this post was submitted on 09 Aug 2023
97 points (100.0% liked)

Asklemmy

43817 readers
883 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

I noticed that there were some accounts that were hijacked by the instance owners. All the posts from that user were then edited to say what happened.

This kind of surprised me, I figured instances could delete posts, but not edit them. So how much control do they have?

I assume they can't see my password (hopefully). Can they post in my name? Do they have all the access to my posts to foreign instances that they do over local posts?

Edit: thanks for all the responses everyone! I've wanted my own instance for a while, but maybe I'll get on it now

you are viewing a single comment's thread
view the rest of the comments
[โ€“] static09@lemmy.world 17 points 1 year ago* (last edited 1 year ago) (2 children)

It's important to note that your password has to be stored someway, no matter what, no matter where. How it's stored can be varied, from hashed (think encrypted) to cleartext. I'm assuming lemmy is using hashed passwords, so if you're concerned about your password being available to an instance owner, admin, or potential attackers, then you'll need to follow safe password guidelines. Changing the concept from passwords to passphrases is a great start.

Always keep in mind, if the data isn't stored on your device, you do not technically own that data. You have to trust the owners to be good data custodians and treat the data you give them as if it were their own private data.

I'll leave this now internet-ancient sacred image for future passphrase converts.

[โ€“] Fuckfuckmyfuckingass@lemmy.world 15 points 1 year ago (1 children)

Understood. I am now changing all my passwords to Correct Horse Battery Staple.

[โ€“] Rouxibeau@lemmy.world 2 points 1 year ago

Hey, that's my password too.

[โ€“] sxan@midwest.social 2 points 1 year ago* (last edited 1 year ago) (1 children)

Just to be clear, you're talking about Lemmy. There are authentication mechanisms in which the instance never has access to your password, in any form.

I wish I could upvote your comment multiple times for the XKCD comic on this. And to anyone curious, there are many tools which will generate XKCD passwords for you. One's called "correcthorse", and there's another called "correctpony". A github search for "xkcd password" should turn up several.

[โ€“] karlthemailman@sh.itjust.works 1 points 1 year ago (1 children)

Why can't the admin just change the Lemmy source code to not hash anymore?

[โ€“] sxan@midwest.social 1 points 1 year ago

Are you asking why can't a bad admin change the code so that they can more easily steal the password? They could, and this is what OP was saying about trusting the admin. What I was saying was that there are client-side auth mechanisms, where the admin never has access to the password. But Lemmy could also implement OAuth, or a similar federated identity pattern, where (again) the Lemmy admin never has access to any form of the password.

I've never run a Lemmy instance; it's possible the server software supports SSO but few instances use it.