[charlietran]

Thank you so much for this list, it's more concise and useful than any corporate security lecture I've ever received! Some questions:

> 10. Install a password management application that doesn't store your secrets in the cloud.

Great recommendation, but how do you handle syncing passwords between your computer and phone?

> 2. Enable "code-generating" or "authenticator app" 2FA on all your accounts, particularly email (this is called "TOTP").

Do you recommend using the TOTP feature of 1Password, or would you consider storing your password / TOTP together a loss of the "2nd Factor"?

[passivepinetree]

1Password has a WiFi sync option that syncs your passwords between your computer and phone when they're both connected to the same WiFi network. I've been doing it Mac --> Android for quite some time and never had any issues.

[quanticle]

    Great recommendation, but how do you handle syncing passwords between your 
    computer and phone?

I use KeePass to encrypt my passwords and store the password vault in Dropbox. It's not a perfect system, in that an adversary can gain access to my password vault and try to brute-force my master password. But it's "safe enough", if you make sure to use a strong passphrase as the master password for the vault.

[jaredklewis]

How is brute-forcing a concern?

Your password might be a guessed in a dictionary attack if you have a weak password. Or if at some future date a KeePass specific vulnerability is discovered, someone might be able to use that.

But someone trying to brute-force your password isn't a problem anyone needs to worry about.

To my mind, the real downside to using dropbox to store encrypted stuff is that the existence of the encrypted stuff is not a secret. And recently it seems the spooks look upon encryption with ever increasing suspicion.

[avn2109]

I do this too but it conflicts with tptacek's injunction above to "not use Dropbox."

[quanticle]

I'm not sure why tptacek specifically warns against using Dropbox. My guess (and I emphasize that this is just a guess) is that you can't rely on Dropbox (or Google Drive or Microsoft OneDrive) to keep your data out of the hands of a state-level adversary. However, encrypting your data before putting it into Dropbox should address that concern. Is there something I'm missing? Is it that cloud folders like Dropbox make it too easy to accidentally share information in cleartext?

[xenophonf]

Why paint a target on your back?

If you have a device that's relatively well hardened against attack, why subvert those protections by giving a copy of your secrets to a third party who isn't (and can't be, from a legal standpoint) as well protected?

Why give a copy of your secrets to an adversary that's 10 to 20 years ahead of the rest of the world, crypto-analytically speaking?

In short, make them work for it.