undefined | Better HN

0 pointsstaticassertion2mo ago0 comments

> My password manager, as is standard for most of them, will not fill or show a password if the URL bring visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

I agree.

> Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

Can you be more specific about the attack that your password manager doesn't solve that your TOTP does? The attack I'm suggesting is already solved by your password manager.

0 comments

2 comments · 1 top-level

erikerikson2mo ago· 1 in thread

I've believe I've already written that but it is that my password manager gets compromised. It is not perfectly secure and has failure points. Given that it is separate from the second factor a successful attack against the password manager still leaves an attacker unable to login without a separate compromise of my TOTP code. Of course that can also be compromised but two compromises is strictly more difficult than one.

staticassertionOP2mo ago

Right, so it's "password manager is compromised" or "password is reused", right? I'm pretty skeptical of these mattering relative to phishing, which is radically more common.

j / k navigate · click thread line to collapse