this post was submitted on 25 Nov 2023
1 points (100.0% liked)
Ethereum
1 readers
1 users here now
Resources
- Website & Blog
- White Paper & Yellow Paper
- Documentation & Stack Exchange
- Learn Solidity
- Source Code on Github
- Bounty program
- Chat on Gitter
- Network Status & Gas Price Market
- List of DApps
- Meetups
founded 11 months ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Don’t sign shady smart contracts, enter your private key online, or store it using pictures on the cloud or a password recovery service.
Are password managers secure?
https://www.theverge.com/2023/9/7/23862658/lastpass-security-breach-crypto-heists-hackers
I wouldn’t trust them.
That’s LastPass. That company has been plagued with security issues for years. Password managers as a whole aren’t anywhere close to what they are.
Well that answers the question
No
Being “secure” is relative. Would I store my Facebook password there? Sure. Would I store the password to my life savings there? Definitely not.
Keepasss Open source
Depends on the password manager. With something like KeePassXC, only you have the encrypted passwords file and it's not on some server.
Great, but if KeePassXC is on an online device then it’s vulnerable to being hacked.
You can just store a copy of keepass along with your file on a USB and access it that way, never has not be online.
KeePass DB is vulnerable if they can crack the master password. If your master password has enough entropy that it would take so many million years to brute force, then you'll be fine.
The Keepass DB can be cracked. https://medium.com/@andreabocchetti88/unlocking-keepass-a-comprehensive-guide-to-crack-the-database-74a2593d676a
I kept a few seeds in my Keepass, I have since removed them after someone at work warned me about this.
That link describes hashcat which uses some of the methods I'm referring to, it's dependent on the password quality. Crappy password will be quick.
It doesn't decrypt it, but tries many combinations of words etc encrypted to compare against the hash.
Even with a good password, I never would want anyone storing seeds in keepass, anything on the computer is a no for storing seeds.
Anything can be cracked this way, this is just a bruteforce of the master password. It can take 300 centuries to crack using NSA servers if it's a strong password.
Nope no never absolutely not.
Just a couple weeks ago I saw a thread where keepass was the culprit.
NEVER USE A PASSWORD MANAGER
That's absurd
Edited my comment, as it was not clear what I meant.
You went from saying "absolutely never use a password manager" and further down the thread you say you're using your foreskin.
Now you're back tracking that all to pretend to be right?
That's absurd!
1Password has never been hacked and their architecture is solid. You are the weak link though.
no
you might have a key logger on your pc, so the password manager is uselss
never enter a seed phrase into a computer, always write them down fromm a hw wallet
there is no real secure option for pc only unless you formatted, linux distro, crypto wallet software install with no internet, create the wallet, write the seed phrase down, format the drive / never use it again
hw wallets just make this brain dead easy though, why is this still a conversation in 2023?
Absolutely not.
NO!
If you have stored your key on a password manager, it's time.to get a new wallet. Consider yours compromised.
People can make mistakes with everything. It's just about reducing the probability of making the mistake.
Never store a private key in a password manager
They are generally secure. Any hack on them has never gotten clear text passwords.
LastPass seems to be the one who gets hacked the most and I use that term very lightly because it's usually just user emails
Which don't get me wrong is bad because then you can be at Target of spearfishing but you should not shy away from using a password manager because at the end of the day if you use it correctly it's going to be more secure than whatever you're doing now
I have no idea what meta mask is but I’m constantly seeing posts like this. What’s making it so easy for people to lose their eth? I only use crypto for gambling so I’m probably just ignorant to whatever meta mask is used for
Metamask is a popular wallet you can use to send/receive/store your crypto on their respective blockchains. Metamask isn’t the reason people are losing their funds. It’s because people don’t properly protect their private keys.
And because they sign shady permissions left and right without thinking and/or revoking them when they are done using the platform.
And email themselves their seed phrases and their email is still xX360noskoperxX@yahoo.com with pw hunter2
Were we supposed to be able see a password, I think reddit blocked it out
The UX is terrible though. not necessarily the fault of metamask and more EVM related, but you mostly have no idea exactly what you are signing when interacting with contracts. Go tell your mom or grandma to revoke contracts after interacting with them. Is that really the web3 we want? This makes the web experience worse, not better.
Yeah, the reason for all the posts mentioning metamask is simply that it is the most popular with wallet for people who use smart contracts, and using smart contracts can be risky.
Cloud with 2 factor auth is very safe
Sadly no. LastPass was hacked last year, and a lot of people have had their wallets drained. So having your seed online is never truly safe.
Lol, all you people parroting the LP hack… if any of you read the incident report, there was only very basic metadata like company names, veiling addresses, etc which was not tied to specific users. No encrypted notes or credentials were taken at all. That’s not how PWM’s work.
How is that? Even if I give you my password for Google you won't be able to sign in to my account.
Yes, but if you have your seed phrase in an online container, and the container gets hacked, the 2FA doesn't do anything. The hacker can recreate your wallet from the seed.
I am talking about storing the seed in the Google account, aka Google keep. The likelihood of Google getting hacked is much lower than my house burning down and taking with it all cold storage.
What is the likelihood those people had either reused their master password elsewhere or that the password strength was very weak?
Google will automatically block any sign in from a new device, so even with a compromised password, access is not granted.
Lastpass hack made 2FA completely irrelevant because hacker got access to the password databases directly. They can at their leisure try to bruteforce passwords for all of these accounts.
what accounts?
Im not sure if thats the stupidest thing you saod in your life. But it definitely is the most moronic thing i have heard all month. Cloud with auth? Lol idiot.
People really have no idea about cyber security these days
You’re not convincing anyone by being snarky…
Have fun with that buddy.