Michael Tsai Blog - Is It Safe to Store Passwords and 2FA Codes Together? - eviltoast
  • jollins@programming.dev · 8 upvotes · 1 year ago

    There’s a balance between convenience and security and IMO storing both on 1Password is fine. An attacker getting into your 1PW account would require them to have

    • your username

    • and your password (which should be unique to only 1PW)

    • and your secret key

    • or physical device access with your 1PW password or biometric auth credentials

    in which case an attacker really wants your stuff, has your device, and you have bigger issues.

    I feel like this is similar to saying “is your front door lock strong enough?” when a thief is at your door and really wants to get inside, regardless of level of effort required.

    • bookworm@feddit.nl · 6 upvotes · 1 year ago

      I agree for the most part, but it doesn’t entirely defeat the purpose. If someone got a hold of your password for a website it would still protect you. And let’s be honest, that’s the most likely scenario. But yes, if someone got into your password manager then it’s completely game over, a scenario where having a separate 2FA device would still protect you.

    • kamin@lemmy.kghorvath.com · 2 upvotes · 1 year ago

      It defeats the purpose in the scenario that your vault is stolen and decrypted. But it still protects you in the much more likely scenario that a data breach exposes your password somewhere else.

    • ebits21@lemmy.ca · 1 upvote, 2 downvotes · edited · 1 year ago

      It definitely defeats the purpose. If you store them together there’s only one factor!

      Things you know, have, or are.

      It just becomes two things you know.

      • glacials@l.twos.dev · 4 upvotes · 1 year ago

        Password managers do have two factors: the vault (have) and the master password (know).

          • glacials@l.twos.dev · 1 upvote · 1 year ago

            It depends on your password manager and sync method. With most if I take all your devices away from you, you can’t go to any public computer and access all your passwords using only what you know. You need to have one of your physical devices.

  • TORFdot0@lemmy.world · 3 upvotes · 1 year ago

    How hard is it to use a separate password manager and MFA app? I personally don’t keep any MFA codes in keychain because it’s not convenient to retrieve the passcode in most cases.

    • basskitten@lemmy.world · 1 upvote · 1 year ago

      You’re posting this on an Apple forum so I have to ask: how is it not convenient? If you use iCloud Keychain + Safari everywhere, it’s ridiculously convenient. I went through some contortions in order to migrate my Symantec VIP codes to iCloud Keychain just so I could have that sweet code integration.

      • TORFdot0@lemmy.world · 2 upvotes · 1 year ago

        I can’t use my 2FA codes on devices that aren’t connected to my Apple ID; my work devices use Apple Business Manager Apple IDs. I have a PC I use for Sony Vegas, etc.

        • basskitten@lemmy.world · 1 upvote · 1 year ago

          You can still view the generated codes in the Settings app on your devices that are signed into your personal Apple IDs. Not super convenient, but possible.

          • TORFdot0@lemmy.world · 1 upvote · 1 year ago

            I know that I can, it’s just worth it to me to maintain a separate MFA app. (In my case Duo, because my work requires it for PC logins anyway.)

        • somas@kbin.social · 1 upvote · 1 year ago

          @TORFdot0

          @Ansgar @basskitten

          I’m on all the betas so I can’t be sure if it’s available to everyone, but Apple’s Keychain gives you the option of using Authy or Google Chrome 2FA codes, so at least on Mac your codes will auto-populate.

  • signofzeta@lemmygrad.ml · 1 upvote · 1 year ago

    I don’t know, the article summed it up perfectly. Of course, I do it anyway. If someone steals and decrypts my laptop, and decrypts my password vault, they’ve earned the contents of my bank account.

    • basskitten@lemmy.world · 1 upvote · 1 year ago

      As one of the comments on that post said, even easier is that they just call the bank pretending to be you and get them to reset your password. They don’t need any of your devices or vaults in that case, just some easily discovered personally identifying info (which was probably leaked in a data breach).