Password Managers?

I prefer Authenticator Plus that offers choice of cloud storage providers for backup and syncing purposes. I have yet to find something else that offers this.

Technically that super open source one, I think KeyPass or something similarly named lets you drop the database anywhere you like.
 
It’s very quick and painless to export from one password manager into another.

Haven’t done LastPass to Bitwarden specifically, but done a few others into Bitwarden without issue.

Couple of minutes of effort.

****

You can load Microsoft account, the only compromise is that you lose the prompt option.

But the Microsoft Authenticator also offers backups so you are sort of half way there.

Bitwarden actually has built-in 2FA support but I’m yet to try it out.

From a security point of view I’d prefer to keep them separated anyway.
I switched yesterday from LastPass to Bitwarden and it was a smooth transition, with Authy it's a perfect combo.
 
Google Chrome because it is free

I had my passwords on Google Chrome and got hacked… as far as I can see they got access to ALL my passwords. I was changing my password to IG every day because my hacker logged in and would change it again (they could no doubt get the new PW by checking my Chrome!). Then they got my Netflix PW… so now I have Bitwarden and am changing everything!
 
Thinking about it, my biggest issue is getting my 40 odd TFA tokens into Authy or similar. Really don't want to have to disable and enable each account one by one just to get them into Authy.
 
Thinking about it, my biggest issue is getting my 40 odd TFA tokens into Authy or similar. Really don't want to have to disable and enable each account one by one just to get them into Authy.
And if you lose your current device, what then?
 
I had my passwords on Google Chrome and got hacked… as far as I can see they got access to ALL my passwords. I was changing my password to IG every day because my hacker logged in and would change it again (they could no doubt get the new PW by checking my Chrome!). Then they got my Netflix PW… so now I have Bitwarden and am changing everything!
I have just downloaded Bitwarden, Thank You
 
And if you lose your current device, what then?
As I said, I use Authenticator Plus which has multi-device syncing by using cloud storage. Even then, as mine is backed up in Dropbox, I can just install app on another device, link it up to Dropbox, and enter the master password for it to sync.

My concern is just that the app hasn't been updated since December 2018; I think the developer has gone AWOL.
 
Thinking about it, my biggest issue is getting my 40 odd TFA tokens into Authy or similar. Really don't want to have to disable and enable each account one by one just to get them into Authy.
Why? If you’re backing up the secret then all you’d need to do is create a QR code with the secret and scan it.
 
Why? If you’re backing up the secret then all you’d need to do is create a QR code with the secret and scan it.
I can export them into text. Are you saying I can create a QR code for each one? Is there a tool you know of?
 
I can export them into text. Are you saying I can create a QR code for each one? Is there a tool you know of?
There’s a Notepad++ plug-in.

The TOTP format for the QR code should be like below.
Code:
otpauth://totp/{service}:{username}?secret={base32-encoded-secret}&issuer={issuer}&algorithm=SHA1&digits=6&period=30

You’ll know you’re on the right path if your current app and Authy display the same code.

And if you lose your current device, what then?
This is why the backup codes are important. Almost no service will remove 2FA from your account even with a password reset.
It’s always a human involved process that takes weeks.
 
Last edited:
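Added example, not part of the original posts: a Python sketch that turns a text export into `otpauth://` URIs in the format quoted above and computes the current RFC 6238 code for each entry, so the code can be compared against the old app before anything is switched over. The `service,username,secret` export layout and the sample entries are constructed assumptions; the output can be fed to any QR encoder.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote, urlencode

# Constructed sample export; the "service,username,secret" layout is an assumption.
SAMPLE_EXPORT = """\
Example Mail,alice@example.com,GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ
Example Forum,alice,jbswy3dpehpk3pxp
"""

def normalize_secret(secret):
    """Drop spaces/dashes/padding that exports often add, then validate Base32."""
    cleaned = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # ValueError if invalid
    return cleaned

def otpauth_uri(service, username, secret, issuer=None):
    """Build the URI in the format quoted above, percent-encoding every field."""
    label = quote(service, safe="") + ":" + quote(username, safe="")
    params = {"secret": normalize_secret(secret), "issuer": issuer or service,
              "algorithm": "SHA1", "digits": 6, "period": 30}
    return "otpauth://totp/" + label + "?" + urlencode(params, quote_via=quote)

def totp(secret, at=None, digits=6, period=30):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`, defaulting to now."""
    cleaned = normalize_secret(secret)
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(time.time() if at is None else at) // period
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def migrate(export_text, at=None):
    """Return (uri, current_code) for every non-empty export line."""
    rows = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        service, username, secret = (f.strip() for f in line.split(",", 2))
        rows.append((otpauth_uri(service, username, secret), totp(secret, at)))
    return rows

if __name__ == "__main__":
    for uri, code in migrate(SAMPLE_EXPORT):
        print(code, uri)
```

Each URI contains the raw secret, so the output needs the same protection as the export file itself.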
I had my passwords on Google Chrome and got hacked… as far as I can see they got access to ALL my passwords. I was changing my password to IG every day because my hacker logged in and would change it again (they could no doubt get the new PW by checking my Chrome!). Then they got my Netflix PW… so now I have Bitwarden and am changing everything!

Anything can be hacked if your master password was dumb.

It’s not the service at fault.

Also, why didn’t you have 2FA? Password Managers are pointless without it.
 
Thinking about it, my biggest issue is getting my 40 odd TFA tokens into Authy or similar. Really don't want to have to disable and enable each account one by one just to get them into Authy.

Why disable each account?

Just add another factor with Authy in slow time as you use things.

Better yet, get a Yubikey.
 
Why disable each account?

Just add another factor with Authy in slow time as you use things.

Better yet, get a Yubikey.
The only way to get the TOTP secret in plaintext is to disable and re-enable, unless you’ve stored them in plaintext which is normally not the case.
Even if you were to move from Authy to Yubikey you’d have to follow the same process, but since the secrets are now on the Yubikey (not the blue security key), if you lose the Yubikey you can’t generate codes.

The factors since I last checked are:
Something you know
Something you have
Something you are

You can combine them up any way you like. Changes to FIDO etc. have slightly complicated things with the introduction of resident keys to enable passwordless flows.
 
The only way to get the TOTP secret in plaintext is to disable and re-enable, unless you’ve stored them in plaintext which is normally not the case.
Even if you were to move from Authy to Yubikey you’d have to follow the same process, but since the secrets are now on the Yubikey (not the blue security key), if you lose the Yubikey you can’t generate codes.

Yeah but what I mean is he doesn’t instantly need to dump the old app or disable anything.

Just add another 2FA option in slow time as you log into services. Next thing you know they are all moved.
 
Yeah but what I mean is he doesn’t instantly need to dump the old app or disable anything.

Just add another 2FA option in slow time as you log into services. Next thing you know they are all moved.
AFAIK you can only have one TOTP option, I haven’t come across any service with two or more.
 
Nah, you can have the same code activated on unlimited devices / apps.
Yup, one secret. The secret is trusted not the device or generator.
Once confirmed in that QR scanning process, the secret will never be shown again to you.
 
AFAIK you can only have one TOTP option, I haven’t come across any service with two or more.

I have multiple TOTP/2FA/FIDO options on most of my accounts.

Some of them don't allow more than one for sure, but it's a minority.

I generally can login with TouchID first, then Yubikey failing that and then TOTP as a last resort.

****

Oh and the old SMS/Email option as well of course.
 