

Thedancingsousa | 1 point | 1 day ago (May 28, 2025 20:46:59) | (+1/-0)*

SiNgLe SiGnIn.

Fuck password stores too. Use some basic cryptography. One salt on disk, one salt generated from a master password via pbkdf2 (memorized), the site name. Hash it all together. Use the charset used by lastpass to encode. Now you have passwords of arbitrary length. No need to synchronize as long as you have that disk salt somewhere. Your computer can burn to the ground and you lose nothing.

I don't know why no one has published that software. You can code it in 5 minutes.

Better would be if no sites used passwords at all. Since we are in a situation where we need managers outside the browser anyway you could just use one to sign a phrase with asymmetric cryptography. Now you don't have to trust that sites manage passwords correctly. If you have to trust another party to do anything correctly that's bad security.
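
An added implementation of the derivation sketched in the comment above (example code, not the commenter's own): PBKDF2 over the memorized master password, keyed hash over the on-disk salt and site name, output encoded into a fixed alphabet. The PBKDF2 work factor, the output charset (a stand-in for the LastPass alphabet the comment mentions) and the per-site rotation counter are assumptions; the counter goes beyond the comment's scheme so one site's password can be changed after a breach without changing anything else.

```python
import hashlib
import hmac

# Assumed parameters: the comment names PBKDF2 but gives no work factor or length.
PBKDF2_ITERATIONS = 600_000
MASTER_KEY_LEN = 32
# Assumed output alphabet standing in for "the charset used by lastpass".
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
           "0123456789!#$%&*+-=?@^_")


def derive_master_key(master_password: str, disk_salt: bytes) -> bytes:
    """Slow step: stretch the memorized master password with PBKDF2.
    The on-disk salt doubles as the PBKDF2 salt, so guessing the master
    password offline requires having the stored salt file as well."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               disk_salt, PBKDF2_ITERATIONS, dklen=MASTER_KEY_LEN)


def site_password(master_key: bytes, disk_salt: bytes, site: str,
                  length: int = 20, counter: int = 0) -> str:
    """Fast step: hash master key, disk salt and site name together, then
    encode the digest into CHARSET. `counter` goes beyond the comment's
    scheme: bumping it gives a fresh password for one site after a breach
    without changing the master password or the salt."""
    if not 8 <= length <= 64:
        raise ValueError("length out of range")
    # Length-prefix each field so field boundaries are unambiguous.
    fields = [disk_salt, site.strip().lower().encode("utf-8"),
              counter.to_bytes(4, "big")]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Rejection sampling: only bytes below `limit` map uniformly onto CHARSET.
    limit = 256 - (256 % len(CHARSET))
    out, block = [], 0
    while len(out) < length:
        # Expand the keyed hash into as many blocks as the rejection step needs.
        digest = hmac.new(master_key, msg + block.to_bytes(4, "big"),
                          hashlib.sha256).digest()
        block += 1
        for b in digest:
            if b < limit and len(out) < length:
                out.append(CHARSET[b % len(CHARSET)])
    return "".join(out)
```

Losing the disk salt means every derived password is unrecoverable, which is the trade-off the comment accepts in exchange for having no synchronized store.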

deleted | 0 points | 23 hours ago (May 29, 2025 01:55:05) | (+0/-0)*

deleted

No_way_oy_vey | 0 points | 1 day ago (May 29, 2025 00:05:02) | (+0/-0)

The connotation of this is that a data breach occurred on servers holding login credentials. When reading the article:
Fowler, who described the find as one of the most dangerous in his career, noted that the database likely resulted from infostealer malware, such as Lumma Stealer or Redline, which harvests data through techniques like keylogging. Unlike typical breaches tied to a single company, this dataset appears to be a compilation, possibly collected by cybercriminals for sale on the dark web.

So there are just keyloggers keylogging, as they've always done since the beginning of keyloggers. Nothing to see here for anyone who knows to not run random exe's they downloaded after clicking an ad for free boner pills...

Phishing emails: Lumma Stealer emails impersonate known brands and services to deliver links or attachments. These campaigns involve expertly crafted emails designed to evoke urgency, often masquerading as urgent hotel reservation confirmations or pending cancellations. The emails lead victims to cloned websites or malicious servers that deploy the Lumma payload to the targets’ environment.

Malvertising: Threat actors inject fake advertisements into search engine results, targeting software-related queries such as “Notepad++ download” or “Chrome update.” Clicking these poisoned links leads users to cloned websites that closely mimic legitimate vendors but instead deliver the Lumma Stealer.

Drive-by download on compromised websites: Threat actors were observed compromising groups of legitimate websites, typically through a particular vulnerability or misconfiguration. They modify site content by inserting malicious JavaScript. The JavaScript runs when sites are visited by unsuspecting users, leading to delivery of a payload, intermediary script, or displaying further lures to convince users to perform an action.

Trojanized applications: In many campaigns, cracked or pirated versions of legitimate applications are bundled with Lumma binaries and distributed through file-sharing platforms. These modified installers often contain no visible payload during installation, executing the malware silently post-launch.

Abuse of legitimate services and ClickFix: Public repositories like GitHub are abused and populated with scripts and binaries, often disguised as tools or utilities. A particularly deceptive method involves fake CAPTCHA pages, commonly observed in the ClickFix ecosystem. Targets are instructed to copy malicious commands into their system’s Run utility under the pretense of passing a verification check. These commands often download and execute Lumma directly in memory, using Base64 encoding and stealthy delivery chains.

Dropped by other malware: Microsoft Threat Intelligence observed other loaders and malware such as DanaBot delivering Lumma Stealer as an additional payload.

puremadness | 0 points | 1 day ago (May 28, 2025 22:58:43) | (+0/-0)

Fuck You, I predicted this.

First time I saw the words 'single sign on'
I knew you were all fucked.

Trope | 0 points | 1 day ago (May 28, 2025 18:41:07) | (+0/-0)

The MFA request is going to go off on my phone.

And like always, I’m going to ignore it because I don’t care about Apple or Google enough.