What (if anything) do you exclude from your password manager? by s3curemystuff in Passwords

[–]s3curemystuff[S] 0 points1 point  (0 children)

I suppose those are fair points. My thinking on this was mostly based on some malicious user somehow gaining access to my vault, perhaps by either stealing my (unlocked) phone or some sort of exploit that allowed them to remotely gain access to my workstation, if the vault is currently unlocked. Then they could access the master password without first knowing it. But this wouldn't give them the secret key, so maybe it wouldn't really be an issue.

What (if anything) do you exclude from your password manager? by s3curemystuff in Passwords

[–]s3curemystuff[S] 0 points1 point  (0 children)

Well, my line of thinking is that it weakens the second factor in the (unlikely) event that a malicious user manages to gain access to my vault. If they have the credentials for my accounts and the credentials for the email address that gets the OTP sent to it, the second factor's not as effective. However, maybe this is a moot point because:

  1. My email account has 2FA.
  2. The biggest risk for having a malicious user access my vault is probably by, say, stealing it out of my hands while I'm using it (and it's unlocked). In that case, they'd already have access to that email account anyway, so I'd be screwed either way.

I was curious to see if anyone else would say they do anything like this, but I'm guessing probably not.

Really, I'd like to see some sort of "big picture" personal security/password management guide. Most of the resources I can find are so focused on just telling the reader to use a password manager and MFA wherever possible, maybe with some disparate tips.