AWS hacked account

You are right, but it is so comfortable using the browser add-on! :frowning:
Why do you think the browser add-on is more vulnerable than a standalone app?
I guess the main problem arises from the fact that you enter your credentials tens of times a day to use the password manager, because when it reaches a timeout or you close the browser it requires the sign-in again.

always good to be a bit paranoid.

that is a common way to get hacked.
i use firefox, the only addon is the multi-container, written by mozilla.

as for passwords, i never save them with firefox, only keepass
keepass has a feature called auto-type, so i do not need to copy/paste passwords
and also, on android, use keepass.

yes, that is correct. no big deal, using auto-type with keepass.

for example, if i am looking at my browser, at the rclone forum login webpage.
i simply press a hotkey, that activates keepass to copy/paste the login info, including username, password and MFA token.
this is the auto-type sequence
{USERNAME}{TAB}{PASSWORD}{ENTER}{delay 3000}{KPOTP}{ENTER}

currently I don't use the browser password manager, but the Chrome extension of Bitwarden. It is very similar to KeePass.
Me too on Bitwarden copy and paste. What is your opinion on the Google password manager (passwords.google.com)? Sometimes I used it also...

to be clear, it is not copy/paste. keepass types the information for me, does not use the clipboard.

you just got hacked. really, it is up to you to protect your information.
even if i used google products, i would never store passwords that way.

I understand. I would like to understand the main reason why you consider KeePass more secure than Google passwords from a technical perspective.
And why you think using KeePass is a way to protect your information. In other words, why do you think using KeePass keeps you away from any hacking issue?

I think the really important part is to ensure that you don't lose your important accounts in case someone should happen to compromise your password manager (whatever you use).

That is 2FA on all important accounts (especially the mail account linked to your other accounts) and then make sure the 2FA tokens are stored somewhere else - preferably another device.

Feel free to call me super paranoid, but this protects me even if one of my devices gets compromised and somebody manages to sniff my master password.

I do however tend to leave my rclone forum account logged in, so I am also into being comfortable :grinning:

the internet is full of advice, not to trust google/chrome/addons/cloud with passwords, maybe read up on that.
and why keepass is to be trusted, though nothing is 100%

KeePass has none... So why are there seven embedded trackers in the LastPass Android app?

if you have any rclone questions or comments on the security tips and IAM policies i posted, please let me know.

What I realized now is that I unfortunately had S3 access as the root user, as I did not generate an IAM user!

When I created the S3 bucket I did not investigate that much the difference between an IAM user and the root user... :frowning:

I guess in that way, by hacking the 2 AWS access keys, the user has the possibility to buy domains, change the reference email, add another credit card and so on, right?

So the hacking mechanism could have been that one.

Do you agree?

sorry, no, as this has already been discussed a few times.

we have offered a range of reasons from
--- old fashioned hacking, for example, using a password manager extension INSIDE chrome.
zero chance to secure that contraption.
Web browsers are fairly easy to break into, and lots of malware, browser extensions and even honest software can extract sensitive information from them.
--- newfangled hacking, to quote @Ole :wink:
"Your https communication was compromised by a quantum computer"


because the AWS root user email can only be changed using the AWS Management console:


Source: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html

and access to the AWS Management Console requires your root username/email and password (and MFA).

The root user name can be found from the access keys in your rclone config, but not the password.

So something else was (also) compromised to get your AWS root user password (and MFA).

Ok. Thanks.
Anyway, I didn't have MFA activated. So you are saying that the access keys allow one to identify the AWS username?

So, in this case they have just to guess or hack the password in some other way. Is that right?

ignore this post

Yes, I guess you can find it using the AWS CLI:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-access-key-info.html

@asdffdsa Perhaps you can test?

I find it highly unlikely that someone has been able to guess or hack your password, if it was strong and followed the AWS best practices (randomly generated):
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_change-root.html

AWS probably also has some measures in place that will block/throttle repeated unsuccessful attempts to log into an account.

My best guess is that one of your devices used to access Bitwarden or the AWS Management Console was compromised (and perhaps still is).

Edit: ...or someone got access to your email account and requested a password reset at AWS (I guess they send a confirmation email like everybody else).

good discussion all around,

as you were posting, i was about to post this.


not sure what a root user name is, do you mean Account Name?

i wanted to better understand what happens when using rclone + access.keys for root user.

tl;dr - so far, using rclone, the only info i could obtain is:

<Owner><ID>redacted</ID><DisplayName>redacted</DisplayName></Owner>

DisplayName in rclone debug log seems to be the Account Name in aws console.

i created a dummy account at aws and set it up in the least secure manner.

  1. created access.keys for root user. no MFA
  2. create a bucket. allow ACL, allow public access.
  3. for that bucket:
    --- enabled public access.
    --- uploaded a file
    --- set public access for that file.

then i ran these commands, did not see username, owner or anything beyond access_key_id, which is expected.
even secret_access_key is not displayed.

rclone copy file.ext remote: --s3-decompress --s3-disable-http2 --dump=auth,headers,bodies,requests,responses
rclone lsf remote: --format="pM" --s3-decompress --s3-disable-http2 --dump=auth,headers,bodies,requests,responses

then i ran
rclone backend list-multipart-uploads remote: --s3-decompress --s3-disable-http2 --dump=auth,headers,bodies,requests,responses
and did see
<Owner><ID>redacted</ID><DisplayName>redacted</DisplayName></Owner>

I mean email or similar that can be used to login together with the root user password.

Edit: ...to buy additional AWS services.

those links are for STS, which my scripts use, as all users have MFA enabled.
rclone itself cannot create the STS token.

at this point, i am done testing, learned what i needed to.

in practice, this topic should not apply when using this setup, as i do.
--- set account name to dummy value.
--- never login using root
--- never store root login info using password manager
--- never create access.keys for root
--- force MFA login for root user.
--- force MFA login for all IAM user.
with this enabled, rclone, on its own, cannot perform any operations.
have to use custom scripts to create a temporary MFA token, use that MFA token to create a temporary STS token and then feed that STS token to rclone using --s3-session-token

"Statement": [{"Effect": "Deny","Action": "s3:*","Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]

--- bucket: disable acl, public access, force MFA delete, limits s3 permissions, use lifecycle/compliance.
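The "temporary MFA token -> STS session -> rclone" step described in the post above, written out as an added example (this is not code from the post, from rclone or from AWS). It assumes the AWS CLI is installed and configured with the IAM user's long-term keys, that `MFA_SERIAL` holds that user's virtual MFA device ARN, and that the remote is called `remote:`; the variable and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from rclone/AWS.
# The IAM user's long-term keys only ever sign one sts:GetSessionToken call;
# rclone then runs with short-lived credentials that satisfy the
# aws:MultiFactorAuthPresent condition of the deny policy quoted above.
set -eu

# Parse the single tab-separated line that
#   aws sts get-session-token --output text \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
# prints, validate it, and export it as rclone's S3 backend variables.
export_sts_for_rclone() {
    line=$1
    old_ifs=$IFS
    IFS=$(printf '\t')
    set -- $line
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "unexpected STS output: expected 4 fields, got $#" >&2; return 1; }
    # Temporary credentials always have access key ids starting with ASIA;
    # anything else means we were handed long-term keys by mistake.
    case $1 in
        ASIA*) ;;
        *) echo "not a temporary access key id: $1" >&2; return 1 ;;
    esac
    RCLONE_S3_ACCESS_KEY_ID=$1
    RCLONE_S3_SECRET_ACCESS_KEY=$2
    RCLONE_S3_SESSION_TOKEN=$3
    STS_EXPIRATION=$4
    export RCLONE_S3_ACCESS_KEY_ID RCLONE_S3_SECRET_ACCESS_KEY RCLONE_S3_SESSION_TOKEN
}

# Ask STS for a session bound to the MFA device: $1 is the MFA serial (ARN),
# $2 the current 6-digit code, $3 the lifetime in seconds (900 is the minimum).
mint_session() {
    aws sts get-session-token \
        --serial-number "$1" --token-code "$2" --duration-seconds "$3" \
        --output text \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
}

# Only talk to AWS when MFA_SERIAL is set, so the functions above can be
# sourced and tested without network access.
if [ -n "${MFA_SERIAL:-}" ]; then
    printf 'MFA code: '
    read -r code
    export_sts_for_rclone "$(mint_session "$MFA_SERIAL" "$code" 900)"
    echo "session valid until $STS_EXPIRATION"
    # rclone picks the three RCLONE_S3_* variables up from the environment,
    # equivalent to --s3-access-key-id/--s3-secret-access-key/--s3-session-token.
    rclone lsf remote:
fi
```

Backend-wide `RCLONE_S3_*` variables rank below values stored in rclone.conf, so the remote must not carry its own `access_key_id`/`secret_access_key`; if it does, pass the same three values as the `--s3-*` flags instead, as the post does with `--s3-session-token`.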

Sorry,
I enabled the rclone config encryption, but now, of course, when I try to use my original scripts for rclone they fail because rclone.config is encrypted.
I read the wiki https://rclone.org/docs/#configuration-encryption but really it is not very clear to me how I can manage rclone to run with the encrypted rclone.config file.
The wiki talks about a password store tool which is not available in my asuswrt system (I have an Asus RT-AX88U router) nor in the Entware distribution.
Can you help me understand how to run the rclone script with the encrypted rclone.config file?

This is my current script:

#!/bin/sh
mv /mnt/NAS/linux/rclone_nas.log  /mnt/NAS/linux/log/rclone_nas_$(date +%F).log
/opt/bin/rclone sync -v /mnt/NAS /mnt/NAS2 \
--backup-dir /mnt/SCRATCH/TEMP_BACKUP/NAS/`date -I` \
--log-file /mnt/NAS/linux/rclone_nas.log \
--delete-excluded \
--size-only \
--min-age 30 \
--max-duration 4h \
--bwlimit 5M \
--filter-from /jffs/myscripts/rclone_nas_filter.txt
wait
/jffs/myscripts/mail_rclone.sh NAS  /mnt/NAS/linux/rclone_nas.log
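One way to keep the script above running once rclone.conf is encrypted, as an added example that is neither the poster's script nor rclone's own code: rclone's `--password-command` option (documented under the configuration-encryption link above) runs a command and uses its stdout as the config password, so the password can live in a file that only the script's owner can read instead of being typed. The password file path, the log paths and the `run` argument are assumptions; the rclone options are carried over from the posted script.

```shell
#!/bin/sh
# Added example, not code from the original post or from the rclone project.
# Keeps the backup working after rclone.conf has been encrypted by handing
# rclone the config password through --password-command, so nothing is typed
# interactively and the password never enters the environment of the mail
# script that runs afterwards.
set -eu

# Assumed locations (hypothetical; adjust to your router):
PASS_FILE=/jffs/myscripts/.rclone_pass   # holds the config password, chmod 600
LOG=/mnt/NAS/linux/rclone_nas.log
LOG_DIR=/mnt/NAS/linux/log

# Refuse to use a password file that is missing, empty or readable by
# group/others. Parses `ls -l` so it works with BusyBox on asuswrt/Entware.
check_pass_file() {
    f=$1
    [ -s "$f" ] || { echo "password file $f missing or empty" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)      # the six group+other permission bits
    [ "$perms" = "------" ] || {
        echo "password file $f must not be group/world readable (chmod 600)" >&2
        return 1
    }
}

run_backup() {
    check_pass_file "$PASS_FILE"
    mv "$LOG" "$LOG_DIR/rclone_nas_$(date +%F).log" 2>/dev/null || true
    # rclone executes `cat $PASS_FILE` itself and reads the password from its stdout.
    /opt/bin/rclone sync -v /mnt/NAS /mnt/NAS2 \
        --password-command "cat $PASS_FILE" \
        --backup-dir "/mnt/SCRATCH/TEMP_BACKUP/NAS/$(date -I)" \
        --log-file "$LOG" \
        --delete-excluded \
        --size-only \
        --min-age 30 \
        --max-duration 4h \
        --bwlimit 5M \
        --filter-from /jffs/myscripts/rclone_nas_filter.txt
    /jffs/myscripts/mail_rclone.sh NAS "$LOG"
}

# Only run the backup when invoked as `./rclone_nas.sh run`, so the file can
# also be sourced to reuse check_pass_file.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Create the password file with `umask 077` (or `chmod 600` afterwards) as the same user that cron runs the script under; the permission check exists because an encrypted config protects nothing if the key sits next to it in a world-readable file.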

@ole wrote this and i agree:
Synology may have had a good reason to remove the Entware software....
It could be related to the developers of Entware living in Russia. I therefore advise healthy skepticism

The answer heavily depends on your current situation and objective.

How do you think your AWS credentials were stolen?
Have you eliminated all hidden backdoors established by the attacker into your email and/or compromised devices? How?

Do you consider your router to be a safe environment?
What kind of attack are you trying to protect against?
What version of rclone are you using? Please post the output from rclone version
What have you tried?

Sorry Ole,
my question was about how to use rclone in my script after having encrypted the rclone config file.

Anyway I also respond to your questions:

My best guess is that the username is easy to find because it is an email address used in many situations. The same email address is used, for example, for Bitwarden. The password may have been found with a brute force attack starting from similar passwords they may have hacked on one of the many websites where I registered using the same email.

As I told you before I have no evidence of any violations on email or other devices. Anyway, to be sure I added a 2FA on bitwarden and changed all the relevant passwords stored to random ones.

Looking at the router logs I don't see any intrusion into my router. In any case I changed the password, disabled the VPN running on the router and encrypted the rclone config file.

I have no evidence of any attack

please see the starting point of this thread for this information