by eschatology
714 days ago
> If your network is compromised, I can read your password but not TOTP. If I hacked a website you're registered to and you had reused your password, I got your password but not TOTP. If I broke through your computer and password manager, then yes, it's all over, but this is not the only threat model and frankly the least I am worried about.

What part of my network? The password is being encrypted in my browser, sent over an encrypted and authenticated connection, and decrypted by the service I’m logging in to.
The only real place to compromise here is before the “browser sends this to SSL library” part in which case you’re already on my local machine and you can just grab everything in my password manager when I unlock it.
> if I hacked a website you’re registered to and you had reused your password I got your password but not totp
If you’re not using a password manager and a different password for each service, then yes, using TOTP provides a large security benefit.
If you’re using a password manager it is probably specifically to avoid password re-use, so this doesn’t apply in most cases.
> if I broke through your computer and password manager then yes it’s all over, but this is not the only threat model and frankly the least i am worried about
If you’re on my computer, yeah, you’ve got both, and the TOTP does nothing.
So there’s no scenario here where “password manager for passwords + TOTP” is decreasing my risks in any meaningful way.