As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):

  • Don’t use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)

Here is a nice article with some e-mail forwarding providers to get you started

  • Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won’t divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.

Some passvault suggestions:

  • Passbolt (self hosted)
  • Bitwarden (self hosted and hosted options)
  • Vaultwarden (unlocked self hosted alternative to bitwarden)

These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.

  • dbx12
    link
    fedilink
    581 year ago

    You could add keepassxc as an option for those who don’t want a hosted service at all. You can still exchange the storage file with other computers if you have to (via USB stick, mail, nextcloud etc)

    • @[email protected]
      link
      fedilink
      131 year ago

      I second this option. I use it because there’s an app that supports the file format for pretty much every platform.

      • @Sheltac
        link
        English
        51 year ago

        What do you use in iOS?

        • @Dnn
          link
          English
          71 year ago

          deleted by creator

          • misery mansion
            link
            English
            11 year ago

            I also use keepassium and sync with Drive

          • @Sheltac
            link
            English
            11 year ago

            Thanks, I’ll have a look!

        • Karcinogen
          link
          fedilink
          English
          31 year ago

          Check out Strongbox. I can’t say I’ve used it, I’m on Android, but it seems good.

          • @Sheltac
            link
            English
            11 year ago

            Yeah strongbox is what I use and it’s very very good, albeit pricey. Just wondering if something else was around!

    • kurikai
      link
      71 year ago

      And can use syncthing to sync between your devices

      • @[email protected]
        link
        fedilink
        1
        edit-2
        1 year ago

        My setup right here. I’d rather use my own tools to sync passwords instead of a cloud database

    • @[email protected]
      link
      fedilink
      51 year ago

      Do you know of a “keepass for dummies”? I’ve tried to figure out how to use it, but reading the readme on GitHub just makes me feel like an idiot.

      • @[email protected]
        link
        fedilink
        English
        11 year ago

        Was there anything particularly confusing? I can try and clear it up.

        You can go on the KeePass downloads page and find a client that works for you. I like using Keepassium on my iPhone and KeePassXC on my laptop.

        • @[email protected]
          link
          fedilink
          English
          21 year ago

          I finally figured it out. I’m using KeepassXD on Android and it’s not very user friendly. I still haven’t figured out what the unlabeled teardrops are that can be “enabled” or disabled.

    • Łumało [he/him]
      link
      fedilink
      51 year ago

      You can also add to that pass which names istelf the “standard UNIX password manager”, altough it’s just a nice frontend for gpg.

      • dbx12
        link
        fedilink
        21 year ago

        Don’t forget that git is doing the archiving here ^^ And pass is great when your need to share a password store with someone. Just add their hog key and let them checkout the git repo

    • @[email protected]
      link
      fedilink
      31 year ago

      I feel like this option is honestly worse for most people. You have the new security problem of having to transfer the file everywhere, but now the huge inconvenience of potentially losing it or not having it on a new device.

      • dbx12
        link
        fedilink
        11 year ago

        I don’t think transferring the file is a security problem, with hosted services you need to transfer the secrets somehow as well. And cannot choose how they are synced and must rely on the server being secured (in case that component is not hosted by you). Since it is synced to all devices, you are basically having a distributed backup of it already. But I agree, initial setup is a slight bit more work.