Programmer Humor

37243 readers

122 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 6 years ago

MODERATORS

cat_programmer@lemmy.ml

AgreeableLandscape@lemmy.ml

795

The OTP you want to use was already used (lemmy.ml)

submitted 2 years ago by Dirk@lemmy.ml to c/programmerhumor@lemmy.ml

31 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] andreluis034@lm.put.tf 3 points 2 years ago* (last edited 2 years ago) (1 children)

That’s not quite right though, there’s the factor you know (password to your vault), and the factor you have (a copy of the encrypted vault).

That would be true for offline vaults, but for services hosted on internet I don't think so. Assuming the victim does not use 2FA on their Bitwarden account, all an attacker needs is the victim's credentials (email and password). Once you present the factor you know, the vault is automatically downloaded from their services.

This is something I hadn't thought until know, but I guess password managers might(?) change the factor type from something you know (the password in your head) to something you have (the vault). At which point, if you have 2FA enabled on other services, you are authenticating with 2 things you have, the vault and your phone.

[–] meteokr@community.adiquaints.moe 3 points 2 years ago

It works for self hosted vaultwarden mostly also. Since you would need a way to acess the login page itself, which could be behind a VPN or other authentication service like Authentik.