One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then that disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately. Healthcare, HOA, insurance, payroll etc., every bloody two-bit player requires you to log in to their oh-so-secure service rather than sending you your stuff. Which requires a ton of overhead and - sure enough - sooner or later they get hacked, because by then the amount of data they hold on to is more valuable than their security could reasonably be expected to defend.
For example, the water company. I know the water bill is usually $50 or less, so I set the limit to $60/mo. As it turns out, they did get breached. I got an alert about someone who isn't the water company trying to hit the card for 80 cents. Most card runners use amounts under $1 because most credit card spending alerts have a $1 minimum. But privacy.com warned me, so I warned the water company, who was very thankful. Turns out their 3rd party provider had been breached and they were grateful for the alert too. Ended up saving a few thousand of my neighbors a lot of headache.
A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.
If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)
I tried to switch to pass, and I'm not sure if it was something to do with how I imported, but it didn't list my passwords and the browser plugin was clunky and didn't work. Anyone had success with pass/gopass?
Bitwarden seems like a happy medium, I'd rather not do my own password ops. The pricing seems fair (and rather optional). I'll try it, thanks.
I like the model a lot, because it solves the "database ownership" issue, where your password provider (be it LastPass, 1Password, etc.) becomes in itself a weak link.
I switched to 1password which - at least at the time - offered a web-based fallback hosted from your own dropbox. Plus at the time you owned the data and were responsible for storing and syncing it. Dropbox support came out of the box but if you want you can use a local file.
On the Mac, KeePass now feels like a better experience than having to pay a subscription for 1password.
I used to be a 1password user, but they were pushing their premium, cloud-based offering a lot and lacked Yubikey support so I switched away.
The worst thing that happens to me is if I generate a password, and then LastPass doesn't save it! It feels like a 50% shot it will actually save the generated password.
I have nearly 1000 passwords stored in it now, so it's going to be a huge pain to migrate.
If you load the same site using "load desktop site" the UI gets fixed.
Also that site looks like it should be selling something but I see no money hole - should I be worried?
This is kind of yikes for a password manager too: https://github.com/bitwarden/core/issues/399
But it's also pretty much the only polished open source password manager there is out there.
For now I'll be sticking with 1password, but might check out bitwarden again once they have tests and more maturity as a password manager.
We have a tendency to compare opaque with transparent and balk at what we find, but I question what you would feel if you could see through the opaque.
And if you look at their jobs page, one of the job description points is "Create unit tests for existing code to run faster and more reliably.": https://1password.com/jobs/droid-builder/
They might even have a few QA people AFAIK!
I understand why the single founder / engineer of bitwarden doesn't have tests. When you're a startup not writing tests can speed you up significantly. But after a certain point they are going to need automated testing, especially for something as vital as this.
For me, the lack of open source in 1p has been a sticking point, and I was planning to migrate after the audit. But seeing no tests, 1p documenting their security model and bitwarden not being good enough compared to 1p in UI has me sticking to 1p for now. I have high hopes that bitwarden will get to that maturity point one day.
I switched over about a week ago and find it pretty solid, but it's missing a lot of the quality of life features that LastPass had. You can't just hit command + c whilst on an entry and have it copy the password, and they haven't implemented the new iOS 12 features that make password managers much better on iOS.
I'm running them both right now as I'm not fully committed to the switch over, but I'll see how the features get added over time.
Very happy with 1PasswordX (the browser-only version) - filling is much better, copy is supported out of the box, support have been very helpful when I've reached out. Much better customer experience.
However. Still can't uninstall 1Password. Haven't figured out where to store notes (meta) in Keychain. Stuff like "Name of your first pet?".
I would like to also recommend the Firefox extension 'Kee' for autofill. On Android there is the 'Keepass2Android' app. Both are open source and work well.
I also recommend the KeePass plugin 'Yet Another Favicon Downloader'. It downloads favicons from websites for your password entries.
Also 'Keebuntu' is a plugin that makes 'minimize to tray icon' work for me on Linux.
I've used both extensively and Bitwarden is just a dramatically higher-quality app, it's not even funny.
(Not that this whole thread hasn't had me re-evaluating whether there's a better solution for me now.)
I run a unique password for every site so it doesn't matter if a provider gets rumbled, and I don't reuse passwords or have to remember multiple ones.
The form autofill is pretty awful compared to Lastpass, but I can live with that.
Is anyone aware of a technical reason that copy to clipboard is absent in Firefox, or is just laziness? If laziness, I'll dump them tomorrow.
I will give Bitwarden a try.
Do you access kdbx files on mobile devices? If so, what do you use?
The biggest problem with MiniKeePass, in my opinion, is that it doesn't support the new iOS autofill API and that it doesn't support even basic syncing. You always have to make a manual copy of the database file and you can't really create logins on mobile because of that.
There's a fork of MiniKeePass called KeePass Touch, but they don't publicly host the source code anywhere. You have to email them to ask for a copy of the source code, which is technically GPL-compliant, but a bit annoying.
I'm certain none of those 3rd-party connections are necessary and yet... like muscle-memory... devs continue to thoughtlessly invite tracking.
Fonts and other stuff from Google and Facebook are just a small piece of the puzzle.
In addition to that, for my really critical "gatekeeper" accounts, I don't put the full password in the database. Just a reminder that this is a "special" password, which needs to be combined with another bit of info in order to work.
I just live with the fact that I can't use this system on my phone, and for my usage patterns, that's fine. There's nothing I need to do that's so urgent that it can't wait until I'm back in front of my computer.
I can't trust a website to keep all my passwords.
Would be nice to have privacy.com more widely available.
You can have up to 5 non-disposable virtual cards.
You don't have the time to:
- audit the source code
- check every auto-update hash matches the main hash list "just in case" you get a special update just for you
If you turn off auto-update, you will eventually get hacked because of bitrot
It would be nice to have some kind of communication protocol that could be provably restricted from passing whatever the company wants.
I'm using two personal domains to host my own email. One domain is purely for registration/junk purposes and it forwards *@junkemail.com -> email@example.com.
The same server uses nextcloud for calendar/contacts/webdav
I use the password manager Enpass which can sync via webdav across my devices.
Everything selfhosted and emails/credit cards disposable
Privacy is a game changer for online transaction security imo. An additional benefit is the ability to subscribe to "try free for a month but oh wait we need your credit card info first so when you forget to cancel we'll keep charging you". Simply create a virtual card with single time spend limit $1 less than the monthly subscription charge, and you can rest assured that your one month trial is a one month trial.
Because then you can get one from transferwise.
In order to use Payment Services, you must be at least 18 years old. You confirm that you are either a legal resident of the United States, a United States citizen or a business entity authorized to conduct business by the state(s) in which you operate and that you are an authorized signatory for the business you represent.
I also use it with sites I don't necessarily trust, like a random auto parts store. If it were a tad easier to use, I'd use it for nearly everything.
With the premium cards on top of other perks there’s also Disposable Cards which creates a virtual card for every transaction you want and as soon as that card gets used, it’ll destroy it and create one brand new.
For separating limits you can create multiple virtual cards, each with a limit that, once met, will freeze the card.
> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.
> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.
> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").
> Some specific examples of how we use the information:
> * Conduct research and analysis
> * Display content based upon your interests
> * Market services of our third-party business partners
> 4. Information Sharing
> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure and (d) as needed for legal purposes.
> Examples of how we may share information with service providers include:
> * Sending marketing communications
In both cases once there's physical compromise, if they have the "master" password you're screwed?
I presume they use clipboards for the pasting, or do typing that could be captured by a keylogger.
Single point of failure. Even if they claim they're "encrypted so that even THEY can't see them", it's so easy to mess up encryption, it makes it a single point of failure.
I still share passwords between my devices though, but instead I use KeePass along with the Android app. For less critical passwords I let Chrome keep them; I _mostly_ trust Google, and non-critical passwords are exactly my level of trust of Google.
And I also trust Google to share my (encrypted) KeePass file with my devices. But now it's two points of failure: Someone would have to break into a private Google Drive, get my KeePass file, and break the KeePass encryption.
And I trust _both_ KeePass _and_ Google more than I trust Lasspass to get security right.
The one thing that is cool, for items that don't have to ship in the mail, is the ability to use any name and address whatsoever with the merchant.
The TV should display (or maybe email) a link that I would visit with my primary web browser and grant it permissions - or ask for a password as a very last resort for users who have no computer/phone but somehow have Netflix.
Of course, when you only have one logged in device and it's tied to a different room, it's mildly irritating, but you only do it once.
I assume it's because the whole industry prefers data-brokering your purchase history, joined on credit-card # to establish identity.
I know FB & Google purchase something like that from one or two credit card companies, so I wouldn't be surprised if merchants were in to it too.
The virtual cards don't have separate spending limits, though, so it is not quite as good as BofA or Citi for use with questionable sites.
OTOH I do care about my name, address, and other PII being stolen. That is where privacy.com is a help. But not because it protects me from CC loss.
It’s all good though. Knowing I helped thousands of my neighbors is compensation enough. Besides, if they gave me a credit, they’d have to hike everyone’s bill to compensate!
I know I'm a cynic, but it takes all sorts of people.
I always found Quora's use of dark patterns and baiting you in from search engines then blocking the content particularly egregious. Always made me surprised anyone held that site to such a high standing and I can only imagine it's because the advocates never knew how awful the experience was without an account.
I feel Pinterest is very similar in that way.
1. enable donations / tips / subscriptions to sites using a browser-native crypto wallet
2. use ZKP anonymity
This enables a publisher / subscriber business model of 'dollars without data'. Which should really be the Minimum Viable Product for a publisher.
PII data for marketing is the icing on the cake for publishers, but the bar is high (and getting higher) around sharing that, and many of us want to support sites, but don't want to go through N+1 payment gateways and digital identity forms just to read some content.
From this perspective I see Brave and BAT as enabling a very old model: I give you a quarter, you give me your newspaper. End of story.
Brave and BAT are attempting the same thing from a slightly different direction than we are--they are attempting to bring privacy to partially-decentralized apps; however, I don't think this will ultimately succeed--privacy is broken by the weakest link. As soon as you allow some connection to some server somewhere that's exfiltrating your interests, you now have advertisers lining up to buy that data and exfiltrate more. As far as I understand the "hybrid decentralized app" model, where DNS and web2.0 are allowed, you permit these weak links to exist.
If their systems get hacked and they have your snail mail address, they get your snail mail address as well. Email doesn't change that story.
It had amazing content in the early days and still has great answers but the sheer number of nonsensical or slightly tweaked but endlessly repeated question is driving away writers. Paying people to post these questions is just backwards.
Oh, and OAuth is a similar coping mechanism. You shouldn't need to log in to something to browse the web!
We stopped using sites built by amateurs in their spare time and demanded "beautiful user experiences" that we didn't pay anything for. That costs money, so people who wanted to solve that "pain" looked for business models that meant they could deliver what people want without charging directly. Hence we have an Internet driven by advertising and privacy violation.
We didn't demand shit. We only chose from what was available. People trying to make money on-line have, over time, perfected both the design and the business models. At every step of the way, we had a choice between status quo and this new service that's prettier and offers more, for free, with user-hostile monetization scheme that wasn't immediately apparent. Step by step, we've been had, like the frog in the boiling frog fable.
This model doesn't seem bad, advertising without tracking.
I felt validated when I received the email from Quora about the hack to a fake email address and addressing me by a fake name.
Hello! We will be moving to the new anonymity on Quora experience very soon. If you would like to edit or delete your existing anonymous content in the future, please provide your email here before March 20, 2017. You are receiving this message because we have not yet received an email from you. Please note that if you do not provide your email by March 20, 2017, you will need to contact us using our Contact Form and selecting “I need help with my account.”
Does this mean that every question or answer I’ve viewed is now in the hands of the attacker?
Your email address and hashed password being exposed is one thing. That information plus your search history is quite another.
My point is people do cargo cult everything. Could the service be BETTER without forcing the user to sign up? Inconceivable! Everyone knows you should force users to sign up.
It's annoying being on the other end of this: management deciding, for cost reasons, that snail mail is out and email is in.
Somebody else then worries about the risks of emailing documents that contain private information.
I think a case can be made that some kind of email token login is the simplest solution here: passwords only introduce another attack vector since you can usually reset them by email.
Are there more elegant solutions to this problem?
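One concrete shape for the "email token login" suggested above, as an added example that is not code from the thread or from any of the products mentioned: the server issues a random single-use token, stores only its hash with a short expiry, and emails the token in a link. Redeeming consumes the token, so a replayed or expired link fails. The 15-minute window, the in-memory store and the injected clock are assumptions for the example; a real deployment would also rate-limit issuance per address and bind the redeem step to the session that requested it.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for a link


class MagicLinkStore:
    """Pending login tokens, keyed by SHA-256 of the token.

    Only the hash is kept, so a leaked store does not yield usable links.
    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token_hash -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email`; the caller puts it in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return token  # never persisted in clear

    def redeem(self, token: str):
        """Return the email if `token` is valid, else None.

        The entry is removed before any check, so a token is single-use
        whether it succeeds, has expired, or is presented twice.
        Lookup is by hash of an unguessable token, so equality timing
        leaks nothing an attacker can use to forge one.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email


def demo():
    """Issue, redeem, replay and expire a link; returns the outcomes."""
    now = [1_000.0]
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("Alice@Example.com")
    first = store.redeem(token)   # 'alice@example.com'
    replay = store.redeem(token)  # None: already consumed
    stale = store.issue("bob@example.com")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(stale)  # None: past the window
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The point of hashing the stored token is the same one the thread makes about portals being breached: if the token table leaks, it should be no more useful to the attacker than a leaked list of password hashes.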
- what doesn’t get hacked? Isn’t life a continuous trade-off between risks and chances
- If you’re afraid you’ll expose private information, then just don’t use a platform like that?
- these platforms use user generated content, true. But they provide the platform and the product. I think that is a fair deal.
Password reset is a noisy, active attack compared to eavesdropping somewhere in the path of an email.
Would it be possible those logins are more secure?
Today my information is probably leaked. Information I didn't want to give, and that they threatened me for.
Where is the apology Quora? From all the recent leaks this is the one that pisses me off the most, because it's the one that was forced unto me.
I don't understand why you bothered arguing with them instead, I dunno, creating a new fake account?
Instead, I created a new email ID, gave a fake name, and registered with that. I gave up on the site soon anyway, but now I'm glad they forced me into registering with fake details.
Feel better, don't you?
Because we will leak your data, but we won't bother designating a responsible spokesperson, be it security officer, CTO, VP of engineering or principal architect. It will be the all-nebulous Quora team.
Firstly, this post is signed by Adam D'Angelo, the CEO and co-founder. If you had opened the link you wouldn't even have had to scroll down, it's literally on the second line, right after the headline. So clearly Quora doesn't do what you've accused them of doing.
Secondly, what good does crucifying one person do? I'm sure if they had written it such that one person was responsible for everything, a similar comment would have been written - "why make one person the scapegoat? The entire team should take responsibility!!"
I don't know anything about your experience working in software, but when there's a fuck up like this, it doesn't do any good to pin the blame on one person. You figure out where your systems failed, and fix the system after conducting a blame free review. If you start pointing fingers within the team, you'll never get anything fixed.
But still, it is not about finger pointing and blaming one individual. It is about a spokesperson for the public.
The guarantee that things will improve. Someone who will handle announcements and communications with the public and will vouch using their real name and reputation that things will improve. Someone who will explain what went wrong and what actions are taken to ensure this does not happen again. Employee training in place? Tiered access to data and information for employees. Stricter policies, e.g. you can't take a database backup home? etc. etc.
Again, no crucifixion required, but pinning an identity can be good, because you know that there is someone, and who that someone is, that puts all their energy into fixing this mess.
Think of someone like Stamos at Facebook. I don't know if his contribution in the end was a net positive or not, but it is good to know that there is someone that is focused on the issue.
If you have a CEO they get paid more (supposedly) because they take on responsibilities. So, the buck should stop with the highest ranked officer who has responsibility (eg signs off payments/work) in that area.
If you don't assign blame, you can never improve your team, as there's no feedback. Assigning blame might mean retraining, it doesn't have to mean sacking (but could).
Just search for anything like "what is an open source alternative to X" and the results will be a lot of people trying to justify why their Y paid option is a good solution for your problem.
It seems to be popular with scammers and they have taken over.
These days the growth has masked all the good stuff with a layer of spam and general crap that’s hard to get past. Inevitable consequence of growing users but it has been managed poorly.
starts removing module cards
The state of personal data regulation in the US is abysmal. Unfortunately, if Cambridge Analytica wasn't enough to spur new regulation, I fear nothing will.
Right now there is relatively little liability in gathering personal data about customers but huge benefits to doing so. I believe that there should be regulation governing punishments and protections for consumers whose data may be compromised or mishandled by corporate entities.
As it stands right now a company can leak personal data from their customers and face very few consequences. Rather, the negative consequences of customer data leaks are felt by the customer rather than the corporation that mishandles their data. This is a similar externality effect as pollution, where a bad actor's malfeasance generates a larger negative impact than what is directly borne by the bad actor itself.
We could discuss whether or not NextDoor has a legitimate use for personal identification data, but that's a tangential discussion. My point was supposed to be that any firm that gathers personal data should be assuming a greater amount of liability than they currently are.
I deleted my account last year (got cold feet as I was using my real name and picture and people I know IRL had started to stumble across some of my answers), but I'm sure my data is probably involved in this breach somehow.
not my actual user name, but something similar.
Never went back to that site.
Edit: Sorry if stupid question, but that would be throwing major red flags if I got such an email.