
Non-browser-integrated password managers with 2-factor authentication are one of the best security solutions around right now. Every step away from that costs you security, but probably is still a good ways better than using passwords alone purely from memory.



I am curious, is there a way to do OTPs with offline databases?

I tried poking around with the add-in, but couldn't quite determine whether the implementation could properly protect from replay attacks, most notably whether a copy of the xml file used and the matching old OTP would be enough to unlock a newer database file.


It's impossible to use OTP as part of an encryption key without some sort of oracle that could do the decryption without the OTP.


I know you can always backdoor it with the root key, and I decided to give up on this line because of that.

In theory you could guarantee the OTP going forward, but it would be impossible to protect going backward, which kind of kills the whole point.
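A constructed illustration of the point made in the two comments above (an added example, not code from the thread or from any KeePass add-in): a toy "OTP-mixed-into-the-key" scheme, where the key derivation, salt, header check and the side-car layout are all hypothetical and the seed is the RFC 6238 test seed. The only way to unlock a saved database is to recompute the code that was valid at save time, which the seed in the side-car file lets anyone do, so the token adds no protection to the file at rest.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, using RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def derive_key(password: str, otp: str) -> bytes:
    """Hypothetical scheme: the OTP is mixed into the database key (constructed salt)."""
    material = (password + otp).encode()
    return hashlib.pbkdf2_hmac("sha256", material, b"constructed-salt", 20_000)


def save_database(password: str, seed: bytes, saved_at: int) -> dict:
    """Model of a save: key uses the code valid at save time; the seed is written
    to a side-car file (the 'xml' in the thread) so the code can be checked later."""
    key = derive_key(password, totp(seed, saved_at))
    check = hmac.new(key, b"constructed-header", hashlib.sha256).hexdigest()
    return {"saved_at": saved_at, "sidecar_seed": seed, "check": check}


def unlock(db: dict, password: str, otp: str) -> bool:
    """Unlock succeeds only with the code that was valid when the file was saved,
    which is not the code a token shows now: that is the 'oracle' problem."""
    key = derive_key(password, otp)
    tag = hmac.new(key, b"constructed-header", hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, db["check"])


def unlock_with_sidecar_only(db: dict, password: str) -> bool:
    """No token needed: the side-car seed plus the stored save time reproduces the
    save-time code, so the file is protected by the password alone."""
    return unlock(db, password, totp(db["sidecar_seed"], db["saved_at"]))
```

Going forward a fresh code can be folded into each new save, but every copy of the file still carries the seed needed to recompute it, which is the "can't protect going backward" point.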


I bought a yubikey with the intention of doing exactly that, but then it occurred to me...

What the hell happens if I lose the yubikey? Or indeed anything else that substitutes as the 2nd factor?


Why NON-browser-integrated? What's wrong with the one integrated in the browser?


Read the article - each attack it mentions only applies to browser-integrated ones.

If instead you mean "browser-integrated" as in the default "remember my password", well, those are not what this paper discusses and are generally better, though they are still not as desirable as a standalone less-privileged manager.

The idea that the password manager should be separate is practically common sense. Browsers provide more surface area for attack. Browsers are made to share content and work with network data. Ideally, your password manager should never touch the network ever. It has no need to.



