7/3/2023 0 Comments Enpass reddit![]() Any password manager has a giant target sign painted on it. LastPass used to have functionality that helped do this sort of audit but I found out they removed it (previously I just thought it had moved/been renamed and I just needed to find it) and that in particular infuriates me because it's so boneheaded and user hostile on LastPass's part.īreaches happen and should be expected. But I also don't think I ever trusted LastPass as much as others seem to have. I personally don't think the LassPass breach is a drop everything and change all the hundreds of passwords immediately emergency. The first thing I looked for after updating the important passwords was a way to sort all passwords by age and just do ten of the oldest at a time. I think the main thing will be a routine of updating passwords. We have to place our trust somewhere because we can't know everything.įor me, the breach got me dwelling on password and vault age. The possibility of them locking themselves out becomes too great, and the potential fall out from that (distrust of password managers, lack of convenience) would only make things worse.īest thing we can do is use tools that have been vetted by experts. However, I don't think its a good choice for a less tech savvy user (unless they're very motivated to learn). Offline password managers are great (I personally use KeepassXC and Syncthing now after dropping Lastpass). I don't think there's a fundamental issue with cloud based password managers in general. Some of us missed this happening or procrastinated switching until it was too late. But lots of time has passed and they haven't kept up and/or they stopped caring about security in the way they should. The filtering of the information from experts to the general public is slow, and it's not surprising that many otherwise reasonable and smart people simply never learned these about these pretty basic security failures.Īt one point in time, Lastpass was considered fine, security-wise. At some point we have to rely on experts. The issue is just that a regular user can't be expected to understand or keep up with technical details. And it's failures were publicly available. The goal should be, even if my vault is stolen, this company implemented reasonable security policies, and I shouldn't have to worry because the probability of getting cracked in a short enough period of time is sufficiently low. The problem was that their system was incompetent. Lastpass getting breached in itself wasn't the main problem. But I don't think that's the most important thing for people to consider. Personally I think having the TOPT secret inside my password vault defeats the purpose of 2FA.It's true that any online service could suffer a breach. A checkbox for enabled 2FA/TOTP so I don't see these logins in the "Inactive 2FA Report" without having to store my TOTP secret alongside my password.Option to change custom fields from "Text" to "Hidden" since a lot of the imported items had text fields in enpass marked as "sensitive" which are now not "Hidden" in Bitwarden and I have to copy them to new hidden fields and the delete the text ones.If my backup strategy fails and all is lost, is there a way to set up a new instance with same hostname, register a user with the same mail-address and then connect a not-logged-out client to the new installation? Will the local cached logins get pushed onto the new server?.Which URLs are needed by the APP and the browser extensions? Would it be possible to add HTTP Auth to / (Web Vault) but not to /api/ and so on? I'll also give fail2ban an go. So either I move my installation out of the DMZ and behind a VPN (which would work but make life more complicated) or I add another layer of security (2FA is already enabled). I still don't feel comfortable with having all my accounts online and accessible via a web-ui.So what am I missing here? :) all I found was a old post here: I even went premium to see if the indicator is somehow connected to the "weak passwords report" feature available with premium. I'm missing a kind of indicator for password strength like shown in the TOTP screenshot on would be an essential feature in my point of view.I still have to figure out a robust and fool-proof backup scenario but so far I really think I could be happy with Bitwarden. ![]() ![]() Importing the data from enpass JSON was a little unnerving with 500+ items and a lot of attachments and notes (O hai ) but finally it worked. So I deployed an instance of Bitwarden on a RasPi, liked what I saw, started another on a proper test server and finally on my "production" server. Never heard of Bitwarden before and in general I'm not the "store sensitive data in the cloud"-kind of guy but I like the self hosted approach. Since enpass forced their new version 6 onto everybody and I experience massive problems with this version I was looking into alternatives. ![]()
0 Comments
Leave a Reply. |