troet.cafe is part of a decentralised social network powered by Mastodon.
Hello at troet.cafe! This is currently the largest German-speaking Mastodon instance for tooting, meeting new people, exchanging ideas and having fun.


#Keepassium


@killua99: the least insecure solution is to use client certificates, because they make MitM attacks harder. That is an advantage and sometimes a disadvantage: a fake website with a fraudulent but correct cert will prevent authentication, but so will a virus scanner or network device that does "TLS inspection".

However, considering all the extra trouble and risks associated with hardware keys and passkeys, for average/ordinary users my advice is to use a password manager that checks the domain name (Autofill on Android and iOS does help a lot).

It is essential that the user does not make the same mistake Troy Hunt did; from troyhunt.com/a-sneaky-phish-ju:


"I went to the link which is on mailchimp-sso·com and entered my credentials which - crucially - did not auto-complete from 1Password. I then entered the OTP and the page hung."

With Android screenshot: infosec.exchange/@ErikvanStrat; all details in infosec.exchange/@ErikvanStrat.

Troy Hunt · A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing

Oh great, #Strongbox, one of the few usable #KeePass apps on iOS, iPadOS and macOS, has been bought up:

heise.de/news/Keepass-Client-S

I looked at how the company went about its other acquisitions and decided that I do NOT trust it.

Switched to #KeePassium straight away. At least as good, and #EuropäischeAlternative and #OpenSource. Works excellently together with #KeePassXC via #NextCloud with #WebDAV.

keepassium.com/

heise online · KeePass client Strongbox bought up – users worried
By Leo Becker

@tychotithonus: if anything, people should stop making up passwords themselves.

Here's what they should do (IMHO): infosec.exchange/@ErikvanStrat; with Android screenshot: infosec.exchange/@ErikvanStrat.

Infosec Exchange · Erik van Straten (@ErikvanStraten@infosec.exchange)
W.r.t. password managers (pw mgrs):

1) Make sure that you *NEVER* forget your master password.

2) Make an *OFFLINE* backup of the (encrypted) pw database after each modification. For example, rotate between multiple USB storage media.

3) Use a pw mgr that can generate strong (random, long, unguessable) passwords. Use that functionality to generate a unique pw for each account.

LAST BUT NOT LEAST

4) At least on mobile devices, configure the OS and pw mgr to locate your credentials *automatically* based on the domain name of the website you're visiting (using "autofill", which lets the OS pass the domain name –as used by the browser– to the pw mgr).

EXAMPLE WHY

If you receive an email (with SPF, DKIM and DMARC all fine) from:
    whomever@circle-ci.com
that instructs you to revalidate your 2FA settings in, e.g.:
    https:⧸⧸circle-ci.com/revalidate
Then a properly configured pw mgr will not come up with ANYTHING - because the record is for (without the dash):
    https:⧸⧸circleci.com

The deja vu after the 2022 attack (https://github.blog/news-insights/company-news/security-alert-new-phishing-campaign-targets-github-users/), described in https://discuss.circleci.com/t/circleci-security-alert-warning-fraudulent-website-impersonating-circleci/50899, is still alive and kicking since March this year (see https://crt.sh/?q=circle-ci.com and https://www.virustotal.com/gui/domain/circle-ci.com/detection). The fake site even looks better than the original one (I don't know whether it is actually malicious, or will just warn users who attempt to log in).

NOTE: if your pw mgr does not find a matching record in the pw mgr database, do NOT manually locate the "circleci.com" record. If you do: do NOT autofill or copy/paste your credentials for https:⧸⧸circleci.com to https:⧸⧸circle-ci.com! Using those creds, the fake site may immediately log in to the authentic website AS YOU - pwning your account.

WHAT I'M USING

I'm using KeePassium on iOS and KeePassDX on Android; they work just fine (disclaimer: I'm not in any way related to their authors, and do not warrant their reliability). @steelefortress #Passwords #PasswordManagers #PasswordManager #KeePassium #iOS #iPadOS #KeePassDX #Android #Autofill #DomainName #DomainNames #DomainNameCheck
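The domain-name check that the posts above rely on (autofill offering nothing for circle-ci.com or mailchimp-sso.com because the saved record is for a different registrable domain), as an added example that is not code from the posts, from KeePassium or from KeePassDX. The VAULT entries are constructed sample data, and PUBLIC_SUFFIXES is a hypothetical three-entry stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample vault: saved origin -> username. circleci.com mirrors the
# post's example; login.mailchimp.com mirrors the Troy Hunt case quoted above.
VAULT = {
    "https://circleci.com": "alice",
    "https://login.mailchimp.com": "alice@example.org",
}

# Hypothetical, deliberately tiny stand-in for the Public Suffix List. A real
# password manager must load the full list, otherwise eTLD+1 is computed wrongly.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def registrable_domain(host):
    """eTLD+1 of a hostname, e.g. 'login.mailchimp.com' -> 'mailchimp.com'.

    Lower-cases and IDNA-encodes first so Unicode look-alike labels are compared
    in their punycode form. Returns None for a bare public suffix or bad input.
    """
    try:
        ascii_host = host.lower().rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = ascii_host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def matching_credentials(vault, page_url):
    """Usernames whose saved origin shares scheme and registrable domain with page_url.

    'circle-ci.com' and 'circleci.com' are different registrable domains, so the
    lookalike gets an empty list: the 'will not come up with ANYTHING' behaviour.
    Subdomains of the saved domain (app.circleci.com) do match.
    """
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return []  # never offer credentials to plain-http or malformed pages
    page_domain = registrable_domain(page.hostname)
    if page_domain is None:
        return []
    return [
        user for origin, user in vault.items()
        if urlsplit(origin).scheme == page.scheme
        and registrable_domain(urlsplit(origin).hostname) == page_domain
    ]
```

Note that urlsplit takes the host after any userinfo, so a URL such as https://circleci.com@circle-ci.com/ is still evaluated as circle-ci.com and gets nothing.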