Which password manager do you use?

2020 - Still KeePass

:-)

I did start using BW as advised here (thanks) and even got a premium account and added the entire family. I’m quite happy with it. I’ve been concerned ever since I received one of these emails complete with a genuine old email and password combo I used years ago.

I noticed it also supports storing payment methods. I never did that with Chrome. Do you guys use it for this purpose?

No, but I don’t think it’s a security risk to do so. Don’t use it for storing your TOTPs though.

Bitwarden just added MacOS TouchID and Windows Hello authentication to their desktop apps. It isn’t in the browser extensions yet, but they posted on their forums that it’s coming very soon too. Good stuff!

Yeah I finally made the switch from Lastpass and it is pretty slick!

Top of the Pops?

Time-based One Time Password (most popular 2-factor authentication method)

Yeah, this had me confused when stusser mentioned it. Why would you go about storing something that will expire within the next 5 minutes? I assumed he meant the 3-digit security code.

Most TOTP systems provide backup codes in case you lose access to your MFA device, so I assumed he’s talking about storing those.

No, the codes you get out of Authy or Google Authenticator or whatever use TOTP on the backend. There’s a seed that tells it what numbers to present at a given time. The time part refers to when they change every 60s or whatever.

I wouldn’t put those backup codes in my password manager either though.

Where would you put them? Print them out old-school? Encrypt in the cloud somewhere?

I used to keep the backup codes in the ‘secure notes’ in LastPass. Not very good if LastPass itself requires 2fa to access, and you lose your 2fa though!

Lately I haven’t been too concerned with those codes, since I’m using the Microsoft authenticator which backs the 2fa up to cloud.

I keep them in a text file local to my desktop.

I use Authy for the same thing.

What if you need the 2FA to unlock LastPass to get your MS account password to get your 2FA? Yeah that’s why you want backup codes.

Well, I think the MS password is the other password I commit to memory, along with the BitWarden one. :)

All good, unless you take a shot to the noggin. But I would still keep the recovery codes somewhere.

One of the things I like about OneDrive is it has a Personal Vault area. It’s encrypted and can only be decrypted locally for short periods of time. I store mine in there.

Interesting, I never used the vault before. How does that work if you lost your MS password? It needs 2FA to unlock doesn’t it?

I password protected a 7z and stuck it in Onedrive, so it’s local as well as backed up.

But then I’d probably have forgotten my BitWarden password as well so the codes wouldn’t help! ;)

Yeah, decryption is tied to your Windows account, not an arbitrary password. I don’t even enter my password in, actually; I tell it to log me in and 2FA on my phone (via Microsoft Authenticator) has my phone authorize me. Probably less secure than in a password manager, but it’s at least recoverable and it’s not storing password + TOTP backups in one spot.

Yeah, same here, the authenticator on the phone just asks you to allow access, or sometimes match a number. And Windows login is just a PIN.

I guess we’re really talking about recovering everything in the very unlikely situation of losing your phone and Windows install at the same time. At that point I think you’d need your Windows password to access anything that was in Onedrive?

Yep, but Onedrive isn’t end-to-end encrypted so there’s some way to get access back from Microsoft, although I expect they don’t make it easy.

Has Yubi finally made One Key That Can Rule Them All?