
charlietran | 9 years ago

Thank you so much for this list, it's more concise and useful than any corporate security lecture I've ever received! Some questions:

> 10. Install a password management application that doesn't store your secrets in the cloud.

Great recommendation, but how do you handle syncing passwords between your computer and phone?

> 2. Enable "code-generating" or "authenticator app" 2FA on all your accounts, particularly email (this is called "TOTP").

Do you recommend using the TOTP feature of 1Password, or would you consider storing your password / TOTP together a loss of the "2nd Factor"?


passivepinetree | 9 years ago

1Password has a WiFi sync option that syncs your passwords between your computer and phone when they're both connected to the same WiFi network. I've been doing it Mac --> Android for quite some time and never had any issues.

quanticle | 9 years ago

> Great recommendation, but how do you handle syncing passwords between your computer and phone?

I use KeePass to encrypt my passwords and store the password vault in Dropbox. It's not a perfect system, in that an adversary can gain access to my password vault and try to brute-force my master password. But it's "safe enough", if you make sure to use a strong passphrase as the master password for the vault.

jaredklewis | 9 years ago

How is brute-forcing a concern?

Your password might be guessed in a dictionary attack if you have a weak password. Or if at some future date a KeePass-specific vulnerability is discovered, someone might be able to use that.

But someone trying to brute-force your password isn't a problem anyone needs to worry about.

To my mind, the real downside to using Dropbox to store encrypted stuff is that the existence of the encrypted stuff is not a secret. And recently it seems the spooks look upon encryption with ever increasing suspicion.

avn2109 | 9 years ago

I do this too but it conflicts with tptacek's injunction above to "not use Dropbox."