I think for a while leading up to the recent session stealing hack, there has been a massive amount of positivity from Lemmy users around all kinds of new Lemmy apps, frontends, and tools that have been popping up lately.

Positivity is great, but please be aware that basically all of these things work by asking for complete access to your account. When you enter your Lemmy password into any third party tool, they are not just getting access to your session (which is what was stolen from some users during the recent hack), they also get the ability to generate more sessions in the future without your knowledge. This means that even if an admin resets all sessions and kicks all users out, anybody with your password can of course still take over your account!

This isn’t to say that any current Lemmy app developers are for sure out to get you, but at this point, it’s quite clear that there are malicious folks out there. Creating a Lemmy app seems like a completely easy vector to attack users right now, considering how trusting everybody has been. So please be careful about what code you run on your devices, and who you trust with your credentials!

    • pizzahoe@lemm.ee
      link
      fedilink
      arrow-up
      19
      ·
      1 year ago

      If anyone’s looking for a free and open source option, Bitwarden is also great.

      • nekat_emanresu@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        You two have no idea do you? lol

        When you pass your password into an app, it can just copy and store it. If at any point you put a password through, even once, its compromised and no password manager will help in the slightest.

        I make bobApp, you download bobApp, if you put a password into it, you are done.

        edit: answering both of you.

        Then i misunderstood. After i typed this I noticed others said what you meant. My bad.

        • jiji@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          ·
          1 year ago

          I think their point is password managers make it very easy to have completely unique passwords, and if your Lemmy password is compromised you can change it without worrying about any other accounts being compromised. Not that a manager would magically protect you from ever being compromised.

        • pizzahoe@lemm.ee
          link
          fedilink
          arrow-up
          9
          ·
          1 year ago

          I think you misunderstood us lol… we’re not saying your password will not get leaked by the app… we’re saying it’s gonna be unique and random bullshit generated so the hacker won’t be able to get to your other accounts since passwords are different.

        • TheSaneWriter@lemm.ee
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          You’re correct, but by maintaining distinct passwords with a password manager you make sure only the one account is compromised. 2FA also helps, you may have the username and password, but the 2FA code that you were given needs to be used immediately or else it will expire, and an expired 2FA code won’t allow you to successfully breach the account you’re trying to break into to.

      • grue@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        And if you want it to be online, you can just share your .kdbx file between your computers using Syncthing or whatever.

      • steltek@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Also Password Store! Syncs over Git and on Android you can use a Yubikey so that the private key isn’t even on your phone.

        But yes, KeePassXC is way more user friendly. Anything touching PGP/GPG is an automatic red flag for family.