Exported LastPass (which I started using for work, then mixed in personal stuff) and 1Password (since I moved to Mac for my personal stuff, but still used LastPass since work didn't allow me to install the 1Password client) to. Didn't realize I had accounts I never used, so I went and deleted accounts on whatever company websites. I was even using the Chrome, Safari and Firefox built-in password savers. Then I went through each site and changed email addresses (to have a majority of my sites on a common email) and updated passwords that were the same on quite a few accounts. Then imported everything clean into Bitwarden. I even made use of the Authy app I've had and turned on 2FA on several sites. Now I don't bounce between 2 managers and browsers anymore. I got everything in one spot and it feels pretty good. Went ahead and paid $10 for the service and started using the file storage feature.

This stack exchange answer I think is helpful:

> I don't think it's as bad an idea as you assume. Think about what threats you're trying to guard against by using TOTP, and think about what attack scenarios are made easier (or not) by storing the TOTP seed in your password safe.
>
> With the seed in your password database, TOTP will still guard against:
>
> * Phishing/social engineering of you, the user.
> * Network captures on open WiFi networks, etc.
> * Keyloggers on untrusted computers (on which I assume you will not actually run your password manager, but rather read a password off a trusted device and type it in manually).
> * Password breaches of the website where you hold your account.
>
> Things which are NOT guarded against include:
>
> * Social engineering of customer service/tech support of the website owner.
> * A stolen password database and master password.
>
> The first case cannot be helped regardless of where your TOTP seed is stored. The second case deserves some additional consideration. Specifically, how can your database and master password be breached? Either:
>
> * The attacker obtains a copy of your database from cloud storage, or a discarded backup, and cracks your master password. A strong master password (80+ bits of entropy) and a secure implementation of a KDF on the part of the password manager developers should completely prevent this attack.
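The quoted answer's claim that 80+ bits of master-password entropy plus a slow KDF makes the stolen-vault case infeasible can be put in numbers. The following is an added example, not code from the blog or from the Stack Exchange answer; the diceware list size, the PBKDF2 iteration count and the per-guess KDF cost are assumptions.

```python
"""Added example: how much offline cracking work a stolen vault copy forces
on the attacker, given the master password's entropy and the KDF cost."""
import hashlib
import math

DICEWARE_WORDS = 7776              # assumed: standard diceware list size
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly from list_size."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_WORDS) -> int:
    """Smallest word count whose entropy reaches target_bits (e.g. the answer's 80)."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_years(entropy_bits: float, kdf_seconds_per_guess: float,
                         parallel_guessers: int = 1) -> float:
    """Expected wall-clock years for an offline attacker who holds a vault copy.
    On average half the keyspace is searched; every guess costs one KDF run."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * kdf_seconds_per_guess / parallel_guessers / SECONDS_PER_YEAR


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 vault key: the slow KDF the answer relies on.
    The iteration count is an assumption chosen to make each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    # Constructed scenario: 0.1 s per guess on the attacker's hardware, 10^6 parallel guessers.
    kdf_cost, guessers = 0.1, 1_000_000
    for words in (3, 5, words_needed(80)):
        bits = passphrase_entropy_bits(words)
        years = expected_crack_years(bits, kdf_cost, guessers)
        print(f"{words} words = {bits:5.1f} bits -> ~{years:.3g} years to crack")
    salt = b"\x00" * 16                # constructed; real vaults use a random per-user salt
    print("vault key:", derive_vault_key("correct horse battery staple", salt).hex())
```

Raising the KDF cost only multiplies the attacker's work linearly, whereas each extra bit of entropy doubles it; that is why the answer puts the entropy requirement first.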