Comments
Yeah, jolly good.
Dogshit.
It's what's for dinner!
I've looked back at Keepass and a couple other tools since this thread started, and I've decided: Passwords are overrated. Make EVERYTHING a one-time password.
"I forgot my password" and a reset link via SMTP is inherently more secure than anything besides not using the service.
There's really no need to guess for anyone that has experience running their own business. The biggest major cost for a new company is going to be from getting and retaining customers. Everything is essentially a sunk cost until you're generating that revenue! You can puff your chest up all you like, and whether or not you can actually back that up makes not one whit of difference unless people are buying your product.
IMO Password management should not be 'in a service'. It's not a tricky problem like email deliverability.
Use keepassXC and contribute to it if you can.
I use Keepass in read/write mode from 1 of two workstations (thinkpad if I'm on road), and read-only mode from all other devices.
The password db is synced with Dropbox on all my platforms. Simple. Worked for 9 years so far.
I've used KeePassX for years (now updated to KeePassXC thanks to this thread) and I'm totally happy. Sync using dropbox and you're golden.
I tried 1Password and LastPass for a while but always came back to keepass.
For what it's worth...
I'd emailed the founder of AB last year (long before the subscription change) and he and I exchanged a thread - seemed like a nice guy and interested in improving his product.
I followed up when I found out about the subscription change and told him how disappointed I was. He replied and said (in part):
"I know not everyone wants to use subscriptions and that's why we are NOT forcing it upon you. Simply select 'More Options' from the setup screen and you're able to set things up just the way you've always have."
Well, not a major one, but..
https://bugs.chromium.org/p/project-zero/issues/detail?id=1209
That's what the dev of OpenSSL was saying.
What exactly doesn't qualify it as major? You get full access to the passwords.
Plus...
Welp, I'm done with LastPass. Fuck up badly once, fine. Fuck up badly twice..
Anyone tried bitwarden?
I don't understand why Google/Apple don't just build this into their OSes and have it sync to mobile. They offer all that free storage; how much transactional cost is there in implementing this?
Also, do the mobile versions of these apps kill battery while waiting in the background for a password to be needed by the user?
I don't get why they don't build it into their operating systems. I mean WTF
Welp, shit, must have misread the thing yesterday.
I guess it's time to migrate to something else..
I like the part when LastPass said they couldn't get his calc.exe starting exploit to work on MacOS.
I need to migrate asap.
"Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases."
http://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/
Hahahaha!
Also very funny: So much about the, oh so much hard work to build super-duper-secure client-side code. Hahaha.
Who's the idiot, now?
Bullshit. Not being able to say that and not applying that is the major reason for *ssl's plethora of vulnerabilities.
Some F* people are currently working on creating a verifiable ssl/tls codebase.
The major problem is btw not even the lousy code of the guys at lastpass or others.
The problem is that browsers are the single most big, fat, bloated, insecure pile of crap on our systems - and - that the users happily buy the bullshit of the browserguys, shit like "sandboxing" and whatnot idiotic attempt du jour to somehow make people believe their lousy crap was somehow safe. Well, no, it is not and worse, it can not be safe.
There simply is no way to somehow make secure a codebase of millions of lines containing ultra-crap like javascript (plus interpreter/jit), half an OS, plus whatnot ... all written in C or C++.
It's hard enough to have a tight knit team of experienced developers to produce relatively small code bases of at least reasonable quality in C or C++, based on good and tested specs.
Browsers, however, all of the major ones, are created by large armies of developers based on anything between "someone wrote the 'spec' in plain english in 1990", diverse (utterly floating and imprecise) "standards", and "hey, someone just came up with som'in cool!".
I btw. honestly believe that at least some major browsers would really honestly like to make their crap reasonably secure - but to do that one would need to start all over fresh (which quite probably nobody will do).
That's why in our offices I have placed some "internet stations" which can be used by everyone - but nobody is allowed (or able) to have an internet connection at his work-system. Particularly developers. They don't like that, neither do I but it's the only way I see to keep us reasonably secure.
That's precisely when I said "Enough."
What you migrating to?
Right now I'm converting their "CSV encapsulated in Javascript everywhere" export to KeePass v1 compatible XML. Then I'll test a few different things. I don't like anything I've tried so far, though. Each OS-agnostic tool has an annoying "I NEED TO BE IN FRONT" interface that slows down the fact I don't give a shit and just want it to work.
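The CSV-to-KeePass-1.x-XML conversion mentioned above, as an added example (my own script, not the poster's). It assumes the column header LastPass uses for its CSV export (`url,username,password,extra,name,grouping,fav`) and the `pwlist`/`pwentry` element layout of a KeePass 1.x XML export; both are written from memory and should be checked against a real export before trusting the import. The step that matters when migrating vault data is XML escaping: passwords routinely contain `&`, `<`, `>` and quotes, and hand-built string templates silently corrupt or truncate those entries, so the script builds the tree with ElementTree and parses its own output back to prove the round trip is lossless. The sample CSV is constructed for the example.

```python
import csv
import datetime as dt
import io
import uuid
import xml.etree.ElementTree as ET

# Constructed sample in the LastPass CSV export layout (assumed header).
# The first password deliberately contains XML-significant characters and a
# doubled quote, the CSV way of embedding a quote inside a quoted field.
SAMPLE_CSV = """url,username,password,extra,name,grouping,fav
https://example.com/login,alice,"p&ss<w>ord""1",some note,Example,Web,0
http://sn,,,Secure note body,My note,Notes,0
"""

# Assumed KeePass 1.x conventions: "never expires" sentinel and timestamp format.
NEVER_EXPIRES = "2999-12-28T23:59:59"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_lastpass_csv(text):
    """Parse a LastPass-style CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def build_keepass1_xml(rows, now=None):
    """Render rows as a KeePass 1.x style <pwlist> document (assumed layout).

    ElementTree escapes &, < and > in text nodes for us, so a password such as
    p&ss<w>ord"1 survives intact instead of breaking the importer.
    """
    stamp = (now or dt.datetime(2017, 3, 22, 12, 0, 0)).strftime(TIME_FMT)
    root = ET.Element("pwlist")
    for r in rows:
        e = ET.SubElement(root, "pwentry")
        ET.SubElement(e, "group").text = r.get("grouping") or "General"
        ET.SubElement(e, "title").text = r.get("name") or ""
        ET.SubElement(e, "username").text = r.get("username") or ""
        ET.SubElement(e, "url").text = r.get("url") or ""
        ET.SubElement(e, "password").text = r.get("password") or ""
        ET.SubElement(e, "notes").text = r.get("extra") or ""
        ET.SubElement(e, "uuid").text = uuid.uuid4().hex  # fresh 16-byte id per entry
        ET.SubElement(e, "image").text = "0"
        for tag in ("creationtime", "lastmodtime", "lastaccesstime"):
            ET.SubElement(e, tag).text = stamp
        ET.SubElement(e, "expiretime", expires="false").text = NEVER_EXPIRES
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body


def parse_keepass1_xml(xml_text):
    """Read the generated XML back so the conversion can be verified."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    out = []
    for e in root.findall("pwentry"):
        out.append({
            child.tag: (child.text or "")
            for child in e
            if child.tag in ("group", "title", "username", "url", "password", "notes")
        })
    return out


def convert(csv_text):
    """CSV text in, XML text out, with a round-trip check on every password."""
    rows = parse_lastpass_csv(csv_text)
    xml_text = build_keepass1_xml(rows)
    back = parse_keepass1_xml(xml_text)
    for src, dst in zip(rows, back):
        if (src.get("password") or "") != dst["password"]:
            raise ValueError("password for %r did not survive conversion" % src.get("name"))
    return xml_text


if __name__ == "__main__":
    # Write the converted sample next to the script; import it into an empty
    # KeePass 1.x database first, never into the live one.
    with open("converted.xml", "w", encoding="utf-8") as fh:
        fh.write(convert(SAMPLE_CSV))
```

The round-trip check in `convert` is the part worth keeping when adapting this to a real export: a migration that drops or mangles a handful of entries is easy to miss until the day you need that one password.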
If you expect no vulnerabilities to ever appear in a service I'd say that's a bit naive. Thus the reason for only using it to store things that are not critical or career/life ending if compromised. People make mistakes and you can always count on them to do it time and time again.
Don't throw the baby out with the bath water I guess is what I'm saying. If you're going to use a service for storing some passwords, use one that you're sure will have fast response times to issues, not one that has never been found vulnerable. Having never been found vulnerable means three things to me:
That's a racist remark -_-
No, he's referring to India as a country, not of Indians as a race or ethnicity. (India is multi-ethnic, too, by the way.)
Bug bounty programs are uncommon in India. The title "Software Engineer" is handed out liberally. These are characteristics of India as a country.
So is having quite some quite good universities. Real universities (as opposed to the politicized crap organisations in certain countries producing clueless ego-driven "hackers"). Just saying.
That's a racist remark -_-
4 - The exploit(s) have not been disclosed but sold to hmm actors.
And while you are right in your assessment, it should be pointed out that not all product teams are similarly capable, especially when it comes to security. A team employing for example Stefan Esser is much more probable to have given vastly more care on how to make stuff right than a team with great programmers but not security experts.
Maybe I'm not understanding your statement but Apple does that: Keychain. It works on OSX and iOS and syncs via iCloud (natch).
OK, I confess it, I'm a racist due to thinking that Indians are not stupid and uneducated.
To make it worse I also think that 2 bathrooms, one for ladies and one for gents, is sufficient.