Post AQtZGfppyhDj7X9ceG by eingfoan@infosec.exchange
(DIR) Post #AQtZGdl9h8HqgQwr4a by haentz@mastodon.social
2022-12-23T08:41:43Z
0 likes, 0 repeats
I just deleted my account on 1Password (not using it anymore) and all I can do is hope they actually delete my data and/or never get breached. I can't be sure though. That's what you get when you trust someone with your most sensitive data. 🤷‍♂️
(DIR) Post #AQtZGeOrJW2ufZWYxU by haentz@mastodon.social
2022-12-23T08:44:21Z
0 likes, 0 repeats
Also getting rid of Bitwarden which I have been using on and off as a 1Password replacement. But I can go iCloud Keychain-only full time no problem. OF COURSE Apple could also screw up and leak your data but I trust them way more than some third party. Google too.
(DIR) Post #AQtZGevpKwPwJowtLU by haentz@mastodon.social
2022-12-23T08:52:00Z
0 likes, 0 repeats
Also, it's about time #Apple makes a real full-on Password manager app, not just this crummy list hidden somewhere on system settings… Especially considering they adopted #passkey. It has been pretty quiet on this front anyway. Can't even use #passkey to log in to Apple itself. What a fail…
(DIR) Post #AQtZGfKdqgGbYmYi1Y by clipperchip@ioc.exchange
2022-12-23T08:53:22Z
0 likes, 0 repeats
@haentz No, just no. Absolutely not. Do not ever store your passwords on your mobile phone. That is a bad idea.
(DIR) Post #AQtZGfppyhDj7X9ceG by eingfoan@infosec.exchange
2022-12-23T09:01:25Z
0 likes, 0 repeats
@clipperchip @haentz can you give us more context on your statement? Passwords not on mobile phones seems not mainstream nowadays
(DIR) Post #AQtZGgYVIcwvM43IGm by clipperchip@ioc.exchange
2022-12-23T09:06:22Z
0 likes, 0 repeats
@eingfoan @haentz Mobile devices have much less security than any desktop system. It is usually a blackbox and you won't even notice if you got pwned. Myriads of exploits and other attack vectors are available. I use my phone for 2FA but it certainly does not store any password that is needed to trigger any 2FA. I strongly recommend to keep passwords for critical logins analogue. Or something similar. In my case I use an encrypted USB stick that contains a txt file with passwords. I only plug it in & decrypt it when I am in a safe environment.
(DIR) Post #AQtZGh2HVuliqPz4gS by opal@ap.maladaptive.art
2022-12-23T10:21:36.947746Z
0 likes, 0 repeats
@clipperchip @eingfoan @haentz
>Mobile devices have much less security than any desktop system.
be careful saying this, mobile OSes definitely are more secure, but firmware and baseband security is pretty comparable to the situation on desktops as well
it isnt clear cut to call one class of devices more secure than the other when they have different approaches to security altogether. your own threat model matters here
(DIR) Post #AQtZSy5RwaTZCcJqm8 by eingfoan@infosec.exchange
2022-12-23T09:11:24Z
0 likes, 0 repeats
@clipperchip @haentz Since the operating systems of some mobile OSes I think are designed more for security I would state quite the opposite of your sentence. Desktops (e.g. Windows) often carry so much legacy (30+ years old code) that you can barely secure them… Why do you think desktops are better? I am with you for the physical part
(DIR) Post #AQtZSyWOKQ1iYAvMlk by clipperchip@ioc.exchange
2022-12-23T09:14:03Z
0 likes, 0 repeats
@eingfoan @haentz Because I have fine grained control on what happens on the device. On iOS/Android I don't. Can't even install decent adblockers. And then there are attack vectors over the GSM/4G protocol that are impossible on any computer. And unrelated, what if you lose your phone? No more passwords?
(DIR) Post #AQtZSywckt0hrXCJeq by opal@ap.maladaptive.art
2022-12-23T10:23:53.649771Z
0 likes, 0 repeats
@clipperchip @eingfoan @haentz if i lose my phone then someone will still need my yubikey and decryption passphrase for the passwords
(DIR) Post #AQtZcvb03pK8N8pG76 by clipperchip@ioc.exchange
2022-12-23T10:23:27Z
0 likes, 0 repeats
@opal @eingfoan @haentz That's true. It's kinda simplified in this thread so far. But the main point is that mobile devices are more of a blackbox than any Linux or even Windows system will ever be.
(DIR) Post #AQtZcw3MMO0bn65uJk by opal@ap.maladaptive.art
2022-12-23T10:25:41.170221Z
0 likes, 0 repeats
@clipperchip @eingfoan @haentz i disagree, the blackbox attack vector matters very little in reality for most mobile users. i see phones more as a privacy risk cus they can definitely be triangulated whenever, but that has no bearing on who can log into my bank
(DIR) Post #AQtZfTOjM9OFmqIgvQ by clipperchip@ioc.exchange
2022-12-23T10:24:15Z
0 likes, 0 repeats
@opal @eingfoan @haentz Yes, but where do you get your passwords from?
(DIR) Post #AQtZfTtvUALNLatbY8 by opal@ap.maladaptive.art
2022-12-23T10:26:04.903186Z
0 likes, 0 repeats
@clipperchip @eingfoan @haentz the password store
(DIR) Post #AQtZhOEvVNFuMtd2fI by opal@ap.maladaptive.art
2022-12-23T10:26:30.142193Z
0 likes, 0 repeats
@clipperchip @eingfoan @haentz ba dum tss
(DIR) Post #AQtc7KUyElbsCcd7HU by clipperchip@ioc.exchange
2022-12-23T10:27:34Z
0 likes, 0 repeats
@opal @eingfoan @haentz The issue I worry more about is should I ever lose/break my phone, I don't want to have to struggle to keep access. For 2FA I have a backup phone (also locked away) that is authorized to do that. I simply don't trust any mobile device to store any of my passwords because I can't tell what is really happening to that file.
(DIR) Post #AQtc7L0WLSqZmTOJSS by opal@ap.maladaptive.art
2022-12-23T10:53:36.471487Z
0 likes, 0 repeats
@clipperchip @eingfoan @haentz well i really do use https://www.passwordstore.org/ so i mirror my repository on my phone so i can have access while im away from my pc
im not worried about backups
(DIR) Post #AQwUXu0ubBSXilbsRM by elfinalied@freesoftwareextremist.com
2022-12-24T18:38:49.190268Z
1 likes, 0 repeats
@opal @eingfoan @clipperchip @haentz this sounds rad, I have been wanting a good phone solution for password management.