this post was submitted on 13 Mar 2026
1247 points (98.2% liked)

Programmer Humor

30720 readers
2472 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
1247
I love password based login (infosec.pub)
submitted 2 weeks ago by bdjegifjdvw@lemmy.world to c/programmer_humor@programming.dev
176 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Fiery@lemmy.dbzer0.com 16 points 2 weeks ago (2 children)

It's not actually reduced to one factor, just a single point of failure. If their password manager gets taken it's a problem, however the generated TOTP is worthless in 1 min. So this will protect the login from cases where the password is known like a compromised website or a reused password.

[–] TheObviousSolution@lemmy.ca 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.

[–] Fiery@lemmy.dbzer0.com 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

A full hack of every part of the service is not the only way a user's password could get known to an attacker. Could be MiTM, could be typo-squatted, etc

If a site is that compromised no measure of auth is gonna help, so little use worrying about it.

[–] TheObviousSolution@lemmy.ca 1 points 2 weeks ago* (last edited 2 weeks ago)

A lot of the technology you use to connect over VPNs or over the Internet already addresses MitM. If it's typo-squatted, you are sort of using password managers wrong. You do have the option of setting up TOTP elsewhere like on your phone authenticator so the point of failure isn't on your side, I just think it's sort of funny how easily you can make it be one.

[–] Coleslaw4145@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

But if a password manager is compromised then doesn't the attacker also get the TOTP key which is what generates the codes in the first place?

It wouldn't matter if it expires in one minute because they'll have the token to generate the next code, as well as now knowing the password.

[–] Fiery@lemmy.dbzer0.com 8 points 2 weeks ago (1 children)

That makes it a single point of failure yes, and the rest of the comment you're replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager

[–] Coleslaw4145@lemmy.world 3 points 2 weeks ago

Sorry i misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.

[–] JcbAzPx@lemmy.world 1 points 2 weeks ago

That depends on the manager. Good ones won't have access to your stuff outside of an encrypted blob. Still, it's generally better to use a separate authenticator.