Password managers

Commissario | Joined: 16 Oct 2002 | Posts: 2,829 | Location: In the radio shack
"On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."

 
Sgarrista, Commissario | Joined: 9 Aug 2013 | Posts: 10,450 | Location: Bromsgrove
Today is the day I finally nuked my crappass account.

Have been using Proton exclusively for the last month and zero issues. Not missing anything from LastPass at all.
 
Soldato | Joined: 11 Oct 2009 | Posts: 16,591 | Location: Greater London
I'm starting to notice more services rolling out passkeys. Bitwarden just recently updated both their US and EU servers to support it, and according to their X account the clients should be updated within a couple of days.

I'm still a bit confused with passkeys, are they meant to replace both passwords and 2FA?
 
Sgarrista, Commissario | Joined: 9 Aug 2013 | Posts: 10,450 | Location: Bromsgrove
> I'm starting to notice more services rolling out passkeys. Bitwarden just recently updated both their US and EU servers to support it, and according to their X account the clients should be updated within a couple of days.
>
> I'm still a bit confused with passkeys, are they meant to replace both passwords and 2FA?

Yes.

Think of 2FA as a "backup" to your password. Even if the password is compromised, the 2FA keeps people out.

Passkeys do away with the weakness of a password as it is end to end encrypted from your device to the service.
 
Associate | Joined: 27 Jan 2022 | Posts: 667 | Location: UK
I've been considering getting a password manager but it just seems like a matter of time before whichever service I chose gets compromised.
Hah yes, I had used LastPass and another for a while until a couple of years ago when they started getting hacked and encrypted passwords leaked.

I've been using Google/Chrome to save passwords plus MFA for more important accounts, plus I use a Pixel phone so it makes sense for me. If Google is ever hacked the whole world is screwed.

Just remember to transfer the MFA accounts correctly when transferring to a new phone.
 
Associate | Joined: 8 Sep 2011 | Posts: 1,893 | Location: Northern Ireland
I'm liking passkeys very much. Started using YubiKeys last October and have it set up as passkeys for accounts that support it. Can't wait for Bitwarden to have full support for it.
 
Sgarrista, Commissario | Joined: 9 Aug 2013 | Posts: 10,450 | Location: Bromsgrove
> I've been considering getting a password manager but it just seems like a matter of time before whichever service I chose gets compromised.

Proton's security model is a bit more secure than other password managers.

Every item in a vault is individually encrypted. (including metadata)
Each vault is individually encrypted.
And then your account itself is secured using bcrypt, end to end encryption, TOTP if you have it enabled, and argon2id and passkeys coming soon.

The top item is the most important, as even if Proton is compromised, hackers won't be able to see "Online banking login" or "My 2 million bitcoin seed phrase". It will just be hashed information.

> I'm liking passkeys very much. Started using YubiKeys last October and have it set up as passkeys for accounts that support it. Can't wait for Bitwarden to have full support for it.


Last time I checked, YubiKeys had a limited number of passkeys they can support, as well as no ability to create backups? Has that changed?
 
Associate | Joined: 8 Sep 2011 | Posts: 1,893 | Location: Northern Ireland
Didn't know about the passkey limit but I have not encountered it yet. So far I enrolled only a handful of passkeys.

For backup, I have a separate YubiKey that is also registered as a passkey. No cloning feature though, so had to register the 2 keys.
 
Soldato | Joined: 13 Mar 2007 | Posts: 13,528 | Location: South Yorkshire
So far so good with Proton Pass and importing from Bitwarden, few websites that it's not detecting the login form to autofill (i.e. no icon appearing) that Bitwarden does detect and fill.
 
Soldato | Joined: 29 Apr 2004 | Posts: 4,891 | Location: Bath
Anyone else been creating passkeys? I used Watchtower in 1Password to find all the supported logins and create passkeys for each. It always seems to fall back to the password login though, shouldn't all the sites and apps provide an option to actually delete the password leaving only the passkey for login?
 
Man of Honour | Joined: 20 Sep 2006 | Posts: 34,046
> Anyone else been creating passkeys? I used Watchtower in 1Password to find all the supported logins and create passkeys for each. It always seems to fall back to the password login though, shouldn't all the sites and apps provide an option to actually delete the password leaving only the passkey for login?
Very few support true passwordless (is that even a word?), Microsoft do it and I think Google do.
 
Soldato | Joined: 1 Nov 2008 | Posts: 4,413
Be careful as some sites apparently disabled 2FA when you enable passkeys, namely GitHub. Not sure if they fixed this yet.

I've avoided them for the time being, I should probably experiment with one or two sites though.
 
Soldato | Joined: 1 Nov 2008 | Posts: 4,413
lol, just used the exposed passwords report tool in Bitwarden and I had the password admin for something local I was testing, exposed nearly 2M times :eek: :D

 
Soldato | Joined: 18 Aug 2007 | Posts: 9,710 | Location: Liverpool
> Anyone else been creating passkeys? I used Watchtower in 1Password to find all the supported logins and create passkeys for each. It always seems to fall back to the password login though, shouldn't all the sites and apps provide an option to actually delete the password leaving only the passkey for login?

I use passkeys everywhere they're available. They're much better security-wise (cryptographic single-use certificate based pubkey auth), and they're painless for the user. I generally set up two passkeys per service to be safe, one in Vaultwarden (self-hosted Bitwarden) and one on my iCloud Apple Keychain. That way, every site I visit with a passkey has the Bitwarden addon pop up with the key as soon as I hit the login page, but if I'm ever somewhere on a shared computer, or somehow Vaultwarden is unavailable, I have a backup that works anywhere using my phone's camera. I love them.

> Be careful as some sites apparently disabled 2FA when you enable passkeys, namely GitHub. Not sure if they fixed this yet.
>
> I've avoided them for the time being, I should probably experiment with one or two sites though.

I have YubiKey, OTP and passkeys enabled on GitHub and they all work. I just use whichever I get to first (press my YubiKey or hit enter on the Bitwarden popup if it 'wins').
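
The public-key challenge-response that the thread keeps coming back to when asking what a passkey replaces, sketched as an added example that is not part of any post above. It is a simplified model using Node's built-in `crypto`, not the real WebAuthn message format; the origins and all function names are constructed for illustration.

```javascript
// Simplified model of passkey (WebAuthn-style) login; names and origins are constructed.
// Real WebAuthn signs authenticatorData plus a hash of clientDataJSON, not the JSON itself.
const crypto = require('crypto');

const RP_ORIGIN = 'https://example.com'; // hypothetical site the passkey was created for
const pending = new Set();               // challenges issued by the server and not yet used

// Registration: the private key stays on the device, the site stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge per login attempt.
function issueChallenge() {
  const challenge = crypto.randomBytes(32).toString('base64url');
  pending.add(challenge);
  return challenge;
}

// Client: the browser, not the user, records which origin asked for the signature.
function signAssertion(authenticator, challenge, browserOrigin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server: check signature, origin, and that the challenge is ours and unused.
function verifyAssertion(serverRecord, { clientData, signature }) {
  const data = Buffer.from(clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, signature)) return 'bad-signature';
  const parsed = JSON.parse(clientData);
  if (parsed.origin !== RP_ORIGIN) return 'wrong-origin';
  if (!pending.delete(parsed.challenge)) return 'unknown-or-replayed-challenge';
  return 'ok';
}

function demo() {
  const { authenticator, serverRecord } = register();
  const good = signAssertion(authenticator, issueChallenge(), RP_ORIGIN);
  const first = verifyAssertion(serverRecord, good);
  const replay = verifyAssertion(serverRecord, good); // same assertion sent a second time
  const lookalike = verifyAssertion(serverRecord,
    signAssertion(authenticator, issueChallenge(), 'https://example-login.test'));
  const tampered = verifyAssertion(serverRecord,
    { ...good, clientData: good.clientData.replace('webauthn.get', 'webauthn.create') });
  return { first, replay, lookalike, tampered };
}
```

The server record holds nothing that can be used to log in, and each signed response is bound to one challenge and one origin, so it is useless when captured or when produced on a different site.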
 