Discussion in 'General Discussion' started by Feek, 14 Oct 2021.
Royal Mail will lose it
I agree it's a nice offer but I wouldn't take it.
You're better off buying a Raspberry Pi and hosting it yourself if you really wanted to.
Most people wouldn't trust themselves that's why they get others to do it. For the sake of £10 a year that might cost you a lot more loss if someone ever gets into your accounts, and it's hosted correctly (not saying people on here don't host it correctly) but it's a team of people who look after it I assume (BitWarden).
Hence the "if you really wanted to". But yes, just paying the £10 a year is a much better option.
It's cheaper as well instead of purchasing a pi just for passwords.
Done, along with 2FA on my email, hopefully I’m a bit more secure….
Most definitely interested, I’m wondering why you say hosted by you? - isn’t Bitwarden its own entity with its own servers etc? (Sorry, I’m well out of my depth on this stuff…)
There are two types: hosted by Bitwarden and self-hosted. Self-hosted requires you to set it up on your own and look after backups, SSL certs, power consumption bill for the server it's on, hardware replacement purchasing, etc.
Is there 2FA for the shop account too?
So the data breach was a lie or some people have been phished via some unofficial OCUK discord/group or some scalper that got banned has gone mad.
Someone breaks into an email and first thing they think of is trying to scam on a computer hardware forum.
I hope you're also reworking the trust system and the MM process as I've had to politely email a couple of users on here to **** off, delete my personal information and remove me off their spam email lists as for some reason they still have my email/personal details 6-12+ months after I've purchased something from them.
All it takes is one person who uses the MM to get their account hacked and if it's one of these I need purchase all this hardware for my "friends" types they'll have mountains of names/address/banking info and phone numbers in their emails.
You can say that about any site. Facebook Marketplace, Gumtree, eBay, etc. Not just relating to OcUK. It's more important now than ever before to set up a secure password vault with best practices.
Remove yourself from sites you don't use, delete your data online where possible.
Educate yourself about secure password vaults, implement it so in future you shouldn't come across this problem again. If all websites made 2FA compulsory it wouldn't matter.
For someone to get access to an account with 2FA/MFA on they must have the code that gets sent to you on top of the password you use. Using a password manager enables you to click and forget.
i.e - password "nS2ac#[email protected]$Tz37E", or "horse-staple-battery". Both of these would never be used on another website so when a website is compromised you don't have to worry about changing it for every other website you have an account with. It's all saved in the password vault.
It takes a little while to set up though, but do it over time. I have 160 passwords currently saved. Every place uses a different password with all sites that have 2FA/MFA allowed, enabled.
As time goes on these attacks are just going to get bigger so if you don't have this enabled you are going to find yourself having to change passwords a lot more than ever before.
In theory, I could give you my password for overclockers but you would never get in because it uses a second authentication. You need both to log in successfully. Not only that, that one password is only used here so you would never gain access to my other accounts anywhere else.
What's worse is if you have to change it for every single site because you have used the same password over and over again for different places.
We do have a problem though if your vault is compromised they still have access to the whole entire list of your passwords. So it's important 2FA is enabled on the vault.
Just done thanks, how long has 2FA been on here? I have the Authenticator app for Ubisoft mainly but never crossed my mind to search for it here.
Glad this was posted, someone had changed my email address.
I've now changed my email address back to my own, changed passwords and enabled security.
As I said, it’s two clicks to back up your vault from any Bitwarden instance or browser extension. You’d surely do that regularly no matter who hosts it. If (when) I drop dead (or BW itself disappears), you load your backup somewhere else and carry on.
And you do know that the backup is plain text, right? It warns you to delete it properly and not to store it on any standard drive.
Go backup yours and open that file.
EDIT: ahhhhh they must have just implemented encrypted .json recently. It never used to be like that on the previous version. I just noticed there is now an option for encrypted backups. My bad.
Done. The internet is getting tedious.
With all the various breaches that are in "the wild" all it takes is someone to look for specific usernames/email address and to potentially try them on similar sites.
For example if my details from another computer related site were hacked someone might look for my username on other sites and try that password&name combo to see if it works, potentially you can automate this to a very high degree.
If you've got a breach that might include emails or their contents it becomes even easier.
It's one of the reasons I've never reused a password across two sites, and for my important ones like here the password is long and complicated (my old UO passwords were long but because I was typing them in multiple times a day I can still do them in seconds).
Yes I’ve been running servers for 30 years and contributing to FOSS for 20 of them. I’m aware of some backup options being plain text, but there is an encrypted option. Plus it’s a single command to encrypt the file with GPG or any other system you prefer (AES or whatever). It’s not hard to put it on an encrypted USB and gpg --encrypt file.txt for safekeeping.
Edit: I’ve just seen your own edit. No bother. Whether it’s hosted with BW, me or the pope doesn’t matter. Back up your vault weekly or monthly, use a strong master password and you’re set. The offer was to less techy members, I’d imagine most of us can run a server and use GPG and AES crypt.
Good call. Would much prefer to just have 2FA on MM only. Makes logging in on the forum only easier.
Just tick "Remember me"?