I am becoming increasingly paranoid about the applications I use - LastPass is a big part of my daily workflow and I really enjoy it. However after noticing () that LastPass' vault is easily broken into when open, even with strict reprompt settings, I'm starting to trust their security model less and less. I opened a support ticket about the obvious password breach detailed above, and they say it's an inevitable consequence of Chrome's broken security model in extensions. Well, if that model is broken, I don't want to use it. I find it misleading that LastPass even offers a reprompt option, since it is so easy to retrieve passwords from the application when it is logged in, even if a reprompt is required. Sure, it would slow down unsophisticated attackers, but you don't need to be that sophisticated to change the type of an input. I have been trying to use it with very fast autologout policies but it very annoyingly asks for a password twice (once to login, once as a reprompt) as well as the Yubikey for every single site. I've been looking at 1Password but I was turned off by their lack of meaningful 2FA support (Yubikey), and their exposure of data if used in any sort of convenient fashion (I would like access from my phone, which is part of the reason I want Yubikey support). What do you use and what do you like/dislike about it?

I'm actually going through and setting up KeePass with two factor auth (just using Google's Authenticator app for now, maybe a yubikey in the future) right now and have a similar question. After looking into KeePass and kicking the tires a bit I really, really wish someone would step in and make a nice cross platform version to simplify setting up a password store with two factor auth and other best practices (long pass phrases, etc.). Right now from what I see it's a horrible mish-mash of different apps on different platforms written by different people with an unknown level of support for each of them. Frankly I don't even know if most of the KeePass apps are compatible with each other, and that kind of scares me. Setting up two factor access to KeePass is also pretty obtuse and requires tracking down blog posts and such to figure it out. I don't mean to denigrate any of the contributions or work people have done in this space (in fact I am incredibly thankful), but it does feel like some leadership to put all these pieces together is badly needed. I would absolutely love and be more than happy to spend some money on a polished app that's cross platform and is 'batteries included' so you can set up two factor auth & use devices like yubikeys without any extra screwing around. Bonus points if it doesn't require Mono too.

> Bruce Schneier still recommends using copy and paste to transfer passwords from a password manager to the browser

That's just a justification for his password manager which has no other way to transfer passwords. A stream of typed keys with no context is utterly useless. Keyloggers don't literally "log keys." Particularly when the goal is automated data theft (rather than a dedicated attacker targeting you personally). Most keyloggers are embedded somewhere on the HTTP stack (e.g. browser extensions/plugins, Win32 message hooking (e.g. steal the password from a specifically named element when that element is destroyed), TCP driver, etc).