Re: Password Manager opinions and recommendations

[Ángel <debian-user@debian.16bits.net>]

On 2018-03-25 at 19:47 +0100, Brian wrote:
> 1 day after the breach your data had been compromised. Changing your
> password 10 days later on in your 1 month cycle doesn't seem to me to
> be reactive security. Better than nothing, I suppose, but closing the
> door after etc.
> 
> In any case, your 20 character, high entropy password was your ultimate
> defence. (Not unless Yahoo! didn't hash).


Sure. If someone stole your password, be that by compromising and
injecting a password-stealing javascript server side, due to a sslstrip
you didn't notice on that free wifi, perhaps just someone looking at the
keys you pressed when entering your password, etc. the data you had up
to that point in that service should be considered compromised.

However, if the password was changed N days/months later, as part of a
periodic password change, that would mean that data processed after that
date would no longer be in risk, whereas otherwise the account would
continue being accessible by the bad actors for years (assuming that you
are not using a pattern that removes the benefit or rotating the
password!).

Regards