• @eerongalA
    18 · 10 months ago

    Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

    They added 2FA login to Lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

    • @ebits21@lemmy.ca
      13 · 10 months ago (edited)

      It’s buggy and missing some key checks to make sure it’s working when you set it up.

      Real risk of locking yourself out of your account.

      • @eerongalA
        4 · 10 months ago

        Oh, really? Maybe I’ll turn mine off then… Thanks for the heads up!

        • @ebits21@lemmy.ca
          7 · 10 months ago

          Mostly a risk on initial setup.

          I’ve been waiting a bit for it to stabilize and just using huge random passwords.

          • @Zetaphor@zemmy.cc
            5 · 10 months ago

            If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

            • The Cuuuuube
              5 · 10 months ago

              I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

              • Bitwarden
              • KeePass
              • 1Password

              And stay far the fuck away from LastPass.

              • @delollipop@beehaw.org
                2 · 10 months ago

                My uni is currently still recommending LastPass as of now, though I’ve heard they might be looking for alternatives…

              • @Zetaphor@zemmy.cc
                1 · 10 months ago

                I don’t know that 1password should be on that list. The first two are free and open source. The last one is paid and proprietary.

                Don’t put your credentials in the hands of a company that requires you to trust them not to fuck up. Everyone thought LastPass was great until they weren’t.

            • @ebits21@lemmy.ca
              1 · 10 months ago (edited)

              Oh I do. Used Bitwarden for many years.

              I actually use KeePass for TOTP codes too.