sedimentary's recent activity
-
Comment on What programming/technical projects have you been working on? in ~comp
-
Comment on What password management solution do you use and why? in ~tech
sedimentary While I have my reservations (and I am actually considering using a cloud service now), the fact is they are still relatively secure. What happened to LastPass was very high-profile, however, that...While I have my reservations (and I am actually considering using a cloud service now), the fact is they are still relatively secure. What happened to LastPass was very high-profile, however, that data was still encrypted when it was stolen. This means that while the event was still a massive security failure on their part, any given user's master password would have to be brute-forced to gain access to their information. Yes, this data is now in a location where brute-forcing is possible without restrictions, however, it will take them a very long time to crack any given one, much less all of them.
From what I understand about 1Password, their 2SKD (two secret key derivation) means that breaching and stealing the encrypted databases from their cloud will achieve nothing, as they would then have to target every single user to be able to retrieve their "Secret Key," which is a 34-character 128-bit entropy string that you save onto a device or wherever you prefer to keep it. They cannot simply brute-force your master password and gain access. I find this extremely useful personally, which is why I have been weighing cloud options since this post.
-
Comment on What password management solution do you use and why? in ~tech
sedimentary They have come a very long way from whenever you may have last considered them. As mentioned by @steel_for_humans, it is always accessible via the browser. There is essentially nothing that can't...They have come a very long way from whenever you may have last considered them.
Question: how does it work if you need to access an account while not having your vault?
As mentioned by @steel_for_humans, it is always accessible via the browser.
Also, what accounts/devices can't be secured this way?
There is essentially nothing that can't be. Even if you're just creating an entry to save a password with no user or whatever, if it has a password you can create one for it, no matter if it can autofill or not.
Will a password manager be able to save and enter WEP keys?
Depends on which one you choose. After research, it seems 1Password for example allows entering WiFi credentials for auto-filling. It still stands that it can store a stronger password even if you can't auto-fill.
I know there's browser extensions for sites, but, what about other applications like Steam?
Several password managers these days have it so their apps can autofill when keyed. The KeePass family of apps, for example, allow you to set a shortcut to trigger it where it will then read the titles of your entries to find a suggestion to present or allow you to select if it can't find one or finds the incorrect one. When it comes to mobile, almost all password managers can associate an entry with a specific app allowing you to autofill within the app itself.
It seems like your perception of them has not left your very first impression which you yourself admitted was "when they were just appearing." These days, they are not only extremely robust but provide security that you simply cannot match yourself, assuming the security of the service/manager is implemented correctly (and 9 times out of 10, it is).
-
Comment on What programming/technical projects have you been working on? in ~comp
sedimentary While it's a rather obscure need for your average person, I have started developing a Windows Active Directory password filter titled sediment (hence the username). The goal of a password filter...While it's a rather obscure need for your average person, I have started developing a Windows Active Directory password filter titled sediment (hence the username). The goal of a password filter is to provide a custom need beyond the standard AD settings for password requirements, allowing an installed DLL to accept or deny a given password. I have reached an "operational" state in that it works by design, and I am currently in the process of cleaning up the existing code, implementing some best practices, and then creating the MSI installer which will be used.
Side note: I have loved the use of a binary fuse filter for maximum performance given a large dataset of known-compromised passwords, such as the haveibeenpwned set. After some modification to the crate I was using, I managed to drop my benchmarks from 8ms per password, to ~80µs.
-
Comment on What password management solution do you use and why? in ~tech
sedimentary It is negligible at best. It's either a cloud provider that would be extremely difficult to attack just for one individual, or in my case a physical file that would require my devices to be...It is negligible at best. It's either a cloud provider that would be extremely difficult to attack just for one individual, or in my case a physical file that would require my devices to be specifically targeted and subsequently scraped to find the database, only to still require brute forcing to break. It's a bit of a reach to say it's bad opsec.
-
Comment on What password management solution do you use and why? in ~tech
sedimentary I'm curious about the issues you've had with KeePassDX and syncing? I haven't had it cause any trouble once, and I primarily find myself editing the database on my phone rather than my PC.I'm curious about the issues you've had with KeePassDX and syncing? I haven't had it cause any trouble once, and I primarily find myself editing the database on my phone rather than my PC.
-
Comment on Are we stuck on a innovation plateau - and did startups burn through fifteen years of venture capital with nothing to show for? in ~tech
sedimentary While I agree, it's very easy to look back into history and say "that was absolutely revolutionary!" when, being in that period yourself, you would have thought as all did that innovation was...While I agree, it's very easy to look back into history and say "that was absolutely revolutionary!" when, being in that period yourself, you would have thought as all did that innovation was stagnant. It's easier to see things negatively, especially when you can't be aware of all the different innovations going on.
-
Comment on Recommendations for credit cards in the USA with cashback rewards? in ~finance
sedimentary While others are recommending the Citi Double Cash, I would personally steer you toward the Citi Custom Cash instead. It's a 5% rewards card on your biggest spending category for the previous...While others are recommending the Citi Double Cash, I would personally steer you toward the Citi Custom Cash instead. It's a 5% rewards card on your biggest spending category for the previous month, i.e., use it primarily for online shopping and you will always have 5% rewards in online shopping. If it's not the 5% back category, you get 1% rewards on everything else.
It's important to note the rewards versus cash back distinction though. You can use it as cash back at a rate of 1 point = 1 cent, or you can use the points with various vendors they've partnered with (for gift cards, travel, etc.).
-
Comment on What password management solution do you use and why? in ~tech
sedimentary On the topic of "military-grade encryption," keep in mind that is just an industry standard and is in many ways only the basics. When services advertise security as "military-grade" it is...On the topic of "military-grade encryption," keep in mind that is just an industry standard and is in many ways only the basics. When services advertise security as "military-grade" it is marketing at best.
-
Comment on What password management solution do you use and why? in ~tech
sedimentary Passkeys are a good topic I forgot to mention in the main post. Have you used theirs much yet? I believe they have already released a beta. If you have, what has the experience been like...Passkeys are a good topic I forgot to mention in the main post. Have you used theirs much yet? I believe they have already released a beta. If you have, what has the experience been like (especially when combatting the others as you mentioned)? The contention I'm seeing would be Google refusing to accept passkeys from a manager like 1Password, even though it would be preferable.
-
Comment on What password management solution do you use and why? in ~tech
sedimentary This is a neat feature I was not aware of about it! That does sound very useful, especially as an alternative to something like HashCorp's Vault solution for those situations.This is a neat feature I was not aware of about it! That does sound very useful, especially as an alternative to something like HashCorp's Vault solution for those situations.
-
What password management solution do you use and why?
For a long time now, I have been using KeePassXC for desktops and KeePassDX for Android. I keep everything synchronized neatly with Syncthing, which can be configured to operate over your WiFi or...
For a long time now, I have been using KeePassXC for desktops and KeePassDX for Android. I keep everything synchronized neatly with Syncthing, which can be configured to operate over your WiFi or the internet through their gateways. This allows me to share a single KeePass file with another individual, provided I tell them the password.
I have a co-worker who is loving 1Password and while it looks great, something irks me about paying monthly for a password manager. I looked into Bitwarden for a "local cloud" and have seen very mixed results as well as not being sure if I could trust my own security configurations to do so.
I am primarily wondering what everyone else is using in search of something a bit more convenient (I'm not opposed to using the cloud) that has an app like KeePass that I can use for desktop apps, and not just in the browser (though I don't use that function often, truthfully).
Edit: Passkey support was mentioned in this comment and made me realize how important such support will be in the coming years. For those of you with password management solutions supporting it, how has it been?
107 votes
That will actually be user discretion through AD GPOs. I intend on having optional "features" such as normalizing the password before checking if it's compromised (to prevent
p@ssword
ifpassword
is compromised, for example), checking for the existence of banned words or user attributes (such as their display name), and possibly others. It is open source after all!