this post was submitted on 31 Oct 2023
83 points (98.8% liked)

Cybersecurity

5773 readers
90 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago
MODERATORS
kid
[email protected]
83
LastPass breach linked to theft of $4.4 million in crypto (www.bleepingcomputer.com)
submitted 1 year ago by [email protected] to c/cybersecurity
15 comments fedilink hide all child comments
top 15 comments
sorted by: hot top controversial new old
[–] sugar_in_your_tea 3 points 1 year ago (3 children)

Another reminder to not put all your eggs in one basket. Maybe this will convince me to self-host my password manager.

[–] ALERT 7 points 1 year ago

vaultwarden is perfect. go ahead and host it!

[–] tail 4 points 1 year ago (2 children)

Better yet keep it all offline

[–] sugar_in_your_tea 2 points 1 year ago

Nah, the UX of a browser extension is really nice, especially since it seamlessly syncs between my phone, work computer, personal laptop, and personal desktop.

That said, I would never put cryptocurrency keys in the cloud, that stays offline. But bank accounts have insurance and most other important services have MFA, so just moving my passwords to a self-hosted server is good enough for me.

[–] [email protected] 1 points 1 year ago

I'm not too sure that the relative additional security, considering most people's threat models, really justifies this much inconvenience. YMMV I guess.

[–] spaghettiwestern 4 points 1 year ago (1 children)

In 2015 when Lastpass was purchased by Logmein was what convinced me to move to Keepass and ultimately KeepassXC. Syncthing on Linux, Android and Windows, a complex password and separate key file provide multiple layers of security. It works reliably and provides easy access to login information on any device.

[–] sugar_in_your_tea 4 points 1 year ago (1 children)

I'll have to look at it again, but the last time I did, the inconvenience of it not being integrated with my browser kept me away. Bitwarden has been audited, is open source, and can be self hosted.

[–] spaghettiwestern 3 points 1 year ago* (last edited 1 year ago) (2 children)

KeepassXC has a browser addon that works well for most sites, but I don't think you can go wrong with Bitwarden either.

[–] decisivelyhoodnoises 2 points 1 year ago (1 children)

I think you meant to type keepassxc

[–] spaghettiwestern 2 points 1 year ago

That I did. Thanks.

[–] sugar_in_your_tea 1 points 1 year ago (2 children)

I'll have to look into it again.

Is there anything for Android autofill in apps? It's not a deal breaker, just nice to have.

[–] decisivelyhoodnoises 3 points 1 year ago (1 children)

Keepassxc has a keyboard which you can change to and it fills fields without typing (you need to type your master password though)

[–] sugar_in_your_tea 1 points 1 year ago (1 children)

Does it stay unlocked for a while (say, an hour or so)? If so, that's absolutely an option. I use a very long password, so having to do it every time would be extremely tedious.

[–] decisivelyhoodnoises 2 points 1 year ago* (last edited 1 year ago)

Yes you can set the timeout duration

[–] spaghettiwestern 2 points 1 year ago

There is, but I can't tell you anything except that it exists. I use passwords so infrequently on Android that I've never bothered with it.