Erik van Straten<p>W.r.t. password managers (pw mgrs):</p><p>1) Make sure that you *NEVER* forget your master password.</p><p>2) Make an *OFFLINE* backup of the (encrypted) pw database after each modification. For example, rotate between multiple USB storage media.</p><p>3) Use a pw mgr that can generate strong (random, long, unguessable) passwords. Use that functionality to generate a unique pw for each account.</p><p>LAST BUT NOT LEAST<br>4) At least on mobile devices, configure the OS and pw mgr to locate your credentials *automatically* based on the domain name of the website you're visiting (using "autofill", which lets the OS pass the domain name –as used by the browser– to the pw mgr).</p><p>EXAMPLE WHY<br>If you receive an email (with SPF, DKIM and DMARC all fine) from:</p><p> whomever@circle-ci.com</p><p>that instructs you to revalidate your 2FA settings in, e.g.:</p><p> https:⧸⧸circle-ci.com/revalidate</p><p>Then a properly configured pw mgr will not come up with ANYTHING - because the record is for (without the dash):</p><p> https:⧸⧸circleci.com</p><p>The deja vu after the 2022 attack (<a href="https://github.blog/news-insights/company-news/security-alert-new-phishing-campaign-targets-github-users/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.blog/news-insights/comp</span><span class="invisible">any-news/security-alert-new-phishing-campaign-targets-github-users/</span></a>), described in <a href="https://discuss.circleci.com/t/circleci-security-alert-warning-fraudulent-website-impersonating-circleci/50899" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">discuss.circleci.com/t/circlec</span><span class="invisible">i-security-alert-warning-fraudulent-website-impersonating-circleci/50899</span></a>, is still alive and kicking since March this year (see <a href="https://crt.sh/?q=circle-ci.com" rel="nofollow 
noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?q=circle-ci.com</span><span class="invisible"></span></a> and <a href="https://www.virustotal.com/gui/domain/circle-ci.com/detection" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/domain/circ</span><span class="invisible">le-ci.com/detection</span></a>). The fake site even looks better than the original one (I don't know whether it is actually malicious, or will just warn users who attempt to log in).</p><p>NOTE: if your pw mgr does not find a matching record in the pw mgr database, do NOT manually locate the "circleci.com" record. If you do: do NOT autofill or copy/paste your credentials for https:⧸⧸circleci.com to https:⧸⧸circle-ci.com! Using those creds, the fake site may immediately log in to the authentic website AS YOU - pwning your account.</p><p>WHAT I'M USING<br>I'm using KeePassium on iOS and KeePassDX on Android; they work just fine (disclaimer: I'm not in any way related to their authors, and do not warrant their reliability).</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@steelefortress" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>steelefortress</span></a></span> </p><p><a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a href="https://infosec.exchange/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManagers</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/KeePassium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KeePassium</span></a> <a href="https://infosec.exchange/tags/iOS" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iPadOS</span></a> <a href="https://infosec.exchange/tags/KeePassDX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KeePassDX</span></a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a> <a href="https://infosec.exchange/tags/Autofill" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Autofill</span></a> <a href="https://infosec.exchange/tags/DomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainName</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/DomainNameCheck" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainNameCheck</span></a></p>
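<p>Added example, not part of Erik's post and not the code of KeePassium or KeePassDX: a minimal Python sketch of the domain-based lookup that point 4 relies on. The vault, the usernames and the <code>*.evil.example</code> host are constructed for the example; the only real names are circleci.com and the look-alike circle-ci.com from the post. The matcher takes the URL the browser reports and offers a record only when the page host is the stored host or a subdomain of it, so the look-alike and a suffix trick both return nothing, exactly the "comes up with ANYTHING" behaviour the post describes.</p>

```python
"""Domain-based autofill lookup, as a password manager performs it.

Added illustration; the vault records below are constructed for this
example and are not real credentials.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed vault: what a KeePass-style database might hold.
VAULT = [
    {"title": "CircleCI", "url": "https://circleci.com/", "username": "erik@example.org"},
    {"title": "GitHub", "url": "https://github.com/login", "username": "erik"},
]


def host_of(url: str) -> Optional[str]:
    """Lowercase hostname of an http(s) URL, or None for anything else.

    The OS/browser hands the manager the URL it is actually showing, so this
    is the only input the matcher trusts; page title, logo and layout are
    never consulted (that is what makes a pixel-perfect clone irrelevant).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def host_matches(page_host: str, record_host: str) -> bool:
    """True for the same host, or a subdomain of the stored host.

    app.circleci.com matches a record stored for circleci.com.
    circle-ci.com does not (a different registrable domain), and
    circleci.com.evil.example does not either: the stored host must be a
    suffix on a label boundary, never a prefix. Real managers additionally
    consult the Public Suffix List so that a record for e.g. github.io
    cannot match every *.github.io site; that refinement is omitted here.
    """
    return page_host == record_host or page_host.endswith("." + record_host)


def autofill_candidates(page_url: str, vault: List[dict] = VAULT) -> List[dict]:
    """Records the manager would offer for page_url; an empty list is 'no match'."""
    page_host = host_of(page_url)
    if page_host is None:
        return []
    matches = []
    for record in vault:
        record_host = host_of(record["url"])
        if record_host and host_matches(page_host, record_host):
            matches.append(record)
    return matches


if __name__ == "__main__":
    # The link from the post's hypothetical email, plus a few variants.
    for url in (
        "https://circleci.com/",
        "https://app.circleci.com/pipelines",
        "https://circle-ci.com/revalidate",          # look-alike: no offer
        "https://circleci.com.evil.example/login",  # suffix trick: no offer
    ):
        titles = [r["title"] for r in autofill_candidates(url)]
        print(f"{url:45} -> {titles or 'nothing offered: check the domain before typing'}")
```

<p>The empty result is the signal: when the manager offers nothing on a login page where you expected a match, the domain is not the one you stored, and the right move is to stop rather than to search the vault by hand. Internationalised (IDN) hostnames would need punycode normalisation before comparison, which this sketch leaves out.</p>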