by nucleardog
856 days ago
> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure? Key logger? I unlock my password vault frequently. I only unlock my TOTP vault to:
>
> 1. Add a new secret
> 2. Recover access to an account if my authenticator has died.
>
> Since I unlock my TOTP vault so infrequently, the number of hashing rounds/etc are tuned to be _much_ slower and require _much_ more memory. It uses an entirely separate set of credentials from my main vault. And you're unlikely to snag the password unless you're watching me for a long time or get very lucky.
Wow, this might be the answer to a question that's been bugging me for a while!
It didn't seem right to keep all of my TOTP secrets isolated on one easily lost/stolen/broken device (phone), so when I realized KeePass supported generating TOTP codes I moved all my TOTP secrets into my password database (which is synced around all my devices) then deleted the single-purpose authenticator app as unnecessary.
But then it didn't seem right to have all of my TOTP secrets live in my normal vault with my credentials since that loses the "second factor". Nor did it seem like it would help to make a separate database for TOTP secrets and sync it around too - still no second factor, plus added friction to open both databases on every login.
But as you say, I could keep TOTP secrets in two places - in an authenticator app on my phone with no syncing for daily use (keeps the two-factorness because it's on a single device, and is low friction because it piggybacks on the security of my phone and doesn't require a separate login) AND in a TOTP-specific password database that's synced around but opened only rarely (in the cases you described).
Thanks for the hint about tuning hashing rounds; didn't know that could be configurable! Looks like KeePass supports that too; I'll look into that.
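As an added worked example (not nucleardog's code, and not KeePass's own implementation), the following shows the two mechanics this comment relies on: how a stored TOTP secret turns into the six-digit code an authenticator or KeePass displays (RFC 6238 over HMAC-SHA1, checked against the RFC's published test vectors), and what "tuning the hashing rounds" of a rarely opened vault looks like as a key-derivation cost profile. The KDF here is scrypt from Python's standard library, used as a stand-in because KeePass actually offers AES-KDF and Argon2 (different knobs, same purpose); the two cost profiles are constructed for illustration and are not KeePass defaults.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way
# an otpauth:// QR payload or a KeePass TOTP entry stores it.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the Unix time divided into `step`-second slots."""
    # QR payloads often strip base32 '=' padding; restore it before decoding.
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    key = base64.b32decode(s)
    counter = for_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1,
                step: int = 30) -> bool:
    """Accept the code for the current slot and `window` slots either side (clock skew)."""
    for k in range(-window, window + 1):
        candidate = totp(secret_b32, now + k * step, step=step, digits=len(code))
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed cost profiles (assumption, not KeePass defaults): a cheap one for the
# vault opened many times a day, a far more expensive one for the TOTP vault that is
# opened only to add a secret or recover from a dead authenticator.
DAILY_VAULT_KDF = dict(n=2 ** 14, r=8, p=1)   # about 16 MiB of scratch memory
TOTP_VAULT_KDF = dict(n=2 ** 17, r=8, p=1)    # about 128 MiB, and ~8x the CPU time


def scrypt_memory_bytes(n: int, r: int, p: int = 1) -> int:
    """scrypt's working set is 128 * r * N bytes; p only multiplies CPU time."""
    return 128 * r * n


def derive_vault_key(password: str, salt: bytes, *, n: int, r: int, p: int) -> bytes:
    """Stretch a master password into a 32-byte vault key under the given cost profile."""
    # hashlib.scrypt caps memory at 32 MiB unless maxmem is raised explicitly.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r), dklen=32)


if __name__ == "__main__":
    # Live code for the RFC test secret, as an authenticator app would show it.
    print("current code:", totp(RFC6238_SECRET_B32, int(time.time())))

    # Same password, two cost profiles: the rarely opened vault is meant to hurt.
    salt = os.urandom(16)
    for name, profile in (("daily vault", DAILY_VAULT_KDF), ("TOTP vault", TOTP_VAULT_KDF)):
        t0 = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, **profile)
        print(f"{name}: {scrypt_memory_bytes(**profile) // 2**20} MiB, "
              f"{time.perf_counter() - t0:.2f}s per unlock")
```

Two practical notes: the `window` in `verify_totp` is what lets a phone whose clock drifts by a few seconds still log in, and it is also why an attacker who has the secret gets the same codes you do, which is the "no second factor" problem the comment describes when secrets live beside passwords. The KDF profile is a per-database setting (KeePass exposes it under the database security settings), so the two vaults can genuinely have different costs.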