My bank uses a TOTP and they not only block paste, they also block all typing. Instead they pop up a modal with a 0-9 digit keypad and the location of each number changes every time.
Effing obnoxious.
Bots don’t paste. If it’s a Selenium-related bot it would inject the value or type out each keypress.
It only causes real users pain.
Hah, I installed Postiz just yesterday, interesting to see this thread. It’s like Buffer or one of the other paid tools to schedule your social media posts and track engagement. Of course, of particular interest to our community, Postiz is self-hosted.
It doesn’t have as many features yet as the major SaaS businesses, but the software is looking good and quite usable right now. I’m sure the more people who use it and support the developer, the more this tool can grow.
For example you can plug in your OpenAI API key and get an LLM chat interface inside the software while writing social posts. But I don’t think it learns your style or creates posts using any kind of system prompt yet unless you type it in each time.
Another thing I couldn’t figure out so far is how to limit which social media channels individual users can see. For example my business has several different units and there’s a different marketing team on each unit, so they shouldn’t be able to post into other channels.
If you’re in the business of needing to post regularly on a lot of channels I think Postiz is worth checking out.
Training takes more resources.
Querying takes less resources.
Python developer here. Venv is good, venv is life. Every single project I create starts with
python3 -m venv venv
source venv/bin/activate
pip3 install {everything I need}
pip3 freeze > requirements.txt
Now write code!
Don’t forget to update your requirements.txt using pip3 freeze again anytime you add a new library with pip.
If you installed a lot of packages before starting to develop with virtual environments, some libraries will be in your OS python install and won’t be reflected in pip freeze and won’t get into your venv. This is the root of all evil. First of all, don’t do that. Second, you can force libraries to install into your venv despite them also being in your system by installing like so:
pip3 install --ignore-installed mypackage
If you don’t change between Linux and Windows most libraries will just work between systems, but if you have problems on another system, just recreate the whole venv structure:
rm -rf venv
(…make a new venv, activate it)
pip3 install -r requirements.txt
Once you get the hang of this you can make Python behave without a lot of hassle.
This is a case where a strength can also be a weakness.
The TOTP changes every time. For modern TOTP hashing I’m not sure how many sequential codes a keylogger would need but I’m guessing more than I will ever enter.
Edit, asked AI for an answer to that because I was curious (maybe it’s right):
Start AI
That being said, if an attacker were able to collect a large number of TOTP codes, they might be able to launch a brute-force attack to try to guess the private key. However, this would require an enormous amount of computational power and time.
To give you an idea of the scale, let’s consider the following:
Using a brute-force attack, the attacker would need to try approximately 2^128 (3.4 x 10^38) possible private keys to guess the correct one. Even with a powerful computer, this would take an enormous amount of time - on the order of billions of years.