this post was submitted on 17 Mar 2025
106 points (100.0% liked)
Fediverse
32163 readers
974 users here now
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to [email protected]!
Rules
- Posts must be on topic.
- Be respectful of others.
- Cite the sources used for graphs and other statistics.
- Follow the general Lemmy.world rules.
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Your password manager's login can also get compromised
So we should make a remote single point of failure, maintained by someone who probably isn’t a security expert or working on it full time?
No, this is unfortunately the opposite of what we should be doing.
EDIT: I should also add that people who make password managers literally focus on only that. They understand what they are making is a huge target and any of them worth their salt have independent audits and spend much of their time on design decisions related to security. Point being: typically the weakest link in a password manager is you. Set a good password, use a YubiKey or some other device, use 2FA, etc.
Not a single point but multiple points. Anyway I'm not gonna pretend I'm an expert in security! I just think it's a feature worth exploring.
If someone runs an auth server, and I use it to identify me, and then it goes away, then I’m out of luck, my account is gone. This is the same problem we have now (with logins being tied to instances), except that it introduces a new place for a failure to occur. Rather than just relying on a lemmy instance, I also need to rely on an auth server to be maintained, safe, and secure.
If I went to another auth server, then it’d give me a different identity and that would not make much sense.
It can, but is it likely to? To get my passwords, you'd need my KeePass database itself, which is only stored on computers I own. To unlock my password database, you need my password, which I have not stored digitally anywhere, and you'd need to have the keyfile. Oh which of the hundreds of thousands of files on my system is the keyfile?
So you've gotten my password database open. Critical things like my lynchpin email address and banking accounts just aren't in there. Those I memorize only. All of the "This would be bad if this got compromised" accounts have 2-factor authentication.
Compared to breaking into a retailer or bank's servers and getting hundreds of thousands if not millions of credentials, that's a lot of effort to get one guy's Lemmy account deets.
Yeah it can. But then they have only my passwords. If they steal a database from a large identity provider, they have millions if not hundreds of millions of passwords. For monetarily motivated crime, my password manager is not a realistic target.