toreway.blogg.se

Kypass ios keyfile






I guess someone could video you typing your password in and get it that way, but what on earth are you doing typing in your password if someone is videoing you! Personally I do not keep passwords on my phone except for brief periods if I need access while traveling.

As I stated previously you should NEVER type your password in front of others, and it should be long enough and complex enough that it cannot be remembered if someone did see it. It is hard to get a good number for how vulnerable they are but I have read a research paper (not some internet webpage of unknown source) which was showing figures of 90% of bank crime is now via hacked phones.


So malware can access anything which is not separately encrypted (like a locked password vault).

Both Android and iOS are not secure. If you are logged in to your computer, then by necessity you can read / write to the drive. I use a password much longer than your examples, and typing it is very quick, simply due to practice. A complex password takes no more time to type than a simple one, and in fact because you type it often it is easy to remember a complex password.


You assume people will use a short simple password just because they have to type it a lot. Regardless of what manager you use you need a long complex password. However, let's stop the flow of incorrect information: There is no point using a password manager you do not feel comfortable with. If you feel more comfortable with having the secret key then go with 1Password. At that point the only thing protecting your passwords from whoever possesses your password “file” will be your master password. At some point Bitwarden will be hacked (just like any other password manager service). The combination of the above two mean that your secret key will be many times more secure than just a password that you type frequently and in front of others.

Finally, 2FA doesn’t add any security at all over a compromised server-side. On ChromeOS there shouldn’t be a way to get access to the raw files unless there’s an unpatched vulnerability. On Android and iOS this should be very secure. AFAIK Chrome encrypts the local storage and the encryption is based on the OS. This makes it much simpler to brute force because the password that you type frequently won’t be “6Gs&XIaC/ but something like the point of “malware will always be able to get your local stored key”, that isn’t necessarily true and it depends on your OS and browser. The reason that the secret key is important is that a password that you have to type frequently is more of a pin than a password. In summary, use 2FA, and have a long complex password.

FWIW, I picked 1Password over Bitwarden because of the lack of the secret key. A high percentage will lose the key file. Most people are bad with backups, really bad. You have to wait until you get back to another one of your devices. You can’t access your passwords on a new phone or a friend’s laptop to log out the old phone / disable accounts etc. Example: you are traveling away from home and your phone is stolen. You cannot access your passwords from a new machine.
Even if they get the password remember they have to get onto your device to use it as 2FA will stop them downloading it to their machine. Besides, you shouldn’t be typing in an important thing like a master password if someone can see you. If you have a decently complex password they will not remember it anyway. Basically if you have malware on your machine it is “game over” as they can access almost anything. So once they know you are using a key file it is trivial to transfer that, though it is more likely that they will just grab the unencrypted passwords from memory. They also capture the clipboard, screen capture and allow file transfer both ways. Modern “keyloggers” do not just log keystrokes. “Keyloggers” (or other malware on your machine): A much more likely attack vector. As I mentioned above the key file will provide some protection for those who are using weak / reused master passwords, for everyone else they are not getting into your vault. Hacking BW servers: If you have a long complex password it is going to take centuries to brute force the vault. Let’s look at some of the attack vectors and concerns from above. For web-based password managers like BW, 2FA is the way to go. The only benefit you get is if you use a weak master password, then it reduces the chance of someone breaking into your vault with a “stolen passwords” list. This is where 1Password came from (before they brought in syncing through their servers) but rather than remove this largely ineffective functionality they decided to market it as a security enhancement, and it looks like it worked. The key file is a way of adding a function like 2FA to a web sync “offline” password manager. I am amazed how many people have been convinced of the need for a key file by 1Password marketing.






