oslo.town is one of the many independent Mastodon servers you can use to participate in the fediverse.
An online home for the people of Oslo, Norway 🇳🇴 but a gateway to the world.

#passwordmanager


I like #Strongbox but a bit worried about this reddit.com/r/strongbox/comment

While I don't know too much about Applause, Reddit is not pleased at all. And generally if someone pays money (hopefully a lot because Strongbox is nice) they expect to earn it back with interest.

Maybe they do it by making Strongbox better and growing the user base, but usually it's too tempting to milk the existing user base.

I might give ProtonPass a try, or go back to Secrets, unless I remember why I switched away :-) or there is always Apple Passwords. Having it half enabled (for passkeys) is quite annoying so maybe I'll see how bad the new apps are. They seem to have family sharing nowadays.

Anyone have other suggestions for a good native #passwordmanager?

US seizes $23 million in crypto linked to LastPass breaches

U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.

#LastPass #PasswordManager #cryptocurrency #crypto #ripple #databreach #security #cybersecurity #hackers #Hacking

bleepingcomputer.com/news/secu

BleepingComputer · US seizes $23 million in crypto stolen via password manager breach, by Sergiu Gatlan

@sophieschmieg @neilmadden

IMO we need to stop coming up with algorithms to securely store "derivatives" of typically weak passwords, as

IT WILL FAIL.

From akkadia.org/drepper/SHA-crypt.:

In addition, the produced output for [...] MD5 has a short length which makes it possible to construct rainbow tables.

Please correct me if I'm wrong, but even in 2025 suggesting that a rainbow table is feasible for (let's cut a few bits for MD5 weaknesses) random numbers of 120 bits in length is BS (in order to create FUD).

If I'm right about that, the least bad thing to do is:

1) Everyone should use a password manager (pwmgr) because people simply do not have the ability to come up with a sufficiently strong password that is *unique for each account*, let alone for multiple accounts (sometimes hundreds), to remember them absolutely error-free, and to recall which password was chosen for which account.

Note: IMO password *reuse* currently is the biggest threat. Entering a reused password on a fake (phishing) website may have devastating consequences, because (when a password is reused for multiple accounts) chances are that ALL those accounts are compromised. Note that the complexity and uniqueness of the password are IRRELEVANT. And what KDF is used on the server is IRRELEVANT as well.

2) Let the pwmgr generate a (cryptographically) random password, as long and with as much entropy as allowed by the server.

3) Use a strong master password and NEVER forget it (typical beginner failure).

4) Make sure the database is backed up in more than one place, and make a backup after each modification.

5) Make sure that the device the password manager is used on *never* gets compromised.

6) Double check that https:// is used. Better, make sure to use a browser that blocks http:// connections and warns you (Safari on iOS/iPadOS now supports "Not Secure Connection Warning"). In all browsers such a setting is OFF by default: ENABLE IT!

7) On a mobile device: use "Autofill". The OS then transfers the domain name (shown in the browser's address bar) to the pwmgr. If a matching domain name is *not found* in the pw database, assume that you're on a (fake) phishing website! In that case: DO NOT ATTEMPT TO LOG IN by looking up credentials yourself. Reasons for 7, two examples:
----
fake: circle-ci·com
real: circleci.com
----
fake: lîdl.be
real: lidl.be
----

If people followed this advice (which is not just mine), even MD5 for storing a one-way derivative of the password on the server would be fine.

HOWEVER: don't use MD5 - because "never use MD5 for whatever" is easier to remember than "don't use MD5 if preimage attacks are possible".

P.S. I'm not a cryptographer (although I'm quite interested in the matter).
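Point 7 above is the mechanical heart of the post: a password manager that only offers credentials on an exact domain match defeats lookalike domains, because "circle-ci·com" and "lîdl.be" are different names from "circleci.com" and "lidl.be" once they are normalised the way a browser or the OS autofill layer does it (lowercase, NFKC, then IDNA/punycode). The following is an added example illustrating that check; it is not code from any of the posts here or from any password manager. The vault contents, the `VAULT` name, the `normalize_host`/`matching_entries`/`autofill_decision` functions and the sample hostnames are constructed for the illustration.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Constructed sample vault: entries keyed by the domain the account was created on.
# Hypothetical data for this example only; not from any real password manager.
VAULT: Dict[str, Dict[str, str]] = {
    "circleci.com": {"username": "user@example.org"},
    "lidl.be": {"username": "user@example.org"},
}


def normalize_host(host: str) -> Optional[str]:
    """Canonicalise a hostname the way a browser does before comparing it:
    trim, lowercase, Unicode NFKC, then IDNA (punycode), so that 'lîdl.be'
    becomes an 'xn--...' label that can never equal the ASCII 'lidl.be'.
    Returns None when the string is not a valid IDNA hostname at all."""
    host = unicodedata.normalize("NFKC", host.strip().lower().rstrip("."))
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def matching_entries(
    browser_host: str, vault: Dict[str, Dict[str, str]]
) -> List[Tuple[str, Dict[str, str]]]:
    """Return vault entries whose stored domain equals the browser host or is a
    parent domain of it (login.circleci.com matches circleci.com).
    Lookalike strings never match: the comparison is on exact labels,
    not on visual similarity, and the middle dot in 'circle-ci·com' is not
    a label separator, so that string has no 'circleci.com' suffix at all."""
    host = normalize_host(browser_host)
    if host is None:
        return []
    matches = []
    for stored_domain, entry in vault.items():
        stored = normalize_host(stored_domain)
        if stored is not None and (host == stored or host.endswith("." + stored)):
            matches.append((stored_domain, entry))
    return matches


def autofill_decision(
    browser_host: str, vault: Dict[str, Dict[str, str]] = VAULT
) -> Tuple[str, List[str]]:
    """The gate the post describes: offer credentials only on an exact domain
    match; otherwise return 'no-match', which the user should treat as a
    phishing signal rather than a reason to search the vault by hand."""
    matches = matching_entries(browser_host, vault)
    if matches:
        return "fill", [entry["username"] for _, entry in matches]
    return "no-match", []


if __name__ == "__main__":
    # The two fake/real pairs from the post plus a subdomain and a prefix lookalike.
    for host in [
        "circleci.com",
        "login.circleci.com",
        "circle-ci\u00b7com",   # U+00B7 MIDDLE DOT, as in the post's first example
        "lidl.be",
        "l\u00eedl.be",         # U+00EE, as in the post's second example
        "evil-circleci.com",
    ]:
        decision, users = autofill_decision(host)
        print(f"{host!r:24} -> {decision} {users}")
```

Running the block prints `fill` for `circleci.com`, `login.circleci.com` and `lidl.be`, and `no-match` for the two lookalikes and for `evil-circleci.com`. The design point is that the match is done on the browser-supplied, IDNA-normalised host against stored domains, never on what the user thinks the page looks like; a `no-match` result is the moment to stop, exactly as point 7 says.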

Someone really should start another not self-hosted, non-US-based, Password Manager. I only know of two:

1) Heylogin
2) pCloud

(1Password is owned by a Canadian company, which is owned by a US company.)

1) Heylogin - Sucks.

It is completely tied to your phone. Using their web browser extension? Check your phone. Want to log in to a site? Check your phone. Want to update login details? Check your phone.

You ever lose or damage your phone, you're f-cked. It is not designed for multiple devices either.

2) pCloud

It is indeed outside US jurisdiction. The company is not owned by any business in the USA. It does not own any businesses itself in the USA. But they do resell services in the USA, and the only way to avoid being assigned to one of those US servers is to use a VPN so you'll be forwarded to their European servers.

From their own documentation:

"As a consequence API calls have to be made to the correct API host name depending where the user has been registered – api.pcloud.com for United States and eapi.pcloud.com for Europe."

#PasswordManager #Password #Security #Privacy