I have only 2 super strength passwords that I know: LastPass and Authy.
Both store credentials encrypted and centrally, and there is theoretical risk there. But it really depends on who you are defending against. It's unlikely to be a state actor, because if you are in that category you are using hardware tokens, signing up to nothing, given API access to nothing in Google, etc? Only a small number of people need that level of paranoia.
I consider that I'm defending against lazy hackers, the kind who purchase dumps of compromised sites and will brute force all permutations against multiple other sites.
For those, the best defences are:
A password manager like LastPass, One Pass, KeePass, etc
Software 2FA like Authy, Google Authenticator, etc (even if they get your password it's still useless to them)
Combining those with 2FA methods is good enough for the vast majority of people. It being far better that those two are routinely used for everything that they can be used for... over overshooting for an unattainable level of security that isn't used or ever gets disabled.
Google Authenticator is in the inconvenient class; it forces disabling and using backup codes, as the code can only be in one instance of their app, and if you lose your phone you have to use a backup code, disable 2FA and start over.
LastPass + Authy is, for me, the right balance between paranoid level security and the convenience to use them always.
OK, you've convinced me. I do use LastPass (with YubiKey) for almost everything. Bank stuff still lives in KeePass though. Having access on computers etc... would be nice.
Third Pixel 2 XL arrives tomorrow. Hopefully the last for a while.