever need to press “forgot password” ever again due to the arbitrary requirements that your password doesn’t pass, so you modify it slightly so it would.

    • wewbull@iusearchlinux.fyi
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      The greatest threat is password databases being leaked from the services you use. Not your phone or laptop. Physical access to a device is a pretty high security bar.

      If you don’t let people make notes of passwords they use one crap memorable password for everything. Let them store it, and advise them to do it somewhere encrypted. Ta da! Password manager.

      • Nintendo@lemmy.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        1 year ago

        you literally described the exact use case for password managers. in security, it’s not about IF you get breached, it’s WHEN and how to recover from it. this includes cloud password managers. you can hack all the data you want from these companies but any reputable password manager company will employ a Zero Trust model where your data is stored encrypted. they can completely upend the company and destroy their whole infrastructure, but they still can’t do shit unless they have your master pass or a time machine.