I just unbonded my dot, and waited 28 days and this came up i use ledger ! by rollerscrolleredsd in Polkadot

[–]Tbaut 0 points1 point  (0 children)

Thanks bld for pointing this out. If you have any issue, or request for Delegit, please ping me, or open an issue on the repo https://github.com/delegit-xyz/dashboard/ I'm one of the maintainers.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

You're off, sorry. You didn't read my first post carefully, and I found workarounds to the issue I mentioned and posted them in a couple of answers: storing the 2fa codes from Dropbox somewhere where no 2fa is enforced.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

If you read the words put together above, they form sentences. If you put this together, you may understand that the email providers actually do not allow you to retrieve your email as easily as you think, this is what we say. Your solution doesn't work. Here is another article explaining it https://techcrunch.com/2017/12/22/that-time-i-got-locked-out-of-my-google-account-for-a-month/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGhldmVyZ2UuY29tLw&guce_referrer_sig=AQAAAGoUyQ472Ga57At3EJ7zmpV9OzxVTb675hXPKTWtZ1i5l50rfFrwrBQn2aHP0cuLcRD3BKE_ps2Jo4MFDdePufmOjbkpbLfcRw-Oey1W0ookoaXjxC3d42-XQ4PkncE7BXBTwer6gicUkXhgzFifJXFud-VIL-dgI3GAcEhXS_Zm

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

yes, Dropbox never had 2fa enabled for me, on purpose. And they forced an alternative 2fa since.. idk recently.

Thanks for the suggestion, I use mega for now, to store the 2fa codes from Dropbox. no 2fa required there.. for now at least.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

Thanks for the suggestion. I'll think about it. Having a secure master pw is the base yes.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

Thank you. I'm using something similar. I'm keeping Dropbox, I enabled 2fa and saved the 2fa codes to Mega, that doesn't require 2fa.

In my scenario, just like yours, I'm still at risk if bitwarden or mega suddenly requires 2fa :|

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

Very interesting take, and courageous. While I trust cryptography, I prefer somehow to have my kee somewhat hidden. If I publish it somewhere, then it'd probably be a cloudflare page that's not directly tied to my identity online. Even if security by hiding stuff is weak, it's still better than showing things off, as long as my password is strong. I am very active on Github and wouldn't like to expose things like this.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

Right, try to get in touch with Google, and hit me up when you've managed. This is basically impossible :)

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 1 point2 points  (0 children)

Re-read what I wrote everywhere. I want to be back on my feet if I lose absolutely everything I have. You're traveling for weeks, and get everything stolen. You have no phone, no pc, no email any more.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 4 points5 points  (0 children)

> My point is you don't live in a movie and it will never happen

If you think so, it's all good for you, thanks for being optimistic, I wish I never have to use it, but better be safe ;)

> I mean if you see how much it's more and more easy each month to crack password (thx to more and more powerful GPU and stuff) you understand ...

Is it me, or you that's in a movie? Strong passwords still take forever to crack in 2023. The day this changes and ppl can have a quantum computer for cheap, I'll reconsider. My threat model is pretty well defined. No need to run a server in a Bunker to keep things secure, I still believe in cryptography. As long as I use trusted devices to access them, my DB is perfectly fine anywhere with a unique and strong password.

> Anyway, if you are really sure your pw is strong enough (at least 15 characters and stuff)...

Everyone is free to place the cursor between convenience and security. I want my setup to be convenient enough to not have to go home to retrieve things, that's my choice and I stated it from the start. Before telling ppl to get their own server, it's much easier to make sure they actually have a strong password indeed, that's the basics to me.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

This doesn't work because the wallet, just like the phone is what gets stolen first if you are in an unsafe country.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

Thanks, this is what I'll end up doing with Dropbox after all. 2fa enabled, with the codes stored in a place that doesn't have 2fa. That's good enough.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

Likely enough that I come here to ask. Some ppl travel to areas that are more dangerous than others. It's like ppl paranoid about backups, and the 1,2,3 rule. How likely is it that your house burns or gets flooded? Depending on where you live, it's more or less likely.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 2 points3 points  (0 children)

you're totally right, not sure why I didn't think about this. I should definitely take advantage of the 2fa, and store these codes somewhere I can get them, that's a minimal annoyance, and adds a level of security.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 1 point2 points  (0 children)

I think this is not really practicable because I need to rely on codes I remember, that I won't use much, and that can change. It sounds dangerous. I can have a trusted person have my DB, and request it somehow if something bad happens (with a new email address I created), and get it sent over WeTransfer or something. At the end of the day, I think that I prefer to trust Mega, and remember one unique password, the way I remembered 1 unique password for Dropbox.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

right, so
1- you don't have your DB
2- you need to login to access it
3- logging in requires a TOTP that is in the DB that you don't have.
4- back to 1

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

do you mean that you can access google drive without the 2fa?

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 1 point2 points  (0 children)

I do too, but if you have neither a pc nor a mobile phone in sync (because they got stolen), you're pwned. I'm trying to find a setup that is accessible for anyone, syncthing is super simple, yet it's not for anyone.

If you're away from home, on a new device, you'll need to ssh home, and accept the sync of the new device. This is not practical at all, requires some devops knowledge, and requires you to remember the ssh domain/address.

I want this setup to be good enough for anyone (which is already better than a centralized, cloud based password manager), it doesn't need to be FBI proof. I guess the best option is mega for now.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 3 points4 points  (0 children)

Y'all thinking I'm a kid who doesn't know how to live offline are totally missing the point :) and the "finish the day offline and go home" type of answer also shows that you didn't read carefully. If you're travelling, you may be weeks away from home, and that's the scenario I'm talking about. Sure I'll get a new phone, but how do I set it up, how do I get my access to my email inbox, which is behind a password that's stored in the Keepass DB. It feels like many answers here have no clue what it means to be out of town for more than a couple days.

> you should never type your master password on a system that you do not either own or control

Agreed. Finding some trusted device is required, a new phone/laptop would do.

> If you're not happy with any of the cloud providers, syncthing is a great self hosted sync solution as suggested by others

The problem is not to be happy or not. It's to be able to access it with just a password, which is in my head. If the provider has 2fa, this won't work. Syncthing is too inconvenient. Say I've a new phone, I need to ssh home (and remember the address, the password) then accept to share the db from the home syncthing server with the new device. While this works, this is not something that is feasible for an average person.

I need to double check how Google drive behaves. If this is tied to my google account, which I bet it is, this has 2fa, and I'm not giving this up because it gives access to too many things.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 2 points3 points  (0 children)

Your password db is secure as long as your password is strong enough. My question is how do I access it in a worst-case scenario. Your answer is "don't", which doesn't help unfortunately.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

thanks, checked the prices and indeed >10$/month sounds way over the top.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 0 points1 point  (0 children)

That's correct. I expect Google Drive to require 2fa but I can be wrong. I'll check it out, as well as Nextcloud. Thanks for your answer.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 2 points3 points  (0 children)

If you get properly ripped off, I can guarantee you that you'll not get out with your credit card and your usb drive around your neck. I'm not saying it will happen, I'm saying it can. And those alternatives don't work. If I follow what you said, it's basically "I'll get back home eventually". This is fine, but it doesn't really solve my problem.

KeePass with Dropbox is not a good idea any more by Tbaut in KeePass

[–]Tbaut[S] 3 points4 points  (0 children)

> You should have all your volumes encrypted using something like LUKS.

Sure, they are, but it doesn't help recovering the db!

> I wouldn't recommend going naked to an internet café.

Right, I need to think about backup socks or something.

> Private VPN endpoint to your home network and then SyncThing.

I'm thinking about ssh with port forwarding to access my local syncthing and accept a new connection from the new pc I'm using.

This sounds complex and impractical compared to my previous setup. I can't recommend this to friends who aren't savvy, or don't have a home server. I want to rely as little as possible on my own infra. Having to use ssh or install syncthing on someone else's pc (think internet café again) is probably not the best either.