this post was submitted on 07 Sep 2023
980 points (99.0% liked)

Technology

59454 readers
5025 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

you are viewing a single comment's thread
view the rest of the comments
[–] Professor_Piddles@sh.itjust.works 31 points 1 year ago (18 children)

Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.

I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.

[–] Rootiest@lemm.ee 27 points 1 year ago* (last edited 1 year ago) (8 children)

Use KeePass.

My concern with using a text file is you have to defrost it to use it and whenever it's not encrypted it's potentially exposed. You are also vulnerable to keyloggers or clipboard captures

KeePass works entirely locally, no cloud. And it's far more secure/functional than a text file.

I personally use KeePass, secured with a master password + YubiKey.

Then I sync the database between devices using SyncThing over a Tailscale network.

KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it's protected.

You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it's useless without the combined password/hardware key.

[–] lazynooblet@lazysoci.al 3 points 1 year ago (2 children)

Absolutely, Keepass is a great alternative to cloud managed password managers.

You are also vulnerable to keyloggers or clipboard captures

Keepass (and most password managers) are vulnerable to this as well.

[–] Rootiest@lemm.ee 1 points 1 year ago

Keepass (and most password managers) are vulnerable to this as well.

Not if you use the browser extension

Plus it does automatically clear the clipboard after a short time which isn't perfect but it's still an improvement over using a text file

load more comments (1 replies)
load more comments (6 replies)
load more comments (15 replies)