• eerongal@ttrpg.network
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

    They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

    • ebits21@lemmy.ca
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      1 year ago

      It’s buggy and missing some key checks to make sure it’s working when you set it up.

      Real risk of locking yourself out of your account.

        • ebits21@lemmy.ca
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          Mostly a risk on initial setup.

          I’ve been waiting a bit for it to stabilize and just using huge random passwords

          • Zetaphor@zemmy.cc
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

            • The Cuuuuube@beehaw.org
              link
              fedilink
              English
              arrow-up
              5
              ·
              1 year ago

              I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

              • Bitwarden
              • KeePass
              • 1password

              And stay far the fuck away from LastPass

              • delollipop@beehaw.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                my uni is currently still recommending lastpass as of now, tho I’ve heard they might be looking for alternatives …

                • Boeman@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  LastPass has had a few security incidents lately. I do not trust them at all.

                • The Cuuuuube@beehaw.org
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Let your classmates know that last pass has semi permanently damaged their trustworthiness by trying to hide a security breach, and then downplaying the severity of the breach, and that your University’s security recommendations are intrinsically suspect as a result

            • ebits21@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Oh I do. Used Bitwarden for many years.

              I actually use keepass for totp codes too.

    • bdonvr@thelemmy.club
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Also I believe this was achieved through cookie stealing, which 2FA would not have helped