I just genuinely do not trust any password manager thing, feels like I’m giving my car keys to a stranger in the parking lot and hoping they don’t drive off
as for a physical key, feels like it’s not a good idea with my tendency to lose all my flash drives never to be seen or end up damaged beyond function so I’d be perma-locked out
again, you can self-own your data with password managers. This is local only.
I do not trust that still even if it is local only, and I do not have the coding knowledge to triple check the code to make sure there really is no secret backdoors any moment I am plugged to wifi
I have no words.
All I can tell you is, as a security professional, I trust KeePassXC. You can deploy it on an airgapped computer and watch the network traffic and you’ll see it doesn’t have any. If your paranoia stops you from using tools that have security and privacy awards, I can’t help that.
okay sure, on a different note then; how would I even go about setting the same thing for mobile if that’s even a thing? do I even need to? Since my usage is split quite 50/50 between a few devices, keeping the ability to log in on all of those would be preferred
This user earlier answered that.
I appreciate the lesson on security and the response to a threat a user has demonstrably faced on this very platform. The move is not surprising to me. But I see myself having practical issues with this move. I am still going to set up MFA (and perhaps the admin can see that I have already done that), but I would like to summarize my concerns since I see that other folks are echoing some of them. Since this is a porn website, tying my irl identity to this forum is the main thing I personally want to avoid, especially as a user instead of a seller of some good/service.
- Friction: See [Meta] The super simple 50 step guide to advanced masturbation!; for a summary, this is adding a 51st step in an already long and tedious process.
- Passkeys: I hear you, passkeys do remove the burden of step 1. However, for me personally passkeys are an issue because they leave a fingerprint on my device. The app storing my passkey will note the domain name of the website. I personally am not comfortable with that. With my scenario, I don’t wish to leave any details on my machine that can be traced to this site (to a reasonable degree; I am not going to zero my drive just to remove all data). I know this is not the case for everyone. But for me personally, passkeys are not a (good) solution. I don’t have the concern about facial recognition or whatever; you don’t need to use that for passkeys, you can just use a password to unlock your passkeys if you are so concerned about it. I have thoughts on how this issue of passkeys can be fixed, but a) the wider web is not really going to listen to me, and b) this is hardly the place to argue for it.
- Overkill: Yes, I know I want to be anonymous, but personally, I don’t really care if someone got access to my account or wrote messages in my name because there’s nothing tying my real identity to this account, not even my email id. This is certainly not the case for every user, I understand that.
All this said, like I said earlier, I am still moving to MFA. Token Authentication gets around the naming of domain part since I can just use any name I want. I also understand that this website does require trust between users since it is a sensitive website; don’t want someone to snoop or impersonate.
Question for @VladTheImplier, I am confused about certain terms here. Can you clarify whether Token based MFA along with password is sufficient?
As far as I understand, MFA => Multi-factor authentication (i.e. use two security secrets to authenticate yourself), and Passkeys => Using the public-private key protocol to authenticate.
My understanding based on your previous texts is that you can use either a) Passkey, OR b) Token MFA with password — is this right?
Short answer: token MFA is required, passkeys are optional, but highly advised for maximum security and convenience.
Long Answer
Idk how technical you are in the context of authentication security, but passkeys are different from FIDO2 credentials. FIDO2 Creds are the pub/priv key protocol you’re talking about.
Passkeys are a specific implementation of strong authentication. They’re powered by FIDO2 credentials, require 2 or all the factors of MFA, and require proving intentionality (intending to authenticate).
There was a discussion on another thread where I go over this in more detail.
I’m not sure if you’re referring to the private key or your literal fingerprint on device. Neither of these would compromise your privacy in any way. No one can identify you based on a passkey, they can’t even ask you for a specific key without having prior knowledge of the domain.
This is actually half-true. The domain is part of the crypto chain in the process.
For ex. my USB key (U2F/FIDO2), I can’t view the passkeys stored in it until I unlock it with a PIN.
The PIN encrypts each record, each record does contain the URL, credential ID, and the username (username is often a comment + public key).
So technically yes, the URL is recorded. It’s encrypted until you unlock it with your PIN (or biometric). This is the same for password managers, though password managers often store the domain outside the passkey as well.
tl;dr - I am only enforcing TOTP
There’s no way around it — since you’re using something that belongs to others, you naturally have to follow their rules, unless you don’t use it, or you have your own parking lot.
This is actually half-true. The domain is part of the crypto chain in the process.
For ex. my USB key (U2F/FIDO2), I can’t view the passkeys stored in it until I unlock it with a PIN.
The PIN encrypts each record, each record does contain the URL, credential ID, and the username.
Yes, this is what I was talking about, although I knew it would be encrypted. While more sophisticated attacks are feasible when you assume physical access to the device, my worry is far more simple — it is a shared device that anyone can access, unlock, and read the passkeys (of course, I understand this is an absurd scenario very specific to me). At any rate, I am happy with the MFA solution I have set up.
Short answer: token MFA is required, passkeys are optional, but highly advised for maximum security and convenience.
Great! Thank you!
I managed to set it up, but at the cost of Google (Authenticator) now knowing that I use this site and which email I used to register here, linking my anonymous online profile to my actual personal Google account.
Right. It’s much better if a porn platform operator forces MFA on people and when trying to enable it, presents them with a QR code which adds the detailed platform name and email address used to register here to Google Authenticator.
It’s much better if the big corporations take away our anonymity than the governments take away our rights
Um, you don’t have to tell Google Authenticator the platform name and email address; you just need the key (which, while tedious to copy, is better than using a QR code). Anything else, you can just change (I just named my key w for example).
You also don’t have to use Google Authenticator.
I also named mine differently, but that just affects how the key is displayed on here. In Authenticator it shows the full site URL. And the QR code is so prominently placed that obviously everyone will use it.
It’s literally the first and biggest thing you see when you click “+ Add Authenticator”.
I blame server ops for not changing the data in the QR code to something unsuspicious, just like every sex toy vendor avoids shipping their toys in boxes labelled with the company logo or even some product designs printed on them.
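The complaint above is that the QR code’s otpauth URI carries the site name and the registration e-mail, while the secret alone is what the codes are computed from. The Python below is an added example, not code from any poster or from this forum’s software: it parses a constructed otpauth URI (issuer, account and secret are all made up), re-issues it with a neutral label and no issuer, and computes RFC 6238 TOTP codes from the secret alone, so the original and relabelled entries produce identical codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what an "Add Authenticator" QR code typically encodes.
# Issuer, account name and secret are all made up for this example.
SAMPLE_URI = ("otpauth://totp/ExampleForum:anon.user%40example.org"
              "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleForum&digits=6&period=30")

def parse_otpauth(uri):
    """Split a TOTP otpauth:// URI into the fields an authenticator app stores."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_prefix, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "issuer": q.get("issuer", issuer_prefix),  # names the site
        "account": account,                          # names the user
        "secret": q["secret"],                       # the only part codes depend on
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp(secret_b32, digits=6, period=30, for_time=None):
    """RFC 6238 TOTP (HMAC-SHA1) computed from the base32 secret alone."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // period))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def relabel(uri, new_label="w"):
    """Re-issue the URI with a neutral label and no issuer, keeping the secret."""
    p = parse_otpauth(uri)
    return (f"otpauth://totp/{new_label}?secret={p['secret']}"
            f"&digits={p['digits']}&period={p['period']}")
```

Pasting the output of `relabel(SAMPLE_URI)` (or just the secret) into an authenticator app gives the same codes as the original QR code without the app ever learning the site name or e-mail address.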
Some KeePass setup guides, videos etc. Yes, you can save your MFA/2FA in there too, just make sure to also set it up on another device (e.g. smartphone, by copying the KeePass files) to have a backup.
KeePass is not the only option, there are also other alternatives like e.g. Bitwarden/Vaultwarden. Paid options and cloud synced options exist as well.
Upside of KeePass is that it has been around and supported for a very very long time, is open-source and functional offline (no reliance on third party infrastructure).
Actually, I don’t trust this site anymore.
The switch from criticising Discord for collecting user data to actively exposing users to Google via QR codes makes me believe that Vlad himself was hacked and someone is now using the account to expose the members of this board.
Be careful everyone!
Edit: The fact that the Delete My Account button does nothing except tell you to contact a staff member to do it is just
If it’s not obvious, I want my account and all my posts and replies deleted @VladTheImplier
The trust in private for-profit companies, who are by nature amoral (distinct from immoral but can also be and increasingly are both) and their proprietary solutions or just general practices is also my main gripe with a lot of solutions. It gets more dangerous when the state works with these entities in unison to undermine rights instead of protecting them against their attacks.
It’s unfortunately the price many seem willing to pay for convenience or out of sheer necessity. Of course there are free and open source options as gooner29 outlined, with which privacy and safety can be maximal, but they usually require a minimum level of tech understanding and skills to set up correctly or you might sacrifice one or the other. But we don’t need to be maximalist about it and still get there over time.
Reading through this topic, I think that there is a misunderstanding more generally of the difference between actual security and privacy and the dystopian political measures masquerading as such being enforced more and more. And I speculate that it is this feeling of all of this being a nuisance and the experience of privacy (and other basic) rights eroding despite or because of these measures that is tragically preventing people from moving to more secure and privacy-respecting solutions. And it is making this issue more emotional than rational. As many replies imply, many users have never used MFA or especially Passkeys except for when they are forced to by banks for example, and harbor hostility towards it.
To make the distinction with current issues:
Discord is telling us to give them either our biometrics or other sensitive information like our passports, so they can make sure we are of legal age, despite there being methods to do that without all this data. And we have no control over how they handle all that information. We are absolutely right to be very skeptical given how data is routinely actively misused or handled in an irresponsible manner within the tech world and their close ties to authoritarian governments.
Vlad is asking us to make our accounts harder to hack, therefore improving our combined security and anonymity by offering no additional personal data to him. There are possibilities where there’s no data handled by untrustworthy tech companies at all. And on top of that there are methods that are even more user-friendly than using passwords + email. These two are not comparable. Not by a long-shot.
I will admit that I had not done that on this forum either, because I completely missed the Passkey option, but have done so within a minute after finding out about it. I also already have KeePass and Device-Syncing (with all but one device) in place, which made it a quick and easy process. And since I’m self-hosting it, I don’t have to trust big tech getting or handling any data. (Can’t wait to fully ditch Windows for Linux as software compatibility is rapidly improving.)
The idea that using a second or third email-address for everything anonymous and probably also securing it with weak and reused passwords because no one can do anything with my account anyway may seem anonymous and unimportant intuitively, but is actually the opposite.
We could go into SMTP and especially IMAP or talk about the fact that you need to place trust in the email provider, client and OS (and ISP and service providers for that matter) you are using, or plain-text overhead metadata getting sent around that can all compromise anonymity and/or safety, but to make it topical: You allow for easy attack vectors on other users. And are open to easy attack vectors through other users with poor security. And allow attack vectors through other sites with poor security, but use the same address or - even worse - also the password.
There is also the perspective of how interesting it is to hack the database as a whole. If we theoretically all had to use Passkeys, then there would be nothing interesting to get for a hacker. MFA alone prevents some forms of attacks, and of course combined with other good practices like using unique passwords it improves safety and with it anonymity. Anonymity counter-intuitively does not come without security. (The famous quote with freedom and security referred to financial security because of a dispute btw, not this understanding of security). If security is compromised then it is a matter of time until anonymity is as well.
So enforcing at least MFA is quite prudent imo, especially for “just a porn-forum”. I wish that this was more prevalent.
Additionally, a Q&A with an experienced cyber-security expert is an offer we should take in a heartbeat, since all of that knowledge can and should be applied not just to this forum, but to our online habits as a whole. Especially in times of authoritarian policies and completely unhinged economic actors. We are being offered to replace our misunderstandings and fear with knowledge and with it competence.