any xmpp user ?
Started using XMPP recently because messaging apps suck. I want to see if anyone uses this thing.

Site-specific about:config in LibreWolf/Firefox?
I have a specific issue I want to solve right now, but the topic is phrased more generally as I would love the answer to this as well. But this might be an XY problem because of this, so here's the actual problem I want to solve: I am using LibreWolf as my main browser, and it has WebGL disabled by default to avoid fingerprinting. I would like to keep it this way, but I am currently also making some internal tools for myself that require WebGL (map renders with Plotly in Dash). Is there a way to tell LibreWolf to enable WebGL only for specific sites, so that I don't have to manually toggle this when I want to look at my maps? My initial thought was that this could be solved with a site-specific about:config.

The app seems fairly small in size compared to Orbot, which is really old, and also InviZible Pro seems to do a ton of things including a firewall, VPN, etc. So does it connect to the Tor network properly and pass all your traffic through it as well as Orbot, and completely block internet access to non-whitelisted services as well as Rethink does? Or does it cut corners and do all the things but do all of them horribly? Is it audited or at least watched by enough people to be secure? Anyway, share your thoughts. I think if the app does everything it boasts to do perfectly it's one of a kind and unmatched and probably would make any Android really, really safe, but I'm really skeptical. I tried it out a month ago but ditched it after reading that its firewall does not work that well, but idk if that is true or not. Anyway, share your thoughts.

Any android open source video player app with inbuilt subtitles downloader ?
VLC's is broken, at least for me, and I would like to know if any of the other video players from F-Droid's main repo had a good subtitle browser/downloader inbuilt. Searching got me nowhere and I'd rather not download, try and uninstall every video player from F-Droid. So if anyone uses any, do recommend, as there is a fuckton of video players and I really can't download and test each and every one of them. Maybe not the appropriate sub or c or whatever, but I know MX Player has one and I'd rather not turn to it (or anything outside F-Droid), and I hope this post is alright here; if not, feel free to reach me about removal, or if any mod wants to remove it, also feel free. But just in case I could get some answers, don't downvote. Anyway, cheers.

U.S. “Know Your Customer” Proposal Will Put an End to Anonymous Cloud Users * TorrentFreak
cross-posted from: https://lemmy.today/post/9850201

> ![Image](https://torrentfreak.com/images/identity-s.jpg)
>
> Late January, the U.S. Department of Commerce published a notice of proposed rulemaking for establishing new requirements for Infrastructure as a Service providers (IaaS). The proposal boils down to a 'Know Your Customer' regime for companies operating cloud services, with the goal of countering the activities of "foreign malicious actors." Yet, despite an overseas focus, Americans won't be able to avoid the proposal's requirements, which cover CDNs, virtual private servers, proxies, and domain name resolution services, among others.

I never consent to giving my data away or being tracked, but how do you deal with so-called legitimate interest? I tried several times to untick them, but it is a long list (in fact at the bottom there is a "vendors" link with an even longer, much longer list. It took me 10 minutes to get to the bottom of it once). My questions:

- How can we trust these so-called legitimate interests when they are self-defined by companies whose business model relies on your data?
- How can we find out what these legitimate interests are and what data they collect?
- Are such companies controlled in any way?
- Is this kind of consent form compliant with EU GDPR? (Normally opting out is supposed to be as easy as opting in, and there is no "refuse all" for these so-called legitimate interests.)
- What are your strategies against such sites tracking you?

Or am I just being paranoid? The sheer number of vendors is daunting; the Internet really turned into crap.

Edit: when clicking Preferences at the bottom, the content of the legitimate interests is spelled out for each vendor, so this answers one of my questions.

![](https://lemmy.world/pictrs/image/feea0c19-9a23-4715-baac-112ca84a4dc9.jpeg)

TV recommendations
It finally happened. My 'dumb' TV died for good. Looking for recommendations on a new TV. I'll be hooking it up to a media PC anyway, but I still want a TV with a good panel and absolutely no microphones, cameras, or baked-in ads (looking at you, Roku). If anyone knows any good 'dumb' TVs too, I'd be very interested in looking at those.

It was at the SecureDrop website. How did I end up there? I read something about Sequoia and encryption and then wanted to see what SecureDrop entailed. Meanwhile I've raised the security settings. Still, today someone in this community (?) mentioned that Tor Browser does not prevent the remote end from checking for the OS, and now this. Color me surprised.

PSA: Twitch Shadowbans Users on VPN + Linux
If you notice your chat messages show up in the chat feed but don't appear on the streamer's on-screen chat, you have been shadowbanned. Twitch will still take your money for donations, subs, etc., but your feedback won't be seen by anybody but you. This shadowban does not appear in the appeals page and can be applied randomly and intermittently. You are never informed about this, by the way. You'll likely be talking in a chat and assuming you're being ignored. Hop into a private tab and load up the stream, where you'll be able to notice if your messages are missing in chat. From my observations, there seems to be some type of algorithm/system that determines who to shadowban. I'm assuming it assigns extra points for factors like VPN usage, Linux, and adblockers. Once you've been shadowbanned, switching one of those three will not work to unban you until some arbitrary timer expires. I'm posting this in case anybody else has experienced this and felt frustrated and isolated. You're not being ignored (unless you're a twat and are being ignored). You're just being punished by Twitch for being privacy conscious.

Potential Brave Pro Subscription model?
It seems possible that Brave are building Brave Pro, which looks like it's a subscription-based service of some kind. A note on the Android implementation of the project [reads](https://github.com/brave/brave-browser/issues/37128) (GitHub link):

> Implement the required runtime changes (profile settings, chrome flags, group policies, etc.) with the appropriate values that enable the Brave Pro experience. Using Brave in this mode with its default settings and making changes to the Brave Pro defaults require an active paid subscription. When the browser has no active credentials for Brave Pro, the panel UI will promote the service and include the initial payment CTA. When credentials are present the panel UI will include the appropriate toggles for making changes to the default settings.

It also links to a private Google Doc.

Paper: Murky Consent: An Approach to the Fictions of Consent in Privacy Law
Abstract Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic” – it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing. There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent. Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale. In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary – an on/off switch – but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious. Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. 
Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.

Anti-web discrimination by banks and online services - is this even legal?
Banks, email providers, booking sites, e-commerce, basically anything where money is involved, it's always the same experience. If you use the Android or iOS app, you stay signed in indefinitely. If you use a web browser, you get signed out and asked to re-authenticate constantly - and often you have to do it painfully using a 2FA factor. For either of my banks, if I use their crappy Android app all I have to do is input a short PIN to get access. But in Firefox I also get signed out after about 10 minutes without interaction and have to enter full credentials again to get back in - and, naturally, they conceal the user ID field from the login manager to be extra annoying. For a couple of other services (also involving money) it's 2FA all the way. Literally no means of staying signed in on a desktop browser more than a single session - presumably defined as 30 minutes or whatever. Haven't tried their own crappy mobile apps but I doubt very much it is such a bad experience. Who else is being driven crazy by this? How is there any technical justification for this discrimination? Browsers store login tokens just like blackbox spyware on Android/iOS; there is nothing to stop you staying signed in indefinitely. The standard justification seems to be that web browsers are less secure than mobile apps - is there any merit at all to this argument? Or is all this just a blatant scam to push people to install privacy-destroying spyware apps on privacy-destroying spyware OSs, thus helping to further undermine the most privacy-respecting software platform we have: the web? If so, could a legal challenge be mounted using the latest EU rules? Maybe it's time for [Open Web Advocacy](https://open-web-advocacy.org) to get on the case. Thoughts appreciated.

Proton: "Introducing Dark Web Monitoring for credential leaks" [https://proton.me/blog/dark-web-monitoring](https://proton.me/blog/dark-web-monitoring) [@privacy](https://lemmy.ml/c/privacy)

Under the FISA expansion, what exactly should I worry about, how do I manage privacy?
Hello everyone, with the unfortunate passing of the FISA expansion, I was left with a few questions. I tried to research it, and to me, it *seems* like they are beefing up surveillance with routers and ISPs (correct me if I'm wrong.) Aside from having businesses stalk you when you use their WiFi (connected with ISPs.) And if that's the case, should I just always use a VPN? And furthermore, shouldn't you have always used a VPN prior to this anyways? That's why I'm confused because I already thought that other businesses were collecting data and our ISPs were already sending our data away, so I'm partially confused about what the real change here with FISA is. Any clarification and advice is greatly appreciated, thank you.

Are there any tools out there to compare Privacy Policies against each other?
Hiya, just quickly wondering if anyone knows about a good tool for comparing privacy policies against each other? I'm currently downloading each PP, then using self-hosted Stirling-PDF to compare them one on one. However, I am looking for a more efficient tool, to compare multiple at a time, if there are any. Any tool that can handle multiple PDFs or HTML files and look at the differences between them, that kind of tool. Appreciate any suggestions! 🕵️

[Solved] Looking for a privacy oriented fitness tracker
Hi other privacy people :) I am currently looking for a fitness tracker that at least doesn't need a proprietary app to get the data out of it. Haven't really found any recent articles that look into that aspect of fitness trackers, any advice? I know about the Bangle.js but wanted to know if there is more. Also, if you have this device and use it to track your running, I would be happy to read your review! Thanks in advance!

Edit: Solution for me was to adjust the settings of OpenTracks. Before, it recorded only every 10 metres. Additionally I ordered a chest strap for my heart rate. Brand is Polar, they seem to be good about not needing their own app to get your data.

Just for context, GUR is Ukraine's Main Intelligence Agency, practically what the CIA is in the US.

***

The relevant part, translated:

BBC: You recently spoke about Telegram being a problem for Ukraine.

Kyrylo Budanov: I can repeat that again for you. It is a huge problem.

BBC: And what can be done about it?

Kyrylo Budanov: Or, as they say, to put it in order - at least legally force everyone to register, so it is clear who is behind which media resource, and Telegram has already definitely acquired the status of media. There is no question of influence or pressure - the issue is not about that. If you want to promote your position - and it may not please someone, and that is normal in a democratic society - take responsibility. What, are you afraid to say who you are?

BBC: So you're talking about anonymous Telegram channels?

Kyrylo Budanov: They are all anonymous. Do you know a single Telegram channel that openly said "I am this person"? That's the answer.

BBC: Could their closure become a solution to this problem? Blocking?

Kyrylo Budanov: Temporarily yes, but I still believe they need to be forced to register. This will not be pressure on the press. In a democratic society, I say again, you cannot simply exert pressure... Why am I even telling you this? You are a media representative. Would you be very happy if someone came to you and said: that's it, from now on you write like this? Of course, that would be abnormal. But being afraid to say who you are is also wrong. And throwing anything into the ether on behalf of an anonymous person, excuse me, paid from completely different parts of the world is also abnormal.

***

"We're not pressuring them, we are merely holding them accountable"

Any Google Translate live camera feed alternatives?
Hi guys! I'm setting up a recently wiped phone, and just finding out that in order to use Google Translate, not only do you need the Google Translate app, you ALSO need the Lens app, with its own permissions, and it then ALSO force-feeds you the Google app. Is there a way to avoid this? Or an alternative that allows live image translation (from Chinese if possible) of what the camera is seeing? It's for a trip, so I can read signs and texts on the street. Thanks!

> Hundreds have joined a UK class action lawsuit against LGBTQ+ dating app Grindr, seeking damages over a historical case of the company allegedly forwarding users' HIV status as well as other sensitive data to third-party advertisers.
>
> This data included a user's HIV status and their last test date, their sexual preferences, and their GPS location – all of which were added to public profiles by users and later gathered up by Grindr's trackers.
>
> The Norwegian Data Protection Authority (NO DPA) fined Grindr 65 million Norwegian kroner in 2020 ($5.9 million at today's exchange rate) for violating GDPR's consent rules. NO DPA's case didn't mention any violations regarding the sharing of HIV data or information about a user's sexual preferences. However, it ruled that third parties had received a user's GPS location, IP address, advertising ID, age, gender, and the fact that they used the app, and concluded that Grindr had disclosed user data to third parties "for behavioural advertisement without a legal basis."
>
> The Electronic Privacy Information Center (EPIC) said in October last year it was pushing for the FTC to probe the app maker after finding that it was retaining user data even after accounts were deleted – a practice Grindr's privacy policy explicitly says it wouldn't do.

- [Related Mozilla Research Report: Data-Hungry Dating Apps Are Worse Than Ever for Your Privacy.](https://foundation.mozilla.org/en/privacynotincluded/articles/data-hungry-dating-apps-are-worse-than-ever-for-your-privacy/)

I have an extension that can individually disable all the most useless/addicting components of the YouTube site, such as Shorts and whatnot. On the search page, I have turned on:

- hide Shorts
- hide For You
- hide Trending
- hide 'People Also Searched For'
- hide Search Categories
- hide Promoted Videos
- hide Promoted Websites
- hide Suggested Products

Do you know what YouTube has started doing? They are now inserting engagement slop DIRECTLY into the search results, as seen in the image above. It's literally a Short, yet it's inserted like a video so you're **forced** to see it. The only possible way to remove it is by using a privacy frontend, as even in incognito mode, YouTube will look at the three videos you've watched and start inserting shit based off that. Louis Rossmann is right, they all have rapist mentalities... "just let me stick it in"

> Large part of USA citizens may have had their private medical data stolen :(

UnitedHealth says files with personal information that could cover a "substantial portion of people in America" may have been taken in the cyberattack earlier this year on its Change Healthcare business. The company said Monday after markets closed that it sees no signs that doctor charts or full medical histories were released after the attack. But it may take several months of analysis before UnitedHealth can identify and notify people who were affected.

UnitedHealth did say that some screenshots containing protected health information or personally identifiable information were posted for about a week online on the dark web, which standard browsers can't access. The company is still monitoring the internet and dark web and said there has been no additional file publication. It has started a website to answer questions and a call center. But the company said it won't be able to offer specifics on the impact to individual data. The company also is offering free credit monitoring and identity theft protection for people affected by the attack.

UnitedHealth bought Change Healthcare in a roughly $8 billion deal that closed in 2022 after surviving a challenge from federal regulators. The U.S. Department of Justice had sued earlier that year to block the deal, arguing that it would hurt competition by putting too much information about health care claims in the hands of one company.

UnitedHealth said in February that a ransomware group had gained access to some of the systems of its Change Healthcare business, which provides technology used to submit and process insurance claims. The attack disrupted payment and claims processing around the country, stressing doctor's offices and health care systems. Federal civil rights investigators are already looking into whether protected health information was exposed in the attack.

UnitedHealth said Monday that it was still restoring services disrupted by the attack. It has been focused first on restoring those that affect patient access to care or medication. The company said both pharmacy services and medical claims were back to near normal levels. It said payment processing was back to about 86% of pre-attack levels. UnitedHealth said last week when it reported first-quarter results that the company has provided more than $6 billion in advance funding and interest-free loans to health care providers affected by the attack. UnitedHealth took an $872 million hit from the cyberattack in the first quarter, and company officials said that could grow beyond $1.5 billion for the year.

Minnetonka, Minnesota-based UnitedHealth Group Inc. runs one of the nation's largest health insurers. It also runs one of the nation's largest pharmacy benefits management businesses, provides care and offers technology services. Company shares slipped nearly $3 to $488.36 in midday trading Tuesday while broader indexes climbed.

How private is 1.1.1.1 by Cloudflare on iOS?
Is it safe to use to protect from social media trackers?

Ask: How do you handle your résumés?
Usually I rely on my network & haven’t needed this kind of document in ages, but I’ve been tasked with creating a résumé for myself. I’ve grown more privacy-conscious every year & I think it’s weird that we are expected to give out so much information about ourselves to companies that lie about their culture & don’t want you sharing salary information with your coworkers. I have read stories about how these documents & information can sometimes get leaked & shared on the web which is pretty sketch. TIL about “functional résumés” which it appears are usually meant to cover up your lack of work experience, but I like the idea of covering up a lot of my specific history as it is the *skills* that should matter more, no? Do you give out all of your info?

How do you all prevent Password/OTP/TOTP deadlocks?
I have read quite a few posts about preventing account password takeover in various malicious ways, and many OPSEC measures are there to prevent it from happening. Consider a case where you face a total blackout or technical failure. Now, you need to log in to your password manager, which requires either OTP on email or TOTP. You don't have access to the TOTP app because the backup is stored in cloud storage, whose email login also requires OTP. How would you prevent this from happening? I haven't found a satisfactory solution or explanation for that yet.

Is there such a thing as a data broker map?
So, this is probably naive of me, but so far I haven’t really been able to find the answer on the web. Recently I subscribed to a personal info removal company called Incogni, only to find out that they sent a staggering 123 removal requests on my behalf. I never imagined there were that many companies in that business. So far in 20 days, 70 requests have been fulfilled, but 53 are still pending. Which made me wonder… given my personal data seems to be sold, re-sold and re-re-sold without my express consent, or ability to opt out… if I knew I’ve informed my legit service providers, plus those I have legit obligations to (employer, state, etc.)… how easy would it be to obfuscate it on a regular basis, by simply providing a new, creative address, to entities I don’t get mail communication, or deliveries, from? So, has anyone tried to trace the map by which a new address, cell phone number, etc. makes its way through the 123 or so data brokers? What are the ‘input nodes’ to that graph?

Safest way of using WeChat on Android?
I live in Canada. My girlfriend is Chinese (also living in Canada), and while we are able to communicate via SMS, her mobile carrier isn't the best, and so there have often been issues for us with regular texting. She expressed a strong preference to use WeChat, at least as a backup option for when texting fails us. While I have some pretty significant reservations, it's not the hill I want to die on. So my question is: what can be done to use WeChat without compromising my whole phone? I'm okay with it if our conversations aren't private, but I'd like to know that I'm not giving unfettered access to all of my phone's systems and data to the CCP. What can be done to limit the reach of this ubiquitous app on my device?

> Political campaigns tap into the same intrusive adtech tracking systems used to deliver online behavioral ads. We saw a glimpse into how this worked after the Cambridge Analytica scandal, and the system has only grown since then.
>
> In 2020, Open Secrets found political groups paid 37 different data brokers at least $23 million for access to services or data. These data brokers collect information from browser cookies, web beacons, mobile phones, social media platforms, and more.
>
> These political data brokers make a lot of promises to campaigns. TargetSmart claims to have 171 million highly accurate cell phone numbers, and i360 claims to have data on 220 million voters. They also tend to offer specialized campaign categories that go beyond the offerings of consumer-focused data brokers. Check out data broker L2's "National Models & Predictive Analytics" page, which breaks down interests, demographics, and political ideology—including details like "Voter Fraud Belief," and "Ukraine Continue." The New York Times demonstrated a particularly novel approach to these sorts of profiles where a voter analytics firm created a "Covid concern score" by analyzing cell phone location, then ranked people based on travel patterns during the pandemic.
>
> As streaming video services integrate more ad-based subscription tiers, that likely means more political ads this year. One company, AdImpact, projects $1.3 billion in political ad spending on "connected television" ads in 2024.
>
> Political ad spending on Google (mostly through YouTube) is projected to be $552 million, while Facebook is projected at $568 million.
>
> Managing the flow of all this data might feel impossible, but you can take a few [important steps](https://www.eff.org/deeplinks/2024/04/how-political-campaigns-use-your-data-target-you) to minimize what's out there. The chances you'll catch everything is low, but minimizing what is accessible is still a privacy win.

How can you prevent KeePassXC database lockouts?
Inspired by [this post](https://lemmy.ml/post/14688671), I decided to see if I could identify any single points of failure in my own setup. # Prerequisites There are two notable systems that should be mentioned: #### [The 3-2-1 rule](https://en.wikipedia.org/wiki/Backup#Storage) The 3-2-1 rule can aid in the backup process. It states that there should be at least 3 copies of the data, stored on 2 different types of storage media, and one copy should be kept offsite, in a remote location (this can include cloud storage). 2 or more different media should be used to eliminate data loss due to similar reasons (for example, optical discs may tolerate being underwater while LTO tapes may not, and SSDs cannot fail due to head crashes or damaged spindle motors since they do not have any moving parts, unlike hard drives). An offsite copy protects against fire, theft of physical media (such as tapes or discs) and natural disasters like floods and earthquakes. Physically protected hard drives are an alternative to an offsite copy, but they have limitations like only being able to resist fire for a limited period of time, so an offsite copy still remains as the ideal choice. #### [The factors of authentication](https://en.wikipedia.org/wiki/Authentication#Authentication_factors) The ways in which someone may be authenticated fall into three categories, based on what is known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity before being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority. Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. 
The three factors (classes) and some of the elements of each factor are:

1. Knowledge: Something the user knows (e.g., a password, partial password, passphrase, personal identification number (PIN), challenge–response (the user must answer a question or pattern), security question).
2. Ownership: Something the user has (e.g., wrist band, ID card, security token, implanted device, cell phone with a built-in hardware token, software token, or cell phone holding a software token).
3. Inherence: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifiers).

# What KeePassXC offers

[KeePassXC](https://keepassxc.org/) is an open-source cross-platform password manager. It mainly stores password databases locally, but [you can simply store the file on the cloud for cloud sync](https://keepassxc.org/docs/#faq-cloudsync). However, this method is botch-y at best, and adds the additional complexity of storing the credentials for the cloud drive.

The database can be protected with any of the following:

**Password**: This is something the user knows. It can be a password or a passphrase. This can be written down to become something the user has physically, or stored in a file to become something the user has digitally. Storing it in a file is generally not safe due to temporary file leaks.

**Key File**: This is something the user has. This is stored digitally. This file should either be kept on a separate drive, encrypted with something like LUKS or [VeraCrypt](https://veracrypt.fr/en/Home.html), or both. It is possible to convert it to readable text and print it as a physical copy, but reversing the process every time you want to unlock your database would be cumbersome.

**Hardware Key**: This is something the user has. This is stored physically. You can use hardware security keys such as the [YubiKey](https://www.yubico.com/) or [OnlyKey](https://onlykey.io/) for this.

**Quick Unlock**: This is something the user is. [Quick Unlock](https://keepassxc.org/docs/KeePassXC_UserGuide#_quick_unlock) is only available on Windows and macOS as a form of biometric authentication. It is only available for devices that have a built-in biometric scanner, or by using an attachable biometric scanner. There is most likely a way to achieve this on Linux, but the documentation is scarce.

Any combination of these methods can be used to protect a KeePassXC database. At least one must be used. However, if you use multiple methods, all of them must be used to unlock the database (e.g. if you set up a password and a key file as the methods to unlock the database, you can't only use the password or only use the key file to unlock it, you must use both.)

# The problems

Each method has a single point of failure, and the fact that you can't set up multiple methods of authentication but choose one to unlock the database means that the more methods you choose to protect your database with, the likelier it will be that one method fails.

**Password**: This can be forgotten, lost or stolen from a piece of paper (if it's written down), keylogged or [shoulder surfed](https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)), leaked through temporary files or stolen (if it's stored digitally), corrupted or permanently encrypted (if it's stored digitally), have the drive physically lost or stolen (if it's stored digitally), unconsciousness (if you only stored it mentally and needed someone else to unlock it for you), or forced out of you with torture.

**Key File**: This can be leaked through temporary files (if not stored properly), hacked and stolen, corrupted, permanently encrypted (if you are unable to decrypt it), or have the drive physically lost or stolen.

**Hardware Key**: This can be damaged, stolen, or lost.

**Quick Unlock**: This can be spoofed (if not set up properly), damaged, general failure to authenticate, damage to you (e.g. facial damage in a fire), or hacked with [zero-day vulnerabilities](https://en.wikipedia.org/wiki/Zero-day_vulnerability) (since Windows and macOS are proprietary).

If any one of these fails, the database is permanently locked.

# Some solutions

There are some improvements that you can use to mitigate some of the single points of failure. All methods of authentication can be redone if something happens, but you need to unlock the database to do so (e.g. you can change your database password if it gets leaked, but you need to be able to unlock the database first, so it doesn't help if you lose your password).

**Password**: You can store your password using something like a [password card](https://www.passwordcard.org/en). Passphrases are also easier to remember than passwords. Both passwords and passphrases can be safely written down on paper by [enciphering](https://en.wikipedia.org/wiki/Cipher) them first. However, this introduces new complexities and single points of failure if you are unable to decipher the password.

**Key File**: The use of the 3-2-1 rule can help make sure the key file never gets lost, but extra care should be taken to make sure the file never gets stolen.

**Hardware Key**: You can set up multiple hardware security keys in order to make sure if one gets lost you can use the other. One key should be kept with you at all times, and the other should be safely stored somewhere else (such as a safe deposit box).

**Quick Unlock**: I have never used this feature, but assuming it's anything like FaceID, you should set up multiple people (such as trusted friends and loved ones) to be able to unlock with biometrics. This ensures that if something happens to you, someone else can unlock it in an emergency or other reasons you may need someone to unlock it for you.

# Plugins

While I may be wrong, [KeePassXC does not support plugins directly](https://keepassxc.org/docs/#faq-general-plugins). Ideally you should be able to have plugins for things such as proper cloud sync, TOTP database protection, and changing the all-or-nothing nature of unlocking the database. However, since KeePassXC is open source, someone could make a fork of KeePassXC that supports plugins (please, call it KeePlugXC).

# Database syncing

Besides not being able to unlock your database, your database file itself is largely subject to the same single points of failure as a key file. The difference is the database is completely encrypted, and is safe (although not ideal) if it gets leaked. You can store your database in as many places as you'd like, to make sure it never gets corrupted, but the issue is syncing the database as that would be a manual task. The solution presented is the botched cloud storage, but for those who want a local solution, that is not ideal.

# Final notes and questions

KeePassXC is very feature rich, so there are other things that can be used to aid the process of preventing database lockouts; but even so, it's a very difficult task.

How is your KeePassXC database set up? Are there any single points of failure? How have you fixed some of the issues listed here? Is there a perfect or near-perfect system for eliminating lockouts?
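As an added illustration (not from the post above and not KeePassXC's own code), the Python below models why the all-or-nothing unlock happens: every factor feeds one composite key, so a missing factor derives a different key. It then shows the threshold alternative the post wishes for (any 2 of 3 shares recover the key) using Shamir secret sharing; the factor hashing is a simplified assumption, and the sample factors are constructed.

```python
import hashlib
import secrets

# Simplified model of a KeePass-style composite key (assumption: each factor
# is reduced to a SHA-256 digest and the digests are hashed together; the real
# KDBX format adds key-file parsing and a slow KDF that are not modelled here).
def composite_key(*factors: bytes) -> bytes:
    digests = b"".join(hashlib.sha256(f).digest() for f in factors)
    return hashlib.sha256(digests).digest()

# Shamir secret sharing over GF(2^521 - 1); a 256-bit key fits as one element.
P = 2**521 - 1

def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Split a key into `shares` points; any `threshold` of them recover it."""
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        points.append((x, y))
    return points

def recover_secret(points: list) -> bytes:
    """Lagrange interpolation at x = 0; too few points yield an unrelated value."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(max(32, (total.bit_length() + 7) // 8), "big")

def demo() -> bool:
    # Constructed sample factors (not real secrets).
    password = b"correct horse battery staple"
    key_file = bytes(range(64))
    key_response = b"\x5a" * 20  # hypothetical hardware-key challenge response
    key = composite_key(password, key_file, key_response)
    # All-or-nothing: leaving any one factor out derives a different key.
    assert composite_key(password, key_response) != key
    # Threshold alternative: 3 shares (you, a safe deposit box, a trusted
    # friend); any 2 recover the key, so losing one share is survivable.
    shares = split_secret(key, threshold=2, shares=3)
    return recover_secret([shares[0], shares[2]]) == key
```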