Re: Digital hygiene: Passwords
Just wanted to take a moment to comment on Herman's post, Digital hygiene: Passwords.
> There are lots of great password managers out there like Dashlane, 1Password, or Bitwarden. I'm quite partial to Apple's built-in password manager because it syncs between my devices and integrates seamlessly with Apple's biometric authentication, making every login a simple fingerprint scan.
Even when I was all in with the Apple ecosystem, I didn't use Apple's built-in password manager because it's just another way Apple traps you in their walled garden. Back then I used 1Password. But now I use KeePass because I use Android, Linux, and Windows. To back up/sync my password database, I use the Synology sync app.
The biggest obstacle I find when talking about passwords with normies is they don't see the reason to use a password manager. They don't feel targeted at all, and who cares if someone hacks their Instagram account?
> I'm going to say something quite controversial here: I think it's okay to back up your recovery codes in your password manager.
>
> While it does mean that if your password manager is compromised, then all of your accounts (including the ones protected by MFA) are exposed, MFA is generally there to protect against compromised login details and not against a compromised password manager. If your password manager is hacked... I'm sorry. You're going to have a tough time.
This is a no for me dawg. No shade to Herman, we all have different requirements, but if I'm going to take steps to secure my accounts and practice security best practices, then I'm going to go ahead and do all the things correctly.
- I do not store my recovery codes in my password manager (KeePass). I send my recovery codes to my printer, then collect the printouts occasionally, put the sheet into a binder, and put the binder in our fireproof safe.
- I do not use my password manager for TOTP codes. I use 2FA on my phone.
- I do use hardware keys for some of my accounts. The most important one in my mind is my email account because if your email gets compromised, then the attacker basically has the keys to your kingdom and can password reset any account they want.
With all that said, that's just how I do my passwords and authentication. Password reuse is the single biggest security vulnerability for most people, so if you're not using a password manager already, for the love of God, please start!