Post 9manoDB0ZlsEgWMjqa by Gargron@mastodon.social
 (DIR) Post #9manXZHj7m3GKVZX2e by Gargron@mastodon.social
       2019-09-04T22:17:59Z
       
       3 likes, 10 repeats
       
       Some older, inactive Mastodon accounts are being turned into spam accounts. Every account I've checked has been in the haveibeenpwned.com database, i.e. the spammers are using breaches from other websites and randomly trying e-mail/password combinations to get access to those accounts, insert spam links in the bio and start following people. An exceptionally simple defence against this happening to you is using two-factor authentication. Check your account settings to see how to enable it.
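
The takeover pattern described in this post (one source trying leaked credentials against many accounts, and succeeding on long-dormant ones) is something an instance admin can look for in an authentication log. The script below is an added example, not Mastodon's own code: the log format, the field names (timestamp, ip, account, result, last_active_days) and the log lines themselves are constructed for illustration, and the thresholds are assumptions to tune per instance.

```python
"""Flag two signals of credential-stuffing takeovers in an auth log.

Added example; not Mastodon code. The log format and fields are assumed.
  1. one source IP succeeding against several distinct accounts in a window
  2. a password login succeeding on an account dormant for a long time
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp ip account result last_active_days".
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-09-04T21:00:01Z 203.0.113.7 alice ok 412
2019-09-04T21:00:04Z 203.0.113.7 bob fail 3
2019-09-04T21:00:09Z 203.0.113.7 carol ok 530
2019-09-04T21:00:15Z 203.0.113.7 dave ok 701
2019-09-04T21:01:30Z 198.51.100.2 erin ok 1
2019-09-04T21:05:00Z 203.0.113.7 frank ok 2
2019-09-04T22:30:00Z 192.0.2.9 grace ok 390
"""


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result, days = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account,
            "ok": result == "ok",
            "last_active_days": int(days),
        })
    return events


def many_accounts_one_ip(events, window=timedelta(minutes=10), threshold=3):
    """IPs that successfully logged into >= threshold distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            accounts = {x["account"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(accounts) >= threshold:
                flagged[ip] = sorted(accounts)
                break
    return flagged


def dormant_logins(events, dormant_days=365):
    """Accounts where a password login succeeded after `dormant_days` of inactivity."""
    return sorted({e["account"] for e in events
                   if e["ok"] and e["last_active_days"] >= dormant_days})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(many_accounts_one_ip(evs))  # {'203.0.113.7': ['alice', 'carol', 'dave', 'frank']}
    print(dormant_logins(evs))        # ['alice', 'carol', 'dave', 'grace']
```

Either signal on its own produces false positives (a shared NAT, a user returning after a year), so the two are better combined: a dormant account reactivated from an IP that is also cycling through other accounts is the case worth reviewing first.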
       
 (DIR) Post #9manjGJZTtJEyB0k4W by Gargron@mastodon.social
       2019-09-04T22:20:07Z
       
       1 likes, 3 repeats
       
       On a more fundamental level, you should not be using the same password on different websites, and use a password manager like KeePass to generate and keep track of the passwords.
       
 (DIR) Post #9manjjWgsC2DZGN82y by marix@chaos.social
       2019-09-04T22:20:06Z
       
       0 likes, 0 repeats
       
       @Gargron talking of which, is there any chance to get Webauthn support into Mastodon? I saw the issue in Github but it seems to be stalled.
       
 (DIR) Post #9mankJMJeF7uhVnLsG by ZoeyGlobe@mastodon.technology
       2019-09-04T22:20:18Z
       
       0 likes, 0 repeats
       
       @Gargron I would if I could use SMS for it, I don't have any time for any modern smartphones, so can't run those authenticator apps.
       
 (DIR) Post #9manoDB0ZlsEgWMjqa by Gargron@mastodon.social
       2019-09-04T22:21:01Z
       
       0 likes, 0 repeats
       
       @ZoeyGlobe SMS is bad for two-factor authentication, because it can be spoofed. That's how Jack Dorsey's (Twitter CEO) account was compromised.
       
 (DIR) Post #9manr7TgDjlJsYUBwO by 444.koyu@koyu.space
       2019-09-04T22:21:31Z
       
       0 likes, 0 repeats
       
       @Gargron I was wondering, because all accounts contained genuine content and profile metadata. I might announce such measurements as well to my users.
       
 (DIR) Post #9mansRTrKsd2CrCUbY by Tchambers@mastodon.social
       2019-09-04T22:21:46Z
       
       0 likes, 0 repeats
       
       @Gargron could you imagine in future versions of Mastodon the ability to require end users to have two factor on?
       
 (DIR) Post #9mao58wnYMOmUVnDTU by 361.xj9@social.sunshinegardens.org
       2019-09-04T22:24:07.726060Z
       
       0 likes, 0 repeats
       
       @ZoeyGlobe @Gargron U2F keyfob then?
       
 (DIR) Post #9maoLbbqkvIo1CqP4a by ij@nerdculture.de
       2019-09-04T22:26:26Z
       
       0 likes, 0 repeats
       
       @Gargron - well, there are not only weak user passwords out there, but very old and apparently unmaintained and insecure instances. According to my federation statistics, like 25% are running a Mastodon version <=2.8.0
       
 (DIR) Post #9maoQZjHAqFbdQggPQ by ZoeyGlobe@mastodon.technology
       2019-09-04T22:27:56Z
       
       0 likes, 0 repeats
       
       @Gargron Reasonable, but is no 2-auth better than SMS 2-auth?
       
 (DIR) Post #9mapJ2ClWBndaWRu52 by wtfgraciano@mastodon.social
       2019-09-04T22:36:51Z
       
       0 likes, 0 repeats
       
       @Gargron have you seen what basecamp did earlier this year about a similar issue? Maybe the main instance could do something like it idk https://m.signalvnoise.com/protecting-basecamp-from-breached-passwords/
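
One way to do the kind of breached-password check that this post and the haveibeenpwned.com mention earlier in the thread point at, without ever sending the user's password or even its full hash to a third party, is the k-anonymity range lookup that the Pwned Passwords service offers: send only the first five hex characters of the SHA-1, receive every hash suffix in that bucket, and match locally. The code below is an added example, not Basecamp's or Mastodon's code. `SAMPLE_RANGE` is a constructed bucket response so the check runs offline; only its first suffix is the real SHA-1 suffix of the string "password", and the counts are illustrative. The online fetcher is included for completeness but is not used by the demo.

```python
"""Breached-password check via k-anonymity range lookup.

Added example; not Basecamp's or Mastodon's code. SAMPLE_RANGE is a
constructed bucket, the online fetcher targets the public range endpoint.
"""
import hashlib
import urllib.request

# Constructed bucket for SHA-1 prefix 5BAA6, in the "SUFFIX:COUNT" line format
# the range API returns. First line: real suffix of sha1("password").
SAMPLE_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17
"""


def split_sha1(password: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Fetch a bucket from the public Pwned Passwords range endpoint."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breached-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher for the demo: only the constructed 5BAA6 bucket exists."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch=fetch_range_online) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print(breach_count("password", fetch_range_offline))                       # 3861493
    print(breach_count("correct horse battery staple", fetch_range_offline))   # 0
```

A sign-up or sign-in handler would call `breach_count` with the online fetcher and reject (or at least warn on) any non-zero result; because only the prefix leaves the server, a leaked request log reveals nothing usable about the password.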
       
 (DIR) Post #9maqYfNUFxAzNXTvVI by dadosch@social.tchncs.de
       2019-09-04T22:51:49Z
       
       0 likes, 0 repeats
       
       @gargron Make 2FA Auth a requirement after signup? only instance admin able to disable this setting in general / for single people who don't have a phone etc.
       
 (DIR) Post #9marS0qs7OJzuEcL9E by DrunkenWolf@mastodon.social
       2019-09-04T23:01:06Z
       
       0 likes, 0 repeats
       
       @Gargron The problem is keeping track of environments. Is KeePass for Windows (Edge), Google (Chrome), Apple (Safari)? For computers, tablets, phones? Or do we have to choose alternative password managers for each? At the end of the day, having the same password for the accounts I use the most is just quick and simple.
       
 (DIR) Post #9mawjrg3T0cIR2tDsm by dheadshot@mastodon.social
       2019-09-05T00:01:05Z
       
       0 likes, 0 repeats
       
       @Gargron... Until KeePass gets pwned...
       
 (DIR) Post #9mawnA9XERPYbYFe9g by Gargron@mastodon.social
       2019-09-05T00:01:42Z
       
       1 likes, 0 repeats
       
       @dheadshot KeePass is a program that stores passwords in an encrypted file on your machine behind a master password (the only password you need to remember henceforth).
       
 (DIR) Post #9mazapfNsDRzSGxc8G by dmonad@donotban.com
       2019-09-05T00:31:57Z
       
       0 likes, 0 repeats
       
       @Gargron I prefer EnPass. It supports sync between multiple platforms and browsers, and the encrypted wallet file can be stored on my own cloud.
       
 (DIR) Post #9mb1cCzKqgzRz54ntQ by trash@mastodon.host
       2019-09-05T00:53:58Z
       
       0 likes, 0 repeats
       
       @Gargron Or not use the same password that you used on MySpace after it was breached.
       
 (DIR) Post #9mb5IBR1JZJLBujUKu by theprivacyfoundation@mastodon.social
       2019-09-05T01:35:24Z
       
       1 likes, 0 repeats
       
       @DrunkenWolf @Gargron #KeepassXC is a fork of Keepass that is available on Mac, Windows and Linux and is sync-able with #nextcloud and other #cloud services. It is connectable to most browsers, is actively maintained and is a quality build. https://www.keepassxc.org
       
 (DIR) Post #9mb5mS12EQo1Is0jvU by Clashin_Creepers@mastodon.social
       2019-09-05T01:42:15Z
       
       0 likes, 0 repeats
       
       @Gargron Very true. The problem is... nobody wants to
       
 (DIR) Post #9mb9Nu4x9jkCuuOUS0 by popekingjoe@mastodon.social
       2019-09-05T02:22:46Z
       
       0 likes, 0 repeats
       
       @Gargron I prefer Bitwarden. It's FOSS and works on every modern browser, as well as Android and iOS.
       
 (DIR) Post #9mbVQjyhMi8vRxE67M by alexlaw@mastodon.social
       2019-09-05T06:29:46Z
       
       0 likes, 0 repeats
       
       @Gargron is that why I suddenly gained a bunch of followers a couple nights ago?
       
 (DIR) Post #9mbo9mRgpsxzJEPgBs by manuelcaeiro@mastodon.social
       2019-09-05T09:59:35Z
       
       0 likes, 0 repeats
       
       @Gargron Pocket safe password manager: https://img1.etsystatic.com/002/0/6778765/il_fullxfull.382476109_qots.jpg
       
 (DIR) Post #9mbv1f0jIHn1c3sUbI by alexesc@social.librem.one
       2019-09-05T11:16:35Z
       
       0 likes, 0 repeats
       
       @Gargron Another way to reduce spam accounts is to make Mastodon users less incentivized to create more than one account. Some people, including me, join an instance because it specializes around a topic (art, games, socializing, computers), but people have more than one interest. So we create an account per instance that strikes our hobbies. Reddit has subreddits; this solves needing multiple usernames for subscribing to different topics. We need something like that...
       
 (DIR) Post #9mc9upOTn3Pv6JBdy4 by steveroy@mastodon.social
       2019-09-05T14:03:24Z
       
       0 likes, 0 repeats
       
       @Gargron Would be good to be able to close unused Mastodon accounts. Last I checked this wasn’t possible?
       
 (DIR) Post #9mc9zAWbASkLnO3QTA by ice@patch.cx
       2019-09-05T14:04:16.989605Z
       
       0 likes, 0 repeats
       
       @Gargron lol good
       
 (DIR) Post #9mcB09PssEesbNwhea by BalooUriza@meow.social
       2019-09-05T14:15:33Z
       
       0 likes, 0 repeats
       
       @Gargron To be fair, almost everyone is in HIBP at this point.
       
 (DIR) Post #9mgYA0IxTWbqkbL960 by evertprants@fosstodon.org
       2019-09-07T16:53:53Z
       
       0 likes, 0 repeats
       
       @Gargron I just use pass https://www.passwordstore.org/ It has an Android app