Unlocking the password manager means I need to type a master password in while in a public place. Feels higher risk when it is an unimportant website but potentially gives access to all websites. Still better than the passwords being accessible on disk but having individual passwords would reduce the impact of any password leak.
I have this InputStick USB [1] dohicky that I keep with my keys shows up as a generic USB keyboard when plugged in but is also an encrypted Bluetooth dongle (part of pairing allows you to configure a shared encryption key so that only devices that know the key can use the stick, and only sticks with the key are recognized by the client apps). There's a plugin to Keepass2Android that I use to type passwords from my phone. I use that to unlock my password manager (using a giant untypable passphrase). So entering mosterous passphrases is very easy... bot only if you can unlock my phone and use biometrics to open Keepass2Android.
It really is dumb that phones can just generically play USB HID (without running custom kernels)
What if you're demonstrating a problem with a login screen? And yes, I've had to do exactly that more than once.
I wouldn't do it with a particularly sensitive password (online banking etc) but there are enough passwords I use regularly for work purposes where it wouldn't be a significant risk for others to watch me type it in, certainly if the characters aren't revealed at all while typing. Though having password fields be able to detect your screen is being shared automatically and obscure what pixels are relayed would be nice.
Sadly I think security systems will have to accommodate the possibility that someone else can see your screen. And hope that they can't see your keyboard.
I don't type passwords. My password manager fills them for me, or I paste them.
Unlocking the password manager means I need to type a master password in while in a public place. Feels higher risk when it is an unimportant website but potentially gives access to all websites. Still better than the passwords being accessible on disk but having individual passwords would reduce the impact of any password leak.
I have this InputStick USB [1] dohicky that I keep with my keys shows up as a generic USB keyboard when plugged in but is also an encrypted Bluetooth dongle (part of pairing allows you to configure a shared encryption key so that only devices that know the key can use the stick, and only sticks with the key are recognized by the client apps). There's a plugin to Keepass2Android that I use to type passwords from my phone. I use that to unlock my password manager (using a giant untypable passphrase). So entering mosterous passphrases is very easy... bot only if you can unlock my phone and use biometrics to open Keepass2Android.
It really is dumb that phones can just generically play USB HID (without running custom kernels)
[1] http://inputstick.com/
[2] http://inputstick.com/kp2a-plugin/
1password uses biometrics on my 7 year old MacBook Pro, so even if I'm out and about I still don't need to type it.
2 replies →
Oh god no, absolutely not. Always stop sharing for the duration of the password entry.
What if you're demonstrating a problem with a login screen? And yes, I've had to do exactly that more than once. I wouldn't do it with a particularly sensitive password (online banking etc) but there are enough passwords I use regularly for work purposes where it wouldn't be a significant risk for others to watch me type it in, certainly if the characters aren't revealed at all while typing. Though having password fields be able to detect your screen is being shared automatically and obscure what pixels are relayed would be nice.
Why use a good password while testing your login screen? I use "iamroot" and "password".
1 reply →
Sadly I think security systems will have to accommodate the possibility that someone else can see your screen. And hope that they can't see your keyboard.
I'm going to suggest that is correct and also unusual behavior.