Post Ab0ZvB1ReROyfpN8V6 by moritzdietz@mastodon.social
 Post #Aaz7xRVoK1V0WJuKyu by adam@hax0rbana.social
       2023-10-21T05:24:52Z
       
       0 likes, 0 repeats
       
       If someone unlocks their password manager on a machine that was compromised, would their passwords be safe? I'm trying to better understand people's expectations here, not debate the "correct" answer. I'm especially interested in what #infosec people think about this one.
       
 Post #AazAX5Fkl1sBooWH8i by fthy@mastodon.green
       2023-10-21T05:53:40Z
       
       0 likes, 0 repeats
       
       @adam Compromised, however if e.g. securedesktop prevents keyloggers from getting the master-password, the process-memory is isolated and the attacker only was able to grab screenshots, not all keys might be affected. I'm in favor of raising the (security) bar for attackers to get to the passwords of a password-manager even if they have access to a client. The harder it's for them and the louder they have to get, the better. And: Fido2 and MFA help in this case :)
       
 Post #AazBagSSzDaC1ykM64 by mathaetaes@infosec.exchange
       2023-10-21T06:05:35Z
       
       0 likes, 0 repeats
       
       @adam Oversimplified polls like this drive old people like me nuts. The answer, as with most things, is "it depends". However, whether the password was actually compromised or not, I imagine most seasoned folks will treat it as compromised regardless and react accordingly. Once you've lost integrity of a system, no aspect of it can be reliably trusted.
       
 Post #AazLUa2yuOyHx3YRhg by h3lx@infosec.exchange
       2023-10-21T07:56:31Z
       
       0 likes, 0 repeats
       
       @adam As others have said, this very much depends on the access gained by the hacker. If it's simply surface level (remote viewer etc) and your passwords aren't stored in clear text they *should* be safe. If there's a keylogger installed then the hacker now has your master pword and anything stored in the manager should be considered compromised. It would always be safer to assume the worst in situations like this.
       
 Post #AazbkeZFT5Bjs5KjAm by adam@hax0rbana.social
       2023-10-21T10:58:43Z
       
       0 likes, 0 repeats
       
       👆 FIDO2 really does shine here, at least if it's a hardware solution. The pure software implementations fall into the "maybe" category, IMO. MFA is good too as long as it's not also stored in a password manager on the same machine (e.g. TOTP). @fthy
       
 Post #AazwzFMZYeZX5ACirQ by adam@hax0rbana.social
       2023-10-21T14:56:42Z
       
       0 likes, 0 repeats
       
       @h3lx I'll probably post the poll again after this one closes and specify non-root/Administrator access to see if people's expectations change. It seems pretty much everyone who replied has implied that there are some situations where they think the passwords would/should still be safe.
       
 Post #Ab0ZvB1ReROyfpN8V6 by moritzdietz@mastodon.social
       2023-10-21T22:12:50Z
       
       0 likes, 0 repeats
       
       @adam @meejah Water is wet.