  • @aggi @hippy is there a security risk having it centrally stored like that ? It would make life a lot easier that's for sure

  • If someone is sophisticated enough to use the Authy timecodes AND compromise my passwords then they're welcome to my account. I'm definitely more paranoid than a 'normal' person but I'm no Snowden.

  • So long as you use a sufficiently strong backup password then I can't see the issue.

    @Velocio uses it and he's way more paranoid about online security than the average man on the street.

  • I have only 2 super strength passwords that I know: LastPass and Authy.

    Both store credentials encrypted and centrally, and there is theoretical risk there. But it really depends on who you are defending against. It's unlikely to be a state actor, because if you are in that category you are using hardware tokens, signing up to nothing, given API access to nothing in Google, etc? Only a small number of people need that level of paranoia.

    I consider that I'm defending against lazy hackers, the kind who purchase dumps of compromised sites and will brute force all permutations against multiple other sites.

    For those, the best defences are:

    1. A password manager like LastPass, One Pass, KeePass, etc
    2. Software 2FA like Authy, Google Authenticator, etc (even if they get your password it's still useless to them)

    Combining those with 2FA methods is good enough for the vast majority of people. It is far better that those two are routinely used for everything they can be used for than overshooting for an unattainable level of security that isn't used or ever gets disabled.

    Google Authenticator is in the inconvenient class: it forces disabling and using backup codes, as the code can only be in one instance of their app, and if you lose your phone you have to use a backup code, disable 2FA and start over.

    LastPass + Authy is, for me, the right balance between paranoid level security and the convenience to use them always.
