2023 Security Check-up Reminder

Virgin moron who boasts about his 66GB porn collection under his real name responds to this thread and comments on KF's opsec

more about him on his thread
 
Possible Woman Moment ™️, but I refuse to have any passwords available online, including a password manager, saved via browser, etc. Got a notebook with a lock on it and a hidden key. If someone’s breaking into my house, I have more problems than my Protonmail account getting hacked.

You could spend a pretty chunk of change installing security and alarms for your new car— or, you could buy a $40 steering wheel lock, 1970s style. Sometimes what always worked, still works.
Yeah I have a major mental block when it comes to password managers. I know Josh always recommends them but I feel like I am handing my passwords to a service I have no reason to trust.

@Null you know a lot about this stuff; could you explain to me why I am mistaken about password managers?
 
Remember, friends, KF had a database breach a few years ago (iirc it was mostly a dump of emails, IP addresses, and usernames from the last several hundred people who connected to the site). Someone tried to breach late last year. It can happen again.

Privacy Tool's website endorses SurfShark VPN, but I don't trust a company that YouTubers shill.
 
I'm also ditching LastPass. Had an IT vendor at work today tell us that it's not safe anymore.
TL;DR They have weak key derivation mechanisms for a lot of older accounts still in place since forever, but claim no one was at risk because the attacker would not be able to decrypt the gathered data. Which is also not true because URLs for services were apparently not being encrypted, because they were regarded as "not sensitive".
Early accounts have something like 1000 iterations of PBKDF2 which can be broken apparently (compare that to 100k iterations on newer accounts).



Just read the comments of all the people mad about never having their master key re-generated with better security.

PS: Oh right, that's from 2021. They were hacked again in 2022 because they didn't change their own keys/passwords IIRC. Who would want to leave their passwords there, wtf...
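To put numbers behind the iteration counts quoted in the post above, here is an added Python example (not from this thread and not LastPass code) that derives a vault key with PBKDF2-HMAC-SHA256 at 1,000 and 100,000 iterations and times each derivation. The master password, salt and the 10-million-candidate wordlist size are constructed placeholders; the iteration counts are the ones the post cites, not independently verified here.

```python
import hashlib
import os
import time

# Iteration counts as quoted in the post above: ~1,000 for early LastPass
# accounts versus ~100,000 for newer ones (figures from the thread, not verified here).
OLD_ITERATIONS = 1_000
NEW_ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit vault key


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a vault key from a master password with PBKDF2-HMAC-SHA256.

    The salt is stored next to the vault and need not be secret; it only stops
    one precomputed table from covering every user at once.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def seconds_per_guess(master_password: str, salt: bytes, iterations: int, rounds: int = 3) -> float:
    """Average wall-clock time for one derivation: the cost an attacker pays per guess
    when brute-forcing the master password offline against a stolen vault."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_key(master_password, salt, iterations)
    return (time.perf_counter() - start) / rounds


def work_factor_ratio(old_iterations: int = OLD_ITERATIONS, new_iterations: int = NEW_ITERATIONS) -> float:
    """How many times more expensive each guess becomes when the count is raised."""
    return new_iterations / old_iterations


def guessing_time_seconds(candidate_count: int, secs_per_guess: float) -> float:
    """Time to try `candidate_count` passwords at the measured per-guess cost on
    this one CPU core (a dedicated GPU rig is orders of magnitude faster)."""
    return candidate_count * secs_per_guess


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed fresh for this demo
    master = "correct horse battery staple"    # placeholder master password
    for label, iters in (("old", OLD_ITERATIONS), ("new", NEW_ITERATIONS)):
        t = seconds_per_guess(master, salt, iters)
        # Constructed scenario: a 10 million candidate wordlist tried on one core.
        print(f"{label}: {iters:>7} iterations, {t * 1000:.2f} ms/guess, "
              f"10M guesses = {guessing_time_seconds(10_000_000, t) / 3600:.1f} h")
    print(f"raising iterations multiplies attacker work by {work_factor_ratio():.0f}x")
```

The point the numbers make: the vault ciphertext is only as strong as the slowest step an attacker must repeat per guess, and a 100x lower iteration count is a 100x cheaper brute force on every account that was never migrated.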
 
Care to review my OpSec?
- Hide My Email disposable emails (single use)
- generated passwords (single use)
- 2FA (locked with FaceID)
- Nord VPN
- local Pi-hole (blocking telemetry & ads)
- Private Relay (when using Mobile network)
- AdGuard Pro (when using Mobile network)
- encrypted iPhone (FaceID)
- encrypted backup iPhone (TouchID) for locating, locking, or erasing main iPhone.
(Example email address, not actually in use)
Pi-hole statistics to show how much unnecessary traffic can be blocked.
AdGuard Pro blocklists, not as extensive as Pi-hole.
I tried to ask if there were any glaring holes in my approach, but apparently I angered the Android fanboys by using words they didn’t understand. FYI every Android Firmware has Facebook integration baked in to the OS, if you remove it, it breaks the firmware.
 
I use a unique password for every login I have (no two share a password) that is the maximum number of characters the system/site allows, randomized across upper-case characters, lower-case characters, numbers, the symbols the system/site allows, and Unicode/ASCII if possible.

Am I doing it correctly?
You want a different email for every website, or at least the ones you don't want to be linked together. You could use mail forwarding like Null mentioned.
 
I tried to ask if there were any glaring holes in my approach, but apparently I angered the Android fanboys by using words they didn’t understand. FYI every Android Firmware has Facebook integration baked in to the OS, if you remove it, it breaks the firmware.
I don't trust Nord, personally. Mullvad and ProtonVPN are alternatives I like.
 
I would trust a random KiwiFarmer, especially ones whose join dates are before December 7th 2022, far more than I do most mainstream media or even law enforcement.

Though that isn't saying much given the state of media and law enforcement.

Also I would never use a password manager. I generate long passphrases and keep them on a physical piece of paper. Good luck hacking a sheet of cellulose glowniggers. And good luck guessing which random string of schizo text is a password for which account and which ones are just meaningless babble.
 
Yeah I have a major mental block when it comes to password managers. I know Josh always recommends them but I feel like I am handing my passwords to a service I have no reason to trust.

@Null you know a lot about this stuff; could you explain to me why I am mistaken about password managers?
Password managers are better than using the same password everywhere, because they protect YOU from a site leak like this.

HOWEVER they can result in "all eggs in one basket", and if you use anything that has online password syncing, you are now reduced to "what if that gets hacked wide open", which is something to worry a bit about.

The good ones keep everything encrypted at all times and require your master password, but that could still leak. It all depends on how paranoid you need to be, but a password manager is way above same-password-everywhere Ralph style.

One thing I've not experimented with is letting the browser store which EMAIL you used, and the password manager store the password, but with no site-identifying information.
 
You can have burner gmails if you know what you're doing with them.

Gmail usually requires "recovery" bullshit like emails/phone numbers. It ends up being a gay daisy chain of burners and alts. If Yahoo wasn't so broken it'd be the main email I'd use. Protonmail isn't even accepted by several websites.

It's all so very tiring…
 