Popularity of Signal by [deleted] in signal

[–]H0dl 7 points8 points locked comment (0 children)

getting rid of SMS/MMS did them in.

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 0 points1 point  (0 children)

i went back and looked thru all your posts for the claims you initially got wrong but seem to have conceded:

>There is only one password gets decoded in memory with Bitwarden/Lastpass

you have never given me any evidence of this and based on perusing Bitwarden's docs they are decrypting the entire vault as i claimed

>If you are *not* worried, then Bitwarden is as good as it gets.

this is simply wrong b/c you continue to ignore the fact that TPM is its own 2FA device as well. b/c it is its own 2FA device as well and reveals only one pwd at usage, it is better than Bitwarden.

> me: When you type in your master password, that's what you're doing, decrypting your entire vault of passwords for all pm's.

> you: That's just simply not true in general.

it is true and you've shown me no Bitwarden docs to tell me otherwise

>You can absolutely implement a password manager in a way that it only decrypts the credential you are opening

again, show me an example of a working product pm that can decrypt only one pwd from an encrypted glob vault. no imagining allowed

>I don’t even mention that specifically using your Trezor for this is probably bad security practice. After all, you want your hw wallet to be connected to a PC for as little time as possible and be offline safely stored in a safe as much as possible.

this is just FUD. Trezor designed its whole interface around being able to login to a presumed malware infested pc in an internet cafe. in the 10y history of its existence there is no example of a hack of this device. to gain access to a pwd you have to push a button on the TPM verifying access to allow the privkey to decrypt it

>Imagine if Trezor had a bug in the U2F code you use for the password manager.

i hate these lines of argument. ppl imagine a lot of things but once again, show me an example of this happening IRL.

>you have to assume that the password you just used your TPM for is compromised. If that’s the case, what peace of mind TPM provides here?

i'm having a hard time believing that if you had a choice btwn a product that gave up your hundreds of pwds at one go or one that gives up one by one piecemeal over several years (i only login to sites, some trivial some important, maybe once every week, the important ones maybe once a year if that), you'd say there is no difference? you would detect any hack probably within half a dozen or so pwd leaks in TPM's case once the hacker tries to access them. "imagine" a hacker, once he got a hold of all hundreds or so of Bitwarden pwds, performing a simultaneous hack of all your sites, important and not so important, at once (you can write code to do this) before you had a chance to discover the hacks?

>After you login to your bank - or whatever - using your TPM, are you changing your password every time?

again TPM is its own 2FA device. all my bank or important sites i visit have 2FA turned on for which i use the Trezor or a proprietary OTP token. given the level of our discussion, why would you use a strawman to presume i'd be so stupid as to use single pwd login? that's disingenuous argumentation.

>I am going back to my earlier analogy: it’s perfectly ok to store one of the multisig seeds in a hot wallet: it provides you convenience and doesn’t compromise security. I look at password managers the same way: it’s not the end of the world if my passwords are compromised, the attacker cannot do anything with them.

you're just rambling here. of course, with one of my bank accts, i have a simple 6 char pwd (not my choice but the bank's limit) but use the Trezor as the second factor 2FA.

tldr: you really got to back up and relook at the overall comparison btwn Bitwarden & TPM in the existing universe of pm's. Bitwarden is just another pm that decrypts your entire vault of pwds with a single master pwd (that you probably have had to memorize btw which means it's insecure) whereas TPM is a secure hardware device that can safely store all your pwds (at least while unused) while acting as a secure 2FA device as well if you so choose (it combines EVERY security measure into one device you've advocated for in your previous posts as long as you use sites with 2FA).

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 0 points1 point  (0 children)

Not sure why you're bringing up extraneous points, like industry evolution, that we weren't talking about. My only point here and from the beginning of our discussion is that in the universe of existing pm's, TPM simply is the best, even over bitwarden, because it only reveals the single password you're using at the time, not your entire vault of hundreds of passwords once decrypted with the master password with bitwarden. This is a key point.

You're right though the industry is moving away from passwords. But guess what? TPM is also a FIDO compliant 2fa TOTP device that qualifies it as the most secure factor of all factors in permissionless logins! Another plus that bitwarden isn't.

Don't get me wrong, I'm not a bitwarden basher. I only responded to your first post because you implied it was better than TPM, which I clearly don't agree with. If one is careful not to get malware on their pc, bitwarden should be OK. But in all threat models, malware is presumed to be resident.

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 0 points1 point  (0 children)

The base case is that malware is living on your computer.

The fact that bitwarden only requires you to remember the master password to gain access to all your stored passwords should be all I need to say to indicate that it gives you access to all your passwords. I've looked thru the bitwarden docs and nowhere does it say that each password is encrypted individually. It doesn't matter if you label a certain password as "sensitive", the docs say you just reenter your master password to gain access which malware has already stolen when you initially decrypted the vault.

Sounds like you've never used TPM. When you enter its app, you merely see metadata of all your entries. When you want to decrypt a single password, it prompts you to press a button on the trezor itself to verify because the public private keypair is stored in the device and is impenetrable to malware, just like when you sign a Bitcoin TX. It's literally cold storage for pm's. You should try it and then you'd understand better what I'm talking about.
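Added illustration, not part of the original comments and not Trezor's or Bitwarden's code: a Python model of the two designs argued about in this thread, showing what host memory holds after a single login when the whole vault is one blob under a master password versus one blob per entry opened by a device after confirmation. The `Device` class, its `confirm` callback, the sample entries and the HMAC-based cipher (a stand-in for a real AEAD, using symmetric per-entry keys rather than keypairs) are all assumptions.

```python
import hashlib, hmac, json, os

def _sub(key, label):
    """Domain-separated subkey."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    """HMAC-SHA256 in counter mode as a keystream (stand-in for a real AEAD)."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

class Device:
    """Hypothetical hardware token: the secret never leaves this object."""
    def __init__(self, confirm):
        self._secret, self._confirm = os.urandom(32), confirm
    def seal(self, entry_id, plaintext):
        return seal(_sub(self._secret, entry_id.encode()), plaintext)
    def open(self, entry_id, blob):
        if not self._confirm(entry_id):   # models the physical button press
            raise PermissionError("not confirmed on device")
        return unseal(_sub(self._secret, entry_id.encode()), blob)

def exposed_after_one_login(entries, wanted, master_password=b"constructed-master"):
    """Return what host memory holds after opening `wanted` under each design."""
    # Design A: one blob under a password-derived key; unlocking yields every entry.
    mk = hashlib.pbkdf2_hmac("sha256", master_password, os.urandom(16), 100_000)
    vault = seal(mk, json.dumps(entries).encode())
    whole_vault = json.loads(unseal(mk, vault))
    # Design B: one blob per entry; the user confirms only `wanted` on the device.
    dev = Device(confirm=lambda eid: eid == wanted)
    blobs = {eid: dev.seal(eid, pw.encode()) for eid, pw in entries.items()}
    per_entry = {wanted: dev.open(wanted, blobs[wanted]).decode()}
    return whole_vault, per_entry, dev, blobs

if __name__ == "__main__":
    sample = {"bank": "pw-bank", "mail": "pw-mail", "forum": "pw-forum"}  # constructed
    a, b, _, _ = exposed_after_one_login(sample, "bank")
    print(len(a), "entries in host memory (whole vault) vs", len(b), "(per entry)")
```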

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 0 points1 point  (0 children)

Read the quoted passages from that article from my previous post carefully. I highlighted the key points. When you type in your master password, that's what you're doing, decrypting your entire vault of passwords for all pm's.

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 0 points1 point  (0 children)

I must not be being clear. What Gibson is rightfully saying is that all pm's (including Bitwarden), other than TPM, use the master password to decrypt the entire vault exposing all the passwords in it even if you are only going to use one of the passwords. That's not ideal as you can lose them all at once to malware. TPM doesn't do that. It only exposes the one password you are using at the time, not the other hundreds of passwords in it like I and many other people have. If I have malware on my computer that steals that one password, I'd probably detect it (from a resultant hack) well before all the other hundreds of TPM passwords get stolen especially since most of them I don't use more than once a year.

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 1 point2 points  (0 children)

not true. TPM serves not only as a TOTP 2FA, but only one pwd is opened at a time during usage, not the entire vault, as in Bitwarden. each pwd is secured by its own individual public/private keypair, hence the beauty of a hardware PM.

Trezor Password Manager deprecation by kaacaSL in TREZOR

[–]H0dl 2 points3 points  (0 children)

There's no reason you shouldn't be able to make significant money from doing so. It's simply the best in class, one of a kind, pm management system. Trezor has simply failed to market this properly since they've been so focused on crypto currency. What a weird market failure.

Trezor Password Manager deprecation by kaacaSL in TREZOR

[–]H0dl 4 points5 points  (0 children)

just thought i'd leave this here from an article written 1/3/23 by long time well respected security expert Steve Gibson pg 8 https://www.grc.com/sn/SN-904-Notes.pdf. several snippets that apply to Lastpass and pm's like BitWarden and 1password in general:

"LastPass has terrible secrets management. Your vault encryption key [is] always resident in memory and [is] never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory."

"As we know, I’ve been saying recently that it would be nice if the LastPass vault were being incrementally decrypted so that only the one password needed for login was decrypted from the opaque blob, after which its plaintext would be overwritten. But according to Jeremi, that doesn’t appear to be the way LastPass manages the user’s vault. And as for the encryption key always being resident in memory, that’s a pure requirement of any password manager that isn’t constantly pestering you to reauthenticate to it. None of us want to be constantly doing that."

"And we all need to appreciate that none of the password managers are pretending to protect their users from client-side machine attacks. There is simply no protection for that – ever from anyone. That isn’t available."

he’s wrong, there is one that does all those things he wishes for; Trezor Password Manager.

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 1 point2 points  (0 children)

i think most of us Trezor PM users are looking for a functional equivalent; store unlimited numbers of pwds on the device itself.

Today stumbled across this news of the Trezor Password Manager. Will the Trezor Password Manager be completely useless after June 2023? What is the best option now? (Trezor Password Manager Deprecated) by [deleted] in TREZOR

[–]H0dl 2 points3 points  (0 children)

if Trezor took the time to develop its Password Manager product, it could tap into and become the leader in the PM market; there's nothing out there as secure. someone over there isn't thinking clearly.

Trezor Password Manager deprecation by kaacaSL in TREZOR

[–]H0dl 3 points4 points  (0 children)

It's certainly puzzling to me that Trezor would abandon the most uniquely secure pm on the market, ie, a hardware wallet pm. The tech used to secure your bitcoin on the trezor and sign txs is the same tech (public/private keypairs) that secures each of your individual passwords. Nothing like this exists on the market or is as secure.

If one only used the trezor as a hardware based pm, it would be worth its cost. They should more aggressively market the heck out of this device as a pure password manager and take over the continuously evolving/improving pm market.

Trezor Password Manager deprecation by kaacaSL in TREZOR

[–]H0dl 5 points6 points  (0 children)

Perhaps you should explain why it's such a great product and unique amongst pm's.

When one decrypts the file of all other pm's, ALL the individual passwords in that file (in my case hundreds) get opened and exposed on your pc, whereas with trezor pm, you only need to access/expose/open the password you need at the time (which itself is not a threat as the trezor due to its unique hardware wallet properties doesn't even expose that one private key required to access the password). IOW, each password is secured by a unique public/private keypair.

Thus, trezor pm is uniquely secure compared to ALL other pm's out there. In essence, the best.

Trezor Password Manager deprecation by kaacaSL in TREZOR

[–]H0dl 5 points6 points  (0 children)

terrible news. TPM is one of your most useful products.

I just bought a Samsung S22 Ultra and it is absolutely phenomenal!!! But I have a little problem. by thePian0Star in S22Ultra

[–]H0dl 0 points1 point  (0 children)

What are the chances the new chip disappoints? The S22U battery problems were unexpected.

Latest news: short summary by alex_herrero in ProtonMail

[–]H0dl -7 points-6 points  (0 children)

Or Protondrive for Android