98
Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)
(www.helpnetsecurity.com)
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
Community Rules
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
Stop using "the cloud" to store your passwords. Unless you control said cloud, you have to trust someone to not fuck up their security that you now depend on. Everyone eventually does.
The difference is also, that someone who's job is storing other people's passwords is by definition a target. So is the fuck up, someone will notice. If you host those yourself, or you rent a place where you can host them for yourself, that is just one person's server. The interest and possible gain for someone gaining access is so small, it's even unlikely. So when you inevitably fuck it up, the chances someone notices before you do are relatively small.
That probably works well for people who are able to self host.
I use cloud password storage. I don't have the knowledge, time, or inclination to self host.
In this context "self host" can ironically mean using a cloud service for hosting. You can use a file based password manager and just sync the database. Solutions like KeePass have apps for many platforms, and they can often even directly load from cloud storage, like Google drive, OneDrive or DropBox. The password database is strongly encrypted, and even if your storage gets compromised, your passwords are still safe (assuming a good password or some then better security was used to encrypt it).
You give up the convenience of having a single service and having to get each device to access the file. But that's it. It's not that hard and so much better than a password service, even if just for their attack surface, or the "likely target" these are.