![]() Just to mention this, because I don’t think that it really has been in this thread. In such cases, the risk is not whether the vault is in the cloud the vault can not be cracked (without a quantum computer), All that’s needed is a website login page that looks legitimate and this human will reveal the sought-after website password (even without a wrench ). If the password to the vault is good and the cryptography is implemented correctly, then the human who knows the vault password is the weak link. The site not only has to look like the legitimate site, but it also has to have to correct certificates.Īnd that’s why, in the article I cited, Twillio, which used OTP, was breached in August 2022 but Cloudflare, which used U2F, wasn’t. This makes it difficult for a hacker to do a MITM attack. It makes sure doesn’t allow our fake website to get codes for. The browser checks the certificates of the website, before it asks the security key to generate any codes. This is going to be taken care of by the YubiKey and the browser working together. We relieve the human the burden of identifying between fake and real sites. If the human is the biggest vulnerability in a phishing attack, then we should just remove the human in the process. If such an attack involves a MITM, then U2F may thwart the attack and thus help secure your password to a website that does not support U2F.įor details, please see this article that I cited and scroll down to “U2F and Security Keys,” which begins with: (Please note that I said “may”-as in “under some circumstances”-and not “will.”)ĭid you read either of the articles that I linked to? Here’s the TL DR synopsis.Įven if your Enpass password can’t be cracked, the passwords (to websites that do not support U2F) in your vault are still vulnerable to phishing attacks on YOU, the person who knows the Enpass password. Nevertheless, U2F may still help prevent unauthorized logins to your account on sites that do not support U2F. (That’s why I prefaced the remark you quoted with the word “Ideally,” which you did not include in your quote.) ![]() Yes, you are correct U2F hardware keys can’t be used to log into sites that don’t support them. How would a hardware key work with web sites that don’t apparently support them … Should have a FIDO2 compliant (U2F) hardware key standing between your passwords and the world, AFAIK Local storage, multiple vaults, multiple clouds supported, full vault encryption, browser plug-ins, mobile app, cross platform, speedy, templates, tags, notes, local backups, no back door, strong security, WiFi-sync, backwards compatibility for several years of OS versions, etc. I’m still new to it, but Enpass.io is looking pretty good so far. Moving forward, I’m very interested to hear everyone’s experiences with the other available password managers that still include a full feature set as 1P v6 & 7 did. So sad, as 1P has been one of my very favorite & most used softwares. … until v8 when they removed important features, required all passwords to be stored in their cloud, making it impossible for security professionals and similarly minded folks to continue using it. In the past I have recommended 1P to thousands of people. LastPass current supports OTP but neither U2F nor the newer WebAuthn, which underpins macOS 13 Ventura’s Passkeys.Īs a very long time 1Password user & advocate, from v2 or maybe even v1, and PasswordWallet before that - I’ve seen PasswordManagers grow to better fit the use cases.ġPassword has been almost perfect. I feel like a features analysis is not enough I need to check for security issues as well.Ĭan you recommend a trustworthy source for security reviews of password managers?Īpparently, one of the security features to look for is FIDO’s Universal 2nd Factor (U2F)Īs opposed to One-Time Password (OTP) in order to prevent the user mistakenly typing a OTP into a phishing site thereby facilitating a Man-In-The-Middle (MITM) attack. My master password is strong but that’s not sufficient because of security implementation issues, some of which security experts have known about since at least 2015. My problem with LastPass is not features it’s security, which as you pointed out most TidBITS users (including me) can not evaluate for themselves. I can make a list of features that are important to me and LastPass has them. … each user needs to do their own analysis of which features are important to them, then see which have those features and the choices get narrowed down pretty quick.Īre not encryption or security experts…so users need to pick their poison based on features they require…and then make sure the master password for their vault is good enough…
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |