this post was submitted on 14 Mar 2024
404 points (98.6% liked)

Privacy

31871 readers
406 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I went in to delete mine. Was forced to put in my real name and current employer without any way to opt out. So for a short brilliant moment I was Bobo Bobolicious of Bob's Boat Oars

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 8 months ago (5 children)

What's a good multiplatform password manager these days? I've been meaning to move away from LastPass for forever (and update my passwords in the process), I just haven't found the time to sort through all of that.

[–] [email protected] 38 points 8 months ago (2 children)

I really like BitWarden. Benefits:

  • open source - can even host your own storage server if you want (e.g. vaultwarden)
  • security audited
  • free - has paid tiers, but you probably don't need them
  • apps - Desktop (Linux, Windows, macOS), browser extension (basically all of them?), mobile, command-line, web app

It has some neat features and hasn't annoyed me too much yet.

[–] [email protected] 4 points 8 months ago

Also nearly complete rolling out Keypass/Webauthn compatibility!

[–] [email protected] 3 points 8 months ago (1 children)
[–] [email protected] 2 points 8 months ago

I just moved from Dashlane it was painless

[–] [email protected] 16 points 8 months ago (1 children)
[–] [email protected] 2 points 8 months ago

I'll have a look, thanks

[–] [email protected] 8 points 8 months ago (4 children)

Say what you want about old timers but [ Notebook and Pencil ] has a 100% success rate if the attacker doesn't have physical access.

[–] [email protected] 4 points 8 months ago (1 children)

Actually, that would make it easier to fall for a phishing page. My browser extension will only offer to fill example.com. If I'm on exarnple.com, it won't. This makes me say "hmm, why no match for this page? ah! the domain is different". With a notebook, I'd happily type the password in just the same.

[–] [email protected] -3 points 8 months ago

PEBKAC isn't really an argument greater than a Strawman. If you're saying operators can't be trusted to be competent you might as well argue that these people shouldn't own computers or cellphones, or kitchen knifes or other things that require a minimum competence.

[–] [email protected] 4 points 8 months ago (1 children)

Sure, but that's where the cross platform comes in, because I'd rather not have to lug said notebook around with me.

[–] [email protected] 2 points 8 months ago (1 children)

Convenience and Security are different goals. You can either put security before or after convenience.

[–] [email protected] 1 points 7 months ago

I'm gonna go for taking reasonable action of fortification and then try my luck.

And negative, usable security is a delicate balance of security and convenience. It employs various layers of usable redundant security methods that keep things to the best possible and reasonable level of security available, while also maintaining useful defense. If I were doing anything rendering me a target of a malicious actor, that's a different story. But run of the mill individual passwords for each website/service coupled with 2FA along with password database encryption is enough to keep a nobody like me reasonably comfortable.

[–] [email protected] 2 points 8 months ago

I’m not typing a 64-character random string from a notepad everytime I log in somewhere tho

[–] [email protected] 1 points 8 months ago

And an encrypted vault probably has a near 100% success rate even if the attacker has access to it given a sufficient vault password.

[–] [email protected] 5 points 8 months ago
[–] [email protected] 1 points 8 months ago (1 children)

KeepassXC with iCloud sync is my setup at the moment.

[–] [email protected] 1 points 8 months ago (1 children)

With iCloud? Really? Just WAO!

[–] [email protected] 4 points 7 months ago (2 children)

It’s an encrypted database and I am not tech savvy enough to self host a sync service.

[–] [email protected] 2 points 7 months ago (1 children)

I get it, and I'm sorry that I cake across as insensitive to that. Reading my comment again, I can see that I sounded just like an "Arch Master Race" Looney. On the other hand, none of us knew how to self-host, but each of the ones that do it now, learned. It's about privacy and how much you want to move away from our dependence on big tech (privacy). You could start with something as simple as SyncThing on your computer, and slowly scale from there as you learn. I would even argue that you could use something like sync.com, only to start at least segregating who could potentially have your data, my understanding is that they run a zero-knowledge model, even for the free tier. More importantly, suggesting to others to use Apple, Google, Microsoft or any of the other huge offenders out there, you could be looked down upon as a troll by in these privacy instances. I hope you can get away from Apple's grasp as much as possible at some point, and feel free to come and ask, many of us have already walked the rockiest roads to that freedom, and we're more than willing to share and help. Good luck.

[–] [email protected] 2 points 7 months ago (1 children)

Thanks for the advice!

My Apple devices are from work and we are able to use them privately with admin rights. On my private account I have mostly open source software like Quodlibet for my music collection, Firefox, Inkscape, and so on. My Mailaccount is from a small German privacy by design provider. I have a Synology NAS I run Paperless NGX and Jellyfin on. I switch Operating systems regularly.

I think I am well set up 😁.

[–] [email protected] 1 points 7 months ago

Yes you are Sir. You're on the greener side of the fence, for sure.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

I question whether a lot of people even need sync.

Passwords in general don't change for long periods of time. Really the only rationale for doing so is confirmed or suspected compromise (two-factor processes make this rarer still). It doesn't strike me that an almost permanently static input merits regular synchronization.

The alternative is doing a one-off manual sync (copy and paste) between two local DBs, then locally moving one of them to the target device. Zero online connectivity has to dramatically reduce attack surface. Is five minutes' maintenance per year an unacceptable convenience penalty to pay?