A security researcher is recommending against LastPass password manager after detailing seven trackers found in the Android app.

theverge.com/2021/2/26/2230270

reports.exodus-privacy.eu.org/

LastPass Android: third-party providers monitor every step

kuketz-blog.de/lastpass-androi

@stux Oh shit! I hope that BitWarden/KeePass are ok. If not, I'll switch to Pass! :)

@stux oh god, really?! you just can't win. so what do you use?

@stux @calculsoberic
KeePassDX is probably the better choice if you are using Android, KeePassXC for Windows, Linux and/or Mac.

andOTP is another good app for Android for 2FA codes, personally.

@stux @calculsoberic
If you need OTP and use Linux and don't mind using Flatpak, then flathub.org/apps/details/com.g is good. I personally use it myself for my OTPs. Saves having to check the phone constantly. :apartyblobcat:

@Bunnyhammer ah, thanks! KeePassXC since I'm on Linux. My phone is Android. @stux

@Bunnyhammer Hooray!! I'm always looking to learn more about privacy and anonymity.

@calculsoberic
Hopefully I can help out with some of it. :D

Just a constant cat and mouse game to get privacy of some form without too many disadvantages. X_X

No, never used Lastpass and considering they are the company who are behind Hamachi, I don't want to touch them personally. Plus, I prefer keeping my passwords and the manager offline. :D

@Bunnyhammer Oh, I meant pass, the unix password manager: passwordstore.org/ my wife uses lastpass, though! hmmm

@calculsoberic
Haha, my bad. No, never heard of it personally, going to read up on it. :blobcattea:

@Bunnyhammer I've only been using Linux since 2019 and have been learning to use a lot of the programs that are associated with it, like Vim, bash, nmap, etc.

@calculsoberic
Ah, so very recently. I've been using Linux on and off for several years, although I'm still learning through all of it as well, so much to learn haha.

@Bunnyhammer Exactly! I used to have a cheat sheet with the commands as my wallpaper. nmap is kind of the same, trial and error...

@calculsoberic
nmap is a beast, used it a bit but it is a major rabbit hole to go down.

You'll get used to the commands etc. The more you use the terminal, the better. :ablobcatrave:

@Bunnyhammer I agree! I use it almost daily, but there are times when it's cumbersome.

@calculsoberic
Cool. :) Another distro you may like is Linux Mint. Based on Ubuntu, although they do have a Debian version. Very user friendly, used to use them quite a fair bit in the early days.

@calculsoberic @stux protip: do not use pass on Gentoo (for me it took 3 minutes to unlock a password), I no longer use Gentoo. Just don't use Gentoo.

@wetsocks this is a pain because you have to store the passwords somewhere, don't you? I occasionally generate them in bash but it doesn't keep them for you.
@stux

@calculsoberic @stux pass has a flexible generation feature using /dev/urandom (pass generate) and the files are regular textfiles stored in a user-defined directory structure, encrypted by your gpg key.

@wetsocks ok! well, I already have a GPG key, so I'd just have to install pass! :abunsmile: @stux

@wetsocks @calculsoberic
I still use my head :blobcatgiggle: Thinking about something self hosted..

@stux I would, but I honestly can't remember all the passwords. I have a different one for each website/service.
@wetsocks

@calculsoberic @wetsocks Yup, same! But many sorts! Also use phrases, much easier and also longggg!

I would not even dare to speak out most of them, so disgusting :blobcatgiggle:

@stux yes, for the self-generated ones I use diceware, so something like "pencil-cracker-tennis-desk-coffee-wipe-floor" (not an actual one!)
@wetsocks
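The two generation styles mentioned in this thread, pass generate drawing characters from /dev/urandom and diceware word picking, side by side as an added example (not code from pass, diceware or the thread's authors). The wordlist is a constructed stand-in for a real ~7776-word diceware list, and all function names are hypothetical:

```python
import math
import secrets
import string

# Constructed mini wordlist standing in for a real diceware list (~7776 words).
# Entropy scales with the real list size via math.log2(len(words)), so a short
# list like this one is only for demonstration, never for real passphrases.
SAMPLE_WORDS = ["pencil", "cracker", "tennis", "desk", "coffee", "wipe", "floor", "river"]

PASS_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def urandom_password(length: int = 25, alphabet: str = PASS_ALPHABET) -> str:
    """Character password in the style of `pass generate`.

    Each character is drawn with the OS CSPRNG (the secrets module reads
    /dev/urandom on Linux), so every position is independent and uniform.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words, n_words: int = 7, sep: str = "-") -> str:
    """Diceware-style passphrase: n_words uniform picks joined with sep."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size: int, n: int) -> float:
    """Entropy of n independent uniform picks from alphabet_size choices."""
    return n * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(urandom_password(), entropy_bits(len(PASS_ALPHABET), 25))
    print(diceware_passphrase(SAMPLE_WORDS), entropy_bits(7776, 7))
    print("words for 90 bits from a 7776-word list:", words_needed(90, 7776))
```

With a real 7776-word list, seven words give about 90 bits, comparable to a 14-character password over the 94-symbol alphabet.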

@calculsoberic @stux
Never tried BitWarden, but I keep hearing people in the open source community recommending it. KeePass is what I use, and it's ok so far. Main benefit is that you can keep the database offline, or sync it with your own solutions that don't involve the cloud. So your stuff can't get leaked by some data breach.

@stux Could a malicious tracker potentially read the passwords after decryption?

document.getElementById("very-important-password").innerHTML
or something?

@stux that's yet *another* reason to perhaps choose a different password manager than LastPass
Hosted by Stuxhost.