That depends on the manager. Good ones won’t have access to your stuff outside of an encrypted blob. Still, it’s generally better to use a separate authenticator.
That makes it a single point of failure yes, and the rest of the comment you’re replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager
Sorry i misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.
But if a password manager is compromised then doesn’t the attacker also get the TOTP key which is what generates the codes in the first place?
It wouldn’t matter if it expires in one minute because they’ll have the token to generate the next code, as well as now knowing the password.
That depends on the manager. Good ones won’t have access to your stuff outside of an encrypted blob. Still, it’s generally better to use a separate authenticator.
That makes it a single point of failure yes, and the rest of the comment you’re replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager
Sorry i misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.