I’ve only used Bitwarden, so I can’t speak to the others, but Bitwarden does, yeah.
But to the average person, “password manager” is whatever their browser does for them, and I’m not sure those have much more functionality beyond username/password and ID fields.
You replied to the wrong guy, but I think they rather meant it as “unless you’re using a password manager (…because password managers are generally capable of storing extra data)”. 😅
I mean, even if it can’t store extra data in one entry, you could still create multiple entries for a single account and just name the entries similarly.
it probably doesn’t hurt to save it, but at the same time, for a keepass user, if you lost the primary password, it probably means you don’t have the wallet for whatever reason.
Well, there might be other reasons to need them. For example, I once got locked out of an account, because I had lost the 2FA credentials (which I did not have in KeePass, incidentally). The webpage let me back in with a recovery question.
Well, technically, it was a recovery code which was just random symbols I had been provided upon account creation, but kind of the same thing in the end.
that is shitty implementation. circumventing 2fa with 1fa method that can be easily intercepted is pinnacle of stupidity.
if the protected source is so important that it warrants using 2fa, then the recovery after losing it must really verify the identity and sending some random code doesn’t cut it.
another thing is the spreading of 2fa to anything where it doesn’t really need to. that is cancerous in itself.
You can also store these in a password manager like KeePass…
KeePass is very good all encrypted data is local, and no server interaction
Doesn’t every password manager have a “notes” field these days?
I’ve only used Bitwarden, so I can’t speak to the others, but Bitwarden does, yeah.
But to the average person, “password manager” is whatever their browser does for them, and I’m not sure those have much more functionality beyond username/password and ID fields.
You replied to the wrong guy, but I think they rather meant it as “unless you’re using a password manager (…because password managers are generally capable of storing extra data)”. 😅
I mean, even if it can’t store extra data in one entry, you could still create multiple entries for a single account and just name the entries similarly.
And to give an example of a password manager intentionally kept so simple that, well, there is a solution, but it is somewhat choose-your-own-adventure: https://www.passwordstore.org/#organization
(You can get GUIs for it, which may have a premade solution after all, for example: https://f-droid.org/packages/app.passwordstore.agrahn )
if you use password manager, you should never need to use recovery questions.
Well, I’d rather write down anything I enter, in case I do ever need it. But yeah, generally speaking you shouldn’t need the answers.
it probably doesn’t hurt to save it, but at the same time, for a keepass user, if you lost the primary password, it probably means you don’t have the wallet for whatever reason.
Well, there might be other reasons to need them. For example, I once got locked out of an account, because I had lost the 2FA credentials (which I did not have in KeePass, incidentally). The webpage let me back in with a recovery question.
Well, technically, it was a recovery code which was just random symbols I had been provided upon account creation, but kind of the same thing in the end.
having 2FA in place and then letting you in based on “security question” is the peak clown show.
(this is not attack on you, but wow…)
They’s talking about 2fa recovery codes, which are specifically made for when one loses their phone, for example. And are typically random.
that is shitty implementation. circumventing 2fa with 1fa method that can be easily intercepted is pinnacle of stupidity.
if the protected source is so important that it warrants using 2fa, then the recovery after losing it must really verify the identity and sending some random code doesn’t cut it.
another thing is the spreading of 2fa to anything where it doesn’t really need to. that is cancerous in itself.
I get it that recovery codes could be leaked just like passwords, but not sure what you mean by ‘easily intercepted’.