gratipay / inside.gratipay.com

Here lieth a pioneer in open source sustainability. RIP
https://gratipay.news/the-end-cbfba8f50981

Security Radar 28 #798

Closed gratipay-bot closed 8 years ago

gratipay-bot commented 8 years ago

← Security Radar 27


Docs

http://inside.gratipay.com/howto/sweep-the-radar

Mission

The mission of the security team is to protect our sensitive information.

Scope

https://hackerone.com/reports/117195
https://hackerone.com/reports/161766

Severe Risk

Moderate Risk

https://hackerone.com/reports/127218
https://hackerone.com/reports/128844
https://hackerone.com/reports/143139

Mild Risk

https://hackerone.com/reports/76304
https://hackerone.com/reports/80907
https://hackerone.com/reports/90805
https://hackerone.com/reports/108645
https://hackerone.com/reports/109161
https://hackerone.com/reports/111325
https://hackerone.com/reports/117187
https://hackerone.com/reports/117739
https://hackerone.com/reports/117984
https://hackerone.com/reports/118023
https://hackerone.com/reports/123688
https://hackerone.com/reports/123697
https://hackerone.com/reports/128121
https://hackerone.com/reports/140387
https://hackerone.com/reports/140432

Theoretical Risk

https://hackerone.com/reports/78151
https://hackerone.com/reports/90777
https://hackerone.com/reports/116147
https://hackerone.com/reports/117833
https://hackerone.com/reports/123942
https://hackerone.com/reports/123897
https://hackerone.com/reports/124096
https://hackerone.com/reports/127824
https://hackerone.com/reports/127949
https://hackerone.com/reports/127995
https://github.com/gratipay/gratipay.com/issues/823
https://hackerone.com/reports/137002
https://hackerone.com/reports/138693
https://hackerone.com/reports/143139
https://hackerone.com/reports/161765

chadwhitacre commented 8 years ago

A couple things jumped out at me in this week's Downclimb:

As has been seen by Tavis Ormandy's vulnerability research against password managers lately, such as Dashlane and Lastpass, it is best to avoid using the password managers that integrate with browsers and sync remotely.

And:

We are reminded once again that SMS is as bad as using unencrypted HTTP to send confidential info.

mattbk commented 8 years ago

I've heard that one potential is to use KeePass, but sync the encrypted file through some other method (Google Drive, Dropbox, etc.).

Do two-factor authentication codes count as "confidential info"?

ghost commented 8 years ago

My 2 cents: I migrated from pass (relying on GPG) to MacPass (relying on the KeePass2 format), in order to get a more convenient solution in the everyday use and be able to separate the security of my communications and my password storage (key revocation, separation of concerns…).

I tried several commercial solutions but I find them too much centred around browser integration and mobile sync, two things I want to avoid absolutely (too much exposure for both). If you remove these two functionalities, there's nothing left: Dashlane won't even let you generate a password on their stand-alone app, you can only do it in the browser. Tough for something costing ~$40/y.

Do two-factor authentication codes count as "confidential info"?

NIST is deprecating the use of SMS as a 2FA mechanism :-)

chadwhitacre commented 8 years ago

Hmmm ... https://keeweb.info/. Should we migrate from LastPass to that?

mattbk commented 8 years ago

Hmmm ... https://keeweb.info/. Should we migrate from LastPass to that?

It's another KeePass frontend, so as long as you're cool with them, it shouldn't matter. (@nashe, I also use MacPass, and then the official KeePass client on Windows.)

chadwhitacre commented 8 years ago

@mattbk What about sharing logins between multiple users? That's what we're using LastPass for currently. Does KeeWeb help with that any more than MacPass would?

mattbk commented 8 years ago

Looks like it uses a 3rd party (Dropbox?) anyway, might be more integrated?