Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.gamedev.place is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server focused on game development and related topics.

Administered by:

Server stats:

5.6K
active users

mastodon.gamedev.place: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.5

#passwordmanager

9 posts8 participants1 post today
Public
gtbarry

US seizes $23 million in crypto linked to LastPass breaches

U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.

#LastPass #PasswordManager #cryptocurrency #crypto #ripple #databreach #security #cybersecurity #hackers #Hacking

bleepingcomputer.com/news/secu

BleepingComputer · US seizes $23 million in crypto stolen via password manager breachBy Sergiu Gatlan
Continued thread
Public
Fossery Tech :debian: :gnome:

FOSS NEWS

Firefox 136 released with vertical tabs, official ARM64 Linux binaries, hardware video decoding for AMD GPUs on Linux, new HTTPS-First behavior for upgrading page loads to HTTPS, support for copying PNG images out of the browser etc.:
9to5linux.com/mozilla-firefox-

Firefox 137 beta available with HEVC playback support on Linux, ability to identify all links in PDF documents and turn them into hyperlinks etc.:
9to5linux.com/firefox-137-ente

Thunderbird 136 released with dark mode toggle for messages, new Appearance setting to control message threading and sorting order globally, bug fixes and security patches:
omgubuntu.co.uk/2025/03/thunde

KeePassXC 2.7.10 released with support for importing passwords from Proton Pass (only unencrypted JSON files, no Passkeys currently), support for KeePass2 TOTP config settings, support for generating passphrases using a mix of uppercase and lowercase words ("MIXED case"), UI improvements etc.:
9to5linux.com/keepassxc-2-7-10

/e/OS 2.8 released with LineageOS 21 base, privacy policy linked in account manager, App Lounge gets a refined warning message for manual updates and a more readable format for F-Droid app descriptions, software updates, bug fixes:
alternativeto.net/news/2025/3/

Internxt Drive becomes the first cloud storage with post-quantum encryption:
news.itsfoss.com/internxt-driv

(Linux news in original post)

#WeeklyNews#News#FOSS
Replied in thread
Public *
Erik van Straten

@sophieschmieg @neilmadden

IMO we need to stop coming up with algorithms to securely store "derivatives" of typically weak passwords, as

IT WILL FAIL.

From akkadia.org/drepper/SHA-crypt.:

In addition, the produced output for [...] MD5 has a short length which makes it possible to construct rainbow tables.

Please correct me if I'm wrong, but even in 2025 suggesting that a rainbow table is feasible for (lets cut a few bits for MD5 weaknesses) random numbers of 120 bits in length is BS (in order to create FUD).

If I'm right about that, the least bad thing to do is:

1) Everyone should use a password manager (pwmgr) because people simply do not have the ability to come up with a sufficiently strong password that is *unique for each account*, let alone for multiple accounts (sometimes hundreds), to remember them absolutely error-free, and to recall which password was chosen for which account.

Note: IMO password *reuse* currently is the biggest threat. Entering a reused password on a fake (phishing) website may have devastating consequences, because (when a password is reused for multiple accounts) chances are that ALL those accounts are compromised. Note that the complexity and uniqueness of the password are IRELLEVANT. And, what KDF is used on the server, is IRRELEVANT as well.

2) Let the pwngr generate a (cryptographically) random password, as long and with as much entropy as allowed by the server.

3) Use a strong master password and NEVER forget it (typical beginner failure).

4) Make sure the database is backed up in more than one place, and make a backup after each modification.

5) Make sure that the device the password mamager is used on, *never* gets compromised.

6) Double check that https:// is used. Better, make sure to use a browser that blocks http:// connections and warns you (Safari on iOS/iPadOS now supports "Not Secure Connection Warning"). In all browsers such a setting is OFF by default: ENABLE IT!

7) On a mobile device: use "Autofill". The OS then transfers the domain name (shown in the browser's address bar) to the pwmgr. If a matching domain name is *not found* in the pw database, assume that you're on a (fake) phishing website! In that case: DO NOT ATTEMPT TO LOG IN by looking up credentials yourself. Reasons for 7, two examples:
----
fake: circle-ci·com
real: circleci.com
----
fake: lîdl.be
real: lidl.be
----

If people would follow this advice (which is not just mine), even MD5 for storing a one-way derivative of the password on the server would be fine.

HOWEVER: don't use MD5 - because "never use MD5 for whatever" is easier to remember than "don't use MD5 if preimage attacks are possible".

P.S. I'm not a cryptographer (although I'm quite interested in the matter).

#MD5#PasskeysStillSuck#PasswordManager
Replied in thread
Public
Giacomo Tesio
@gcsolaroli@clipperz.is

Guarda, come sviluppatore web con ormai quasi 25 anni di esperienza, apprezzo l'architettura descritta qui: https://clipperz.is/security_privacy/

E sono ovviamente felice di trovare un italiano impegnato in questo tipo di progetti.

Bello che #Clipperz possa girare offline (seppur in modalità readonly) e, se non sbaglio, gli basti PHP e MySql (che versioni) lato server.
Suggerirei di integrare anche Sqlite, ma direi che sarebbe offtopic qui.

In #selfhosting, o ospitato presso un provider fidato, potrebbe essere una buona soluzione... se non fosse per la dipendenza dal browser.

Non me ne volere, ma i browser contemporanei sono complicatissimi colabrodi dal punto di vista della sicurezza e della privacy.

Per quanto buono sia il vostro codice (non ho ancora fatto un giro di debug, ma di default mi aspetto sempre il meglio da progetti #opensource tanto delicati), avete costruito sulla sabbia.
O meglio, il Web è diventato una palude sotto i vostri piedi.

Comprendo bene che, nel 2007 quando siete partiti, i browser (e l'informatica tutta) erano molto diversi da oggi.

Per cui, per quanto apprezzi, in astratto l'architettura e gli obiettivi, continuo a preferire #passwordmanager offline, che riducono notevolmente (pur non azzerandola) la superficie di attacco.

Detto questo, è un piacere poter discutere, in italiano, con persone competenti di questi temi!

@devol@mastodon.uno @sicurezza@diggita.com @quinta@mastodon.uno @clipperz@clipperz.is
clipperz.isSecurity and privacy - clipperz - online password manager
Public
MystSafe

Ever wonder if your password really keeps you safe—or just gives away who you are? Discover how 12-word secret phrases can protect your privacy and boost security in my new post. mystsafe.com/post/passwords-vs #Crypto #Privacy #Cybersecurity #PasswordManager #Blockchain #OpenSource

Mystsafe · Passwords vs. Secret Phrases: Understanding the Key DifferencesEver wonder why typing in your go-to password can feel like telling a story everyone already knows? That’s because a traditional password almost always goes hand in hand with a username or an email address—so, right from the start, you’re revealing who you are. Compare that to a secret phrase, where there’s no separate login at all. It’s the ultimate “sole credential”: nobody knows who you are, just that you possess the phrase.But here’s the thing: in many cases, you actually can choose which me
ExploreLive feeds
About