Save your 2FA keys!

Bryn

#41
Surely Bitwarden can generate passwords for you otherwise it'll be pointless just offering a vault? I'll stick to LastPass thanks, especially after reading this https://medium.com/@davis.a.brandon/bitwarden-doesnt-care-about-security-59e2ef87870a. LastPass and LastPass Authenticator is free whereas with Bitwarden you have to pay for TOTP.
Bitwarden can generate passwords of course. The link you provided discloses up front that the issue is resolved. I didn't switch to Bitwarden for extra security (although I'd assume it's at least as good as LastPass). I switched for the easier to use UI. It used to be a constant PITA to copy passwords, whereas it's incredibly quick and easy with the Bitwarden browser extension. Bitwarden also lets me use my fingerprint on mobile, whereas LastPass refused to. To me, that's not an acceptable balance of convenience vs. security. If my fingerprint is good enough for mobile payments it can also be used with my password manager.

Paying $10 a year is less than half the LastPass Premium cost, and more than reasonable to support quality development. I don't need any fantastic service I use to be free, as it often begs the question as to how the provider is generating revenue.

In any case, using any password manager with a YubiKey 4 makes it exceptionally unlikely that you're going to be hacked. The comfort of the nice Bitwarden UI and a USB/NFC authentication key to cement the level of security is all any consumer is likely to need.

Well, mixing browsers up with secure logins is already a problem. On that site I linked, passwordgenerator that have this in big bold writing further down

8. Do not let your Web browsers( FireFox, Chrome, Safari, Opera, IE ) to store your passwords, since all passwords saved in Web browsers can be revealed easily.

In that article:

I can hear a tiny alarm bell going off inside my head just reading what that guy did. Yes the functionality should be rock solid but I'll tell you what, I just do not.....trust......browsers.
Yeah, it's pretty dumb to use password management features in any browser. Also, there's no way of knowing if Bitwarden, LastPass, 1Password etc. are going to get hacked or not. By all indications, they seem to be extremely secure. There's only so much you can do for your online security as an ordinary consumer without greatly inconveniencing your life. Personally, I rate everyone:

- uses any mainstream password manager like Bitwarden
- has USB/NFC 2FA like a YubiKey 4 (which can be acquired cheaply by signing up for WIRED magazine)
- has any of the top performing antivirus solutions on their system
- blocks ads in their browser
- ensures their operating system is up to date
- doesn't use pirated software and games

Those simple steps give you a unique nightmare password for every website, make gaining unauthorised access to your vault extremely unlikely and largely eliminate your exposure to the most common vulnerabilities like user data hacks on random websites, malicious browser ads and local network malware and viruses.
 

IOPS

#42
This hasn't had a reminder bump in a while, so doing just that.
Be responsible, save your 2FA keys.
 

ghoti

#44
If you have 2FA enabled on exchanges and you lose your phone - life is a lot easier with the account key in your possession. Once you scan the QR code and enable 2FA you don't get access to the key again so back it up (write it down) before enabling 2FA.

If you've already enabled 2FA and you don't have the keys...disable 2FA in your exchange account and log out. Log back in to make sure 2FA has been removed, only then remove that site's account from your phone and re-enable 2FA taking note of the key this time.

View attachment 462177
(Not mine, just a pic from google)
Very good advice, I thought it was something Google accounts would back up and restore. I was wrong. Took a long time to fix some of the issues caused by that.
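Added example, not part of the thread: a way to confirm that a written-down 2FA key really reproduces the codes the authenticator app shows, before relying on it as a backup. It assumes standard TOTP (RFC 6238) with the usual defaults of SHA-1, 6 digits and a 30 second period; `SAMPLE_URI`, `ExampleExchange` and the function names are constructed for illustration, and the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of the otpauth:// URI an enrolment QR code encodes.
SAMPLE_URI = ("otpauth://totp/ExampleExchange:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleExchange")

def normalize_secret(written):
    """Clean a hand-copied key: drop spaces/dashes, uppercase, re-pad, validate."""
    s = written.replace(" ", "").replace("-", "").upper().rstrip("=")
    s += "=" * (-len(s) % 8)
    base64.b32decode(s)  # ValueError on characters outside A-Z / 2-7 (e.g. 0, 1, 8)
    return s

def parse_otpauth(uri):
    """Extract the secret and parameters from the QR code's URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {"label": unquote(u.path.lstrip("/")),
            "secret": normalize_secret(q["secret"][0]),
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0])}

def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 code for the given Unix time (defaults to now)."""
    key = base64.b32decode(secret_b32)
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def backup_reproduces(written_key, code_shown, at=None):
    """True if the written-down key yields the code the app is showing."""
    try:
        secret = normalize_secret(written_key)
    except ValueError:
        return False  # miscopied character: the backup is unusable as written
    return hmac.compare_digest(totp(secret, at), code_shown)

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], digits=p["digits"], period=p["period"]))
```

Run the check on an offline machine and compare against the app within the same 30 second window; a mismatch means the written copy is wrong while there is still time to redo the enrolment.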
 

Honey Badger

#45
This hasn't had a reminder bump in a while, so doing just that.
Be responsible, save your 2FA keys.
I did the responsible thing and saved my 2FA Bittrex key... in a notepad file on my office PC.

This was around a year ago. After the crypto bubble I stopped trading and just left the coins on Bittrex.

In around September or October our IT Support sent out a mail for us to all move our important documents to one of our network drives as they're rolling out Win10 as well as replacing our local hard drives. Genius that I just, I moved the contents of My Documents.

You'd think I'm making this up, trust me, I'm not. :)

On 28 December, yes last week, one of my kids messed with my phone which caused my phone to go into a boot loop, I thought I'll just reset to factory settings, "everything is backed up". So I did just that and selected the most frequently used apps from the Play Store to reinstall. The others, I thought, I'd download as I needed them as I had too many unnecessary apps on my phone anyway.

Today, I checked my bank balance and remembered that January is two months long and I need to look for all my sentjies. The last I thought of was my crypto. So I head over to Bittrex and Chrome autocompletes my details... then we got to the page requesting you to enter the 6 digits from the Authenticator app. Ah, that's easy, I thought, I downloaded it and opened it up. "Product Key", it prompted.

I remembered I saved it in a file on my desktop at work so I log on and start looking around in the folders on my desktop. Hmmm, maybe I've got the name wrong so I try again, and again only after about 5 minutes did I get a lightbulb moment.

And I was like FFFFUUUUUU!! :D

I'm pretty sure I should have around 500 USD on there. Eish
 

John Tempus

#46
You can contact Bittrex to get account unlocked for loss of 2FA. They have steps to work through it, just contact them, don't just write off what you have on there.
 

phly

#49
Not long ago - about a year or so I decided to be a millennial kid and use what kids are using these days in terms of security. 2FA was the in thing. And since I had accounts on several exchanges I went round adding them onto this simple yet apparently secure app called Google Authenticator.

A few months later I got the genius idea to wipe my iOS phone and just start afresh with less junk and apps I don't use. I figured I will be able to get all the apps I need from the app store. Halfway into restoring my apps I installed Google Authenticator expecting to see all my apps only to see it blank. My heart froze for a few seconds. I did not have much in crypto. But I had used it for services such as Discord and even Google - so to login it asks for a 2FA code before I can view my emails.

Luckily I had done a backup of my phone and reverted back to it with immediate effect. Not all apps got restored but luckily my authenticator app too was restored WITH all my codes. Began to despise 2FA since that day it raised both my blood pressure and glucose levels. And also realizing that if you don't have the backup key/code you are screwed whilst you reckon your account is super secure.

Lesson Learnt - Backup your 2FA Keys!
 