undefined | Better HN

0 pointsmdaniel5y ago0 comments

I have that debate inside my head often, but ultimately it boils down that "security" is a spectrum and convenience is on one end of the spectrum. Having all passwords be "asdfasdf" is massively convenient, massively insecure. Having to carry my titan key with me all the time (assuming my suck ass financial institutions even allow WebAuthn) is massively inconvenient, and pretty secure.

I'm 100% on board with not using 1P's TOTP for guarding the AWS Master Payer Account for my company, but my GitHub account is not a nation state threat, so having 1P autofill the code after it autofills the long password is very convenient

I have also experimented with passwords in one manager, TOTP in another, but ... as I said about that convenience spectrum

---

Kind of related to that last item, I also have gotten a lot of mileage out of KeePassXC's autotype feature for having it type my GPG pass phrase into pinentry. It stays out of the clipboard, I only have in use it within the pinentry timeout, and it's convenient. I wish 1P had similar behavior on sane OSes (1P will autotype into certain fields on Windows 10 but that convenience extends only to my gaming accounts because I'm not going to use Windows)

0 comments

7 comments · 1 top-level

Ajedi325y ago· 6 in thread

But wouldn't it be even more convenient to just not use 2FA in the first place? If you're just going to store your TOTP seed in the same place you store your password, why even bother?

kstrauser5y ago

If a crappy website’s user database gets attacked, the hacker may have my plaintext password stored in it. They may not have my 2FA seed, so there’s at least a chance that the attacker still may not be able to access my account.

I think this is much more likely than an attacker cracking my 1Password vault.

plibither85y ago

Your point is true, but it is highly unlikely that a website providing 2FA would also be storing passwords in plaintext.

Ajedi325y ago

Wouldn't the TOTP seed be stored in the same breached database? Where else would they store it?

lnl5y ago

In my case, I actually enable 2FA mostly for convenience, rather than security. I often log in from different country IPs (VPN), I auto delete cookies, often use private mode, etc., so some websites are frequently suspicious about my login and ask me for an additional step to verify, e.g. by asking an additional question or sending an email with a verification code. There is usually no way to manually disable this additional check; nor do websites seem to learn that logging in from different IPs with no cookies is my usual behavior. Enabling 2FA makes websites have more trust in my login, so I get none of those additional verifications, with no additional inconvenience as 2FA stored in password manager and typed automatically just like the password. So in a way I enable 2FA in order to disable 2FA.

mtone5y ago

I would think 2FA-in-masterdb still protects you against some website hacks, most browser exploits and phishing sites, using your password on other potentially compromised devices (public wi-fi, work, etc.) and probably some keylogger scenarios that would miss the database content.

mdanielOP5y ago

It seems your threat model just doesn't match mine, and I'm glad you have the emotional energy to pull out your phone to auth to every website. Yes, sure, if some rando joker exfiltrates my 1P vault and keyloggers my machine, fine, they get all the things for all the things, but that's Security Darwinism at work if I allow that to happen

j / k navigate · click thread line to collapse