I use KeepassXC over the original only because of integrated TOTP. I think there are TOTP plugins but I don't know which one to use. I guess there's always WinAuth but that's an archived project. I just hate using my phone for 2FA.
This isn't 2FA then.
No matter if you use a plugin for KeePass or a 2FA program/ app for PC (from e.g. Windows Store).
If you use the same device on which you save your passwords, that isn't by definition a second factor. So if you don't like using your phone for that, you can use a hardware token, which is the best solution anyway.
I can highly recommend Nitrokey.
Thanks for the clarification. May have to look into a hardware token at some point then.
Good choice.
I used Bitwarden for some time too and moved from it to 1Password. The reason for me was more a database matter: how the security concept is implemented.
Popular password manager could have a critical vulnerability
Researcher argues auto-updates could allow for remote code execution
A security researcher has discovered a new vulnerability in a popular password manager that could allow for remote code execution.
The password manager in question is Bitwarden and the vulnerability resides in the company's desktop app which automatically downloads updates and replaces its own code with these updates without user intervention.
Co-founder of Keytern.al Jeffrey Paul argues that the company's developers could leverage its automatic updates to install backdoors into every single installation of the password manager and steal all of the passwords stored in every desktop user's database.
There's been interesting discussion and it seems most use online password managers as a quality of life thing, from my understanding.
Looks like it's "let's bash on Bitwarden" week.
But to be honest, this is pure bs, as it applies to the majority of the software we have installed that updates automatically.
I am not worried at all. I am not a BW developer.
Also don't worry.
Another potential issue arises:
Popular password manager could have a critical vulnerability (www.techradar.com)
To be fair, I guess this would be considered a major vulnerability in Windows too?
Windows updates are being downloaded via an insecure connection, but they are digitally signed and UAC verifies certificates online when they are run.
Not sure how Bitwarden verifies its updates once downloaded, whether it trusts them blindly, just like CCleaner did, or at least checks hashes as AMD does.
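The distinction the last two posts draw (trusting a downloaded update blindly versus checking it against something the download channel cannot alter) is easy to show in code. The following is an added example and not code from Bitwarden, Windows or anyone in this thread: a minimal updater that refuses to replace its own code unless the downloaded payload matches a digest pinned inside the client. The payloads, the "tampered" variant and the pinned digest are all constructed here; `PINNED_SHA256` stands in for a value that a real client would embed at build time (or, better, derive from a release manifest signed with a public key baked into the binary, which stdlib Python cannot do and this example does not attempt).

```python
import hashlib
import hmac

# Constructed sample payloads: what an auto-updater might fetch over an
# unauthenticated connection. The second one has extra bytes appended,
# standing in for whatever an on-path attacker could inject.
GOOD_UPDATE = b"app-v2.bin: legitimate release bytes"
TAMPERED_UPDATE = GOOD_UPDATE + b"\x00injected-code"

# Hypothetical trust anchor: the release digest as the client knows it from
# a channel the downloader cannot modify (pinned in the installed binary or
# delivered via a separately authenticated request). Computing it from
# GOOD_UPDATE here only stands in for that out-of-band knowledge.
PINNED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()


class UpdateRejected(Exception):
    """Raised when a downloaded update fails verification."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(payload: bytes, expected_sha256: str) -> bool:
    """True only if the payload hashes to the expected digest.

    compare_digest runs in time independent of where the strings differ,
    so a caller cannot learn the expected digest byte by byte from timing.
    """
    return hmac.compare_digest(sha256_hex(payload), expected_sha256)


def apply_update(payload: bytes, expected_sha256: str = PINNED_SHA256) -> str:
    """Verifying updater: the payload is only 'installed' after the check."""
    if not verify_update(payload, expected_sha256):
        raise UpdateRejected("digest mismatch: refusing to install update")
    # A real updater would replace its own files here; we just report.
    return "installed"


def blind_apply(payload: bytes) -> str:
    """The behaviour the thread is worried about: install whatever arrived."""
    return "installed"


def apply_with_sidecar_hash(payload: bytes, downloaded_sha256: str) -> str:
    """Common mistake: checking a hash fetched over the SAME insecure channel.

    An attacker who can swap the payload can swap the sidecar hash too, so
    this check passes for tampered input and adds no security.
    """
    if not verify_update(payload, downloaded_sha256):
        raise UpdateRejected("digest mismatch")
    return "installed"


if __name__ == "__main__":
    print("good payload, pinned digest :", apply_update(GOOD_UPDATE))
    try:
        apply_update(TAMPERED_UPDATE)
    except UpdateRejected as exc:
        print("tampered, pinned digest     : rejected ->", exc)
    print("tampered, blind updater     :", blind_apply(TAMPERED_UPDATE))
    # Attacker replaces both payload and the hash served next to it.
    print("tampered, sidecar hash      :",
          apply_with_sidecar_hash(TAMPERED_UPDATE, sha256_hex(TAMPERED_UPDATE)))
```

The three flows make the point of the thread concrete: `blind_apply` is the CCleaner-style behaviour, `apply_with_sidecar_hash` looks like a check but only verifies that the download is internally consistent, and only `apply_update` ties the payload to a value the network path cannot influence. The remaining gap, which this stdlib-only example leaves open, is that a pinned hash must be updated with every release; production updaters close it by pinning a signing key instead and verifying a signature over the per-release digest.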