Lastpass been compromised

What's a decent-quality password, and will a non-technical user remember it if I get hit by a bus?


:D


I think some security people argue this might not be the best password still, don't shoot the messenger.


I wish that they would just do away with usernames and passwords and just send people a login email, like magic link authentication.

This is kind of what Web3 is trying to do. You create a crypto wallet (e.g., Metamask - free, runs as a browser extension) and then when you want to register/login to a website it involves just one click.

It's kind of the same idea that you see with websites that let you login with Google/Facebook/Twitter etc, but Web3 is about decentralisation - no reliance on companies like Google.

In either case, both options are far less annoying than having to register accounts all over the place.
 
That’s a fair point.

But apart from being open source, I struggle to see how you conclude 1Password is worse. Both services have, to the best of my knowledge, never been compromised.

Simply because Bitwarden is open source, and thus you can verify how secure it is. With 1Password, all you ever have is trust in their word. Their history is good, but open source is always going to tip the edge.
 
Simply because Bitwarden is open source, and thus you can verify how secure it is. With 1Password, all you ever have is trust in their word. Their history is good, but open source is always going to tip the edge.

But in a practical sense, how is Bitwarden better? You're saying it is theoretically better because it is open source, but you've acknowledged yourself it isn't.
 
But in a practical sense, how is Bitwarden better? You're saying it is theoretically better because it is open source, but you've acknowledged yourself it isn't.

1.) No, I said it is because of that. In a straight comparison where all else is equal, open source is objectively superior for security-based applications.
2.) Bitwarden is free, with a paid tier. 1Password is not, and is more expensive.
3.) Bitwarden can be self-hosted.
4.) As I stated before, 1Password is only really useful if you're within the Apple ecosystem.

I'll give 1Password one thing - if on an Apple device, the UI is quite nice.
 
This is kind of what Web3 is trying to do. You create a crypto wallet (e.g., Metamask - free, runs as a browser extension) and then when you want to register/login to a website it involves just one click.

I hope it works and gets widely adopted as it would be annoying if it splinters and you still have to hop back and forwards between your inbox and password logins.

It's already becoming time-consuming with 2FA and damn annoying when your phone bleeps. :)


Simply because Bitwarden is open source, and thus you can verify how secure it is. With 1Password, all you ever have is trust in their word. Their history is good, but open source is always going to tip the edge.

Sorry dude, but that's just an internet myth and fallacy, in the same way people wrongly keep spreading that Linux is secure, as some of the biggest internet exploits have been due to open source.

Take OpenSSL, for example, as it's one of the biggest open source projects on the internet and is scoured over by thousands of developers every day due to its importance for worldwide secure connections and financial transactions, yet no one noticed for years that a main developer added code that could be used to leak logins, passwords and credit card details until hackers looking over the open source code finally noticed it and used it for the Heartbleed exploit.

They spent $1.2 million back in 2015 in an attempt to harden OpenSSL, yet if you google "openssl bug 2022" it's still so full of serious issues that it's become a game of whack-a-mole.


 
I hope it works and gets widely adopted as it would be annoying if it splinters and you still have to hop back and forwards between your inbox and password logins.

It's already becoming time-consuming with 2FA and damn annoying when your phone bleeps. :)




Sorry dude, but that's just an internet myth and fallacy, in the same way people wrongly keep spreading that Linux is secure, as some of the biggest internet exploits have been due to open source.

Take OpenSSL, for example, as it's one of the biggest open source projects on the internet and is scoured over by thousands of developers every day due to its importance for worldwide secure connections and financial transactions, yet no one noticed for years that a main developer added code that could be used to leak logins, passwords and credit card details until hackers looking over the open source code finally noticed it and used it for the Heartbleed exploit.

They spent $1.2 million back in 2015 in an attempt to harden OpenSSL, yet if you google "openssl bug 2022" it's still so full of serious issues that it's become a game of whack-a-mole.



Not a myth at all. It is true that open-source doesn't mean jack if no audits are done, but when they are, you know their audits are actually legitimate. Posting examples of times when it failed doesn't disprove my point when we are talking like-for-like comparisons.
 
I use a sentence I remember that's relevant or I can refer to.


For example:

Ocukoverclockingbmwfanboyforum
Isn't that susceptible to a dictionary attack though?

I would have thought throwing a few uppercase, numeric and symbol characters into that would increase the difficulty against both brute forcing and dictionary attacks :confused:
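A way to put numbers on the passphrase-versus-dictionary-attack question above, added here as an example (not code from anyone in the thread): it scores a password two ways, naively by character set, and under an attacker who matches dictionary words, so concatenated words are charged per word rather than per letter, and added random characters are charged per character. The word list and the attacker dictionary size of 20,000 are constructed assumptions.

```python
import math

# Constructed stand-in for an attacker's word list (assumption); a real list is
# far larger, so each matched word is scored against ASSUMED_DICT_SIZE, not this set.
WORDLIST = {"ocuk", "overclocking", "bmw", "fanboy", "forum",
            "password", "correct", "horse", "battery", "staple"}
ASSUMED_DICT_SIZE = 20_000  # assumption: size of the attacker's real list

def segment(password, wordlist=WORDLIST, max_len=16):
    """Greedy longest-match split of the lowercased password into
    (token, is_dictionary_word) pairs; unmatched characters stand alone."""
    s = password.lower()
    tokens, i = [], 0
    while i < len(s):
        for n in range(min(max_len, len(s) - i), 0, -1):
            if s[i:i + n] in wordlist:
                tokens.append((s[i:i + n], True))
                i += n
                break
        else:  # no dictionary word starts at position i
            tokens.append((s[i], False))
            i += 1
    return tokens

def alphabet_size(password):
    """Size of the character classes the password actually draws from."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33  # printable ASCII symbols
    return size

def estimate_bits(password, wordlist=WORDLIST, dict_size=ASSUMED_DICT_SIZE):
    """Return (naive_bits, wordlist_bits): naive treats every character as random
    over the alphabet used; the word-list model charges log2(dict_size) per matched
    word (casing is a cheap cracker mangling rule) and per-character entropy otherwise."""
    if not password:
        return 0.0, 0.0
    per_char = math.log2(alphabet_size(password))
    naive = len(password) * per_char
    scored = sum(math.log2(dict_size) if is_word else per_char
                 for _, is_word in segment(password, wordlist))
    return naive, scored

if __name__ == "__main__":
    for pw in ("Ocukoverclockingbmwfanboyforum",      # the passphrase from the post
               "Ocuk7overclocking!bmwfanboy#forum"):  # constructed: 3 random chars added
        naive, scored = estimate_bits(pw)
        print(f"{pw}: naive {naive:.0f} bits, word-list model {scored:.0f} bits")
```

The gap between the two numbers for the first password is the dictionary-attack risk the reply raises; the three inserted characters in the second recover some of it because a word list does not explain them.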

Sorry dude, but that's just an internet myth and fallacy, in the same way people wrongly keep spreading that Linux is secure, as some of the biggest internet exploits have been due to open source.

They spent $1.2 million back in 2015 in an attempt to harden OpenSSL, yet if you google "openssl bug 2022" it's still so full of serious issues that it's become a game of whack-a-mole.
I don't think anyone is saying open source is any more secure, but it is a lot easier to independently verify, pen test and in turn fix security vulnerabilities given the number of eyes looking at it, whereas you're completely reliant on the "creator" (or bug bounties) with closed source and hoping they are doing adequate testing.
 
Not a myth at all. It is true that open-source doesn't mean jack if no audits are done, but when they are, you know their audits are actually legitimate. Posting examples of times when it failed doesn't disprove my point when we are talking like-for-like comparisons.

You're wrong. OpenSSL is the perfect example of an open source project that is used worldwide, and it has been under constant security audits since 2015, with to date the most money that has been spent on any open source security auditing (they were up to $6 million by 2019), yet as soon as the audits are complete massive holes are then found, so the previous security audits are no longer valid.


OpenSSL, the widely used cryptography toolkit and library, has been the target of security researchers’ audits more than almost any other project, perhaps only excluding the Linux Kernel itself. This week was no exception, and again some issues were found.

Do you seriously think if Bitwarden spends a few grand on third-party security audits then somehow it's more legit and safe than the continuing security audits of OpenSSL, which has had millions spent on it to hire the world's leading security experts, which ironically Bitwarden uses to make secure connections to websites?

Trying to make out that this is some single random event in the past that doesn't count or disprove your personal opinion that open source is safer is delusional, sorry.
 
You're wrong. OpenSSL is the perfect example of an open source project that is used worldwide, and it has been under constant security audits since 2015, with to date the most money that has been spent on any open source security auditing (they were up to $6 million by 2019), yet as soon as the audits are complete massive holes are then found, so the previous security audits are no longer valid.




Do you seriously think if Bitwarden spends a few grand on third-party security audits then somehow it's more legit and safe than the continuing security audits of OpenSSL, which has had millions spent on it to hire the world's leading security experts, which ironically Bitwarden uses to make secure connections to websites?

Trying to make out that this is some single random event in the past that doesn't count or disprove your personal opinion that open source is safer is delusional, sorry.

Edit: Actually forget it.
 
And this is why I keep my passwords/logons and payment card data etc in Mozilla Sync.
 
I wish that they would just do away with usernames and passwords and just send people a login email, like magic link authentication.
Passkeys.


Microsoft, Google etc. are going to support them.
 
I really dislike the KeePass interface.
Agreed, it's a bit old and clunky.
Is it no longer doing what you were happy with it doing previously? If not, why change?
That's the thing, it works just fine but I haven't known anything else. My question was more related to security/does it still have a place in 2022, more intrigue for what the rivals are like.
 
I wish that they would just do away with usernames and passwords and just send people a login email, like magic link authentication.
I have so far only encountered one website that does that. It also made a lot of sense, as it was the type of website you would visit very infrequently (time frame in months or even years).
 
I always used to use two or three long and complex passwords. But then I went through a spate of forums (mainly car ones) getting hacked.

Got sick of over and over going through everything to change the passwords. That's when I discovered LastPass.

I get the risk, but it's convenient, and also each site is a different generated one. So if one place gets hacked I change the one..... Unless LastPass. Hah

I am liking Bitwarden. I got annoyed when I forgot to cancel the LastPass auto-renewal.
 
I was using 1Password, but since iOS 15 included filling 2FA codes I moved over to iCloud Keychain. I prefer to use as many built-in apps and features as possible though.
 