• pulsewidth@lemmy.world · 5 upvotes · 2 days ago

    Absolutely. 2FA codes (and 2FA ‘single use codes’ / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.

    But most people will just breeze past advice and do whatever is most convenient.

    • theherk@lemmy.world · 5 upvotes · 2 days ago

      I don’t view it as simply compromised or not. How a password is compromised is relevant. The vast majority of issues aren’t somebody gaining access to your logged in machine. Passwords are nearly always compromised from a server mishandling data.

      That means in most cases 2FA near a password is not likely to be an issue. I’m not saying I recommend it, but it does change the risk evaluation.

      • pulsewidth@lemmy.world · 1 upvote · 16 hours ago

        People's credentials are increasingly captured by information stealer malware, including attacks on KeePass. It's not just services mishandling their data that people should consider as likely vectors.

        I do agree about evaluation - it doesn’t matter much with stuff like a forum account that has 2FA, but I certainly wouldn’t put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It weakens your protection if something does go wrong.

    • youmaynotknow@lemmy.zip · 3 upvotes · 2 days ago

      I am (was?) one of those. Working on eliminating or changing the passwords and emails of my 550+ accounts. I'm creating a SimpleLogin email for each of the ones I'm keeping, setting up a randomly generated password for each as well (24+ characters long with every possible character available), trying to delete the accounts of services I don't want/need anymore, and then setting up 2FA on Aegis if they don't accept hardware tokens.

      But it’s an intense and long process, though absolutely worth it. With work and personal life, I’m guessing I can be done in a couple of weeks.
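The password part of the cleanup described above (24+ characters, drawn from the full printable character set) is easy to get subtly wrong if done with a non-cryptographic RNG or a biased modulo. The following is an added example, not code from any poster in this thread; it uses Python's `secrets` module (a CSPRNG) over the 94 non-whitespace printable ASCII characters, rejects candidates that miss a character class, and reports the entropy of the draw. The class names, function names and the 94-character alphabet are this example's own choices, not anything the thread specifies.

```python
import math
import secrets
import string

# Constructed alphabet: every printable ASCII character except whitespace,
# i.e. the "every possible character available" setting in most generators.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 32 = 94 characters

# The four classes a candidate must cover before it is accepted.
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (in bits) of a uniformly random string of this length and alphabet.

    24 characters over 94 symbols is about 157 bits, far beyond what an
    offline cracker can brute force; the rejection step below lowers this
    by a negligible fraction of a bit because almost no candidate is rejected.
    """
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one char from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 24) -> str:
    """Draw from the OS CSPRNG until the candidate covers every class.

    secrets.choice() is unbiased (no modulo bias), and rejection sampling keeps
    the result uniform over the set of passwords that satisfy the class rule,
    unlike "pick one of each class, then shuffle" schemes that skew the output.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to cover all character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

The generated string is what goes into the password manager alongside the per-account alias; as the thread points out, the TOTP seed and recovery codes for the account are kept in a separate system (Aegis or a hardware token), so a stolen vault does not hand over both factors at once.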