Re: [UCLUG] Digest for uclug@googlegroups.com - 2 updates in 1 topic


Edward Comer

Jan 2, 2023, 9:28:35 AM1/2/23
to uc...@googlegroups.com
I use KeePassXC on my Linux machines (Manjaro on Desktop and Mint on Laptop). I use Keepass2Android on my Samsung Galaxy S10e smartphone and an old Chromebook. The single database is kept in the cloud on my Google Drive. Everything syncs and works fast and cooperatively except for the Chromebook, which is SLOW because there is no local copy. I've used this arrangement for years and find it very reliable. Both apps are open source.

On Mon, Jan 2, 2023 at 8:13 AM <uc...@googlegroups.com> wrote:
MIKE MAJOR <jmi...@bellsouth.net>: Jan 01 02:21PM

I've been using LastPass for a few years. I had looked at Bitwarden and concluded it was Windows only or didn't have mobile or something. I'll have to look again.
Thanks for the update.
I've started having it generate gibberish usernames for new accounts. That way the user and password are both random.
If anyone is self hosting, are you doing that on a cloud server or…?
Mike

Sent from AT&T Yahoo Mail for iPhone

On Saturday, December 31, 2022, 3:22 PM, lyrics.sandfish335 via Upstate Carolina Linux Users Group <uc...@googlegroups.com> wrote:
 
Dec 31, 2022, 12:12 PM by uc...@googlegroups.com:
 
I also use 2FA as a secondary level of security. However, Review Geek claims that they are susceptible to phishing attacks.
 
It depends on the type of 2FA being used. One-time passwords (OTP), yes, typically are vulnerable to phishing.
 
For example, you get an e-mail from "Amazon" that links to a site that looks just like Amazon and asks you for your username/password and then your OTP, but you didn't notice it wasn't actually Amazon's site. The attacker can then proxy the info you gave them to access your real Amazon site. This would go for both OTP that is SMS based (i.e. those codes sent to your phone) and time-based one-time passwords (TOTP) such as Google Authenticator, Authy, etc. The problem here is there is nothing stopping you from providing the OTP to the wrong person/site.
 
There are other 2FA methods that are not susceptible to phishing, for example FIDO2/WebAuthn authenticated with something like a YubiKey. This is a challenge/response protocol, so the right authorization can only happen when used on the correct site. The cheaper "Security Key" series they sell is sufficient for most folks, is easier to use than OTP methods and is more secure.
 
If the $25 (often on sale at certain times of year) is too much, the next best solution to avoid phishing is to put your TOTP seeds in your password manager. Bitwarden supports acting as a TOTP client so it can provide those codes. Since the database entry is tied to a domain, it will only prompt you with the code on the correct site. This should be a clue that you are on a phishing site if your password manager is not trying to provide you the TOTP code. Just make sure to secure your password manager with some form of 2FA. Otherwise you don't really have two factors, since all someone needs is your master password to access both your passwords and TOTP codes.
 
Eric
 
--
You received this message because you are subscribed to the Google Groups "Upstate Carolina Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uclug+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/uclug/e2d70a3a3aebfe5437a837b241b26b6d%40mailer.me.
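A small simulation of the relay Eric describes, added here as an example and not part of the thread: a TOTP code typed on a look-alike site is accepted by the real site, while a WebAuthn-style assertion fails because the browser stamps the page's real origin into the signed client data. The seed, credential key, challenge and domains are constructed values, and HMAC stands in for the authenticator's public-key signature so the example runs with the standard library only.

```python
import hashlib, hmac, json, struct

# Constructed values (not from the thread). HMAC with CRED_KEY stands in for the
# authenticator's public-key signature so this runs with the standard library only.
TOTP_SEED = b"constructed-seed-12345"
CRED_KEY = b"constructed-credential-key"
REAL_ORIGIN, RP_ID = "https://shop.example", "shop.example"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def totp(secret, unix_time, step=30, digits=6):
    # RFC 6238: the code depends only on the seed and the clock, never on the site
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def site_accepts_totp(code, unix_time):
    # the real site cannot tell where the user typed the code
    return hmac.compare_digest(totp(TOTP_SEED, unix_time), code)

def browser_asserts(challenge, page_origin):
    # WebAuthn-style: the browser records the origin it is really on and the
    # authenticator signs rpIdHash || sha256(clientData)
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    to_sign = RP_ID_HASH + hashlib.sha256(client_data.encode()).digest()
    return {"client_data": client_data, "sig": hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()}

def site_accepts_assertion(assertion, challenge):
    # relying-party checks: challenge and origin must match before the signature counts
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != challenge or cd.get("origin") != REAL_ORIGIN:
        return False
    to_sign = RP_ID_HASH + hashlib.sha256(assertion["client_data"].encode()).digest()
    return hmac.compare_digest(hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest(), assertion["sig"])

def relay_scenarios(unix_time=1672500000):
    # the victim logs in on a look-alike site that forwards everything to the real one
    phish_origin = "https://shop-login.example"
    challenge = "constructed-challenge-abc"  # issued by the real site, forwarded by the look-alike
    return {
        # the TOTP code typed on the look-alike works on the real site
        "totp_relay_accepted": site_accepts_totp(totp(TOTP_SEED, unix_time), unix_time),
        # the browser stamped the look-alike's origin into client data, so the relay is rejected
        "webauthn_relay_accepted": site_accepts_assertion(browser_asserts(challenge, phish_origin), challenge),
        "webauthn_genuine_accepted": site_accepts_assertion(browser_asserts(challenge, REAL_ORIGIN), challenge),
    }
```

Real browsers additionally refuse to use a credential whose rpId does not match the page's domain, so the look-alike never even gets an assertion to forward; the origin check here shows why the relying party would reject one anyway.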
Kevin Tollison <ktol...@gmail.com>: Jan 01 10:40AM -0500

I have been using 1Password for years. Always been happy with it. I use YubiKeys for MFA too.
 
Using the business version for a few customers. The audit trail and shared vaults are great. They also include a free family license with each business subscription. Not the cheapest, but I feel fairly confident in the integrity of the company. They only make the one product.
 
I moved from LastPass just before LogMeIn bought it. Felt like it would get lost in a company like that and surprised this didn't happen sooner.
 