Some older, inactive Mastodon accounts are being turned into spam accounts.

Every account I've checked has been in the database, i.e. the spammers are using breaches from other websites and randomly trying e-mail/password combinations to get access to those accounts, insert spam links in the bio and start following people.

An exceptionally simple defence against this happening to you is using two-factor authentication. Check your account settings to see how to enable it.

On a more fundamental level, you should not be using the same password on different websites, and use a password manager like KeePass to generate and keep track of the passwords.

@Gargron The problem is keeping track of enviorments. Is keepass for Windows(Edge), Google(Chrome), Apple(Safari)? for Computers, Tablets, phones? Or do we have to choose alternative password managers for each? At the end of the day, having the same password for the accounts I use the most is just quick and simple.

@DrunkenWolf keepass has a desktop application for windows, and a phone app for apple called minikeepass, however, as far as I know, there is no android phone app, and you will have to manually transfer the password database

@keearis I figured as much. Wish it was as simple as one universal thing called keepass that you can apply to any device you're using. But that's just not reality.

@DrunkenWolf I think that’s what keepass is trying to do, but hasn’t quite achieved if you want to read more about it here’s the site

@DrunkenWolf @keearis
- KeePassXC (Win, Mac, Linux)
- KeePassDX (Android)
- KeePass Touch (iOS)

keep your database synced with something like dropbox or syncthing

nonfree but more convenient alternative: enpass ($10/life to use more than 20 passwords on mobile, but otherwise unlimited, works on basically every platform and includes browser extensions, also includes one-time passcode generation for 2FA, autofill with a click)

That is no excuse. Some form of Keepass is available for virtually any platform

@frainz @Gargron I can use password managers in general but my issue is lets say I have an iphone. I let Keychain generate my passwords and save them. But then I go home and I just happen to have a windows laptop. Now what? I use my iphone like if it was a computer, so everything is in Keychains. Do i really have to manually passover all usernames and passwords from iphone to whatever password manager Windows uses? Laziness will be my downfall.

Many people use nextcloud to sync their databases. Or if you're really lazy, you can use something like bitwarden with built-in sync

@frainz Hmmm... I'll look into that. nextcloud is easy to remember... bitwarden not so much lol.

@DrunkenWolf @frainz I recently switched from LastPass to Bitwarden. It's great. Yes, maybe lazier than syncing your database file yourself, but it's great. And I legit have over 600 saved accounts, and every one has a different password.

@DrunkenWolf @Gargron There are versions of KeePass for Windows, Linux, Android, iPhone, macOS, and plugins for all major browsers, including Firefox, Chrome and Safari. You just need to sync your database between all your devices. More info: There are also online password managers, and some of them are open source and can be self-hosted, like Bitwarden ( ). Really, there is no real excuse to using the same password!

@berberjs @Gargron Ok, Ok you win. There really is no excuse... I lied. I'll just keep blaming it on the liquor :)

@DrunkenWolf @Gargron The nice thing about Keepass and KeepassXC is that they make use of a common storage format that's supported by a great bunch of apps.
So there are apps for nearly all plattforms that can read your password database. And the desktop program *can* be integrated but doesn't have to, as it also works well without that due to so-called "AutoType".

@schmittlauch I was thinking more along the lines of having a password manager generate passwords for the user and saving them I believe Keychains for the macbook does this. But then thats only within apple products. To be honest I haven't used it to see what happens if I tried to sign in to the same accounts on Edge or Chrome.

@schmittlauch I guess the best thing for me right now is just to stick to one environment and apply that to all my devices. So if its apple then its macbook, iphone, ipad, imac etc.. and save myself the headache.

@DrunkenWolf If that wasn't clear: The same works with the Keepass ecosystem. You generate passwords and store them into an encrypted file.
This file can be read by various programs and apps for your desktop or mobile. You just have to sync the file between devices, e.g. via Nextcloud, Dropbox or other services.

@DrunkenWolf so while you may have different apps for different environments, they all can use the same password data.
And the different apps can specialise better for each environment than a single cross-platform app could do.

@DrunkenWolf @Gargron is a fork of Keepass that is available on Mac, Windows and Linux and is sync-able with and other services.

It is connectable to most browsers, is actively maintained and is a quality build.

@DrunkenWolf you can use the same password with variations. For example mypassword-forgoogle, mypassword-formastodon, mypassword-forapple, ... Then you only need to remember your single password and your scheme.
(In this case, [password] `dash` for[website])

@DrunkenWolf @Gargron LastPass works for Linux, MacOS, Windows, iOS, and Android! As a mostly Linux user, I always look for things that are fully cross-platform.

@dheadshot KeePass is a program that stores passwords in an encrypted file on your machine behind a master password (the only password you need to remember henceforth)

I prefer EnPass. It supports sync between multiple platforms and browsers, and the encrypted wallet file can be stored on my own cloud.

@Gargron I prefer Bitwarden. It's FOSS and works on every modern browser, as well as Android and iOS.

@popekingjoe I’ve been using 1Password to manage my family’s passwords, but since I’m trying to move to self-hosted services Bitwarden makes more sense! Thanks for the suggestion!

@ahyoussef no problem! I switched to it from LastPass months ago and I love it. Works everywhere I use it better than LastPass did and doesn't nag you about its premium tier.

@popekingjoe @Gargron I totally agree here - Bitwarden is a much better option for most people, especially less technical folks. The free tier they offer on their own hosted product is super generous in comparison to others, too, more than enough for most uses.

@Gargron talking of which, is there any chance to get Webauthn support into Mastodon? I saw the issue in Github but it seems to be stalled.

@Gargron I would if I could use SMS for it, I don't have any time for any modern smartphones, so can't run those authenticator apps.

@ZoeyGlobe SMS is bad for two-factor authentication, because it can be spoofed. That's how Jack Dorsey's (Twitter CEO) account was compromised.

@ZoeyGlobe @Gargron Well if you had SMS two factor, you'd have a false sense of security which is a dangerous thing to have. Feeling like you're secure without being secure. But I get what you mean. And it might seem better to have X than nothing at all, but having X can make you too comfortable with X and then you'd have the trouble of convincing people to move from X out of their comfort zone etc. Better just do it right from the beginning, is what I mean.

@Gargron I was wondering, because all accounts contained genuine content and profile metadata. I might announce such measurements as well to my users.

@Gargron could you imagine in future versions of Mastodon the ability to require end users to have two factor on?

@Gargron - well there not only weak user passwords out there, but very old and apparently unmaintained and insecure instances. According to my federations statistics like 25% are running a Mastodon version <=2.8.0

@Gargron have you seen what basecamp did earlier this year about a similar issue? Maybe the main instance could do something like it idk

@gargron Make 2FA Auth a requirement after signup?

only instance admin able to disable this setting in general / for single people who don't have a phone etc.

@Gargron Or not use the same password that you used on MySpace after it was breached.

@carey @Gargron Huh, neat. But in all seriousness, people should use a non commercial password manager. It seriously saves so much trouble.

@Gargron is that why I suddenly gained a bunch of followers a couple nights ago?

@Gargron Another way to reduce spam accounts is to make mastodon users less incentivized to create more than one accounts.

Some people, including me, join an instance because it specializes around a topic (Art, games, socializing, computers) but people have more than one interest. So we create an account per instance that strikes our hobbies.

Reddit has subredits, this solves needing multiple usernames for subscribing to different topics. We need something like that...

@Gargron ....The more accounts someone has, the more likely those accounts can be abandoned because the users interests have changed.

This need for multiple accounts also creates stress for the users, now they have to perform their character more than once, keep up with different paswords and splitting their "self".

A simple way to create subreddit-like communities is to make the /public timeline of an instance searchable like hashtags...

@Gargron you can create an account on, search for on the mastodon app and see the public timeline of, now you can interact with linuxy people and feel part of their community, despite being from another instance.

Just like an American teen can find a connection with an European band or artist. I may be a citizen of but I can relate and interact with people from another server....

@Gargron ...Some people on the GitHub issues think this features is not needed since anyone can go to any instance on a logged out web browser and add /public to the URL to preview a foreign community. But the problem is not if we can preview an instance or not, the problem is users are incentiveized not to bond with people outside of your followers and local instance.

This is not a matter of ease of use alone, it's about creating inclusive communities. We need to open up!

@Gargron Would be good to be able to close unused Mastodon accounts. Last I checked this wasn’t possible?

@Gargron To be fair, almost everyone is in HIBP at this point.

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!