Quora User Data Compromised (quora.com)
1254 points by joebeetee 3 months ago | 505 comments

This is why I hate companies that force you to sign up to gain access to content. I do not want that relationship. Sooner or later those systems will be legacy and then maintaining them will be a pain. Bitrot will set in and sooner or later there will be a breach.

One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then that disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately. Healthcare, HOA, insurance, payroll etc., every bloody two bit player requires you to log-in to their oh-so-secure service rather than that they send you your stuff. Which requires a ton of overhead and - sure enough - sooner or later they get hacked because by then the amount of data they hold on to is more valuable than their security could reasonably be expected to defend.

I use privacy.com and Lastpass to help with this problem. Any time there is a service I have to have a business relationship with that I don't trust to keep my info secure, I use a unique password and a unique credit card number with a tight limit. What's nice is that they tie the card to a single vendor too.

For example, the water company. I know the water bill is usually $50 or less, so I set the limit to $60/mo. As it turns out, they did get breached. I got an alert about someone who isn't the water company trying to hit the card for 80 cents. Most card runners use amounts under $1 because most credit card spending alerts have a $1 minimum. But privacy.com warned me, so I warned the water company, who was very thankful. Turns out their 3rd party provider had been breached and they were grateful for the alert too. Ended up saving a few thousand of my neighbors a lot of headache.
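The rules this comment relies on (a card bound to one merchant, a monthly cap, and an alert on sub-dollar charges) can be written out as a small authorizer. This is an added example and not privacy.com's code; the card and transaction records, the $1 probe threshold and the sample charges are all constructed here for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple

# Assumed threshold: charges below this are treated as card-testing probes.
PROBE_THRESHOLD = Decimal("1.00")


@dataclass
class VirtualCard:
    card_id: str
    monthly_limit: Decimal
    locked_merchant: Optional[str] = None   # bound to the first merchant that charges it
    period: Optional[str] = None            # "YYYY-MM" of the current spending window
    spent: Decimal = Decimal("0")
    alerts: List[str] = field(default_factory=list)


@dataclass
class Transaction:
    merchant: str
    amount: Decimal
    period: str  # "YYYY-MM" the charge falls in


def authorize(card: VirtualCard, tx: Transaction) -> Tuple[bool, str]:
    """Apply the card's rules to one charge; returns (approved, reason).

    Anything the cardholder would want to hear about is appended to
    card.alerts, whether or not the charge itself is declined.
    """
    if tx.amount <= 0:
        return False, "invalid amount"

    # New month: the spending window resets.
    if card.period != tx.period:
        card.period, card.spent = tx.period, Decimal("0")

    # Sub-dollar charges are the classic way a stolen number gets tested.
    if tx.amount < PROBE_THRESHOLD:
        card.alerts.append(f"{card.card_id}: probe charge ${tx.amount} from {tx.merchant!r}")

    # Merchant lock: once bound, nobody else can charge this number.
    if card.locked_merchant is not None and card.locked_merchant != tx.merchant:
        card.alerts.append(
            f"{card.card_id}: {tx.merchant!r} tried to charge a card locked to {card.locked_merchant!r}"
        )
        return False, "merchant mismatch"

    if card.spent + tx.amount > card.monthly_limit:
        return False, "monthly limit exceeded"

    if card.locked_merchant is None:
        card.locked_merchant = tx.merchant
    card.spent += tx.amount
    return True, "approved"


def run_sample() -> Tuple[List[str], List[str]]:
    """Replay a constructed sequence of charges; returns (decisions, alerts)."""
    card = VirtualCard(card_id="water-utility", monthly_limit=Decimal("60"))
    charges = [  # constructed sample data
        Transaction("City Water Co", Decimal("48.20"), "2018-11"),
        Transaction("XYZ-MERCH-7731", Decimal("0.80"), "2018-11"),  # probe from an unknown merchant
        Transaction("City Water Co", Decimal("15.00"), "2018-11"),  # would push the month over $60
        Transaction("City Water Co", Decimal("49.10"), "2018-12"),  # new month, window resets
    ]
    decisions = [f"{tx.merchant} ${tx.amount}: {authorize(card, tx)[1]}" for tx in charges]
    return decisions, card.alerts


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

The probe check runs before the merchant check on purpose: a sub-dollar charge from the bound merchant still goes through, but it is still worth surfacing, because card-testing usually precedes a larger fraudulent charge.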

Lastpass has been going downhill with every acquisition and had gotten to the point where autofill failed on the majority of sites and the "copy password" menu item disappeared, bringing clicks-to-login from 1 to ~10.

A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.

If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)

LastPass is one of my least liked most used tools. Everything about the implementation feels second rate: slow, unreliable login capture, unreliable form fill, occasional inability to edit records, buried password copy, clunky UI, inappropriate modal nagging in browser and app... Most times I use it I am cursing it.

I tried to switch to pass, and I'm not sure if it was something to do with how I imported, but it didn't list my passwords and the browser plugin was clunky and didn't work. Anyone had success with pass/gopass?

Bitwarden seems like a happy medium; I'd rather not do my own password ops. The pricing seems fair (and rather optional). I'll try it, thanks.

LastPass has corporate mismanagement written all over it. It's ridiculous how bad their product is considering how big they were.

It is puzzling. My feeling is that for quite some time they had a lead on features (cross-platform, browser overlay, secret sharing) - particularly the combination of features whereas competitors always seemed to have a subset. That's what reluctantly kept me with them. The software quality does just seem quite bad though.

I have the same disappointing experience with LastPass and have grown tired of it. One of these days I will do something about it!

Check out Keepass! Rather than syncing directly into a Cloud, it allows you to store a database file into any location. It supports MFA (e.g. by combining a password with a secret file, or a Yubikey). And everything is open-source.

I like the model a lot, because it solves the "database ownership" issue, where your Password provider (be it LastPass, 1Password, etc) becomes in itself a weak link.

I'm a super happy user of KeePass too, and KeePass2Android is the best password management app I've ever used.

I used to use KeePass but the lack of a proper cross-platform UI eventually broke it for me; KeePassX on Linux looked and performed terribly, the Android app was just bad, etc etc etc.

I switched to 1password which - at least at the time - offered a web-based fallback hosted from your own dropbox. Plus at the time you owned the data and were responsible for storing and syncing it. Dropbox support came out of the box but if you want you can use a local file.

KeePassXC works great for me on Linux, Windows, Mac, and Android.

Have another look at KeePass. They recently got a native Mac implementation, and I seem to recall seeing a new one for Linux at the time.

On the Mac, KeePass now feels like a better experience than having to pay a subscription for 1password.

Or MacPass for macOS, which was a very slick alternative to the KeePass application at the time.

Yeah you're right, I believe it's based on .NET so on Linux you'll have to use Mono. For the plugin ecosystem, that's suboptimal because you'll have to rebuild a lot of plugins from scratch.

I used to be a 1password user, but they were pushing their premium, cloud-based offering a lot and lacked Yubikey support so I switched away.

Keepass is great, but it is somewhat slower and more clicks to get passwords into forms as opposed to 1Password or LastPass.

I have used KeePass for years. It is not as convenient as some of the alternatives, but I trust it more.

I'm in the same boat. The user experience on it is terrible now.

The worst thing that happens to me is if I generate a password, and then LastPass doesn't save it! It feels like a 50% shot it will actually save the generated password.

I have nearly 1000 passwords stored in it now, so it's going to be a huge pain to migrate.

This is by far the worst. I have LP set up with a shortcut + fingerprint tap on my MBP, which works great until I'm generating a password, which never gets saved. I have to remember to get my vault page open ready to fill in before I generate the password, because if I generate one from the toolbar dropdown I'll never see it again. Ugh.

LastPass Mobile UI seems to be intentionally crippled (https://vgy.me/9r29bm.jpg), I assume because they want you to download the app, pushing you to purchase their license.

If you load the same site using "load desktop site" the UI gets fixed.

The Android app is still very frustrating to use.

Access through the apps has been free for a couple of years now.

Bitwarden is best. I hope they will not go bankrupt from free users. It's funny that it is the cheapest but also works the best out of all the managers I tried. Dashlane is good but it's so much more expensive. Bitwarden will slowly kill most of the managers if they keep up the great work.

Has anyone tried ButterCup (https://buttercup.pw/)? I've been looking at the codebase and it seems really solid.

I will add this to my password manager binge (because I know how to party). I did find the NPM build a bit frightening though - module 956/1xxx built...

Also that site looks like it should be selling something but I see no money hole - should I be worried?

This looks really nice. Wonder if there are any security reviews, I'm tempted to try it.

I use 1password regularly, tried bitwarden, found it lacking in various quality of life features & polish that 1p has, so I didn't migrate.

This is kind of yikes for a password manager too: https://github.com/bitwarden/core/issues/399

But it's also pretty much the only polished open source password manager there is out there.

For now I'll be sticking with 1password, but might check out bitwarden again once they have tests and more maturity as a password manager.

Just for the record, I don't believe that 1Password has unit tests either. I was unable to find evidence of unit tests, but I did find this: https://discussions.agilebits.com/discussion/comment/156429/...

We have a tendency to compare opaque with transparent and balk at what we find, but I question what you would feel if you could see through the opaque.

That is true, but at least they have code review and multiple people ;) I'm just estimating from my experience that after a certain point, most companies start writing automated tests.

And if you look at their jobs page, one of the job description points is "Create unit tests for existing code to run faster and more reliably.": https://1password.com/jobs/droid-builder/

They might even have a few QA people AFAIK!

I understand why the single founder / engineer of bitwarden doesn't have tests. When you're a startup not writing tests can speed you up significantly. But after a certain point they are going to need automated testing, especially for something as vital as this.

For me, the lack of open source in 1p has been a sticking point, and I was planning to migrate after the audit. But seeing no tests, 1p documenting their security model and bitwarden not being good enough compared to 1p in UI has me sticking to 1p for now. I have high hopes that bitwarden will get to that maturity point one day.

I found the same thing with their client apps, should have checked core to see if there weren't any there as well.

I switched over about a week ago and find it pretty solid, but it's missing a lot of the quality of life features that LastPass had. You can't just hit command + c whilst on an entry and have it copy the password, and they haven't implemented the new iOS 12 features that make password managers much better on iOS.

I'm running them both right now as I'm not fully committed to the switch over, but I'll see how the features get added over time.

I moved from LastPass to 1Password recently. Had been using LastPass for several years, but filling failures, the lack of copy password in FF (and no binary workaround for Linux), and generally unhelpful support when I contacted them prompted me to move.

Very happy with 1PasswordX (the browser-only version) - filling is much better, copy is supported out of the box, support have been very helpful when I've reached out. Much better customer experience.

I was a 1Password fan for many years, until the big push to go subscription. For now I'm just using Apple's keychain until I decide what tool to use next. If you're in Apple's ecosystem, keychain actually works pretty well.

You can still purchase a standalone license, even for v7. Sure they want you to rent access to your data, but that's not the only path. I also recently taught KeePassXC to read the 1P on-disk vault format, so you can continue to use 1P even in Linux, and even if AgileBits goes under.

Loving Safari / iOS 12's improved integration with Keychain.

However. Still can't uninstall 1Password. Haven't figured out where to store notes (meta) in Keychain. Stuff like "Name of your first pet?".

Have a look at KeePass. There's a native OSX client now.

Do they support automatically adding/updating sites yet?

It will prompt you to do so.

Not on page submit, but you can do it when the form is still visible before you submit.

My 1Password always prompts me after I submit a form if I want to save the credentials used in that form.

Might be different with 1PassX?

I would like to recommend keepass. It's open source as well.

Yep, I use KeePass synced over my self-hosted nginx server. But you can use Dropbox/Google Drive/etc. just as easily.

I would like to also recommend the Firefox extension 'Kee' for autofill. On Android there is the 'Keepass2Android' app. Both are open source and work well.

I also recommend the KeePass plugin 'Yet Another Favicon Downloader'. It downloads favicons from websites for your password entries.

Also 'Keebuntu' is a plugin that makes 'minimize to tray icon' work for me on Linux.

Agreed, a very functional manager for me, though I am using the KeePassXC [1] version on macOS (via brew cask) and Ubuntu (via snap).

1: https://keepassxc.org/

+1 to this :)

+2, keepass and plain google drive / dropbox / icloud file sync to have it available in several machines.

+3, though I sync it on my Synology instead of the cloud.

I've thought about setting up a personal NAS for this purpose. But I'm concerned about having a single point of failure/loss in the event of a house fire or burglary. Any chance you've addressed this risk in your implementation?

I'm also a happy Bitwarden customer. I especially like that it is all Free Software (combination of GPL 3 and AGPL across various parts), which to me is important for security and privacy related software. I've also had good experiences with Bitwarden support from Kyle, the lead developer and founder.

I have been using Pass [0] with passff [1] and have been pretty happy with it. Simple and offline password management where passwords live in gpg-encrypted files. Additional features I like are tracking changes with git, bash completion, copying passwords to the clipboard temporarily for a few seconds, and a few very useful extensions.

[0] https://www.passwordstore.org/

[1] https://github.com/passff/passff#readme

Another pass user here. Simple and understandable, two strong positives for that type of application.

Pass is awesome. I use it in combination with a YubiKey to store the PGP key. Because every password is stored in an independent encrypted file and every decryption needs a press on the YubiKey, even a stolen database and a keylogger do not provide access to all passwords.

I use pass with Keyboard Maestro on the Mac: it just gets an autofill input for the password I want, then opens a terminal, asks for the master password if needed and puts it in the clipboard. Very friendly way to use it.

Pass is definitely not as polished, but it's so dead simple, just a thin wrapper over gpg and git.

I second this. I was a long term LP user that switched to Bitwarden this year and haven't looked back.

Install the LastPass binary, and you get copy password back in Firefox.

I tried that on Win10, and it didn't work for me. It was the last straw. Honestly, why on earth do they need it anyway? HTML5 has had a Clipboard API for a while now.

I've used both extensively and Bitwarden is just a dramatically higher-quality app; it's not even funny.

Not on Linux, and we've waited too long. 1Password supports it direct from the extension.

Weirdly, I have been using Lastpass in Firefox on Linux and seem to have copy/paste.

(Not that this whole thread hasn't had me re-evaluating whether there's a better solution for me now.)

Ah good to know. Does anyone know the reason they removed it from the Firefox addon?

I believe it had to do with the change from the old addon format to the new one in Firefox.

Bitwarden doesn't seem to have any problem copying passwords using a new-style extension with no binary install.

I recall that the initial release of the Web Extension support was a bit threadbare, and/or that they had to change the extension ID or something of that sort, but it's also possible it was left out for existing design reasons/as a cudgel. In either case this whole thread has been useful for alerting me that I should re-evaluate if Lastpass is the optimal solution for me.

I switched to LastPass from 1Password because I hated their whole mobile sync thing where you had to be on the same wifi and start your Mac app to sync etc. I understand that it's more secure that way, but that trade-off was not worth it for me. Has that changed in the meantime?


I migrated over from Lastpass to Dashlane a few years ago. Couldn't be happier. It integrates with everything and as far as I understand their encryption is better than Lastpass, although I couldn't say how.

Another vote for Dashlane. The password management is stellar, it even alerts you about breaches and prompts you to change compromised passwords.

I run a unique password for every site so it doesn't matter if a provider gets rumbled, and I don't reuse passwords or have to remember multiple ones.

The form autofill is pretty awful compared to Lastpass, but I can live with that.

I do love lastpass but since switching to Firefox 100% away from Chrome, the lack of copying a password to the clipboard without seeing it first really stings. What if someone is sitting next to me, or someone is grabbing screenshots or streaming my screen? It's like having this super secure electrified iron door installed but neglecting to lock it.

Is anyone aware of a technical reason that copy to clipboard is absent in Firefox, or is it just laziness? If laziness, I'll dump them tomorrow.

Install the lastpass binary in addition to the browser plugin. It re-adds that functionality back.

I'm using lastpass with firefox nightly and I don't have this issue. copying the password to clipboard without seeing it works out of the box using the browser extension.

In bitwarden it works out of the box, so I think it’s just laziness.

The clipboard can be accessed by any other application.

I've never used any other password manager but just wanted to say I love LastPass. It very rarely fails on autofill for me, it saves all my passwords nicely, has secure notes, organizational sharing for teams. I find it to be really great.

Hmmm, I have been using the Keepass + Dropbox combo. Wanted to change to a more streamlined experience. The current choices of 1Password, LastPass and Dashlane didn't seem to attract me.

I will give Bitwarden a try.

This is what I do too. Biggest complaint is the lack of official apps for mobile devices. I’ve used MiniKeePass in the past but am hesitant because there doesn’t seem to be much active development and I don’t see the source code anywhere.

Do you access kdbx files on mobile devices? If so, what do you use?

Source code lives here: https://github.com/MiniKeePass/MiniKeePass

The biggest problem with MiniKeePass, in my opinion, is that it doesn't support the new iOS autofill API and that it doesn't support even basic syncing. You always have to make a manual copy of the database file and you can't really create logins on mobile because of that.

There's a fork of MiniKeePass called KeePass Touch, but they don't publicly host the source code anywhere. You have to email them to ask for a copy of the source code, which is technically GPL-compliant, but a bit annoying.

On Android: the Keepass2Android offline app is pretty good.

I am using KeePass Touch on iOS.

I personally use KeeAnywhere to streamline my experience. It allows me to just log in and select my db.

+1 for bitwarden. Not a security professional, but it seems to be a good tradeoff between security and usability. Definitely better than lastpass on both counts.

Something about storing every password in a single cloud service to improve security sounds counterintuitive to me.

The passwords are all encrypted with the master password and ideally an additional salt such as in the case of 1password.

What do you do?

Are you in paid bitwarden? For Premium and/or family?

I've been looking into password managers for my team/department, and bitwarden has some good looking stuff, but they seem to only invoice in USD, which creates constant friction for recurring IT bills at my company.

+1 recommendation for Bitwarden

I looked over privacy.com - specifically their security page[0] which reads impressively. As I looked at my "dashboard" I couldn't help but notice (according to uBlock Origin) that privacy.com, ironically, connects to facebook (.net) and google (fonts, apis, gstatic).

I'm certain none of those 3rd-party connections are necessary and yet... like muscle-memory... devs continue to thoughtlessly invite tracking.

[0] https://privacy.com/security

I've seen people include such tags on the logged in areas for cancer patients in medical websites without batting an eye and wondering why that's a bad thing.

Haven't looked very closely, but how do you think they make money by offering virtual credit cards for free? I bet they will track all your purchases and resell them for marketing later.

Fonts and other stuff from google and facebook is just a small piece of the puzzle.

They detail it on their website, but basically they keep part of the interchange fees for each transaction.

I use keepassx, a local password manager. I don't trust centralized online password managers with browser extensions. Huge attack surface. I copy and paste usernames and passwords.

Same. Where do you keep the db file? Mine's in the cloud and I can't help but think it reduces security, but then I need access to this data from various locations.

I worry about this too. I store the database itself in Dropbox, and I also use a keyfile alongside the password to open it. I can easily recreate the keyfile on any computer, but it never goes anywhere near the internet.

In addition to that, for my really critical "gatekeeper" accounts, I don't put the full password in the database. Just a reminder that this is a "special" password, which needs to be combined with another bit of info in order to work.

I just live with the fact that I can't use this system on my phone, and for my usage patterns, that's fine. There's nothing I need to do that's so urgent that it can't wait until I'm back in front of my computer.
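The keyfile-plus-password setup in this comment is worth seeing as code, because it makes the threat model concrete: a copied database plus a keylogged master password still fails without the key file, and a stolen device with the key file still fails without the password. This is an added example, not KeePass's or Dropbox's code; the composite-key construction, the PBKDF2 stretching step (a stand-in for a real vault format's Argon2 or similar KDF), the HMAC check tag and the sample credentials are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def keyfile_material(raw: bytes) -> bytes:
    """Reduce a key file to 32 bytes: a 32-byte file is used as-is, anything
    else is hashed. (Assumed handling for this example, not a KeePass spec.)"""
    return raw if len(raw) == 32 else hashlib.sha256(raw).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Combine whichever factors the user supplied; either may be absent."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += keyfile_material(keyfile)
    if not parts:
        raise ValueError("at least one key source is required")
    return hashlib.sha256(parts).digest()


def stretch(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Slow the key down against offline guessing. PBKDF2 is a stand-in here;
    a real vault format would use Argon2 or a comparable memory-hard KDF."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def create_vault(password: Optional[str], keyfile: Optional[bytes],
                 rounds: int = 50_000) -> Dict[str, bytes]:
    """Produce the public header a vault file would carry (salt, round count,
    check tag) so unlock attempts can be validated without storing a secret."""
    salt = os.urandom(16)
    key = stretch(composite_key(password, keyfile), salt, rounds)
    tag = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "rounds": rounds.to_bytes(4, "big"), "check": tag}


def unlock(header: Dict[str, bytes], password: Optional[str],
           keyfile: Optional[bytes]) -> bool:
    """True only when the supplied factors reproduce the key the vault was made with."""
    try:
        composite = composite_key(password, keyfile)
    except ValueError:
        return False
    rounds = int.from_bytes(header["rounds"], "big")
    key = stretch(composite, header["salt"], rounds)
    tag = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(tag, header["check"])


def run_sample() -> Dict[str, bool]:
    """Constructed credentials: show which factor combinations open the vault."""
    password = "correct horse battery staple"  # constructed sample password
    keyfile = os.urandom(32)                     # constructed; in practice never leaves the device
    header = create_vault(password, keyfile)
    return {
        "both": unlock(header, password, keyfile),
        "password_only": unlock(header, password, None),        # copied vault + keylogger, no key file
        "keyfile_only": unlock(header, None, keyfile),          # stolen device, no password
        "wrong_keyfile": unlock(header, password, os.urandom(32)),
    }


if __name__ == "__main__":
    for scenario, opened in run_sample().items():
        print(f"{scenario:14s} -> {'opens' if opened else 'stays locked'}")
```

The header holds nothing that helps an attacker: the salt and round count are public by design, and the check tag only confirms a key that was derived correctly. What makes the key file a real second factor is the operational rule in the comment above, that it is never stored next to the database it protects.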

Why can't you use it on your phone? There are various apps for Keepass available.

On my laptop. I sync to my phone and tablet using Syncthing. I write into the file only on the laptop.

I keep my db in my own freenas box and sync it between devices using resilio sync.

I use BitWarden, and they let you self host the service if you want. I haven't done it yet, but I'm definitely considering it. However, passwords are encrypted on your machine then uploaded, so it's a bit more secure than them managing everything on the server.

I also do that (almost, keeweb + dropbox) and copy paste logins, but a serious problem is that you need to clear the clipboard after, otherwise any other site you visit can read it.

Dunno about Keeweb but KeePass automatically wipes the clipboard after a configurable number of seconds.

Same here! Except I use Keychain (without icloud) from OSX, as it's built in.

I can't trust a website to keep all my passwords.

I basically decided to trust Apple's privacy and security teams, so iCloud Keychain is the one service that I use for syncing.

It's unfortunate that privacy.com is only for US residents. Does anyone know of a similar service that's available for Europeans as well? Specifically the virtual card feature. Most of the services that I've seen offer something like this are for EEA residents only. This seems to be a new restriction imposed by Visa/MasterCard.

Not sure about EEA only, but Revolut might work for you and it has virtual cards.

Would be nice to have privacy.com more widely available.

At Revolut you can only have one disposable virtual card active at any moment and they cannot be used for subscriptions/recurring payments.

You can have up to 5 non-disposable virtual cards.

Looks great, but they don't offer the service in my country :(

What makes you trust LastPass that they won't sell/leak/expose your passwords from some backdoor or under-the-table deal? I'm asking because this is not a public company or an entity that can be held responsible in any way for such an act. It's just another startup obligated to make their investors 10X returns. I haven't read their agreements but I'm pretty sure any lawyers of such companies have enough clauses to absolve them of any such acts.

They don't have your passwords.

They do store your "vault" on their server. It's encrypted, though, using a key that doesn't leave your computer. However, I can easily imagine deliberate as well as innocent "mistakes" in browser plugins and other weak links in the architecture that would expose the master key and hence your vault.

That can pretty much happen to any software provider you download software from.

You don't have the time to:

- audit the source code

- check every auto-update hash matches the main hash list "just in case" you get a special update just for you

If you turn off auto-update, you will eventually get hacked because of bitrot.
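The second bullet above, checking that an auto-update matches the vendor's published hash list so that a "special update just for you" is caught, is simple enough to automate. What follows is an added example and not any password manager's updater: the manifest format, the release bytes and the version numbers are constructed for the illustration, and a real deployment would additionally verify a signature on the manifest itself, which this example omits.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple


def publish_manifest(releases: Dict[str, bytes]) -> str:
    """Vendor side: record the SHA-256 and size of every release artifact.

    In practice this manifest is published out of band (and signed); here it
    is returned as JSON text so the client side can be exercised offline.
    """
    entries = {
        version: {"sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob)}
        for version, blob in releases.items()
    }
    return json.dumps(entries, sort_keys=True)


def verify_update(version: str, artifact: bytes, manifest_json: str) -> Tuple[bool, str]:
    """Client side: accept an update only if it matches the published entry.

    A build that appears nowhere in the public manifest is exactly the
    "special update just for you" case: it is refused even though it arrived
    over the normal update channel.
    """
    manifest = json.loads(manifest_json)
    entry = manifest.get(version)
    if entry is None:
        return False, f"version {version} is not in the published manifest"
    if len(artifact) != entry["size"]:
        return False, "size mismatch"
    actual = hashlib.sha256(artifact).hexdigest()
    # compare_digest avoids leaking where the two hashes diverge via timing.
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, "hash mismatch: artifact differs from the published release"
    return True, "ok"


def run_sample() -> Dict[str, Tuple[bool, str]]:
    """Constructed releases and a few delivery scenarios; returns the verdicts."""
    releases = {  # constructed stand-ins for real installer bytes
        "4.2.0": b"EXAMPLE-PM installer v4.2.0 " + bytes(range(64)),
        "4.2.1": b"EXAMPLE-PM installer v4.2.1 " + bytes(range(64, 128)),
    }
    manifest = publish_manifest(releases)
    genuine = releases["4.2.1"]
    # Same length, one byte flipped: a silently patched build.
    patched = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    return {
        "genuine": verify_update("4.2.1", genuine, manifest),
        "patched": verify_update("4.2.1", patched, manifest),
        "truncated": verify_update("4.2.1", genuine[:-1], manifest),
        "unlisted": verify_update("4.2.2", genuine, manifest),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in run_sample().items():
        print(f"{scenario:10s} -> {'install' if ok else 'refuse'}: {reason}")
```

The check only has teeth if the manifest reaches the client by a path the update server cannot quietly alter, for example a signed file mirrored by a third party; otherwise an attacker who can serve a targeted build can serve a matching hash list too.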

They don't, officially. Nothing is stopping them from updating the client to siphon your passwords or the encryption key, though. This is a problem all password managers have.

It would be nice to have some kind of communication protocol that could be provably restricted from passing whatever the company wants.

I'm happy with privacy.com.

I'm using two personal domains to host my own email. One domain is purely for registration/junk purposes and it forwards *@junkemail.com -> junk@myemail.com.

The same server uses Nextcloud for calendar/contacts/WebDAV.

I use the password manager Enpass, which can sync via WebDAV across my devices.

Everything self-hosted, and emails/credit cards disposable.

What bank/card allows you to create unique credit cards with separate limits? The one I was using (Swedbank/visa/mastercard) stopped providing this service last year.

Privacy.com allows you to create virtual credit cards once you connect a source of payment to your account. It can be a bank account or a debit card. I personally create one credit card for every paid subscription I have, with the limit set to the amount that's supposed to be debited (e.g. a monthly limit on Tidal charging $20).

Privacy is a game changer for online transaction security imo. An additional benefit is the ability to subscribe to "try free for a month but oh wait we need your credit card info first so when you forget to cancel we'll keep charging you". Simply create a virtual card with single time spend limit $1 less than the monthly subscription charge, and you can rest assured that your one month trial is a one month trial.

Privacy.com is US only though.

Is it only for US persons or does it just require a US bank account?

Because then you can get one from transferwise.

Thanks, unfortunately not enough.

> In order to use Payment Services, you must be at least 18 years old. You confirm that you are either a legal resident of the United States, a United States citizen or a business entity authorized to conduct business by the state(s) in which you operate and that you are an authorized signatory for the business you represent.


Any decent international (EU) alternative?

Citibank offers virtual credit cards. Once they are used by one merchant, they can not be used by any other merchant. On top of that, you can optionally give them money and time limits.

I rather like this feature from CitiBank. I hate the interface, but the feature is great. I can use it to sign up for monthly services that I'm unsure about. If I don't want to go through the hassle of canceling the service, I just don't renew the cards.

I also use it with sites I don't necessarily trust, like a random auto parts store. If it were a tad easier to use, I'd use it for nearly everything.

Revolut standard account (w/o monthly fees) gives you a Virtual Card which I use when I don’t trust the site I’m buying from and after the purchase I just freeze it.

With the premium cards on top of other perks there’s also Disposable Cards which creates a virtual card for every transaction you want and as soon as that card gets used, it’ll destroy it and create one brand new.

For separating limits you can create multiple virtual cards each with limits once met will freeze the card.

LastPass is not helping you with privacy here. From their ToS:


> You may use our Services only as permitted in these Terms, and you consent to our Privacy Policy at https://www.logmeininc.com/legal/privacy, which is incorporated by reference.


> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.

> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.

> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.

> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").


> Some specific examples of how we use the information:

> * Conduct research and analysis

> * Display content based upon your interests

> * Market services of our third-party business partners


> 4. Information Sharing

> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure and (d) as needed for legal purposes.


> Examples of how we may share information with service providers include:

> * Sending marketing communications


Yow, that is precisely the last thing you want from a company whose job it is to store passwords. Thanks for the heads up.

That's so awful. Which password managers are not like that? I assume KeePassXC is good since it's open source.

I haven't even tried to use these services, can someone please explain why centralizing all your online activity helps with privacy?

The traditional pitch from security experts is "Using a password manager is better than reusing the same password on lots of sites, or using low entropy passwords, or saving your passwords in an excel spreadsheet, which is what you were probably doing before"

Apart from shoulder-surfing, wouldn't an encrypted spreadsheet be equivalent (not Excel, as I imagine MS might randomly send that data home, e.g. if there's a crash)?

In both cases once there's physical compromise, if they have the "master" password you're screwed?

I presume they use the clipboard for the pasting, or do typing that could be captured by a keylogger.

It doesn't. It helps with usability, it seems, because if you have multiple devices it's easier to manage them.

I have a hard time trusting _any_ of the password services that host my passwords.

Single point of failure. Even if they claim they're "encrypted so that even THEY can see them", it's so easy to mess up encryption, it makes it a single point of failure.

I still share passwords between my devices though, but instead I use KeePass along with the Android app. For less critical passwords I let Chrome keep them; I _mostly_ trust Google, and non-critical passwords are exactly my level of trust of Google.

And I also trust Google to share my (encrypted) KeePass file with my devices. But now it's two points of failure: Someone would have to break into a private Google Drive, get my KeePass file, and break the KeePass encryption.

And I trust _both_ KeePass _and_ Google more than I trust LastPass to get security right.

I can’t trust privacy.com. I refuse to give some company direct access to pull money from my bank. Only a matter of time until they’re breached too.

How do you buy online?

With a credit card... I have protection against fraud on those.

Directly credit card online? Sorry, I don't understand...

Or offline.

What about using a completely segregated secondary account? I have a Simple account, and that's all I use it for. I only ever have a couple hundred in there at any time.

You also hit on a very easy solution for those who aren't going to go to those extremes: be sure your notifications are set up. Getting an email within minutes of every purchase or paid bill has been great.

Anyone can suggest a good alternative to privacy.com for EU residents?

Interesting. I literally don't care if my CC information is stolen from a merchant -- I have zero liability for fraudulent use on all of my cards. Why do I want the friction of privacy.com?

The one thing that is cool, for items that don't have to ship in the mail, is the ability to use any name and address whatsoever with the merchant.

Same. All my passwords are 100+ characters via LastPass. Except the ones that have to be only 12 :(

Nice. How's that occasional instance where you need to type your 100 character password into Netflix on a Smart TV?

Given the shady things people have found their smart TVs doing, I'd feel about as safe typing a password into a smart TV as I would changing the password to "hunter2".

The TV should display (or maybe email) a link that I would visit with my primary web browser and grant it permissions - or ask for a password as a very last resort for users who have no computer/phone but somehow have Netflix.

The BBC iPlayer does essentially this now. It creates a short one time code and you type it into a logged in account to activate the smart device.

Of course, when you only have one logged in device and it's tied to a different room, it's mildly irritating, but you only do it once.

Plex and Roku do this. They give you a simple one time URL like plex.tv\U23SL That URL asks you to log in (on your computer) and once it's authorized, the Roku or Plex on your TV gets the signal and continues. Easier than typing on a TV device.
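
The "short code on the TV, approve from a logged-in browser" activation described in the last few comments is essentially the OAuth 2.0 device authorization grant. The following is an added example (not code from any of the services named above) that simulates the server side of that flow in Python, with a hypothetical `ActivationServer`, a constructed code alphabet and a made-up verification URL as assumptions; it shows the properties that make the pattern safer than typing a password on the TV: the short user code never grants access by itself, the device only receives a token through its long random device code, the code expires, and it is single use.

```python
"""Simulation of a TV/device activation flow (OAuth 2.0 device grant style)."""
import secrets
import time

# Constructed alphabet: no vowels or easily confused glyphs, so codes are
# pronounceable over the phone and hard to mistype on a remote.
CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789"
CODE_TTL = 600  # seconds a pending code stays valid (assumed value)
VERIFICATION_URL = "https://example.invalid/activate"  # placeholder URL


class ActivationServer:
    """Holds pending activations; `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # user_code -> activation record

    def start(self, device_id):
        """Called by the TV: returns what it shows on screen plus its secret."""
        user_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        device_code = secrets.token_urlsafe(32)  # long secret, never shown
        self.pending[user_code] = {
            "device_code": device_code,
            "device_id": device_id,
            "expires": self.now() + CODE_TTL,
            "approved_by": None,
            "token": None,
        }
        return {
            "user_code": f"{user_code[:3]}-{user_code[3:]}",  # display form
            "device_code": device_code,
            "verification_url": VERIFICATION_URL,
            "expires_in": CODE_TTL,
        }

    def approve(self, session_user, typed_code):
        """Called from the browser by an already logged-in user.

        Knowing the short code only lets you bind *your* account to the
        device; it never yields a token. Production deployments should also
        rate-limit this endpoint since the code space is small (28**6).
        """
        key = typed_code.upper().replace("-", "").strip()
        rec = self.pending.get(key)
        if rec is None or rec["expires"] < self.now():
            return "invalid_or_expired"
        if rec["approved_by"] is not None:
            return "already_used"
        rec["approved_by"] = session_user
        rec["token"] = secrets.token_urlsafe(32)
        return "approved"

    def poll(self, device_code):
        """Called repeatedly by the TV; releases the token exactly once."""
        for user_code, rec in list(self.pending.items()):
            if not secrets.compare_digest(rec["device_code"], device_code):
                continue
            if rec["expires"] < self.now():
                del self.pending[user_code]
                return "expired", None
            if rec["token"] is None:
                return "authorization_pending", None
            del self.pending[user_code]  # single use: cannot be replayed
            return "ok", {"user": rec["approved_by"], "token": rec["token"],
                          "device_id": rec["device_id"]}
        return "invalid", None


def demo():
    """Happy path: TV starts, user approves in browser, TV polls and succeeds."""
    srv = ActivationServer()
    shown = srv.start("living-room-tv")
    assert srv.poll(shown["device_code"])[0] == "authorization_pending"
    assert srv.approve("alice", shown["user_code"]) == "approved"
    status, grant = srv.poll(shown["device_code"])
    return status, grant["user"], srv.poll(shown["device_code"])[0]


if __name__ == "__main__":
    print(demo())  # ('ok', 'alice', 'invalid')
```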

Haven't had to do that yet. My uh-oh case is VR. I just typed 5 chars at a time in the headset and then looked at my phone. The occasional cost is worth it though, only adding ~30 seconds

On my Android TV, I can use my phone as a remote keyboard and copy/paste. But there are some apps which design their own inputs incompatible with the remote keyboard. When this happens I can plug in my physical keyboard directly to the TV.

I use an apple tv, so I can paste it from the mobile app on my iPhone. iOS 12 password manager integration might work too!

That's excessive. Around 80 bits of entropy (16 alphanumericals) is sufficient, especially when using unique passwords for each service. See https://security.stackexchange.com/questions/6095/xkcd-936-s...

You could just use a normal Citi or BoA or any other card that generates virtual card numbers and that'll also lock it to that vendor after the first charge. So that they couldn't even hit it for $0.80 if they wanted to.

Last time I checked, both Citi and BofA give me virtual card numbers via a Flash plugin. I really have no desire to run Flash any more. Has that changed?

Virtual card #s are a great system, why did it rot?

I assume it's because the whole industry prefers data-brokering your purchase history, joined on credit-card # to establish identity.

That's one good reason, another is probably pushback from merchants. Having these virtual cards completely shuts down the "free-trial-we-hope-you'll-forget-and-let-us-ding-you-for-a-month-or-two" business model that's so popular for online services.

Not sure you need merchant pushback there - if it leads to unexpected charges then it's more likely to lead to inability to pay, or short payment, which gives the credit card companies their chance to feed off the client.

Also usability, most people just don't care enough. (which is reasonable often)

Wouldn't the bank still know your full purchase history (since they know what numbers are tied to you)? So they'd in fact get a leg up on the competition, who get a more distorted view?

But they don’t get the invoices of what you bought, just the total payment amount.

Unless they work with an analytics system that mastercard, visa & amex participate in to link card numbers to invoices for better advertising & affiliate data.

I know FB & Google purchase something like that from one or two credit card companies, so I wouldn't be surprised if merchants were in to it too.

Nope it hasn’t changed. It’s the same FIA Card Services Flash app from 2005.

Capital One gives virtual card numbers via a Firefox or Chrome extension, which you use on the check out page of the site where you want to use the virtual card. It is quite convenient.

The virtual cards don't have separate spending limits, though, so it is not quite as good as BofA or Citi for use with questionable sites.

The 80 cents didn’t go through. I got a warning instead. And my regular cards don’t offer the level of control privacy.com does.

The real feature of privacy.com is the ability to use any address. Who cares if your CC is compromised? Get one just for recurring balances and another for everything else.

Outside of the top ten SFW subscription services, they are all prone to being hacked.

I don't follow your argument. Yes, any merchant is going to get hacked. My argument is, I don't care a whit about my CC being stolen. My liability is zero and I can just get a new card. The only thing I care about is the hassle of setting up a new card for recurring balances. Hence, why I need at least 2 cards.

OTOH I do care about my name, address, and other PII being stolen. That is where privacy.com is a help. But not because it protects me from CC loss.

Was the water company thankful enough to compensate you for the $X,000 consulting services you provided because they didn't set up their own security monitoring?

Given their lack of security, I’m guessing they have no idea of the value that I provided.

It’s all good though. Knowing I helped thousands of my neighbors is compensation enough. Besides, if they gave me a credit, they’d have to hike everyone’s bill to compensate!

Or give a smaller bonus to their head of security.

I know I'm a cynic, but it takes all sorts of people.

I guess the money doesn't matter to you personally at all, but they could pay a bonus from profits, or by cutting executives' wages (if they're a non-profit). It's not like the only means of paying is gouging customers.

I wish privacy.com or something similar was available in my country, Entropay seems to be the only thing but it's not allowing new signups.

Does the bank not hold the liability if a credit card is used fraudulently? (I'm sure the process is a pain.)

What will happen in case of a privacy.com breach?

Can you use this for one time purchases?

Yep! You can create "burner" cards that become invalid after one use. I actually never use that feature, because sometimes vendors screw up and have to put the charge through a second time or whatever. Instead I set a lifetime spending limit $1 higher than the purchase I'm making.

> This is why I hate companies that force you to sign up to gain access to content

I always found Quora's use of dark patterns and baiting you in from search engines then blocking the content particularly egregious. Always made me surprised anyone held that site to such a high standing and I can only imagine it's because the advocates never knew how awful the experience was without an account.

I feel Pinterest is very similar in that way.

And LinkedIn. But they get away with it because their founders are well connected or well known in SV.

The deliberate positioning of logout at obscure locations was definitely part of it.

This is exactly what has me excited about the new content model for the web Eich proposes. I just commented in another thread [1] but essentially:

1. enable donations / tips / subscriptions to sites using a browser-native crypto wallet

2. use ZKP anonymity

This enables a publisher / subscriber business model of 'dollars without data'. Which should really be the Minimum Viable Product for a publisher.

PII data for marketing is the icing on the cake for publishers, but the bar is high (and getting higher) around sharing that, and many of us want to support sites, but don't want to go through N+1 payment gateways and digital identity forms just to read some content.

From this perspective I see Brave and BAT as enabling a very old model: I give you a quarter, you give me your newspaper. End of story.

[1] https://news.ycombinator.com/item?id=18595792

I'm very excited about Sovrin and other Self-Sovereign Identity solutions. As one of the engineers at Mainframe (we're building decentralized, unstoppable apps that keep data and relationships in control of the user) I think what you're talking about is one of the top two value-adds for decentralization for western societies.

Brave and BAT are attempting the same thing from a slightly different direction than we are--they are attempting to bring privacy to partially-decentralized apps; however, I don't think this will ultimately succeed--privacy is broken by the weakest link. As soon as you allow some connection to some server somewhere that's exfiltrating your interests, you now have advertisers lining up to buy that data and exfiltrate more. As far as I understand the "hybrid decentralized app" model, where DNS and web2.0 are allowed, you permit these weak links to exist.

A better solution to this is incorporating https://universallogin.io/ imo.

Companies hate users who don't want to sign up. They do not want that relationship. So it's a win-win if you don't sign up. Why would companies feel obligated to generate content for free?

If their systems get hacked and they have your snail mail address, they get your snail mail address as well. Email doesn't change that story.

Quora is all user-generated content that they monetize. They actually pay users to post questions (but not answers).

Is that why question quality is so low there?

Yes. The strategy is to generate SEO for every possible question someone could ask on Google and then link it to Quora.

It had amazing content in the early days and still has great answers but the sheer number of nonsensical or slightly tweaked but endlessly repeated questions is driving away writers. Paying people to post these questions is just backwards.

Snail mail is already gotten. I get junk mail from 8 different past tenants at my unit, and I'm sure I'm still getting junk mail at all my old addresses. Google your name right now, and I guarantee you will find your address and other personal info on one of those dime a dozen background check sites, because companies have operated under the philosophy that your phone numbers and physical addresses are public facing information that you could find in a phone book, and are free to sell or pass along.

They (Quora) don't hate you if you get to their site via a Google referer. That's really shameful.

How do you know?

Tried it.

Quora does not generate content, its users do.

If your main concern is the sheer number of username/unique password combos, pick a good password manager that works well across the devices you use. I’ve literally stopped caring about this aspect of my family’s online life thanks to 1Password. That iOS 12 added OS level integration for the service was the icing on the cake for me.

Using a password manager (which I do) is a valid coping mechanism, but does not fix the root concern: for 90% of these cases, one shouldn't even need an account. I don't want personalization. I don't want some new identity to manage. I don't want a relationship with your service. I just want to browse the goddamned web! How did we get to this point where in order to use the Internet you have to sign up for all these free accounts and generate all these ridiculous username/password combinations?

Oh, and OAuth is a similar coping mechanism. You shouldn't need to log in to something to browse the web!

How did we get to this point where in order to use the Internet you have to sign up for all these free accounts and generate all these ridiculous username/password combinations

We stopped using sites built by amateurs in their spare time and demanded "beautiful user experiences" that we didn't pay anything for. That costs money, so people who wanted to solve that "pain" looked for business models that meant they could deliver what people want without charging directly. Hence we have an Internet driven by advertising and privacy violation.

I propose the alternative view: we did no such thing.

We didn't demand shit. We only chose from what was available. People trying to make money on-line have, over time, perfected both the design and the business models. At every step of the way, we had a choice between status quo and this new service that's prettier and offers more, for free, with user-hostile monetization scheme that wasn't immediately apparent. Step by step, we've been had, like the frog in the boiling frog fable.


This model doesn't seem bad, advertising without tracking.

The web started to decline when we moved away from jQuery, and personal homepages. And when Google started to use brand name as a ranking factor.

That's only part of it. The other part is that - invariably - they get hacked.

Worth noting that they are end-to-end encrypted. So they would have to get their storage system hacked as well as push out malicious clients to collect secret keys in order to obtain your passwords.

That’s called life. There are risks. And, no one forced you to use such a platform, just look for another place

Agreed. I never would have thought that the problem that motivated Persona would have been solved this way... but the combination of TouchID/Face ID and 1Password has made account setup/maintenance sufficiently frictionless.

> This is why I hate companies that force you to sign up to gain access to content. I do not want that relationship.

I felt validated when I received the email from Quora about the hack to a fake email address and addressing me by a fake name.

This should be a service by password managers. Not just password generation but fake emails and details too.

Quora does not only want you to sign in, they want you to show your real identity instead of a handle or another pseudonym. For a simple online service, it should never be necessary to use your real identity, if only as a privacy-enhancing measure.

As a reminder: Last year, Quora moved to 'new anonymity', i.e., no more anonymity. I had received the following message on 16 March 2017:

Hello! We will be moving to the new anonymity on Quora experience very soon. If you would like to edit or delete your existing anonymous content in the future, please provide your email here before March 20, 2017. You are receiving this message because we have not yet received an email from you. Please note that if you do not provide your email by March 20, 2017, you will need to contact us using our Contact Form and selecting “I need help with my account.”

newanon would make great newspeak if someone rewrote 1984 for the modern world.

Suggestion: If you want to prevent the next leak from affecting your personal data then close your account (if you have one) and send them a GDPR Erasure Request: https://opt-out.eu/?company=quora.com#nav

Just last week I wanted to look up how much I bought some appliance for, five years ago. In the e-mail I see a link that is supposed to let me download the invoice... which of course no longer works because they have updated their ordering/billing system.

Also snail and email invoices automatically provide you with your own copy they cannot delete. In contrast to “past 12 months viewable online”.

Past 12 months viewable until we stop getting enough ROI to maintain the portal.

For that reason they normally provide download/print links. Sending invoices/statements/pii through 3rd-party corporations through email is a privacy concern. Companies need to be able to control the entire loop to ensure privacy, which is why they are moving to the portal model with email alerts.

I got an email that included “personalization data” in the list of data types that were stolen. The help page also says that information on “actions” was stolen.

Does this mean that every question or answer I’ve viewed is now in the hands of the attacker?

This is what I am wondering. Quora will email you after viewing a question with something to the effect of, “Still looking for answers to ____?”

Your email address and hashed password being exposed is one thing. That information plus your search history is quite another.

Very likely. They had really poor privacy practices. At one point, a 'feature' was displaying in a sidebar who all were looking at a given question. Great for people looking for resources on gay rights, domestic violence etc. /s

That's because a few years ago a website that let you login meant it was a "real" website. Look at phone systems. Every one you have to deal with says please listen carefully as our menu options have changed. Then they lead you through an audio menu with the same bullshit that turns a 15 second interaction into one that could last hours over multiple phone calls.

My point is people do cargo cult everything. Could the service be BETTER without forcing the user to sign up? Inconceivable! Everyone knows you should force users to sign up.

Use a social login. If you for example use gmail for email, then it makes no sense to create a password as opposed to just logging in with your google account instead.

I always do that when possible because I am lazy and it works too damn fine, but it is a nightmare from a privacy point of view.

> One new development is that you used to be able to get your invoices mailed via snail mail. Then that disappeared and you got your invoices mailed via email. Then that disappeared and now you have to create an account on some portal so that you can download your invoice. So that's one userid/password combo per business relationship or service that you use privately.

It's annoying being on the other end of this: management deciding, for cost reasons, that snail mail is out and email is in.

Somebody else then worries about the risks of emailing documents that contain private information.

I think a case can be made that some kind of email token login is the simplest solution here: passwords only introduce another attack vector since you can usually reset them by email.

Are there more elegant solutions to this problem?

Some thoughts cross my mind:

- what doesn’t get hacked? Isn’t life a continuous trade-off between risks and chances

- If you’re afraid you’ll expose private information, then just don’t use a platform like that?

- these platforms use user generated content, true. But they provide the platform and the product. I think that is a fair deal.

This is an example where they decided their business model trumped user security. It’s hard to monetize an easy to access collection of free data. I hope we can find better ways to fund internet services than by consuming data from the users.

Annoying as it is, it’s better than sensitive data in cleartext email attachments.

No, it is not. My email account is - obviously to say 'secure' as a binary proposition is inappropriate, but about as secure as anything on the Internet ever gets for most people. Training people to click an email link and type their password into the resulting page, by contrast, basically throws the entire concept of security out the window.

Email can be encrypted. Besides that most of the time these very same services have (broken) password reset processes that rely on that email address anyway so the security improvement is nil in practice.

No medical practice, HOA, etc. is ever going to ask its patrons to fiddle around with PGP. The receptionist is not going to ask my grandmother for her public key before her hip replacement. Email functionally cannot be encrypted unless all parties to the conversation are in a tiny cohort of computer enthusiasts.

Password reset is a noisy, active attack compared to eavesdropping somewhere in the path of an email.

They provide login with Google and Facebook too.

Would it be possible those logins are more secure?

Physical mail is hardly more secure than email. 'Literally anybody' could stand in front of your house and fish all the mail straight from your mailbox while you are at work.

It's more secure in that stealing mail off endpoints requires the physical presence of, and personal risk to, the thief, and it's not scalable short of getting an army. By contrast, email can be stolen in bulk by one person anywhere in the world, from the comfort of their home or office.

In 2013 a Quora moderator contacted me and demanded that I provide my real name, and information that my name is real, or they would ban my account. I tried reasoning with them, that I just wanted to view content and did not intend to write answers or interact etc, plus, they had a valid email address and Facebook profile (also fake name on Facebook). They fought back "we actually want proof of your real name like a scan of ID". I danced around and did not end up giving them a scan of my ID, but I changed it to my real name.

Today my information is probably leaked. Information I didn't want to give and that they threatened me for it.

Where is the apology, Quora? Of all the recent leaks this is the one that pisses me off the most, because it's the one that was forced onto me.

> I tried reasoning with them, that I just wanted to view content and did not intend to write answers or interact etc, plus, they had a valid email address and Facebook profile (also fake name on Facebook). They fought back "we actually want proof of your real name like a scan of ID". I danced around and did not end up giving them a scan of my ID, but I changed it to my real name.

I don't understand why you bothered arguing with them instead, I dunno, creating a new fake account?

This is exactly what I did. I had even provided my real name already, it just didn't fit in the Western firstname-lastname format that they assumed everyone had, and so they disabled my account. I tried showing them that this was the cultural norm here, but they wanted a govt ID scan to "prove" it - all for a glorified social network.

Instead, I created a new email ID, gave a fake name, and registered with that. I gave up on the site soon anyway, but now I'm glad they forced me into registering with fake details.

Let me write an apology for them: "the security and privacy of your information is our utmost priority"

Feel better, don't you?

And it must end with "-The Quora Team"

Because we will leak your data, but we won't bother designating a responsible spokesperson, be it security officer, CTO, VP of engineering or principal architect. It will be the all-nebulous Quora team.

I feel like you're criticising just for the sake of it.

Firstly, this post is signed by Adam D'Angelo, the CEO and co-founder. If you had opened the link you wouldn't even have had to scroll down, it's literally on the second line, right after the headline. So clearly Quora doesn't do what you've accused them of doing.

Secondly, what good does crucifying one person do? I'm sure if they had written it such that one person was responsible for everything, a similar comment would have been written - "why make one person the scapegoat? The entire team should take responsibility!!"

I don't know anything about your experience working in software, but when there's a fuck up like this, it doesn't do any good to pin the blame on one person. You figure out where your systems failed, and fix the system after conducting a blame free review. If you start pointing fingers within the team, you'll never get anything fixed.

The email I received about my real name being leaked was signed with "The Quora Team". That's kinda ironic, don't you think?

But still, it is not about finger pointing and blaming one individual. It is about a spokesperson for the public.

The guarantee that things will improve. Someone who will handle announcements and communications with the public and will vouch using their real name and reputation that things will improve. Someone who will explain what went wrong and what actions are taken to ensure this does not happen again. Employee training in place? Tiered access to data and information for employees. Stricter policies, e.g. you can't take a database backup home? etc etc.

Again, no crucifixion required, but pinning an identity can be good, because you know that there is someone, and who that someone is, that puts all their energy into fixing this mess.

Think of someone like Stamos at facebook. I don't know if his contribution in the end was a net positive or not, but it is good to know that there is someone that is focused on the issue.

Per your second comment, that's fine as long as you have a flat responsibility structure (which usually means a flat pay structure too).

If you have a CEO they get paid more (supposedly) because they take on responsibilities. So, the buck should stop with the highest ranked officer who has responsibility (eg signs off payments/work) in that area.

If you don't assign blame, you can never improve your team, as there's no feedback. Assigning blame might mean retraining, it doesn't have to mean sacking (but could).

The email they sent out to actual users was signed "The Quora Team"

Can I ask why you wanted to view Quora's content so much? They flood Google search results but I've never seen a single substantial answer on there - it's like an off-brand Stack Overflow with an even worse "I know programming so I'm smart about every subject" problem.

My experience with Quora answers has been that they are blatant ads from people working on different companies.

Just search for anything like "what is an open source alternative to X" and the results will be a lot of people trying to justify why their Y paid option is a good solution for your problem.

I quickly stopped using Quora after finding the answers consisted solely of scam software (just didn't work), adware or stolen & rebranded software.

It seems to be popular with scammers and they have taken over.

In other areas it seems like it's people working on their craft of writing fiction, notably erotic fiction. Questions like "What's the naughtiest thing you've done at work?" generate those kind of responses. Which is fine, just don't expect me to believe it really went down like that.

They have a lot of great answers, especially by experts in the field. In the early days around 2011, I would spend hours just reading everything I could on the site.

These days the growth has masked all the good stuff with a layer of spam and general crap that’s hard to get past. Inevitable consequence of growing users but it has been managed poorly.

How did they know? Was your name obviously fake? My favorite feature of DuckDuckGo is that if you search "random name", it will actually generate a random name (e.g. "Marlon Lonzo"). So I use these random unique names on all websites that require one.

I've been known as John Smith, born 1/1/1970 for decades now

I'm starting to get lots of end of life planning service targeted ads as a result of using 01/23/45 as a birth date since forever ago.

Nice try, HAL9000 - you can't fool me

starts removing module cards

1000x this. Nextdoor did this to my parents. It's fairly ridiculous.

The state of personal data regulation in the US is abysmal. Unfortunately, if Cambridge Analytica wasn't enough to spur new regulation, I fear nothing will.

I can understand NextDoor at least. It’s very neighborhood based, and they need some way to verify that you live where you say you live. If people keep seeing membership in their neighborhood has included those who don’t live in their area, the main attraction of NextDoor will disappear.

I think you're trying to start a different conversation than what I had intended to point out by adding another anecdote to the original comment I was responding to.

Right now there is relatively little liability in gathering personal data about customers but huge benefits to doing so. I believe that there should be regulation governing punishments and protections for consumers whose data may be compromised or mishandled by corporate entities.

As it stands right now a company can leak personal data from their customers and face very few consequences. Rather, the negative consequences of customer data leaks are felt by the customer rather than the corporation that mishandles their data. This is a similar externality effect as pollution, where a bad actor's malfeasance generates a larger negative impact than what is directly borne by the bad actor itself.

We could discuss whether or not NextDoor has a legitimate use for personal identification data, but that's a tangential discussion. My point was supposed to be that any firm that gathers personal data should be assuming a greater amount of liability than they currently are.

The sad thing is that even if you received an apology, it would mean nothing, empty words repeated over and over and over.

Companies are not people and cannot have human attributes

Well, according to the US government, companies are in fact people for a wide variety of important purposes.

Repeating this is either willful misunderstanding of the law or parroting of outrage propaganda. We would all be much worse off if not for corporate personhood. There are aspects of it that are debatable (Citizens United ruling, which is the source of this tired meme), but without it you couldn't enforce contracts with a corporation after the employee who signed it left.

I got the same. And when I looked into it and found out the company was founded by former Facebook guys, I knew they couldn't be trusted and knew enough to jump ship.

It's so inconsistent. I was a Quora member for years and wrote a lot of answers as well as participating in a lot of discussions. Despite this I was never asked to confirm my identity!

I deleted my account last year (got cold feet as I was using my real name and picture and people I know IRL had started to stumble across some of my answers) but I'm sure my data is probably involved in this breach somehow.

Well that is a bit of a disconnect then. My 'name' on Quora was 'Pappy Butthead'[0] since ~2015. In fact, until I got the email from them yesterday, I had no idea I was even a user still, I'd completely forgotten I had jokingly signed up. I'd never gotten any spam from their team that harassed me into providing anything.

[0]not my actual user name, but something similar.

This attitude of theirs is what made me stop using Quora. I deactivated the account almost one year ago.

Never went back to that site.

If you have all this documented you have a good standing in court! They failed to provide you a reason why they want your info and now it's leaked and will cause you damage. File in small claims court; this will add some extra headache that they don’t need right now.

Haha I never give it to them as well. Never put your real name, no matter what. They are ridiculous with these requirements. I'm waiting until the day they'll make a credit check to open an account

Really? Are you sure this was actually Quora and not a scammer?

Edit: Sorry if stupid question, but that would be throwing major red flags if I got such an email.

Just don't read it.
