Don't auto Save your login details

[Saint-loup]

An authenticator app is better, but unfortunately most people use Google Authenticator, which can be reset or have its back up codes accessed by anyone who can hack your email account.

It's the first time I read that. Where have you seen that please?
It must be a hoax. You don't need to be connected to internet to use Google Authenticator, so it can't work like that.

[1714957446]

1714957446

[1714957446]

1714957446

[1714957446]

1714957446

[o_e_l_e_o]

It's the first time I read that. Where have you seen that please?

If someone has access to your Google account, then they can generate as many back up codes as they like by following these instructions: https://support.google.com/accounts/answer/1187538

They can also transfer your Google authenticator to their phone by following these instructions: https://support.google.com/accounts/troubleshooter/4430955?hl=en#ts=4430956

Google authenticator is only as secure as your Google account. It would be better to use an open source 2FA app which you can back up with an encrypted database locally.

You don't need to be connected to internet to use Google Authenticator, so it can't work like that.

That's not how 2FA authenticators work. When you first set them up with a new site, the site generates a shared secret, which you input in to your app usually by scanning a QR code. The app then uses that shared secret and the current time (usually floored to the nearest 30 second interval) as inputs in to a hashing process to generate a code. The site in question does the same thing to confirm the code you enter is correct. All that is required is for both both your phone and the site in question to know the shared secret (which they remember from the first time you set it up), and are able to tell what time it is. No internet access is ever required.

[Saint-loup]

It's the first time I read that. Where have you seen that please?

If someone has access to your Google account, then they can generate as many back up codes as they like by following these instructions: https://support.google.com/accounts/answer/1187538

They can also transfer your Google authenticator to their phone by following these instructions: https://support.google.com/accounts/troubleshooter/4430955?hl=en#ts=4430956

Google authenticator is only as secure as your Google account. It would be better to use an open source 2FA app which you can back up with an encrypted database locally.

Yes but it's only for your Google account, this has nothing to do with the Google Authenticator app. If you use another 2FA app to connect to your Google account, you'll get exactly the same codes. Google doesn't store your Coinbase 2FA seed in any way to be clear, and nobody can access it by hacking your Google account.

You don't need to be connected to internet to use Google Authenticator, so it can't work like that.

That's not how 2FA authenticators work. When you first set them up with a new site, the site generates a shared secret, which you input in to your app usually by scanning a QR code. The app then uses that shared secret and the current time (usually floored to the nearest 30 second interval) as inputs in to a hashing process to generate a code. The site in question does the same thing to confirm the code you enter is correct. All that is required is for both both your phone and the site in question to know the shared secret (which they remember from the first time you set it up), and are able to tell what time it is. No internet access is ever required.

This is exactly what I'm saying, no internet access is ever required by any 2FA app, Google Authenticator included.

[BTCLiz]

Today, we will see how you can hack any password, but only those who will have saved the password while logging in.

Yesterday I had an opportunity to go to the internet café, I wrote the domain of Facebook.

And this thing happened:


Now this means that anyone can log in with its id, right? But what to do if you want to see the password?

Here in the picture above, you must have noticed the password is hidden, You must have seen the password everywhere, you will get this kind.

So let's start.
step #1:
Go to the website where you have (save password) or (Remember Me).

Step # 2:
Now right-click in the password box, and scroll down and click on the Inspect.

Step # 3: Now you see some codes on the right side.
for Facebook

Code:

<input type="password" class="inputtext login_form_input_box" name="pass" id="pass" data-testid="royal_pass">

Step # 4:
Change this <input type="password"
Into <input type="Text"

For example:

Code:

<input type="text" class="inputtext login_form_input_box" name="pass" id="pass" data-testid="royal_pass">

Now close the code page and see what magic happens.

Boom:


Please test it on yourself, don't harm anyone

Interesting. In Germany saving passowrd at official PCs is not legal.

[henrydezeden]

You can also see the saved passwords in the setting of browsers. I think this issue is simple that everyone just know. But you're when notice people not to save the information.

[Saisher]

Check if the public computer has a defreeze option most of the public computer now has defreeze install on every computer to prevebt malicious files from being dowloaded in their computer, if there is then your login info will be cleared or erased when you log off in the computer.

[Pmalek]

Good advice OP, I wasn't aware of this trick.
You should never save your login credentials in your browser or on your hard drive anyway. The reasons why have already been mentioned so no reason to repeat those.

Google keeps a file for login details on your device. This file contains the URLs, IDs and encrypted passwords for all sites you visit. This data shouldn't be on any computer.
They used to keep them in the below location, not sure if that is still the case.

C:\Users\$username\AppData\Local\Google\Chrome\User Data\Default.

https://www.askcybersecurity.com/where-are-my-saved-passwords-in-chrome/

[Ryushin]

It's stupid to safe passwords on others notebook or PC, they can easily login behind your back, password saving is only good on your private computers not public computers

[LFC_Bitcoin]

I use public WiFi in cafes and libraries all the time, but I would never use a public computer there. I bought an HP Netbook, and a Logitec keyboard for my phone, and both of those allow me to use my own equipment. Neither of them cost much money, so I can't see the point in using a public computer. The only time I have done it is to assess a library printer, and you need to scan a library membership card to do that.

How safe is this?

If person X used a laptop that held some of their bitcoin’s over public WIFI is there any chance at all that somebody could for example steal their wallet.dat &/or see what their wallet password is.

Nobody else has access to person X’s laptop ever but is there a chance at all that somebody could access their laptop via the public WIFI if they’re online using it at the same time?

[OK Con De]

Don't click save password when you use a public computer, that's all. Auto save login details on personal computer helping a lots. More careful, you can use a password manager, Lastpass is good, i recommend it.

[o_e_l_e_o]

If person X used a laptop that held some of their bitcoin’s over public WIFI is there any chance at all that somebody could for example steal their wallet.dat &/or see what their wallet password is.

It depends on the rest of your security set up and what kind of wallet you are using, but there are other risks too.

An attacker can use an unsecured WiFi network to spy on the data you send across it. This could include usernames and passwords if they aren't otherwise encrypted, and they could use this to access web wallets or exchange accounts. An attacker can use a WiFi network to distribute malware. This could be in the form of a keylogger to record your login details to a web wallet, could be clipboard malware to change the address you have copy and pasted, could be designed to send your wallet.dat to them, or could be to change the destination of any transaction you try to sign.

Even if you are using a hardware wallet you are not completely safe. Although you wouldn't be susceptible to any of the attacks above (provided you double check what shows up on the screen of your hardware wallet), it is conceivable that an attacker could set up a man in the middle attack, and change a bitcoin address which is being displayed to you. For example, if you were connecting to a service to deposit some bitcoin, the receiving address of the service could be changed to the address of the attacker before you even see it. So even if you confirm everything is correct on the screen of your hardware wallet, you are only confirming against an already altered address.

I would recommend never using public WiFi for anything truly sensitive or valuable, and never log in to any accounts via one. If I ever do have to use one, I use a Live OS which is wiped afterwards and Tor with HTTPS.

[LFC_Bitcoin]

@oeleo

Thanks for the detailed response.