
Thread 106387910

68 posts 10 images /g/
Anonymous No.106387910 >>106387925 >>106387934 >>106387954 >>106388460 >>106388556 >>106388564 >>106390573 >>106391289 >>106391747 >>106393108 >>106393510 >>106393943 >>106394843 >>106395626
I'm gonna write password into paper notebooks
Why are password managers such insecure pieces of shit? Look, they found clickjacking vulnerabilities in browser password managers

Time to write passwords in the paper notebook and keep it private. So nobody could see it!
Anonymous No.106387915 >>106387950
>browser password manager
Anonymous No.106387925 >>106388479
>>106387910 (OP)
Wtf is a click-jacking vulnerability?
Anonymous No.106387929 >>106387965 >>106393486
Just use KeePassXC, everything else is retarded. Why do normies insist on using some proprietary browser hijacking extension for their passwords?
Anonymous No.106387934
>>106387910 (OP)
Click-jack a dictionary, you illiterate nigger m
Anonymous No.106387950 >>106387958
>>106387915
fpbp, use keepassxc or write part of the password on a note and the rest in the manager if you're that bad at using them
Anonymous No.106387952
https://github.com/browserpass/browserpass-extension
thoughts?
Anonymous No.106387954
>>106387910 (OP)
I am just smart and nothing bad will ever happen to me
Anonymous No.106387958 >>106387996 >>106393060
>>106387950
Also your 2FA should be on another device and another app, ideally a security key but even TOTP would've been good enough here
Anonymous No.106387965 >>106387995 >>106388087 >>106388448 >>106388569 >>106391151 >>106393501
>>106387929
Because local storing comes with strings attached such as setting up a sync service across devices if you use more than one device.
Anonymous No.106387995 >>106388004 >>106388178
>>106387965
I never got this argument. Having to share a single file with another device shouldn't be too hard. It's not like normies don't use cloud storage anyway.
Anonymous No.106387996 >>106388048
>>106387958
I only ever see websites use TOTP. What well known online service lets me use security keys as 2FA?
Anonymous No.106388004 >>106388016 >>106388048
>>106387995
Isn't that just a cloud password manager with extra steps?
Anonymous No.106388016 >>106388038
>>106388004
It's a cloud, which means it's inherently untrustworthy, but it's storing an encrypted database of your passwords, so it doesn't matter if the cloud gets compromised as nobody will be able to decrypt the database. So you could say it's extra steps, but it's infinitely more security too.
Anonymous No.106388038
>>106388016
Are you implying that let's say, bitwarden, stores unencrypted passwords on their servers?
Anonymous No.106388048
>>106387996
There was one site that listed different services that accept FIDO, I forgot what it's called

>>106388004
Not really, cloud pms normally suck ass and you could just delete the file afterwards
Anonymous No.106388087 >>106388101 >>106388166
>>106387965
Local storing caveat is that your device is internet connected anyway.
You need a separate device just for passwords, and even those can be snooped if you're PWNED.
Saving your passwords to a 3rd party, why?
I do get it, because I found myself having to re-login at times without my password's only laptop, but...
It's not like one can't steal a browser session (on some websites)?
Anonymous No.106388101
>>106388087
snooped out of your internet connected device as you type it*
Anonymous No.106388166 >>106388407 >>106393699
>>106388087
>a browser session
it's not like I visit bitwarde.com just to check my passwords. the extension has a local copy of the passwords that works offline. I'd probably feel safer if their servers simply acted as relay nodes for my devices meaning nothing is permanently stored on their servers but one can't expect normal people to care about all this shit
Anonymous No.106388178 >>106388200 >>106390953
>>106387995
>Have one file shared across two devices
>Scheduled to sync password once everyday
>One Password is deleted on device A at 11:00 AM
>Another account and password added on Device B at 4:00 PM
>Both files are now modified
How do you resolve this sync conflict?
Anonymous No.106388200 >>106388439
>>106388178
Don't sync it in a scheduled manner but every time you make a change. Also adding one account and password shouldn't be too hard.
>What if it's lots of devices
Don't make changes from different devices
>What if it's lots of password/accounts added
Don't add too many at once or check if your program allows you to only add them
>What if...
Versioning
Anonymous No.106388407
>>106388166
Nah the problem is you still have to store the secret to unlock the password.
Then they can get your private key password snooped through keyloggers/spyware.
Thing is it's way safer to have a dedicated password device, but you also cannot expect people to do so.
That's why it's kinda OKAY.
Anonymous No.106388439 >>106388469
>>106388200
>>How do you resolve the conflict
>You can't. [...]
Here, saved you a lot of typing.
The syncing algorithm HAS to be baked into the application, it's not possible to just synchronize files.
Anonymous No.106388448 >>106388758
>>106387965
>literally any free cloud service
>save encrypted keepass file
>sync to phone, open with FOSS keepass apk
if that's too difficult you're ngmi
Anonymous No.106388460
>>106387910 (OP)
>deceptive overlays
>yes saar I am asking for master password saar please enter saar
lol
Anonymous No.106388469
>>106388439
>The syncing algorithm HAS to be baked into the application,
Incorrect, it just needs versioning if you are too dumb to do it on your own
Anonymous No.106388479
>>106387925
When you click on something expecting it to do one thing and it does something else.
It's pretty simple: people log into their database when requested, like cattle. I never do this personally. I use KeePassXC and while it has a browser extension I always manually unlock the db, I don't use the add-in. For browser-only things it should be the same. Never prompt a user to log in to their DB, let them do it themselves.
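The clickjacking definition above (you click what looks like one thing, the page made it do another) is, for extensions, about the page restyling the extension's own injected autofill prompt. This is an added example, not code from the thread or from any password manager: a content-script check that refuses to release a credential when the injected prompt was not genuinely visible and on top at the moment it was clicked. The snapshot field names and the 500 ms minimum display time are my own assumptions.

```javascript
// Added example (not from the thread or any password manager's code): the check an
// extension's content script can run before a click on its own injected autofill
// prompt is allowed to release a credential. The attacking page cannot edit the
// extension's script, but it can style the injected element (opacity: 0, off-screen,
// covered by a decoy), which is exactly what DOM-based extension clickjacking abuses.

// Pure decision logic over a snapshot, so it can be unit-tested outside a browser.
// snapshot = { opacity, visibility, display, pointerEvents, rect:{x,y,width,height},
//              viewport:{width,height}, hitTarget, createdAt, clickedAt }
function shouldHonorClick(s, minVisibleMs = 500) {
  const reasons = [];
  if (s.display === "none" || s.visibility !== "visible") reasons.push("hidden");
  if (Number(s.opacity) < 0.9) reasons.push("transparent");      // ancestors included
  if (s.pointerEvents === "none") reasons.push("no-pointer-events");
  const r = s.rect;
  if (r.width < 24 || r.height < 24) reasons.push("too-small");
  if (r.x + r.width <= 0 || r.y + r.height <= 0 ||
      r.x >= s.viewport.width || r.y >= s.viewport.height) reasons.push("offscreen");
  if (s.hitTarget !== "self") reasons.push("covered");            // something else on top
  if (s.clickedAt - s.createdAt < minVisibleMs) reasons.push("too-fast"); // no time to read it
  return { allow: reasons.length === 0, reasons };
}

// Browser-side helper that builds the snapshot (needs a DOM, so not run by the test).
// Opacity is multiplied up the ancestor chain because any ancestor can hide the child.
function snapshotInjectedUi(el, clickX, clickY, createdAt) {
  let opacity = 1;
  for (let n = el; n; n = n.parentElement) opacity *= Number(getComputedStyle(n).opacity);
  const cs = getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  const top = document.elementFromPoint(clickX, clickY);   // what the click really hit
  return {
    opacity, visibility: cs.visibility, display: cs.display, pointerEvents: cs.pointerEvents,
    rect: { x: rect.x, y: rect.y, width: rect.width, height: rect.height },
    viewport: { width: window.innerWidth, height: window.innerHeight },
    hitTarget: top === el || el.contains(top) ? "self" : "other",
    createdAt, clickedAt: performance.now(),
  };
}
```

This only hardens a prompt that lives inside the page DOM; the stronger design is the one this post argues for, where the unlock and the per-entry confirmation happen in the native app rather than in the page at all.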
Anonymous No.106388556
>>106387910 (OP)
>Clickjacking
Imagine getting pwned by something DNS solved 30 years ago. Lol
Anonymous No.106388564 >>106390463
>>106387910 (OP)
Why is there no KeePass on the list?
Anonymous No.106388569
>>106387965
You don't have Google drive or Dropbox or similar?
Anonymous No.106388758 >>106388970 >>106390586
>>106388448
convince your brother, mother, dad, cousin, coworker, friend, girlfriend or whatever and come back to me. I think you need a reality check for what's easy AND convenient
Anonymous No.106388796
Never got the point of granting a web browser full access to all my pws
Anonymous No.106388970 >>106388993
>>106388758
Who said anything about your family? Take your meds
Anonymous No.106388993 >>106389009
>>106388970
Then read the reply chain before replying you absolute mongrel
Anonymous No.106389009
>>106388993
Is that reply chain in the room with us right now?
Anonymous No.106390463
>>106388564
The list is probably for only the retarded online password managers
Anonymous No.106390505
>keepass2 not affected
Why would I care?
Anonymous No.106390573
>>106387910 (OP)
>one minor issue happens
>we must ditch everything and go back to the stone age
Why are some people here like this?
Anonymous No.106390586
>>106388758
>I think you should walk more often, it's good for your health
>BUT WHAT ABOUT THE PEOPLE WHO DON'T HAVE LEGS HUHH????? THINK ABOUT THEM!!!
Anonymous No.106390953
>>106388178
Pretty sure keepass merges "conflicts" like this just fine
Anonymous No.106391151
>>106387965
>sync service
Syncthing works just fine. Phone is always online, so the rest of the devices always have a server to pull the latest database from.
Obviously I'm not using it solely for KeePass.
Anonymous No.106391289
>>106387910 (OP)
>autofill only activates on domains with passwords saved
How exactly does clickjacking have any effect at all? My password manager doesn't just dump passwords into every website I visit
Unless it relies on "hi user, please manually open your password manager, unlock it and paste the password into this box"
Anonymous No.106391319
Use Excel, the greatest piece of software ever written.
Anonymous No.106391747 >>106391786
>>106387910 (OP)
>techlore
>keepassxc not affected or even mentioned
Why am I surprised. This faggot does nothing but peddle troonware cloud subscription password managers then gets surprised when they get hacked. BTFO
Anonymous No.106391786
>>106391747
(KeePassXC-Browser requires explicit confirmation from the native app before any info is shared with the JS extension, and only shares the entries you select -- troonware password managers share everything with the JS extension with no perm checks)
Anonymous No.106393060 >>106393880
>>106387958
>Also your 2FA should be on another device and another app
still not buying a (((smartphone)))
Anonymous No.106393108 >>106393362
>>106387910 (OP)
Come home white man
Anonymous No.106393125 >>106393362
>nothing about keepassxc
whatever. thanks for wasting my time :/
Anonymous No.106393362 >>106393575 >>106393678 >>106393786 >>106394157
>>106393108
>>106393125
it was vulnerable too https://marektoth.com/blog/dom-based-extension-clickjacking/#test-results
Anonymous No.106393465 >>106393509
You people know that you can self host bitwarden vaults right?
Besides, this exploit won't protect you from KeePass if you input the info in the compromised overlay, no?
Anonymous No.106393486
>LastPass actually fixed it before 1Password
And here I was gonna rotate my company data into 1Password

>>106387929
Corporate password shares, credit cards, etc. Most of the normalfag users want it to work on a phone easily.
Anonymous No.106393501
>>106387965
You can't choose both security and convenience. Pick what's more important to you.
Anonymous No.106393509
>>106393465
If a site is compromised and allows an overlay injection it seems like game over anyways. This is how /b/ got all those myspace passwords back in 07. Kinda wondering how many sites would be vulnerable to injected HTML overlays, since you'd think that sort of basic thing was resolved a long time ago, or it's some modern way of doing it that's more complicated or a wordpress thing or something stupid like that.
Anonymous No.106393510 >>106393532
>>106387910 (OP)
Just use an offline pw manager you spastic, fucking KeePassX even has a browser addon if you're so damn lazy that even copy-pasting your shit when logging in to your cuckold porn account is too fucking much. Wtf is wrong with you retards?
Anonymous No.106393532
>>106393510
It makes it easier when I'm working with my self hosted applications. I think after seeing something like this I'm going back to this policy.
Anonymous No.106393575 >>106393669
>>106393362
No it's not. He checked the "remember" box when prompted, to allow that website to access the entry, or he disabled the permission prompt entirely. Because by default KeePassXC will pop up a native dialog from the app to grant the browser permission to access the record at all every time.
Also the demo site doesn't work on my machine but might be because of Firefox or one of my internet condom extensions is blocking it. It just quickly toggles between username and password field and doesn't autofill.
Anonymous No.106393669 >>106394157
>>106393575
Anonymous No.106393678
>>106393362
>use auto-type
>never be vulnerable to clickjacking
Anonymous No.106393699
>>106388166
Just host it yourself, accessible only through your also self hosted VPN if you're schizo

My bitwarden runs at home on a rpi, accessible only through my self hosted vpn
Anonymous No.106393770
all they have to do to fix passwords is using biometrics for everything. every website gets a private salt added to your bio uuid and bam now you get safe passwords everywhere
Anonymous No.106393786 >>106394034 >>106394157
>>106393362
>keepassxc was vulnerable too
Fuck. This is bad:
https://websecurity.dev/video/keepassxc.mp4
Anonymous No.106393880
>>106393060
Ok, get a security key then
Anonymous No.106393943
>>106387910 (OP)
I use an old pocket computer to organize and store my passwords.
Anonymous No.106394034
>>106393786
So the vuln is that website x can get the uname and password for website x? I assumed that was possible already.
>credit cards
you are an absolute retard if you store this in your browser, let alone some rinky dink extension.
Anonymous No.106394157
>>106393362
>>106393786 (Me)
>>106393669
You can prevent your shit being stolen from the keepassxc browser extension by going to the browser tab in database reports, then selecting the entries, and then removing all plug-in data.
Anonymous No.106394202
I always check the extension if a login prompt comes up because why wouldn't I? Who just enters passwords into prompts without double checking?
Anonymous No.106394843
>>106387910 (OP)
>clickjacking
Wow, are they also vulnerable to me calling you up on the phone, introducing myself as an employee of the Federal Password Census and asking you to spell out your password to me? Jesus.
Anonymous No.106395626
>>106387910 (OP)
Why would anyone use a BROWSER password manager?