this post was submitted on 12 Mar 2024
1005 points (99.3% liked)

Technology

59457 readers
3512 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.

you are viewing a single comment's thread
view the rest of the comments
[–] Tier1BuildABear@lemmy.world 3 points 8 months ago (3 children)

Any company trying to get my data, really, and my passwords are the most sensitive of my data. Even if I coded one myself, and kept it completely local, my passwords are all in one place if that device gets compromised.

I can remember my passwords, so why take the gamble?

[–] ikidd@lemmy.world 4 points 8 months ago (1 children)

Well, you do you, but I'm happier with complex unique password locked behind a 2FA open source self hosted encrypted vault than I am remembering a few passwords shared amongst services. I have 400+ entries in it, and if I get hit by a bus, my wife has access to it with her yubikey.

[–] Tier1BuildABear@lemmy.world 2 points 8 months ago

You do you as well, one of the amazing things about all the technology we have available to us lol.

[–] JDubbleu@programming.dev 3 points 8 months ago* (last edited 8 months ago) (1 children)

Because by not using a password manager I guarantee you are duplicating passwords between services. This means the second a service you use is compromised, every single service you use with that same email/password combination is compromised. Even if every one of your passwords had a slight deviation malicious actors know people do this and will likely be able to write a program that attempts those deviations on other services. You're effectively leaving your security up to weakest link in services you sign up for, and security is more often implemented poorly than implemented well.

By using a password manager you generate a 20+ character long password that is unique to each service you use. These passwords being random and unique to each service protects you from rainbow tables and other hash table based attacks. In the event Bitwarden or another password manager you use is breached anything they get will be worthless as long as your master password is not compromised (which should only ever exist in your head) due to the data being encrypted at rest.

It is a similar concept to using a secure, trusted middleman for processing payments instead of giving your credit card to every single site that asks for it.

[–] Tier1BuildABear@lemmy.world 1 points 8 months ago (1 children)

Just curious, how do you know they're secure? Like how do you know it's only local and not being uploaded somewhere? I'm not about to tear through the code of open source password manager apps to make sure it's "safe" when I can keep track of them myself, but yes, I do see your point about that not being as safe as them being completely randomly generated for each account

[–] JDubbleu@programming.dev 3 points 8 months ago* (last edited 8 months ago)

The great thing about open source is that anyone can read the code. Even if you don't read every line yourself there are others who will. In popular projects it's pretty much a guarantee any suspicious or malicious changes get caught almost immediately due to the visibility of everything.

As for local-only I trust Bitwarden and their encryption schemes enough that I use their cloud sync, but you can always self host it in a Docker container with no Internet access if you're concerned about it.

[–] fosstulate@iusearchlinux.fyi 0 points 8 months ago* (last edited 8 months ago)

People should consider using a double-blind scheme with cloud-connected managers.

The service you're setting a password for gets the actual credential, being two components , whereas the manager gets only

Consider the example of U})wJAL0}RhIr')Rgs{,&^>I3/ versus U})wJAL0}RhIr')Rgs{,&^>I3/based

It protects against password database compromise at least. Keyloggers, MITM, etc. are another matter.