
sesky | 1 year ago

So to mitigate lockout risk, you keep multiple Yubikeys, store recovery codes in multiple physical locations including presumably a fire-proof safe bolted into your home (at your expense), and use obscurity to store the TOTP secret on random places in the internet, presumably relying to external services or a self-hosted solution, which are themselves dependent on regular credit card payments going through.

Okay, I grant that you've reasonably mitigated the lockout risk. But I don't want to do any of this, and is it really reasonable to expect the everyday person to understand or implement all this? What happens in practice is that many users will not realize anything is wrong until they get locked out with no recourse.

This makes it hard for me to recommend Bitwarden to my friends who use typical insecure practices like password reuse or post-it notes.


alt227 | 1 year ago

> But I don't want to do any of this

Security has either been easy and weak, or difficult and strong. It will never change, and so you will always have the option of weak security if you don't want to jump through the hoops for the peace of mind.

> my friends who use typical insecure practices like password reuse or post-it notes

IMO people who do those things will never change. It's like the environment: everybody knows what they should be doing, but no one cares enough to do it.

favorited | 1 year ago

So Bitwarden should offer 2FA for users who want the additional security – they should never force users to enable it. It would be like refusing to save "password" as a password, because it is insecure.

rsync | 1 year ago

A better way to mitigate lockout risk is to use a 2FA mule:

https://kozubik.com/items/2famule/

jjnoakes | 1 year ago

If someone is locked out of their password vault, they are likely also locked out of their email...

rcxdude | 1 year ago

If you have literally no other option than SMS 2FA because of bad support from websites, maybe. Otherwise it's probably one of the worst options (though I suppose unlike using your main number at least it's harder to discover the number for the 2FA phone to attack it with social engineering).

lxgr | 1 year ago

Since Bitwarden can directly email 2FA codes, this arguably would be needlessly complicated in this context.