1

I use several browsers for several reasons (surfing, downloading files, logging into accounts...), but I prefer Chrome for doing "risky" things like browsing websites that I don't know to be safe or not, and I installed several extensions on it to gain a higher safety level: ScriptSafe, Adblock Plus and Ghostery. I don't use any sandbox tool.

Since I use the same PC and OS to browse the internet and log into my accounts, I would like to install a password manager to be safer, and I trust it may help if someone enters my system and looks for saved passwords somewhere on my PC.

But let's consider the following scenario: a keylogger attacks me and is able to read what I'm typing on the keyboard; as long as I enter a master password to use my password manager, I have to type one. Well, some password managers allow a password-free authentication option (meaning you don't have to remember a master password), and for the scenario above it seems to me a safe option.

My question is: while configuring a password manager, is it safer to set up password-free authentication to avoid typing the master password and being vulnerable to keyloggers? Or should I consider other threats that make setting a master password safer?

2 Answers

2

The question of keyloggers is a bit beside the point with password managers, because once you operate on an already compromised system you are not safe with basically any operation. Some trojans may steal data from forms in the split second managers enter it; they will also most likely save everything you have in your clipboard. Another attack vector may be taking the password from screenshots...

Basically no password manager can help you if you are on a compromised system, because the attacker doesn't need to rely on separate authentication; he can just use you. A compromised system isn't an attack vector a password manager can protect you from (and they aren't designed to).

As for which authentication to use, the best option would be two-factor authentication with a password and a confirmation on a separate device, but as most managers won't let you add a new device without separate authentication, you should be decently safe with a single master password (of course not reused anywhere else...). Biometric authentication on usual user devices isn't very secure, so I wouldn't rely on that over a long and secure password.

1

Coming from personal experience using LastPass, I set up the personal master password and set up 2FA with Google Authenticator. Yes, it's a pain in the ass for me at times as I need to pull my auth codes, but it's safer and gives me a warm and fuzzy.
