8 votes

What would be a good security setup for me?

So:

  • I keep all my passwords in my password manager (Bitwarden)
  • All my 2FA codes are generated by AndOTP on my phone.
  • My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
  • I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
  • Is there anything I'm forgetting here?

6 comments

  1. omnivore

    I recommend you ask yourself what threats you're protecting against. You'll want to take different precautions if you're worried about state actors at one end of the scale vs random script-kiddies with a password list at the other.

    Personally I tend to print off my recovery codes and keep them in a safe place. Not under lock and key as such but you'd have to be actively searching to find them. I figure if a malicious actor is running around unsupervised in my house I've probably got bigger problems. Passwords all go in Bitwarden.

    Beyond that I make sure I password protect all my devices (Phone, desktop, laptops) and never leave them unlocked when they're unattended. That'll stop opportunists from snooping around my stuff while I'm in the next room.

    I keep personal data off of my company laptop and vice versa, although since my work laptop is encrypted good luck getting my personal data off of it in the case where I'm fired.

    I figure that level of security will keep me safe from opportunists and random amateur attacks against my various accounts. If you're worried about local government agencies or foreign state actors then there's a whole bunch of other stuff you probably want to do but you should talk to someone with more experience in that sort of thing than me.

    9 votes
  2. pew

    Also think of some sort of emergency kit. Bitwarden is your single source of truth, if you host it yourself or use their service, do you have backups of your Bitwarden DB and can you access it in the worst case scenario? (service not available, etc.)

    1Password provides this emergency kit template which is a good idea/starting point I think. Then you need to find a secure place to store this, like in a bank deposit box.

    5 votes
  3. [4]
    Soptik

    My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?

    Hm, I'd say this is secure enough. I see 2FA as protection against guessed/cracked passwords. And besides, when someone gets into your BitWarden account, aren't you fked up even if you didn't have 2FA there? I don't know how many accounts you have secured with 2FA, this is a genuine question. I keep backup 2FA codes together with my bitwarden password written down in a safe, and nowhere else. I feel that this is the most secure option - and because I never had to use any of these, very convenient so far.

    I don't personally use bitwarden 2FA, as I don't store 2FA tokens there, all my important accounts are with 2FA, and whoever cracks my 32-48 character password (not going to tell the exact length :-)) deserves access to the 80 shitty websites I used twice.

    3 votes
    1. omnivore

      I used to have the same concern as OP about storing my 2FA codes with my passwords until I realized the point you made which is that you're still protected from password leaks, keyloggers, etc.

      3 votes
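    The two comments above turn on what a stored backup code is actually worth. As an added illustration (not code from the thread or from any of the products named in it), the block below implements the two mechanisms being discussed: the RFC 6238 TOTP computation an authenticator app performs from its enrolled seed, and the server side of single-use recovery codes (issued once, stored only as salted hashes, burned on use). The `RecoveryCodes` class is a hypothetical service, the seed is the RFC 6238 test secret, and the recovery codes are generated locally; none of it is Bitwarden's or AndOTP's code. The point it makes concrete is that either the seed or an unused recovery code satisfies the second factor on its own, so wherever a plaintext copy lives, that place holds the second factor.

```python
# Added example, not from the thread: TOTP (what an authenticator app computes)
# and single-use recovery codes (what a service hands out as "backup codes").
# The service class is hypothetical; the seed is RFC 6238's published test secret.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def totp(secret_b32: str, for_time: Optional[float] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, derived from the base32 seed an app enrols."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // step))            # 8-byte big-endian step count
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, for_time: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours (clock drift); compare in constant time."""
    now = time.time() if for_time is None else for_time
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * 30), code)
        for k in range(-window, window + 1)
    )


class RecoveryCodes:
    """Hypothetical service side of 2FA backup codes: issue a short list once,
    keep only salted hashes, and consume each code on first valid use.
    The user's printed or vault-stored copy is the plaintext half of this."""

    def __init__(self, count: int = 8) -> None:
        self._salt = secrets.token_bytes(16)
        self._unused = set()
        # Plaintext kept on the object only so the demo can use it; a real service
        # shows the list to the user once and drops it.
        self._issued = [self._format(secrets.token_hex(5)) for _ in range(count)]
        for code in self._issued:
            self._unused.add(self._digest(code))

    @staticmethod
    def _format(hex10: str) -> str:
        return f"{hex10[:5]}-{hex10[5:]}"

    def _digest(self, code: str) -> bytes:
        # ~40 bits of entropy per code: a leaked hash list is brute-forceable offline,
        # so the salt only stops precomputation; the store itself must be protected.
        normalized = code.replace("-", "").strip().lower().encode()
        return hashlib.sha256(self._salt + normalized).digest()

    def issued(self) -> List[str]:
        """The plaintext list the user is shown at enrolment."""
        return list(self._issued)

    def redeem(self, code: str) -> bool:
        """True exactly once per valid code; reuse or a wrong code is rejected."""
        d = self._digest(code)
        if d in self._unused:
            self._unused.remove(d)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def demo() -> dict:
    """Walk both mechanisms with constructed inputs and return the observations."""
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890" (RFC 6238 vector)
    rc = RecoveryCodes(count=8)
    codes = rc.issued()
    return {
        "totp_at_59": totp(seed, for_time=59),                       # RFC 6238: 94287082 -> 287082
        "drift_ok": verify_totp(seed, "287082", for_time=59 + 30),   # one step late, still accepted
        "first_use": rc.redeem(codes[0]),
        "second_use": rc.redeem(codes[0]),                           # burned after first use
        "wrong_code": rc.redeem("00000-00000"),
        "remaining": rc.remaining(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Run it and the output shows why the thread's framing matters: the seed alone reproduces every future code, and an unused recovery code is a one-shot equivalent of it, so the question of where to keep either reduces to who can reach that copy without also reaching the password.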
    2. [3]
      Comment deleted by author
      1. Deimos

        Right, but it sounds like their Bitwarden is using 2FA too ("I have my Bitwarden 2FA backup code in my wallet and in a safe at my house"), so the question is whether there's a (realistic) case where someone gets access to the Bitwarden second factor but not the other ones.

        1 vote
      2. PopeRigby

        That's what I was thinking.