#passwordmanager

Can anyone recommend a good password manager? I've been using 'keeper', mainly because I drunk-clicked the two-year subscription a while back... That's coming to an end in a few months and they inform me they are hiking up the price to include a testicle. I'm looking at Bitwarden and liking what I've seen so far, but it pays to ask around.

📢 Final Call for Votes!

Today is the last day to vote in the 20i FOSS Awards, and passbolt is in the running for Best Open Source Password Manager!

Your vote can help us win this year. Vote here 👉 20i.com/foss-awards/category/p

Thank you for your continued support and contribution. ♥️


@smartphone : if the device you use to login to a server is compromised, it is game over anyway - regardless where the OTP comes from.

How it works: to prevent that you have to log in again for each transaction with the website, immediately after logging in, the website sends a 1FA session cookie (or "JWT") to your browser. Your browser will include that cookie in any request or instruction sent to the server, so that the server "knows" that it's you - who has already logged in.

So such a 1FA session cookie replaces your MFA login credentials!

Note that there are hardly any websites that bind (bind server side) session cookies to the client's IP-address. As a result, if an attacker with backdoor access to your device copies (or steals) a 1FA session cookie from your compromised device, they can use that cookie (from any client IP-address) to access your account. That is, without having to log in, i.e. without having to enter your password, nor any 2FA (T)OTP code.

Furthermore, most people are not aware that a TOTP app is a STUPID password manager: shared secrets (stored on both the server and client) need to be backed up in a secure manner (which is not typical) while such apps do not detect fake AitM (Attacker in the Middle) websites: they're not phishing resistant.

Therefore:
1️⃣ Make sure your client device and browser never get compromised (that would mean "game over").

2️⃣ Use a password manager that only reveals the correct credentials if the website name (aka domain name) matches the one stored in the password database. On Android and iOS/iPadOS, "Autofill" helps do just that - without requiring a browser add-on. Note: do NOT manually search the password manager database if there is "no hit" because of an unrecognized domain name, i.e.
mailchimp-sso dot com
is NOT
mailchimp dot com
(see troyhunt.com/a-sneaky-phish-ju).

3️⃣ Use a strong (long, unpredictable, not re-used but memorable) master password for your password manager and prevent "forgot it" lock-out (you may want to write it down on paper somewhere and/or share it with someone you trust).

4️⃣ Make sure you back up the password manager's database after each change, preferably in multiple locations, at least one offline. Including TOTP data in the password manager database *does* increase the risk of compromising all at once, but making sure you have access to secure backups reduces the risk of account lock-out. It's always about balancing risks.

5️⃣ Slightly unrelated: use a browser that supports "https only" and enable it. Said "https only" is a misnomer: it means "warn if http is used because https is not possible".
NOTE: never share any confidential info with, or trust content from, a website via a non-https connection. Also note that https (including the required certificate) does NOT AT ALL warrant a trustworthy website. In fact https only guarantees a secure connection (E2EE) between your browser and the website whose "name" (domain name) is shown in your browser's address bar. Unfortunately, in case of "Men in the Middle" proxies like CloudFlare, the shown domain name may NOT point to the actual webserver (in such a case, Cloudflare knows your password as well).

@rodsilva @eff
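The domain-matching rule from point 2️⃣ above, as an added example that is not code from the post or from any password manager: a saved credential is offered only when the page host equals the saved host or is a proper subdomain of it, matched at a dot boundary rather than as a substring, so a look-alike such as mailchimp-sso.com gets "no hit" for an entry saved for mailchimp.com. It assumes each vault entry stores the full URL it was saved for and that autofill is refused over plain http.

```javascript
// Added example, not code from the post or from any password manager:
// decide whether a saved credential may be autofilled on the page shown
// in the address bar. Matching is done on the host name at a dot boundary,
// never as a substring, so "mailchimp-sso.com" does not match an entry
// saved for "mailchimp.com" while "login.mailchimp.com" does.
// Assumptions: each vault entry stores the full URL it was saved for, and
// autofill is only offered over https (no credentials on plain http).

function hostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:") return null; // refuse http, file:, etc.
    return u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  } catch (e) {
    return null; // unparsable input never matches anything
  }
}

// True when pageHost is the stored host itself or a proper subdomain of it.
function hostMatches(storedHost, pageHost) {
  if (!storedHost || !pageHost) return false;
  return pageHost === storedHost || pageHost.endsWith("." + storedHost);
}

// Return the vault entries whose saved site matches the current page URL.
function credentialsFor(vault, pageUrl) {
  const pageHost = hostOf(pageUrl);
  return vault.filter((entry) => hostMatches(hostOf(entry.url), pageHost));
}

// Constructed sample vault for the demonstration.
const sampleVault = [
  { url: "https://mailchimp.com/login", user: "alice" },
  { url: "https://example.org/", user: "bob" },
];

// Run the three cases the post is about: subdomain, look-alike, plain http.
function demo() {
  const pages = [
    "https://login.mailchimp.com/", // subdomain of a saved site: match
    "https://mailchimp-sso.com/",   // look-alike phishing domain: no match
    "http://mailchimp.com/",        // right host, plain http: no match
  ];
  return pages.map((p) => [p, credentialsFor(sampleVault, p).map((e) => e.user)]);
}
```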

Fedi, I have another tech question, this time about password security.

Let's say someone steals my laptop. I have my encrypted Keepass vault on my computer. How many bits of entropy does my keepass password need to prevent an attacker from being able to unlock my vault?

When I type my password into Gnome Secrets to unlock it, there is a 1-2 second delay between when I type the password and when it unlocks. I am guessing this is due to the hash slowing it down? Can an attacker bypass this?

#Security #PasswordManager #Keepass #GnomeSecrets

Passbolt is heading to TechEx 2025!

The team will be at RAI, Amsterdam from 24 - 25 September, 2025. Join us for a live product demo and fun conversations about open source password managers, cybersecurity or really anything.

If you're attending, stop by at Stand 261 and you could walk away with some cool freebies. 🎁

#vulnerability #clickjacking #passwordmanager

Researcher Marek Toth discovered (marektoth.com/blog/dom-based-e) that the browser extensions of 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, RoboForm and Apple iCloud Passwords are vulnerable to clickjacking attacks that can lead to the theft of confidential data.

These extensions are quite popular: their combined number of active installations is around 40 million, according to the official extension repositories for Chrome, Edge and Firefox.

Some vendors have already fixed the vulnerabilities, but for Bitwarden 2025.7.0, 1Password 8.11.4.27, iCloud Passwords 3.1.25, Enpass 6.11.6, LastPass 4.146.3 and LogMeOnce 7.12.4 no fixes have been released yet, even though the vendors were notified of the problems back in April 2025.

Toth presented the results of his work at the DEF CON conference and also published a report on his blog.

marektoth.com/blog/dom-based-e


🚨 New vulnerability alert! 🛡️ Researcher Marek Toth reveals that browser extensions of popular password managers can be exploited via DOM-based clickjacking to steal your access data. Several managers have patched it, but update yours now & follow best practices for protection! 🔐🖥️ #CyberSecurity #PasswordManager #DataTheft heise.de/en/news/Password-mana
#newz


⚠️ Major password manager extensions—1Password, Bitwarden, LastPass, Enpass, iCloud Passwords & LogMeOnce—are vulnerable to clickjacking attacks that risk exposing login credentials & sensitive data. 🔐🕵️‍♂️

Bitwarden patched the flaw ✅; others lag behind. Users should update extensions & disable autofill until fixes are available. 🛡️🔄

@1password
@bitwarden

techspot.com/news/109149-lastp