You Should Know
YSK - for all the things that can make your life easier!
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
Rules (interactive)
Rule 1- All posts must begin with YSK.
All posts must begin with YSK. If you're a Mastodon user, then include YSK after @youshouldknow. This is a community to share tips and tricks that will help you improve your life.
Rule 2- Your post body text must include the reason "Why" YSK:
**In your post's text body, you must include the reason "Why" YSK: It’s helpful for readability, and informs readers about the importance of the content. **
Rule 3- Do not seek mental, medical and professional help here.
Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.
Rule 4- No self promotion or upvote-farming of any kind.
That's it.
Rule 5- No baiting or sealioning or promoting an agenda.
Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.
Rule 6- Regarding non-YSK posts.
Provided it is about the community itself, you may post non-YSK posts using the [META] tag on your post title.
Rule 7- You can't harass or disturb other members.
If you harass or discriminate against any individual member, you will be removed.
If you are a member, sympathizer or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people and you were provably vocal about your hate, then you will be banned on sight.
For further explanation, clarification and feedback about this rule, you may follow this link.
Rule 8- All comments should try to stay relevant to their parent content.
Rule 9- Reposts from other platforms are not allowed.
Let everyone have their own content.
Rule 10- The majority of bots aren't allowed to participate here.
Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.
Rule 11- Posts must actually be true: Disiniformation, trolling, and being misleading will not be tolerated. Repeated or egregious attempts will earn you a ban. This also applies to filing reports: If you continually file false reports YOU WILL BE BANNED! We can see who reports what, and shenanigans will not be tolerated.
Partnered Communities:
You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.
Community Moderation
For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.
Credits
Our icon(masterpiece) was made by @clen15!
view the rest of the comments
I hate this so much. My Bitwarden password is the one thing I know. I'm not confident I could ever learn another password, especially one I barely ever need.
And 2FA? What if my phone breaks? My 2FA recovery codes are in Bitwarden.
Ugh. I have no idea what I'm going to do.
I can tell you what most are going to do. Same password for both the vault and the email provider. Which is counter productive to everything.
Print or write down your recovery codes, and stash them in a safe spot. And don't store your primary email password in bitwarden either.
With your current setup, you're one keylogger away from losing all your stuff.
With keyloggers as a malware, the malware could just steals the contents of the vault when you unlock it, even if you have 2FA.
Physical keyloggers are extremely unlikely, since you would be using your devices most of the time, and if your adversary can put a physical keylogger, they probably would also put malware in your computer, again, they'd steal the contents of your vault when you unlock it, 2FA or not.
This is dramatically unlikely for FIDO2 MFA services. It’s possible, but would require the device you’re using to remain connected to both the vault and the attacker infrastructure long enough for the data to be scraped. It happens, but nowhere near as frequently as just stealing the login credentials and using them asynchronously from the origin.
The strawman here would mostly apply to high value targets, which most people aren’t. At the scale of the internet, most cybercriminals are going to pivot to stealing accounts that don’t require additional investment to harvest. It’s simple economics. Having MFA is an essential part of using the internet for anything you actually care about.
Strong passwords are rapidly becoming worthless when we’ve been building ever more powerful compute farms for several decades. What used to take months or even years to crack in 2010 can be done in seconds today. But all of that info neglects that it’s irrelevant because most passwords are lost due to social engineering, malicious software, or the leading cause….. password reuse.
Sure but they still wouldn't have my email password or recovery codes, which was my point.
Using different apps for password management and for 2fa is good for your security and good for redundancy. If your vault is compromised, you don't want your OTP info compromised with it. I personally use Aegis.
That said, Aegis is still an Android app and while I have a backup of it's data, I think I'm still out of luck if my phone breaks until it gets repaired or replaced. I've been trying to figure that one out, because it doesn't seem like there's a lot of good options with desktop support.
Maybe you could use an Android VM and install Aegis into it
Option 1: Set Email password same as Bitwarden Password (probably not a good idea, but technically an option 😉)
Option 2: Make a Keepass Vault with the same password as Bitwarden, and put your Email password in it. Make sure to backup the keepass vault file to many different Hard Drives, SDDs, and cloud (file is encrypted so its probably safe in cloud)
Option 3: Move every password into Keepass.
Hurry, time is ticking, February is in a few days. (I'm moving to Keepass btw, already have my Email password in Keepass and the vault is backed up)
I've never used bit warden, but I migrated from Nordpass to keepass, I currently use a private key for my second form of Authentication so even if my vault is stolen it can't be decrypted cuz they would need the private key along with it
It's a stupid simple setup, because I use syncthing to synchronize my Vault across all systems, and I have syncthing set up that way it keeps three or four versions of the Vault active at a time so if I somehow managed to corrupt The Vault I can just use an older version, this way I only have one account that I'm locked out of instead of all accounts.
As for 2fa, yeah I do the same thing as the other guy my 2fa is stored in my vault. I used to use authy for everything, then they decided that it wasn't secure to have a desktop app, and since I don't have my phone on me at all times I decided just fuck it and threw it all in one location. It's less secure but there isn't a decent desktop 2fa app available that I know of. Technically I could make a seperate keepass vault only for 2fa but that would be a second password to remember
Recovery codes. Take them seriously. Some I trust have them for glass break.