I think for a while leading up to the recent session stealing hack, there has been a massive amount of positivity from Lemmy users around all kinds of new Lemmy apps, frontends, and tools that have been popping up lately.
Positivity is great, but please be aware that basically all of these things work by asking for complete access to your account. When you enter your Lemmy password into any third party tool, they are not just getting access to your session (which is what was stolen from some users during the recent hack), they also get the ability to generate more sessions in the future without your knowledge. This means that even if an admin resets all sessions and kicks all users out, anybody with your password can of course still take over your account!
This isn’t to say that any current Lemmy app developers are for sure out to get you, but at this point, it’s quite clear that there are malicious folks out there. Creating a Lemmy app seems like a completely easy vector to attack users right now, considering how trusting everybody has been. So please be careful about what code you run on your devices, and who you trust with your credentials!
1password is probably the most valuable subscription I pay for.
If anyone’s looking for a free and open source option, Bitwarden is also great.
You two have no idea do you? lol
When you pass your password into an app, it can just copy and store it. If at any point you put a password through, even once, its compromised and no password manager will help in the slightest.
I make bobApp, you download bobApp, if you put a password into it, you are done.
edit: answering both of you.
Then i misunderstood. After i typed this I noticed others said what you meant. My bad.
I think their point is password managers make it very easy to have completely unique passwords, and if your Lemmy password is compromised you can change it without worrying about any other accounts being compromised. Not that a manager would magically protect you from ever being compromised.
I think you misunderstood us lol… we’re not saying your password will not get leaked by the app… we’re saying it’s gonna be unique and random bullshit generated so the hacker won’t be able to get to your other accounts since passwords are different.
You’re correct, but by maintaining distinct passwords with a password manager you make sure only the one account is compromised. 2FA also helps, you may have the username and password, but the 2FA code that you were given needs to be used immediately or else it will expire, and an expired 2FA code won’t allow you to successfully breach the account you’re trying to break into to.
KeePassXC is free and completely offline
And if you want it to be online, you can just share your .kdbx file between your computers using Syncthing or whatever.
Also Password Store! Syncs over Git and on Android you can use a Yubikey so that the private key isn’t even on your phone.
But yes, KeePassXC is way more user friendly. Anything touching PGP/GPG is an automatic red flag for family.