this post was submitted on 28 Sep 2023
2275 points (98.1% liked)

Memes

45665 readers
1154 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (6 children)

Missing the whole point. Companies will not stop serving ads or selling data. Setup custom dns from somewhere like nextdns or a private pihole computer on your network. It works in windows, can get a micro pc from eBay or Amazon for <$150, then block ANYTHING you don't like.

I don't see ads at all anymore at home, in fact it's jarring when a page takes 2x time to load because of ads and shit.

Get these plugins at bare minimum: Ublock origin Sponsorblock Bitwarden or similar (not LastPass) for strong password management.

Stop crying about companies and take some steps to protect yourself.

[–] [email protected] 15 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago (1 children)

i don't know why people act like complaints aren't valid and useful

[–] [email protected] 0 points 1 year ago

If you're just going to complain, then just stfu and move on. There are a number of fixes that anyone who can follow directions can implement.

If you're complaining but doing nothing to fix it, you're wasting your time.

[–] [email protected] 9 points 1 year ago (1 children)

That's not going to stop Reddit from tracking your interactions with their site if you use it. They will sell your activity to whoever wants it. Updoots, posts read, subscriptions, saves - all potentially valuable data about a potential customer's interests.

[–] [email protected] 0 points 1 year ago

If everyone starts blocking ads, who cares where my "data" goes.

[–] [email protected] 3 points 1 year ago

Why not both. Protecting yourself from shitty behavior is important, but so is calling it out when you see it.

[–] [email protected] 3 points 1 year ago (1 children)

jfc do not use LastPass. They have a proven track record of shitty security practices and multiple breaches.

1password, bitwarden, keeper, even chrome but not LastPass.

[–] [email protected] 1 points 1 year ago

We have also KeePass for a local/non-internet solution

[–] [email protected] 2 points 1 year ago

Installing uBlock is so easy, it blows my mind when people won't do it. You set it and forget it, and no more ads. WTF, people.

[–] [email protected] 2 points 1 year ago (3 children)

What is wrong with last pass?

[–] [email protected] 6 points 1 year ago (2 children)

All vault data has been stolen in the past, and while the data is encrypted, apparently the encryption is not strong enough and there are reports that some of the vault has been decrypted by hackers: https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

[–] [email protected] 3 points 1 year ago (1 children)

Just about every centralized service will be breached at some point. At least they have a cybersecurity team and everybody got notified and can act accordingly. If you choose another just because they haven't been hacked, it's just a matter of time. I think they're still a viable option, just be ready to react to notices like these.

Personally, I chose the self-hosted route, but that comes at the cost of maybe never knowing if you get breached until its too late.

[–] [email protected] 2 points 1 year ago (1 children)

Normally I'd agree with you, but in the case of lastpass, I have to disagree. Ever since they're bought by LogMeIn, not only they significantly increased the price, they also have security incidents after security incidents, with the worst one in 2022, not to mention a bunch of vulnerabilities that seems so basic it shouldn't be a problem on other password managers. There were also shenanigans where they seemingly intentionally broke data export to slow down exodus of their users to other password managers.

They were recently spun off as a separate company from GoTo/LogMeIn, but at this point I have lost faith and would not recommend lastpass at all.

[–] [email protected] 1 points 1 year ago

Fair enough. Thanks for the extra context.

[–] [email protected] 0 points 1 year ago (4 children)
[–] [email protected] 3 points 1 year ago (1 children)

Bitwarden, or vaultwarden if you want to self-host it

[–] [email protected] 1 points 1 year ago (2 children)

I’m interested in vaultwarden, what do you think about self hosting it?

[–] [email protected] 1 points 1 year ago

I've never tried it, but from what I've read it isn't too difficult; it is something I'd like to eventually get set up. I expect you'd want either a static IP address or a dynamic DNS service to access it remotely.

You can also self-host the main bitwarden implementation, vaultwarden is just generally preferred because it's much lighter-weight, mostly because it's written in Rust instead of Typescript

[–] [email protected] 1 points 1 year ago (1 children)

It's super easy to self host (assuming you're familiar with docker), doesn't take too much server resource, and will give you access to features normally gated behind bitwarden subscriptions. Way better then the official self-hosted version. The main disadvantage is while it's open source, the code hasn't been audited yet, which might be a deal breaker for people obsessed with security.

[–] [email protected] 0 points 1 year ago (1 children)

Yeah I read it’s a bit double edged but would anyone ever want to audit a open source software that can Take over a paying one?… might just take the jump.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

It's actually starting to get common for open source password manager to get audit, often free of charge by a security company. Whether the project actually compete with a commercial project doesn't seem to matter because the goal is to assess security.

KeePassXC was recently audited for example: https://keepassxc.org/blog/2023-04-15-audit-report/

1Password, another popular opensource password manager, has also been audited: https://support.1password.com/security-assessments/

Bitwarden (including the selfhosted component) has also been audited: https://bitwarden.com/help/is-bitwarden-audited/

So it's not really strange for people expressing interest to get vaultwarden audited.

[–] [email protected] 0 points 1 year ago (1 children)

What is the diff between keypads, 1password and vailtwarden?

[–] [email protected] 1 points 1 year ago (1 children)

KeePassXC doesn't do any cloud syncing stuff. If you want your vault to be available on multiple devices, it's up to you how to achieve that (e.g. by putting the vault database file inside dropbox/gdrive/nextcloud, etc). Some people prefer this approach because they don't trust centralized vault services.

1Password and BitWarden are competitors and offer largely similar services (e.g. syncing your vault across all devices you own). BitWarden paid service is cheaper though, so it's more popular. Note that bitwarden free account is already good enough, the paid service offers some convenient features which actually pretty nice to have though, such as storing TOTP data in your vault.

VaultWarden is an alternative implementation of bitwarden server. If you're into self-hosting and want to host bitwarden vault on your own server, you can install it in your own server. It implements almost all bitwarden features, even those that only available in the highest subscription tier.

[–] [email protected] 1 points 1 year ago

Thank you very much. Vault warden it is!

[–] [email protected] 3 points 1 year ago (1 children)

I have migrated to bitwarden years ago, but still curse myself why I didn't immediately delete my lastpass account back then before the breach.

[–] [email protected] 0 points 1 year ago

Then I shall go to bitwarden

[–] [email protected] 2 points 1 year ago (2 children)

using passwords you can remember instead of An8sdfd8h4indf!id8 just because it's harder to brute force

[–] [email protected] 1 points 1 year ago

Passwords you can remember is a problem if you have multiple sites.

While I love XKCDs HorseBatteryStaplerOkay! strategy... that works well for 4-5 passwords, if you have 20+ passwords you'll pretty much wind up re-using, and if it turns out one of the 20 sites had garbage protection and gets fully hacked, any sites you used the same is also going to be vulnerable.

Personally still gotta say go with keepass or bitwarden (selfhosted if possible).

[–] [email protected] 0 points 1 year ago

It’s not just about the password you can remember it’s being able to patch your securities in case of a hack/malware or attack; Remembering a password is low on my list at that point

[–] [email protected] 1 points 1 year ago

If you are worried about people getting ahold of your vault if the company has a breach, then keepass and come up with you own system of syncing the file. It's a local file so is always under your control.

[–] [email protected] 1 points 1 year ago

Repeatedly have data stolen and data leaks. Fuck them. Also bait and switch to a one device or pay.