Cybersecurity thread - Sperg about cybersecurity and whatnot.

Do you use the same password on all websites?


Kiwi & Cow
kiwifarms.net
I think that, with the worrying number of websites that got their data leaked recently, it warrants a thread to discuss cybersecurity in general.

If you somehow live under a rock: recently Twitch was hacked, making streamer payouts, the Twitch source code and the existence of a Steam competitor publicly known.
Before Twitch, Facebook, WhatsApp and Instagram were all down simultaneously, apparently because sensitive information was being scraped through an exploit and then leaked; this information could be used in actual criminal activity like identity theft.
Even before Facebook, Epik, the hosting provider for a plethora of right-wing boomer sites like Gab, Parler, etc., was hacked twice, once by tranny-led DDoSecrets and then a second time by Anonymous. The database leaks included email addresses, passwords and the entire posting history of the users of those sites.

There's already a thread on each topic if you want to learn more:


These have made the news, but according to Firefox Monitor there are many more sites that have been hacked that nobody really talks about.

That's exactly why everyone should be using a different password for each site they use: you might not be aware of a breach even though it happened, and even Mozilla sometimes takes years to find and then verify a leak.

Also, NEVER post personal information on the web. Even if you think it's private, it really is not, and all it takes for it to be publicized is an exploit or a hack.
 
Probably an unpopular opinion in cybersecurity circles but I don't trust a single password manager
As long as you can inspect the source code and compile it yourself you should have no reason not to trust it. I use Keepass personally and it's great.

But ironically enough, if I didn't have Keepass, I'd probably just have a little book in one of the drawers under my desk with all the passwords written in it. Good luck hacking into that.
 
Probably an unpopular opinion in cybersecurity circles but I don't trust a single password manager
I don't fully agree with you, but for the longest time I didn't trust any online synced password manager. I stayed on KeePass and manually moved my vault around instead.

Not enough version control or backups of the vault itself. Eventually my phone got some update that messed with file write permissions and my most recent database file was just wiped because it couldn't save properly. I'm not sure how far back I had to revert.
 
I don't fully agree with you, but for the longest time I didn't trust any online synced password manager. I stayed on KeePass and manually moved my vault around instead.
Oh yeah, that I can get behind. I meant those endlessly shilled ones that are synced. There's no way in hell I'm entrusting literally my entire identity to some company in Estonia for 2 bucks a month.
 
Probably an unpopular opinion in cybersecurity circles but I don't trust a single password manager
I was a happy LastPass customer for many years, but the private equity vultures were quick to ruin it. I now use Bitwarden on a KVM/Docker server I have at home. It's a bit of work to connect to said server because I have it locked out to damn near everything outside a WireGuard VPN. I still give money to the project because I think it's an important thing to have: an open source password manager that's not a gigantic pain in my ass like KeePass is.
 
Probably an unpopular opinion in cybersecurity circles but I don't trust a single password manager
And you should. I've heard really good things about Dashlane, that it uses your information for targeted adverts and there's one thing that made me paranoid for a while, but apparently no browser on earth is secure.

For starters, I first heard from SomeOrdinaryGamers on YouTube that someone could find your screen resolution through Tor, and not just the website's owner: some random schmuck you talk to could straight up post your screen resolution right there right now as a power play. When I did install Tor I was even given a warning when I accidentally set the thing to fullscreen once. I would later learn that anyone could easily gather a scary amount of information about my browser, from which operating system I'm using via the user agent, to the passwords saved on it.

I'll sum up what they can apparently collect from your browser.
  • Your login credentials
  • Your user agent (Information pertaining to the browser and computer)
  • Your search history
  • Your download history
  • Your screen resolution
  • Which extensions you use (Which is why it's discouraged to install any new extension on Tor, you must use the defaults)
  • Your bookmarks
  • Your favourite internet navigator
So if anything, don't use Firefox to store your passwords, or be smart about it, create like 10 dummy passwords and exclude your username/email address from all of them.

It definitely uses an exploit like some sort of JavaScript injection, but I would really be curious to understand how they manage to inject the code.

I have never used Keepass, so I can't comment on that, but if it is completely disconnected from your browser, your passwords will definitely be more secure there than elsewhere.
 
And you should. I've heard really good things about Dashlane, that it uses your information for targeted adverts and there's one thing that made me paranoid for a while, but apparently no browser on earth is secure.
Thanks for the copypasta, I will put it to good use!
 
Not enough version control or backups of the vault itself. Eventually my phone got some update that messed with file write permissions and my most recent database file was just wiped because it couldn't save properly. I'm not sure how far back I had to revert.
...that's not a gigantic pain in my ass like KeePass is.
I used to use an open-source PW manager called Mitro. When the project ended, I started using KeepassXC. So I have no experience with Keepass version 1.x. IME it has been stable and very easy to use. Are you referring to version 1.x codebase?

I use Keepass2Android and KeePassXC on all 3 OS's (Mac, Linux, Windows) along with a hardware token. I used to use Google Drive for syncing, but now I use an HTTPS connection to an OVH server. In 3-4 years I've only had one problem with the DB, but it always saves a backup automatically with changes on DB close, so it wasn't a total disaster.
 
I use SPIFFE concepts for all my online platforms plus rotating VPN's on burner credit cards bought overseas.
I used to use an open-source PW manager called Mitro. When the project ended, I started using KeepassXC. So I have no experience with Keepass version 1.x. IME it has been stable and very easy to use. Are you referring to version 1.x codebase?
I'm not sure which version I was on, probably something from F-Droid at the time. Whatever it was, the version control issue I had wasn't related to the code. I blame Android permissions for changing unpredictably and for being incomplete (if it won't let KeePass write, then keep the file the same. Don't let KeePass write an empty file over the top of the old file!).

but now I use an HTTPS connection to an OVH server.
Can you elaborate on this / make suggestions? I think I recognize that acronym as a VPS provider, not any particular storage solution.

I've been considering setting up a Nextcloud with server-side encryption, remote storage, and an rsync backup of the storage. Maybe with all of that I'll feel more OK with the idea of trusting cloud storage with important files... But I've never bothered to figure all that out and it seems overkill for the size of the files I would actually store.

In 3-4 years I've only had one problem with the DB, but it always saves a backup automatically with changes on DB close, so it wasn't a total disaster.
I don't know if that's new or if I had to look for and enable that, but it might be enough dummy proofing for me to use KeePass again. I'll have to look into that, thanks.
Can you elaborate on this / make suggestions? I think I recognize that acronym as a VPS provider, not any particular storage solution.
Yeah, OVH is a VPS provider. I actually use their down-market brand (Kimsufi) but I didn't think anyone would recognize the name. I have a dedicated server with 2TB storage and unlimited bandwidth for about $12 a month plus tax. I use it for BitTorrent, a personal VPN, and to share media to my own and a few family/friends' various Kodi devices. And also, just as a kind of toy for me to mess around on and learn stuff. Eventually I want to containerize things and when I do, I would like to try Nextcloud, but I have yet to get around to learning enough (Docker, LXC/LXD) to be comfortable.

It's pretty straightforward. You just set up a network share on your client OS and point KeePass to the database you want to use. It would be easier to use Nextcloud than it is to set up network shares manually, but it isn't that hard to do. If you are willing to do a bit of reading and can follow instructions, there is plenty of documentation online. I don't know if my setup would be bulletproof against a skilled and determined attacker because I'm no expert, but I trust OVH more than I trust google (not a high bar) and I don't have any reason for anyone to target me, so I am fine with it.

Keepass2Android has all kinds of protocols built in, so you just plug in your credentials. I guess if you are really worried you can make your phone have read-only permissions.
I don't know if that's new or if I had to look for and enable that, but it might be enough dummy proofing for me to use keepass again, I'll have to look into that, thanks.
That's why I was asking. I was thinking that maybe some problems were with the older keepass platform. That's one thing that is annoying about open-source projects. All the forks and fragmentation can be confusing. Especially with client/server or different UI's and frontends. It's also a big part of what makes open-source good, too.
IDK if these are the default settings or what, but that's what mine look like. It saves a second database with the prefix "old" e.g. old.keebase.kdbx
Probably an unpopular opinion in cybersecurity circles but I don't trust a single password manager
KeePass is probably the only one. I have the same caution, disabled all networking permissions and actually reviewed some of the source code so I understood what's going on. It's pretty good out of all the other ones out there.

Never use an online password manager.
 
Does anyone do CTFs on sites such as Hack The Box and Blue Team Labs Online? I find them pretty fun to do.
 
I should probably look into using a password manager. I don't use the same one on all sites, but I'm guilty of cycling through a small number of passwords, with some variation on them.
 
I should probably look into using a password manager. I don't use the same one on all sites, but I'm guilty of cycling through a small number of passwords, with some variation on them.
I like KeePass since I think having the password manager on some server is counterproductive overall. Just be sure to have backups. I use Syncthing to sync the VeraCrypt container that my KeePass file is in onto two other computers and at least once a month push that container to a remote storage server.
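An added example, not code from this thread or from KeePass, Keepass2Android or Syncthing, that turns two points made above into a checkable script: the "don't let an empty file be written over the old file" failure from the Android permissions story, and the backup-on-close and sync-then-push habits described in the last few posts. It refuses to let an empty or non-KDBX file replace the live vault (every KDBX file begins with the signature bytes 03 D9 A2 9A), keeps numbered `old.` copies the way the screenshotted backup-on-close setting does, and verifies a pushed copy against the source before trusting it. The file names, the keep count of three and the scratch-directory demo are assumptions; the "vaults" it creates are just the four signature bytes plus filler.

```shell
#!/bin/sh
# Safe-save guard and verified backup for a KeePass .kdbx vault.
# Added example for this thread; not KeePass/Keepass2Android/Syncthing code.
set -eu

# is_kdbx FILE: non-empty and starts with 03 D9 A2 9A, the little-endian
# encoding of 0x9AA2D903 that every KDBX version shares as its first field.
is_kdbx() {
  [ -s "$1" ] || return 1
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  [ "$magic" = "03d9a29a" ]
}

# safe_replace_vault LIVE CANDIDATE [KEEP]
# Rotates old.1.LIVE -> old.2.LIVE -> ... up to KEEP copies (assumed default 3),
# copies LIVE to old.1.LIVE, then moves CANDIDATE into place. If CANDIDATE is
# empty or not a KDBX file, LIVE is left untouched and the function fails.
safe_replace_vault() {
  live=$1; cand=$2; keep=${3:-3}
  if ! is_kdbx "$cand"; then
    echo "refusing: $cand is empty or not a KDBX database" >&2
    return 1
  fi
  dir=$(dirname "$live"); base=$(basename "$live")
  i=$keep
  while [ "$i" -gt 1 ]; do
    prev=$((i - 1))
    if [ -f "$dir/old.$prev.$base" ]; then
      mv "$dir/old.$prev.$base" "$dir/old.$i.$base"
    fi
    i=$prev
  done
  if [ -f "$live" ]; then
    cp -p "$live" "$dir/old.1.$base"
  fi
  mv "$cand" "$live"
}

# backup_vault LIVE DEST_DIR: copy LIVE into DEST_DIR under a timestamped name
# (one per second) and compare CRC and length with POSIX cksum before trusting
# the copy. Prints the path of the verified copy; removes it on mismatch.
backup_vault() {
  live=$1; dest=$2
  mkdir -p "$dest"
  out="$dest/$(date +%Y%m%d-%H%M%S).$(basename "$live")"
  cp -p "$live" "$out"
  if [ "$(cksum < "$live")" != "$(cksum < "$out")" ]; then
    echo "backup verification failed for $out" >&2
    rm -f "$out"
    return 1
  fi
  printf '%s\n' "$out"
}

# Demonstration on constructed files in a scratch directory: a blocked empty
# save, a successful save that leaves an old.1 copy, and a verified backup.
demo() {
  tmp=$(mktemp -d)
  printf '\003\331\242\232 constructed live vault' > "$tmp/vault.kdbx"
  printf '\003\331\242\232 constructed new save' > "$tmp/vault.kdbx.tmp"
  : > "$tmp/empty.tmp"
  safe_replace_vault "$tmp/vault.kdbx" "$tmp/empty.tmp" || echo "empty save blocked"
  safe_replace_vault "$tmp/vault.kdbx" "$tmp/vault.kdbx.tmp"
  backup_vault "$tmp/vault.kdbx" "$tmp/remote"
  ls "$tmp"
  rm -rf "$tmp"
}
demo
```

The signature check is deliberately shallow: it catches the zero-byte and truncated-header cases from the story above without needing the master key, and anything that passes it still has to be opened by KeePass to prove it decrypts. For a Syncthing or VeraCrypt-container workflow the same two ideas apply at the container level, so the `backup_vault` step is the one to run before a monthly push to remote storage.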
 