Marcus Hutchins :verified: (malwaretech@infosec.exchange), Saturday, 24-Dec-2022 04:51:10 JST:
The reason online password managers use client-side encryption is so that if they’re hacked, the attacker can’t do anything without brute-forcing the master password for every account. Even in the worst case where your master password is cracked, you at least get time to lock down your accounts. If your threat model is based on websites never getting hacked then lol
(Adrian Cochrane repeated this.)
Kazinator (kazinator@mstdn.ca), Saturday, 24-Dec-2022 04:52:00 JST:
A user's password going in plaintext to the remote server of an online password manager has to be unthinkable; it's a nonstarter.
(Under "cleartext", I'm including through HTTPS; I'm referring to the other side getting the plaintext of the password from the request and then manipulating it.)
Password managers should be mostly local. Those that are "online" should just provide cloud distribution of the encrypted blob that holds your passwords, so it's available on multiple devices.
Peter Ellis (almostconverge@kozterulethasznalatienge.day), Saturday, 24-Dec-2022 04:52:13 JST:
@malwaretech it's almost like they've thought it through
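The model the original post and Kazinator's reply describe, written out as an added Python example that is not part of the thread and not any password manager's actual code: the client stretches the master password with a KDF, keeps the vault key locally, and hands the server only a salt, a login verifier and an encrypted blob. Assumptions: PBKDF2-HMAC-SHA256 with a deliberately low demo iteration count stands in for the tuned or memory-hard KDF a real product would use, an HMAC-based encrypt-then-MAC stands in for a real AEAD such as AES-GCM, the vault contents are constructed sample data, and every function name is hypothetical.

```python
import hashlib
import hmac
import json
import os
import time

# Demo parameter (constructed): real clients use far higher iteration counts
# or a memory-hard KDF such as Argon2id. The point is only that every guess at
# the master password has to pay this cost, including after a server breach.
KDF_ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into two independent 32-byte keys.

    vault_key never leaves the client; auth_key is what the client proves
    knowledge of at login, so a dump of the server does not reveal vault_key.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption key and the MAC key from vault_key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as an illustrative PRF keystream; a real
    # manager would use an AEAD (AES-GCM, XChaCha20-Poly1305) instead.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; blob layout is nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on wrong key or tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def client_enroll(master_password: str, entries: dict) -> dict:
    """Everything the server ever stores for this user: salt, verifier, ciphertext.

    Neither the master password nor vault_key appears in this record.
    """
    salt = os.urandom(16)
    vault_key, auth_key = derive_keys(master_password, salt)
    blob = encrypt_vault(vault_key, json.dumps(entries).encode("utf-8"))
    # The server hashes auth_key once more, so the stored verifier is not the
    # value the client presents at login.
    verifier = hashlib.sha256(auth_key).digest()
    return {"salt": salt, "verifier": verifier, "blob": blob}


def try_unlock(record: dict, master_password: str):
    """Open a stored record with a candidate master password.

    This is the only path from the server-side record to plaintext, for the
    legitimate user and for anyone holding a dump alike: one full KDF run per
    candidate, and a wrong candidate yields nothing but a failed verifier.
    """
    vault_key, auth_key = derive_keys(master_password, record["salt"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["verifier"]):
        return None
    return json.loads(decrypt_vault(vault_key, record["blob"]).decode("utf-8"))


def kdf_seconds_per_guess(salt: bytes) -> float:
    """Measure what one candidate costs; multiplied by the size of the search
    space this is the lockdown window a breach victim can count on."""
    start = time.perf_counter()
    derive_keys("timing-probe", salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample vault; nothing here is a real credential.
    record = client_enroll("correct horse battery staple", {"example.com": "hunter2"})
    print("server holds:", {k: v.hex()[:16] + "..." for k, v in record.items()})
    print("wrong guess ->", try_unlock(record, "password123"))
    print("right password ->", try_unlock(record, "correct horse battery staple"))
    print(f"cost per guess: {kdf_seconds_per_guess(record['salt']):.3f}s")
```

The record returned by `client_enroll` is the entire server-side state, which is what makes a breach survivable in the way the original post describes: the dump contains no plaintext and no key, so each candidate master password costs a full KDF run, and the victim's lockdown window is the product of that cost and the attacker's search space. Kazinator's "cloud distribution of the encrypted blob" is the `blob` field; the server needs nothing else to sync the vault between devices.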