Showing 8 of 8 results by Ux
Board Beginners & Help
Re: PSA: DO NOT USE THE SAME PASSWORD FOR DIFFERENT SITES!
by
Ux
on 16/07/2019, 19:29:15 UTC
https://support.logmeininc.com/lastpass/help/where-is-my-lastpass-data-stored-on-my-computer-lp070008
LastPass is non-custodial as well lol
I personally prefer LastPass due to the modern UI
Yes, they are stored in your PC for convenience (so you can still access them when offline). But why do you think you can log in from anywhere with your email and password to see your data? Because it is custodial :)

Just because they offer a cached offline access doesn't mean that they don't store your data. lol

Maybe check this?
https://support.logmeininc.com/lastpass/help/how-is-lastpass-safe-lp010089
Oh haha, my bad, will edit the OP in a moment
Board Beginners & Help
Re: PSA: DO NOT USE THE SAME PASSWORD FOR DIFFERENT SITES!
by
Ux
on 16/07/2019, 17:31:18 UTC
The aforementioned managers are only as secure as you make them. KeePass and LastPass are not cloud based; as stated before, they are non-custodial and the data is stored on your PC.
I'm pretty sure LastPass is actually cloud-based?

KeePass is great and doesn't store anything anywhere (other than in a file on your PC) unless you download a specific plugin to make it sync with cloud storages (Drive, Dropbox, etc...). But LastPass is fully online.
https://support.logmeininc.com/lastpass/help/where-is-my-lastpass-data-stored-on-my-computer-lp070008
LastPass is non-custodial as well lol
I personally prefer LastPass due to the modern UI
Board Meta
Re: Stake your Bitcoin address here
by
Ux
on 16/07/2019, 14:37:18 UTC
Beating a dead horse here, but can anyone quote mine?
12345djWVo7dssh9BXcuNAYY7TYPogiYf5
Board Beginners & Help
Merits 3 from 2 users
Re: Its better to have more than one email
by
Ux
on 16/07/2019, 13:54:15 UTC
⭐ Merited by philipma1957 (2), asayoyaasa (1)
Completely valid point. Hypothetically, let's say you have a work email, which you also use for your finances. Due to your work email being your business contact, it will be easily connected to your online persona; anyone who gets a hold of your email will know exactly who you are in the real world. This becomes a problem because when you are stripped of your anonymity, you become more vulnerable to different forms of online attack, such as targeted phishing, doxing and extortion. If your pockets are big enough, you may even be vulnerable to being SIM-swapped/having the port-out scam done on you.

@OP Another useful thing you might wanna include is + tags.
+ tags are essentially a way to make 1 email into many.
If I register for a service, let's say Coinbase, on the email Ux123@gmail.com (not my actual email), then I can't register another email on that.
By using + tags, you can. If I wanted to register another account, I could simply register it under Ux123+coinbase@gmail.com; it would recognize it as a separate email, but all emails from Coinbase in regards to the account registered on the +coinbase tag would still be delivered to me. Using + tags also makes it harder to find out if it's actually your email or not, because more often than not in forgot password forms, you have to enter the email. If I don't have a Coinbase account on Ux123@gmail.com but I do have one on Ux123+Coinbase@gmail.com, simply inputting UX123@gmail.com into the field in the forgot password form will give any matches or send an email, meaning unless the account that the hacker has attempted to acquire was on a social network that was freshly breached, they won't even think you have a Coinbase account.

Hopefully I was able to actually get my message across, I haven't slept in like 2 days.
Anyways, great point OP.
Board Beginners & Help
Re: PSA: DO NOT USE THE SAME PASSWORD FOR DIFFERENT SITES!
by
Ux
on 16/07/2019, 13:41:23 UTC
The HaveIBeenPwned website was mentioned on this forum before but I remember a post by one user who said that the site could also be a way for a malicious user to get a new list of emails that are still in use and have some sort of importance to their users.

For example, let's say that the site is hosted by someone with bad intentions. He could easily check which email addresses have been searched on his site. Those emails were probably entered because they are important enough for their owners to check if they got hacked or not.

The owner of the HaveIBeenPwned site now has a new list of email accounts that he can use and investigate further. 
Valid concern, but HaveIBeenPwned is very trusted and has hundreds of thousands of lookups on it.
It is transparent and if I remember correctly there was an external audit of the website's source.
If you don't feel comfortable using HaveIBeenPwned, you can look your email up straight in the source, the actual leaked databases themselves, but that would take extensive space on your computer to download literally terabytes of leaked data haha
Board Beginners & Help
Re: PSA: DO NOT USE THE SAME PASSWORD FOR DIFFERENT SITES!
by
Ux
on 16/07/2019, 12:31:59 UTC

And just to add to this, make sure your master password is also actually secure. If your online accounts' passwords are secure while your password manager's password is unsecure, it defeats the purpose. If anything, it could be worse. Make sure your master password is difficult enough to guess and difficult enough to bruteforce[1].

And also, if possible, use the max number of characters for your online accounts (mostly 40 as far as I know). Your password manager generates it anyway so there should be no difference in terms of user experience.

[1] https://en.wikipedia.org/wiki/Brute-force_attack
The aforementioned managers are only as secure as you make them. KeePass and LastPass are not cloud based; as stated before, they are non-custodial and the data is stored on your PC. I'll add a little footnote about bruteforcing in a little bit, thanks for the suggestion.
Board Beginners & Help
Re: PSA: DO NOT USE THE SAME PASSWORD FOR DIFFERENT SITES!
by
Ux
on 16/07/2019, 12:07:56 UTC
Generating your own passwords is usually a bad idea, as humans are bad at being random, and create things which are easy to remember. The best solution to this problem is simply to use a password manager, something like KeePass for example. It will securely generate a different long and random password for every site you need it to. All these passwords are encrypted and stored locally, and can be protected with a combination of a master password, a key file, and 2FA.

As an aside, in your examples above I would disagree with your second example (orange text) being "okay". This practice is only trivially better than using identical passwords across sites. I would probably rename the first two categories to "very bad" and "bad", and remove "okay" altogether.
I have taken your feedback into account and adjusted the post accordingly, thanks for the help :)
Board Beginners & Help
Merits 8 from 6 users
Topic OP
PSA: DO NOT USE THE SAME PASSWORD FOR DIFFERENT SITES!
by
Ux
on 16/07/2019, 11:26:34 UTC
⭐ Merited by DdmrDdmr (2), Upgrade00 (2), o_e_l_e_o (1), Pmalek (1), ETFbitcoin (1), OgNasty (1)
-snip-