
#keepassdx


»KeePassXC and Autotype:
A password manager is a must. This article explains how easy it is to use. There are alternatives, too.«

I point people to @keepassxc, but apparently it is still "too complicated" for many *aarrrgh*. IT security starts with the user, but this also needs a rethink in many companies. When they get hacked, it is never their own fault :(

🔐 gnulinux.ch/keepassxc-und-auto


@tychotithonus : if anything, people should stop making up passwords themselves.

Here's what they should do (IMHO): infosec.exchange/@ErikvanStrat; with Android screenshot: infosec.exchange/@ErikvanStrat.


Today is "Change Your Password" Day again. What really matters:

🔹 Every account needs a unique password.
🔹 Use long, randomly generated passwords.
🔹 Nobody has to remember them; that is what password managers are for. 👇
🔹 Extra protection? Enable two- or multi-factor authentication (2FA, MFA).

kuketz-blog.de/empfehlungsecke


If max. allowed password length < 20 characters: DO complain!

For people interested in dumb password rules: check out dumbpasswordrules.com or follow @dumbpasswordrules (it's an automated account, replies are probably not read by them).

Tip: use a password manager. Let it generate a unique password for each account. Make frequent backups of the database. On android/iOS/iPadOS, use AutoFill!

More info: infosec.exchange/@ErikvanStrat; with Android screenshot: infosec.exchange/@ErikvanStrat.

@tychotithonus


On my smartphone I use the following:

Operating system:
@e_mydata

Web browser: #Iceraven
Notes: @jtx
Scanner: #BarcodeScanner
Ad blocker: #AdAway
Call and SMS blocker: #SpamBlocker
Video downloads: #Seal
#Youtube viewer: #NewPipe
Password manager: #KeePassDX
Weather information: #Cirrus
Running: #OpenTracks
Social network: #Mastodon
RSS: #FeedFlow
Maps: #MagicEarth
Cloud sync: #Nextcloud
Unit converter: #ConverteNow
Navigation: #TrailSense

#KeePassDX is so awful compared to #KeePass2Android, or am I doing something wrong?

I want to log in to an app or website. So with DX I select my DX keyboard in the login field ("Magikeyboard KeePassDX"). That brings up a strip of buttons at the bottom; while typing I first have to unlock the DB in DX, fine. But then the app sends me to the search and I have to look for the entry. Once I have tapped it, I end up back at the login prompt, but now …


@mikarv : I understand why you'd want that for input fields other than credentials on Android.

For passwords, using Autofill (on both Android and iOS) is a lot safer if you use a password manager (see infosec.exchange/@ErikvanStrat for details).

I've not yet run into websites where logging in using Autofill did not work, but I've not knowingly tested sites that block paste into credential fields.


W.r.t. password managers (pw mgrs):

1) Make sure that you *NEVER* forget your master password.

2) Make an *OFFLINE* backup of the (encrypted) pw database after each modification. For example, rotate between multiple USB storage media.

3) Use a pw mgr that can generate strong (random, long, unguessable) passwords. Use that functionality to generate a unique pw for each account.

LAST BUT NOT LEAST
4) At least on mobile devices, configure the OS and pw mgr to locate your credentials *automatically* based on the domain name of the website you're visiting (using "autofill", which lets the OS pass the domain name –as used by the browser– to the pw mgr).

EXAMPLE WHY
If you receive an email (with SPF, DKIM and DMARC all fine) from:

    whomever@circle-ci.com

that instructs you to revalidate your 2FA settings in, e.g.:

    https:⧸⧸circle-ci.com/revalidate

Then a properly configured pw mgr will not come up with ANYTHING - because the record is for (without the dash):

    https:⧸⧸circleci.com

The deja vu after the 2022 attack (github.blog/news-insights/comp), described in discuss.circleci.com/t/circlec, is still alive and kicking since March this year (see crt.sh/?q=circle-ci.com and virustotal.com/gui/domain/circ). The fake site even looks better than the original one (I don't know whether it is actually malicious, or will just warn users who attempt to log in).

NOTE: if your pw mgr does not find a matching record in the pw mgr database, do NOT manually locate the "circleci.com" record. If you do: do NOT autofill or copy/paste your credentials for https:⧸⧸circleci.com to https:⧸⧸circle-ci.com! Using those creds, the fake site may immediately log in to the authentic website AS YOU - pwning your account.

WHAT I'M USING
I'm using KeePassium on iOS and KeePassDX on Android; they work just fine (disclaimer: I'm not in any way related to their authors, and do not warrant their reliability).

@steelefortress


@tasket wrote:
<<< Using password managers is great. But having them directly interact with web browsers is a dubious proposition [...] >>>

Most people nowadays use smartphones (in particular in airplanes and in airports where these attacks happened).

Both iOS and Android have an autofill feature that works great. The user can use any PWM (password manager) they want; no browser plugins are required. The OS takes care of interfacing between the browser (or any app that shows a page with fields apparently meant for supplying user credentials) and the PWM.

I've been testing KeePassDX on Android and KeePassium on iOS, and I'm getting more and more comfortable with them (disclaimer: use at your own risk). They work fine with every browser on those OSes that I tested.

Compared to passkeys, there are some caveats:

1) If the user tries to log in to a fake site, the PWM will not find the domain name of the fake site in its database. In that case the user should NOT be tempted to search the database for the domain name of the real site and have the PWM fill in those credentials on the phishing site (passkeys simply will not allow you to do that, but they have a zillion disadvantages that PWMs do not have).

2) The user must confirm that an https connection is used (passkeys mandate this by themselves). If not, then the domain name shown in the browser's address bar may be spoofed.

3) Obviously the user must also make sure that the PWM's database is backed up after each change, and that unlocking it requires a strong password that the user does not forget - in particular when not typing it regularly, because of using Touch ID or Face ID to unlock said database (effectively retrieving the actual password from secure storage in the phone - after authenticating with biometrics or, alternatively, a screen unlock code).
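The domain-name matching that the circle-ci.com example above relies on, together with caveats 1 and 2 of this post, as an added example (not Erik's code and not the lookup any real password manager or OS implements): a minimal autofill-style lookup over a constructed vault that offers a record only when the page host equals the stored host or is a subdomain of it, and only over https. The vault entries and the lookalike hosts are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample vault, shaped like password-manager records.
# Only the host of the stored URL is used for matching, never the path.
VAULT = [
    {"title": "CircleCI", "url": "https://circleci.com/", "user": "erik"},
    {"title": "Example", "url": "https://login.example.org/", "user": "erik"},
]


def canonical_host(url):
    """Lowercase, ASCII (punycode) host of url, or None if unusable.
    A homoglyph host such as Cyrillic 'с' + 'ircleci.com' becomes an
    xn-- label here and therefore never equals the stored ASCII host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def host_matches(page_host, record_host):
    """Exact host, or a subdomain of the stored host (app.circleci.com
    for circleci.com). No fuzzy matching: 'circle-ci.com' shares no
    label boundary with 'circleci.com', so it is rejected."""
    return page_host == record_host or page_host.endswith("." + record_host)


def candidates_for(page_url, vault=VAULT):
    """Mimic OS autofill: return titles of records whose host matches the
    page the browser reports. Plain http pages get nothing (caveat 2),
    and no manual fallback to a 'similar' record exists (caveat 1)."""
    if urlsplit(page_url).scheme != "https":
        return []
    page_host = canonical_host(page_url)
    if page_host is None:
        return []
    hits = []
    for rec in vault:
        rec_host = canonical_host(rec["url"])
        if rec_host and host_matches(page_host, rec_host):
            hits.append(rec["title"])
    return hits


if __name__ == "__main__":
    for url in ("https://circleci.com/login", "https://circle-ci.com/revalidate"):
        print(url, "->", candidates_for(url))
```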

Frustration: About two weeks ago I installed #GrapheneOS. I use #KeePassDX as my password manager. Since today, every time I try to access the database I get this strange error message that I can make very little sense of: "open failed: ENOENT (No such file or directory)". Without a password manager the usability is rather poor 😕