geralta.blogg.se

Bitwarden totp

Really depends on your threat model, there are different schools of thought on storing TOTP codes with your password manager. You can absolutely be creating a single point of failure and putting “all your eggs in one basket” so to speak. As you are correct, if someone was able to successfully gain access to your password vault, i.e. spear-phishing attack, some unknown vulnerability, etc., then they could easily export all vault data such as passwords and TOTP secret seeds.

One way to avoid this is the practice of “peppering” your passwords, in which the full password generated by and stored in your Vaultwarden instance is not the full password used at login. One may take a word or phrase to add somewhere to the generated passwords. If your pepper phrase was “Christmas”, and the stored password in Bitwarden was something like “eVhtn$QMG8rm&x84”, then the full password used to login would be “eVhtn$QMG8rm&x84 Christmas”. This would mean even if someone got into your password vault they would still not have the additional pepper needed to login to any sites. Though this does add an additional step, and many use password managers for their balance of security and convenience. I personally don’t see much of a need to pepper passwords as it could be quite cumbersome as mentioned, but YMMV depending on your individual situation.

In my opinion a password vault secured with a good strong passphrase with high entropy that is only used for that service, and secured with 2FA, is secure enough for most cases. Anything important, such as financial, production network, social media accounts, etc. is stored in a separate dedicated authenticator app. Also don’t fall victim to spear-phishing attacks.

Things that may be less important such as homelab test environments, gaming and streaming services, etc. I still enable MFA wherever I can when possible.
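To make concrete what a “TOTP secret seed” is and why an exported seed is as sensitive as the password it sits next to, here is an added example (not part of the original post, and not Bitwarden’s or Vaultwarden’s code) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python. It uses the published RFC test seed rather than any real account seed, so the codes can be checked against the RFC tables; the helper names `decode_base32_seed`, `hotp`, `totp` and `verify_totp` are this example’s own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 test secret, NOT a real account seed.
# Authenticator apps and vaults store this value base32-encoded (as in otpauth:// URIs).
RFC_TEST_SEED = b"12345678901234567890"
RFC_TEST_SEED_B32 = base64.b32encode(RFC_TEST_SEED).decode()  # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ


def decode_base32_seed(seed: str) -> bytes:
    """Decode a base32 seed as typically exported from a vault.

    Tolerates lower case, embedded spaces and missing '=' padding, all of which
    appear in real exports.
    """
    cleaned = seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """What a relying party does: accept the current step and +/- `window` neighbouring
    steps to absorb clock skew, comparing in constant time."""
    counter = unix_time // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Anyone holding the seed can derive every past and future code from it, which is
    # why a seed stored beside its password collapses two factors into one secret.
    seed = decode_base32_seed(RFC_TEST_SEED_B32)
    print("RFC 6238 vector, T=59, 8 digits:", totp(seed, 59, digits=8))  # 94287082
    now = int(time.time())
    print("code right now:", totp(seed, now))
    print("accepted by verifier:", verify_totp(seed, totp(seed, now), now))
```

The `verify_totp` window is the check a relying party actually performs: a code from the previous or next 30-second step still passes, so a leaked seed is usable for its whole lifetime, not just one code. That is the substance of the single-point-of-failure argument above: the seed is a long-term secret and deserves the same handling as the password, whether that is a separate authenticator app or a vault you are confident in.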