442
submitted 1 year ago* (last edited 1 year ago) by sunaurus@lemm.ee to c/lemmy@lemmy.ml

I think for a while leading up to the recent session stealing hack, there has been a massive amount of positivity from Lemmy users around all kinds of new Lemmy apps, frontends, and tools that have been popping up lately.

Positivity is great, but please be aware that basically all of these things work by asking for complete access to your account. When you enter your Lemmy password into any third party tool, they are not just getting access to your session (which is what was stolen from some users during the recent hack), they also get the ability to generate more sessions in the future without your knowledge. This means that even if an admin resets all sessions and kicks all users out, anybody with your password can of course still take over your account!

This isn't to say that any current Lemmy app developers are for sure out to get you, but at this point, it's quite clear that there are malicious folks out there. Creating a Lemmy app seems like a completely easy vector to attack users right now, considering how trusting everybody has been. So please be careful about what code you run on your devices, and who you trust with your credentials!

you are viewing a single comment's thread
view the rest of the comments
[-] cooljacob204@kbin.social 9 points 1 year ago

1password is probably the most valuable subscription I pay for.

[-] pizzahoe@lemm.ee 19 points 1 year ago

If anyone's looking for a free and open source option, Bitwarden is also great.

[-] nekat_emanresu@lemmy.ml 2 points 1 year ago* (last edited 1 year ago)

You two have no idea do you? lol

When you pass your password into an app, it can just copy and store it. If at any point you put a password through, even once, its compromised and no password manager will help in the slightest.

I make bobApp, you download bobApp, if you put a password into it, you are done.

edit: answering both of you.

Then i misunderstood. After i typed this I noticed others said what you meant. My bad.

[-] jiji@lemmy.world 12 points 1 year ago

I think their point is password managers make it very easy to have completely unique passwords, and if your Lemmy password is compromised you can change it without worrying about any other accounts being compromised. Not that a manager would magically protect you from ever being compromised.

[-] pizzahoe@lemm.ee 9 points 1 year ago

I think you misunderstood us lol.. we're not saying your password will not get leaked by the app.. we're saying it's gonna be unique and random bullshit generated so the hacker won't be able to get to your other accounts since passwords are different.

[-] TheSaneWriter@lemm.ee 2 points 1 year ago

You're correct, but by maintaining distinct passwords with a password manager you make sure only the one account is compromised. 2FA also helps, you may have the username and password, but the 2FA code that you were given needs to be used immediately or else it will expire, and an expired 2FA code won't allow you to successfully breach the account you're trying to break into to.

[-] lowleveldata@programming.dev 15 points 1 year ago

KeePassXC is free and completely offline

[-] grue@lemmy.ml 4 points 1 year ago

And if you want it to be online, you can just share your .kdbx file between your computers using Syncthing or whatever.

[-] steltek@lemm.ee 1 points 1 year ago

Also Password Store! Syncs over Git and on Android you can use a Yubikey so that the private key isn't even on your phone.

But yes, KeePassXC is way more user friendly. Anything touching PGP/GPG is an automatic red flag for family.

this post was submitted on 11 Jul 2023
442 points (100.0% liked)

Lemmy

12579 readers
37 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS