by phyller 2680 days ago
Consider this. I am in a coffee shop. Someone walks by and grabs my machine. This is a huge annoyance: I need to replace and set up a new machine. Versus, with my password manager getting hacked, my life is basically over, because as far as anyone is concerned the thief is more me than I am. Depending on who took it, I might as well move to the forest and live in a mud hut because I am never going to be able to clean this up.

This actually happened to someone at my company. But their passwords weren't compromised. If they were, I can't even imagine; the guys who took the machine were really trying to do whatever they could to ruin him and the company.


Hold on, are laptop thieves skilled in cracking encrypted password managers? Even if they are I think you'd have time to rotate passwords.
> my life is basically over

You make it sound like there's no mitigation at all for a password being compromised which isn't the case in practice.

The problem is 200 passwords being compromised, including my emails, which are used to reset everything else. I can't fix it faster than the thief can wreck my digital life, and everything is digital now. I couldn't even start until I somehow convinced my email provider of who I am and got them to change the password for me.

If this ever happens, best plan would probably be to change your email password immediately, banks next, and freeze your credit as soon as possible.

A better, simpler-sounding plan is to enable better 2FA on your critical accounts. Doesn't this mostly fix your catastrophic scenario?
Oftentimes 2fa backup codes are also stored in the password manager.
Or the password recovery for lost 2fa is secret questions (this is so awful, but I see it often). And chances are those secret questions/answers might also be in the vault.
Does anyone have a good solution to these issues for non-technical users? 1password etc. + 2fa is great for even not super technical people.

But if it's ever breached I have no idea how you would get clear.

Sure, but that's roughly equivalent to disabling or not having 2fa. You can still avoid the catastrophic scenario by not doing that.