254
submitted 9 months ago by sidgames5@lemmy.zip to c/firefox@lemmy.ml
[-] mariusafa@lemmy.sdf.org 3 points 9 months ago* (last edited 9 months ago)

Just a comment: IMO it's not worth using strong passwords that depend on proprietary/unknown security platforms. Who knows how many times they get hacked or have backdoors? Unless they specify they only store the hash, I refuse to sacrifice one of my strong passwords.

Edit: To all talking about password managers: I don't believe in a single point of failure as the way to go. The fact that I have to explain that xd...

[-] dev_null@lemmy.ml 25 points 9 months ago* (last edited 9 months ago)

You should use randomly generated passwords from a password manager; there is no short supply of strong random passwords.

[-] kevincox@lemmy.ml 7 points 9 months ago

Waste one of my 2272657884496751345355241563627544170162852933518655225856 possible 32 character passwords on Twitch! Outrageous! What if I run out?
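
The number above is 62^32, the count of 32-character passwords over upper/lower/digits. As an added example (not code from the thread), here is how a password manager's generator produces such a one-off password and how large that space is; the function names and the 10^12 guesses/second rate are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed alphabet: upper + lower + digits = 62 symbols, as in the 62^32 figure
ALNUM = string.ascii_letters + string.digits


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of this length over an alphabet of this size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits (length * log2(alphabet))."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 32, alphabet: str = ALNUM) -> str:
    """One uniformly random password from the OS CSPRNG; a manager makes one per site."""
    # secrets.choice avoids the modulo bias of random.choice-style generators
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_guess_half(alphabet_size: int, length: int,
                        guesses_per_second: float = 1e12) -> float:
    """Expected years to guess half the space at an assumed offline cracking rate."""
    expected_guesses = password_space(alphabet_size, length) / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    size, length = len(ALNUM), 32
    print("space:", password_space(size, length))
    print("entropy bits:", round(entropy_bits(size, length), 1))
    print("sample:", generate_password(length))
    print("years at 1e12 guesses/s:", f"{years_to_guess_half(size, length):.3e}")
```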

[-] risencode@lemmy.ml 17 points 9 months ago

Bro over here still using one of his "strong passwords" trying to give other people security advice 😅

[-] Graz@feddit.de 15 points 9 months ago

Sacrifice? Tf you on about?

[-] MetaCubed@lemmy.world 14 points 9 months ago

Genuinely terrible advice. Every popularly available password manager service hashes all your passwords; if they have a data breach, they have extremely strict reporting compliance, and the majority of services will re-hash all your passwords. If you're so extremely concerned about that, host your own.

But what concerns me the most is

Unless they specify they only store the hash I refuse to sacrifice one of my strong passwords.

... What do you mean sacrifice?

[-] mariusafa@lemmy.sdf.org 1 points 9 months ago

Keeping everything on one password (password manager) is a single point of failure, which I don't like. I mean sacrifice because my brain can only remember a few 512-byte-long passwords (again, I don't use password managers because of the single point of failure).

[-] MetaCubed@lemmy.world 3 points 9 months ago* (last edited 9 months ago)

Does your threat model involve The Mossad? There's no way on earth that you are genuinely remembering multiple 512 byte random passwords, let alone actually taking the time to type them in.

Having a password manager, with MFA, a strong master password, and rule based device verification is ultimately more secure as you can have every password be randomized.

Best practices are best practices for a reason. I recommend you follow them.

[-] mariusafa@lemmy.sdf.org 1 points 9 months ago

Mossad or other agencies aren't God. If my device is cryptographically secure and doesn't have backdoors, it's unfeasible to access any data with current technology. I guess you are right if you take into account the Intel Management Engine and similar, but since I use a Libreboot BIOS, that does not apply to my computer (the only place that I treat as secure).

If you use Apple, Microsoft, Google, etc. devices, those are 100% vulnerable even if you use, idk, RSA 2048 (xd). The problem is who you are trusting.

That's a good point. But, yeah again I don't fall in those categories. I try to ensure that my security is only based and covered behind cryptography theory and nothing else.

[-] MetaCubed@lemmy.world 2 points 9 months ago

The point is that if someone really wants to get into your device, they will. It doesn't matter if you're using open source firmware, in a custom implementation of Linux, on a MIPS CPU, and you personally build every package from source and complete a compliance code review before installing it, etc., etc., etc. If government agency x is targeting you specifically, your best line of security is to lock your device in a safe, take a boat into the middle of the ocean, and then dump it at an unrecorded location and never retrieve it.

A device is only secure as long as you are not using it, and it is not accessible physically, or by network.

You do you, dude. I'm just saying your advice is awful for the average user.

[-] mariusafa@lemmy.sdf.org 1 points 9 months ago

Yeah, you are right. Anyways this always applies to anyone seeking security.

[-] LibreFish@lemmy.world 2 points 9 months ago

Isn't your computer a single point of failure? A keylogger will get your password database or you manually entered passwords all the same.

[-] mariusafa@lemmy.sdf.org 1 points 9 months ago

Who says I have the same password for my root, my user account, and my LUKS encrypted hard drive? Losing one doesn't mean losing everything like in a Password manager.

[-] LibreFish@lemmy.world 2 points 9 months ago

Not that. I meant a keylogger could get the password to your password database in the same way it could get any account you log into by typing your password into a browser.

[-] Ansis@iusearchlinux.fyi 10 points 9 months ago

That is definitely an autofilled one-off password from a password manager.

[-] Umbrias@beehaw.org 4 points 9 months ago

You can see the KeePassXC plugin button right there. What is the thread OP on about lol.

[-] MikaTech@beehaw.org 4 points 9 months ago

How about just using a password manager and creating a unique strong password for every website? That way you don't have to store so much in your brain and you get better security on any website. You also don't have to worry about more than one website being breached from reused passwords.

Bitwarden is pretty great and is open source and free to use.

You can also self-host it if you don't trust them storing your hashed passwords.

this post was submitted on 22 Jan 2024
254 points (100.0% liked)