Post AOSLzuKAuHLNxRgn44 by lightweight@mastodon.nzoss.nz
Post #AORee2FWSuIU8XpyGu by lightweight@mastodon.nzoss.nz
2022-10-11T00:55:20Z
0 likes, 0 repeats
Periodic reminder: if you're not using a password manager, you need to. I recommend https://bitwarden.com - it's fully FOSS. If you're capable, I strongly recommend running your own. Here's how: http://tech.oeru.org/setting-your-own-bitwarden-password-manager-and-vaultwarden-sync-server
Post #AORee2cZ5EjFI0cNBg by Suiseiseki@freesoftwareextremist.com
2022-10-11T03:25:49.267139Z
0 likes, 0 repeats
@lightweight "FOSS" you say? The bitwarden server is licensed under AGPLv3-only and the client under GPLv3 - it's free software.
Post #AORgtsjPotlr9wVGYy by lightweight@mastodon.nzoss.nz
2022-10-11T03:34:18Z
0 likes, 0 repeats
@Suiseiseki I use FOSS to mean Free and Open Source Software to ensure people know I don't merely mean open source. I assume that Free/Libre Software people will know what I'm talking about as they tend to be far better informed.
Post #AORgttzP8w9f3ozY7k by Suiseiseki@freesoftwareextremist.com
2022-10-11T03:51:04.976455Z
0 likes, 0 repeats
@lightweight If you want to be actually neutral, you kind of need to say "FLOSS": https://www.gnu.org/philosophy/floss-and-foss.en.html
Post #AORhQNbcZ7oWBHLzfM by ocdtrekkie@mastodon.social
2022-10-11T02:50:19Z
0 likes, 0 repeats
@lightweight I strongly discourage password managers. A single point of failure stored on an insecure Internet-connected medium is not a good idea, and we should stop promoting them as a good solution.
Post #AORhQO66jmCThpcLBY by lightweight@mastodon.nzoss.nz
2022-10-11T03:08:34Z
0 likes, 0 repeats
@ocdtrekkie what's your alternative?
Post #AORhQOc0p9ilImXoum by ocdtrekkie@mastodon.social
2022-10-11T03:14:07Z
0 likes, 0 repeats
@lightweight Unique passwords only in memory for a very short list of truly sensitive sites, a couple common passwords everywhere else, and 2FA actually everywhere. Failing that I recommend paper/wallet cards if your memory isn't up to the task for email/bank/hosting stuff.
Password complexity doesn't actually buy you much and people vastly overestimate the value of their accounts. My Mastodon password? Not unique at all. There's no sensitive data here! And I have 2FA anyways.
Post #AORhQP1BJZr0YqJv96 by ocdtrekkie@mastodon.social
2022-10-11T03:15:12Z
0 likes, 0 repeats
@lightweight Password managers almost universally get compromised and also promote security exhaustion: Where you are putting undue effort into solutions that don't meaningfully protect you that much.
Post #AORhQPaHD5vWJgjwqe by ocdtrekkie@mastodon.social
2022-10-11T03:19:54Z
0 likes, 0 repeats
@lightweight Your Bitwarden can be compromised by anyone on the planet if a vulnerability is found. The number of people who can compromise a post-it note under your keyboard are people who can physically get to your desk.
Which one has a larger attack surface?
Post #AORhQQ1ZZblFgLVkOW by Suiseiseki@freesoftwareextremist.com
2022-10-11T03:56:56.699335Z
0 likes, 0 repeats
@ocdtrekkie
> Your Bitwarden can be compromised by anyone on the planet if a vulnerability is found.
Um no, if you compromise the server side, you won't be able to get anything, as the server doesn't store the keys needed to decrypt your passwords if you set it up correctly.
Meanwhile, attacking the computer running the password manager itself takes quite a bit more effort.
To make many high quality passwords, you need to put it all into the password manager basket - but you can take steps to make that basket hard to take.
You can use a password book if you want, as long as you have a safe to put it in, but generating secure passwords yourself is not easy and typing different long passwords in for each account gets tiresome, while copy-pasting from a password manager doesn't.
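The property argued in the post above (a compromised sync server yields ciphertext but no key) is easiest to see in code. The following is an added example, not Bitwarden's or Vaultwarden's code: a simplified model in which the client derives a master key from the master password, sends the server only a further-derived login hash, and syncs a vault encrypted under a random vault key that is itself wrapped under the master key. The function names, the iteration counts and the HMAC-SHA256 counter-mode cipher (a stand-in for the AES a real client uses; do not reuse it for real secrets) are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumed work factors for this illustration, not any product's defaults.
CLIENT_KDF_ITERATIONS = 100_000
SERVER_KDF_ITERATIONS = 100_000


def master_key(password: str, email: str) -> bytes:
    """Client side: stretch the master password. The lower-cased email is the salt,
    so two users with the same password still derive different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               CLIENT_KDF_ITERATIONS, 32)


def login_hash(mkey: bytes, password: str) -> bytes:
    """Client side: the credential sent to the server. One more PBKDF2 round over the
    master key gives the server a value that cannot be turned back into the key."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy stand-in for AES; do not reuse."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with independent sub-keys. Output layout: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext: a wrong key or a modified blob fails here."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_register(email: str, password: str, vault: dict) -> dict:
    """Everything that leaves the client. The vault is encrypted under a random vault key,
    that key is wrapped under the master key, and the master key itself never leaves."""
    mkey = master_key(password, email)
    vault_key = secrets.token_bytes(32)
    return {
        "email": email,
        "login_hash": login_hash(mkey, password).hex(),
        "protected_vault_key": encrypt(mkey, vault_key).hex(),
        "vault": encrypt(vault_key, json.dumps(vault).encode()).hex(),
    }


def server_store(upload: dict) -> dict:
    """Server side: re-hash the login credential with a server salt so a dumped database
    cannot even be replayed as a login; the two encrypted blobs are stored opaque."""
    salt = secrets.token_bytes(16)
    rehash = hashlib.pbkdf2_hmac("sha256", bytes.fromhex(upload["login_hash"]), salt,
                                 SERVER_KDF_ITERATIONS, 32)
    row = dict(upload)
    row["login_hash"] = (salt + rehash).hex()
    return row


def server_check_login(row: dict, presented_login_hash: bytes) -> bool:
    """Server side: constant-time comparison against the salted re-hash."""
    stored = bytes.fromhex(row["login_hash"])
    salt, rehash = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", presented_login_hash, salt, SERVER_KDF_ITERATIONS, 32)
    return hmac.compare_digest(candidate, rehash)


def client_open_vault(row: dict, password: str) -> dict:
    """Client side after sync: only the master password can unwrap the vault key."""
    mkey = master_key(password, row["email"])
    vault_key = decrypt(mkey, bytes.fromhex(row["protected_vault_key"]))
    return json.loads(decrypt(vault_key, bytes.fromhex(row["vault"])))


if __name__ == "__main__":
    # Constructed sample data for the demo.
    row = server_store(client_register("alice@example.org", "correct horse battery",
                                       {"mastodon": "hunter2"}))
    print("fields the server holds:", sorted(row))  # no key, no plaintext
    print(client_open_vault(row, "correct horse battery"))
```

Two things to notice when running it: the server row contains an email, a salted hash of a hash, and two ciphertext blobs, none of which can be turned into a vault key without running the client-side KDF on the real master password; and a server that tampers with a blob (or a database thief guessing a wrong password) is stopped by the MAC check before any plaintext is produced. What the model does not cover is the threat Suiseiseki concedes later in the thread: a keylogger or a compromised client sees the master password as it is typed, and no server-side design helps with that.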
Post #AORjO2VkDy225NcJEm by ocdtrekkie@mastodon.social
2022-10-11T03:59:28Z
0 likes, 0 repeats
@Suiseiseki Your first assumption is that the password manager's security is flawless and unbreakable, which is always false.
Your second mistake is believing you need "many" high quality passwords. You might need like five or ten.
Post #AORjO30aNIhZd22wJE by Suiseiseki@freesoftwareextremist.com
2022-10-11T04:18:57.056464Z
0 likes, 0 repeats
@ocdtrekkie
> Your first assumption is that the password manager's security is flawless and unbreakable
Where did I assume that?
Although the password manager may have some vulnerability, to get you, an attacker needs to get into your computer first - which isn't so easy if you run only free software.
I prefer using pass myself and my password databases aren't available via the internet - it doesn't matter even if you can somehow decrypt the password storage if you can't get it in the first place.
> is believing you need "many" high quality passwords. You might need like five or ten.
You need a separate, high quality password for each account - as tying accounts together when you don't need to or allowing the possibility of lateral movement between accounts is stupidity, even if accounts aren't that important on their own.
Post #AORkzk37PeMzmnljtY by ocdtrekkie@mastodon.social
2022-10-11T04:24:26Z
0 likes, 0 repeats
@Suiseiseki The assumption that getting into a computer running exclusively free software is hard... not really a good assumption, a lot of free software can't afford outside auditing and community review can be mixed.
How sensitive is the data in any given one of those accounts? My Mastodon account has no sensitive information and the damage to me of its compromise is nonexistent. Understand your accounts, ensure most of them do not matter.
Post #AORkzkThondZ7GCyKu by ocdtrekkie@mastodon.social
2022-10-11T04:26:45Z
0 likes, 0 repeats
@Suiseiseki Most stores I have shopped at do not have my payment info stored. My home address isn't sensitive info, so with no payment info and no sensitive info (assuming I am not hiding my purchase history), the security of most of my online store accounts does not matter.
Most sites get compromised by the vendor side anyways, your obscene password policy isn't actually helping you anyways.
Post #AORkzktwFGcYQcTvE0 by Suiseiseki@freesoftwareextremist.com
2022-10-11T04:36:57.512983Z
0 likes, 0 repeats
@ocdtrekkie
> a lot of free software can't afford outside auditing and community review can be mixed.
I love readdddiiiinnnnnnggggg the soooooooouuuuuuurrrrrcccccccccccccccceeeeeeeee, so that's not too much of an issue to me.
> How sensitive is the data in any given one of those accounts? My Mastodon account has no sensitive information
Your account is full of metadata, which is quite sensitive, although you can get most of that just by asking the server for your posts.
> Understand your accounts, ensure most of them do not matter.
Even if they turn out to not actually matter, there's no point taking a risk when you don't need to.
> Most sites get compromised by the vendor side anyways, your obscene password policy isn't actually helping you anyways.
Maybe, but if you have sites x, y, z with different passwords on each and you don't actually have any sensitive information on site x, figuring out the password on site x won't help you with sites y and z.
If x, y and z have the same password, you can likely access all three and possibly even reveal more information than can be gleaned from x, y and z on their own.
Post #AORmuxdVfY5ANydfFI by ocdtrekkie@mastodon.social
2022-10-11T04:41:14Z
0 likes, 0 repeats
@Suiseiseki I've truly reviewed source on a few things but it pales in comparison to the scope of what I rely on.
Yes, we cannot care about public metadata at all: It's already public, we don't need to secure it!
There is always a cost/benefit, but you are failing to evaluate the cost of managing hundreds of passwords (which forces you to rely on a single point of failure) against the near zero benefit of securing non-sensitive accounts.
Post #AORmuyFnNChuIiYEvA by Suiseiseki@freesoftwareextremist.com
2022-10-11T04:58:31.464127Z
0 likes, 0 repeats
@ocdtrekkie
> Yes, we can not care about public metadata at all: It's already public, we don't need to secure it!
Not all of the metadata in the account is made public.
> you are failing to evaluate the cost of managing hundreds of passwords (which forces you to rely on a single point of failure)
Your computer(s) are 1 or n points of failure, so adding another point of failure makes little difference.
A keylogger on your computer is going to get you just as well whether you have a password manager or not.
Post #AOSLzsGYYlGFZdys9A by Quokka@aus.social
2022-10-11T08:11:13Z
0 likes, 0 repeats
@lightweight Is it really _F_OSS if to get the features you should, like hardware key support, you have to have a subscription?
Post #AOSLzt8nJ6e8HrMBge by lightweight@mastodon.nzoss.nz
2022-10-11T08:11:54Z
0 likes, 0 repeats
@Quokka if you host your own, you get the 'premium' service at no cost.
Post #AOSLztgpGZrtzPHMjQ by Quokka@aus.social
2022-10-11T08:14:48Z
0 likes, 0 repeats
@lightweight Cool. Have been meaning to check if I have some AWS/Azure/GCP credit and spare domain name somewhere, might see about hosting myself somewhere. Time-poor though!
Post #AOSLzuKAuHLNxRgn44 by lightweight@mastodon.nzoss.nz
2022-10-11T08:17:31Z
0 likes, 0 repeats
@Quokka heh - I run several on a few $5-$20/month Digital Ocean instances (equivalent to $100-$300/month on Azure or AWS in my experience :) ).
Post #AOSLzuugiWYDmglwye by mike@social.chinwag.org
2022-10-11T08:25:50Z
1 likes, 0 repeats
@lightweight @Quokka Bitwarden is extremely lightweight for a personal setup. Do look up "vaultwarden", seriously. Just that project's page will get you going.
Also - I don't think it's well known that they are sincerely the most open commercial service I have ever seen. They publish the source to *everything* down to their public web site. You could spin up a replica of their entire company if you wanted to put the resources into it.