this post was submitted on 28 Sep 2023
323 points (75.7% liked)

Games

32957 readers
921 users here now

Welcome to the largest gaming community on Lemmy! Discussion for all kinds of games. Video games, tabletop games, card games etc.

Weekly Threads:

What Are You Playing?

The Weekly Discussion Topic

Rules:

  1. Submissions have to be related to games

  2. No bigotry or harassment, be civil

  3. No excessive self-promotion

  4. Stay on-topic; no memes, funny videos, giveaways, reposts, or low-effort posts

  5. Mark Spoilers and NSFW

  6. No linking to piracy

More information about the community rules can be found here.

founded 2 years ago
MODERATORS
 

Larion Studios forum stores your passwords in unhashed plaintext. Don't use a password there that you've used anywhere else.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 91 points 1 year ago (4 children)

Don’t use a password ~~there~~ that you’ve used anywhere else

Just get a password manager already

[–] [email protected] 74 points 1 year ago (3 children)
[–] Spacecraft 11 points 1 year ago (1 children)

I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.

[–] Belazor 7 points 1 year ago

The only problem with their SSH agent is, if you store let’s say 6 keys and the server is set to accept a maximum of 5 keys before booting you, and the correct key happens to be key number 6, you can end up being IP banned.

This happened to me on my own server :P

That being said, my experience was using the very first GA release of their SSH Agent, so it’s possible the problem has been sorted by now.

[–] [email protected] 10 points 1 year ago

BitWarden is awesome. Been using it since 2 of my colleagues went to work for them

[–] [email protected] 1 points 1 year ago (1 children)

How is this better than Firefox built-in password manager?

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Firefox is extremely easy to get your password from behind the *** if it autofills. Requires physical access, but literally takes seconds. Right click the field, inspect and change the field type from password to text.

[–] [email protected] 2 points 1 year ago (1 children)

So if my passwords are behind fingerprint there's no problem?

[–] [email protected] 1 points 1 year ago (1 children)

On mobile I'm assuming. I personally don't know a way to bypass the fingerprint locks. And if you're also having Firefox create random difficult passwords, its significantly better than reusing the same one. So you're probably a much harder target than the majority of people. I'd have to double check but I think even on desktop if you have a master password for Firefox and don't just have logins auto filled you're probably good there too.

[–] [email protected] 1 points 1 year ago

Thank you. I do use master password on everything. This does ease my mind a bit.

[–] Ledivin 30 points 1 year ago* (last edited 1 year ago) (5 children)

I just wanted to drop a reminder that both LastPass and Norton LifeLock have been hacked within the past year alone.

[–] [email protected] 31 points 1 year ago

KeePass is a thing that exists and is fantastic.

[–] [email protected] 23 points 1 year ago (2 children)

I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.

[–] [email protected] 12 points 1 year ago (1 children)

Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?

[–] [email protected] 14 points 1 year ago (1 children)

I don't know what you're trying to say. I think it was safe to assume Salty probably meant the local-based keepass or something like that?

I wouldn't have immediately gone to text doc or spreadsheet. those aren't password managers.

[–] [email protected] 3 points 1 year ago (1 children)

The only annoying part about the modern world is that you want to have that keepass file synchronized between devices, at which point you either go down the path of something like Synchthing (not mainstream user friendly) or you just end up asking yourself "fine, what cloud service do I trust to not go looking at my files?"

[–] [email protected] 2 points 1 year ago (1 children)

I always synced my database manually either directly over usb, or wifi (KDE Connect). I have to admit that it's not really user friendly, but once I got used to it, it's no problem at all.

And uploading it to any cloud service should be fine as long as it's encrypted with a strong password. But that kind of defeats the point of an offline password-manager in my opinion.

[–] [email protected] 2 points 1 year ago

I have mine in a self hosted Nextcloud instance, best of both worlds

[–] [email protected] 1 points 1 year ago

Good advice only for tech-savvy and people who are interested in self-hosting. There's so many things that can go wrong like improper backups and accidental networking problems.

[–] neatchee 9 points 1 year ago (1 children)

And here's a reminder that trusting centralized service with high security access control is usually a bad idea.

I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time

[–] [email protected] 1 points 1 year ago (1 children)

Offline password managers like KeepassXC are a thing, plus self hosted remote storage like Nextcloud means you're not worried about any third party interference

[–] neatchee 1 points 1 year ago* (last edited 1 year ago)

I use Pleasant Password Manager, which is keepass compatible. Big fan of offline cache with online sync for access anywhere with an internet connection on top of my phone offline

[–] [email protected] 7 points 1 year ago (1 children)

Use KeePassXC and you can't get hacked

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

Well, you can. But you have to be PERSONALLY hacked. At which point you're at a level of risk equal to "will my house burn and my notebook full of passwords get lost?"

[–] Vash63 0 points 1 year ago* (last edited 1 year ago) (3 children)

And at least for LastPass no passwords were compromised. Saying they "were hacked" and leaving the extent of the hack out implies something worse IMO, it's misleading. The safes themselves are E2E encrypted so they also don't have your password.

That said, my vote is to Bitwarden as it's open source and allows self hosting if you think you're a more reliable admin than they are. Open plus more choice is always better.

[–] [email protected] 5 points 1 year ago

And at least for LastPass no passwords were compromised

I'm just going to leave this here:

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

[–] [email protected] 4 points 1 year ago

Just this month a link was made between $35 million in crypto being stolen and the 150 victims being LastPass users.

In 2022 Lastpass was compromised through a developer's laptop and had customer data like emails, names, addresses, partial credit cards, website urls, and most importantly vaults stolen last year, and given they're closed source, have no independent audits, and don't release white papers, we have no idea how good their encryption schemes actually are nor if they have any obvious vulnerabilities.

In 2021, users were warned their master passwords were compromised.

In 2020 they had an issue with the browser extension not using the Windows Data Protection API and just saving the master password to a local file.

What will 2024 bring for LastPass? They were hacked, and there's no reason to think they won't see more breaches of confidential customer information and even passwords in the future. This is a repeated pattern, and I'd better trust a post-it-note on my monitor for security than LastPass at this point.

[–] BigDiction 1 points 1 year ago

This is true, but they have your encrypted vault, and all the technical data to make unlimited informed attempts at cracking it. If you used LastPass, you definitely need to be changing passwords for your critical services at a minimum.

[–] dpkonofa 4 points 1 year ago (1 children)
[–] CuddlyCassowary 1 points 1 year ago

I literally trust them with my life. Agreed.

[–] [email protected] -4 points 1 year ago

This is the correct answer.