The Privacy, Security, and OSINT Show 284 - Password Managers & 2FA Revisited
Primer: What are password managers useful for? What should you take note of when selecting one? In this episode of the OSINT show, host Michael Bazzell provides his recommendations for password managers and revisits his thoughts on 2FA.
Recommendations For Password Managers
Previously
He has always recommended KeePassXC or Bitwarden:
KeePassXC: A completely offline tool. Reserved for extreme scenarios
Bitwarden: A secure password manager that synchronizes your password database across multiple devices
Now
Online password managers have advanced quite a bit
Every reputable password manager encrypts everything on your machine before it goes into the database
He does not recommend LastPass, 1Password, or Dashlane
For people new to password managers, he would recommend Bitwarden
Usage Of A Password Manager
A password manager is used to:
Generate all your passwords
Maintain all of these passwords
Relying on a weak personal password policy is bad practice: at some point one of your accounts is going to be breached
Some people use passwords that are 250 characters long. This is overkill
His own passwords have a minimum of 20 characters
Many older legacy financial websites silently ignore everything after the first X characters of a password
When such a site later changes how it handles passwords and compares the first X characters of your password against what it has on file, it can cause login problems
He avoids special characters in many of his passwords, since some bank systems cannot handle them
The only thing you need to remember is the master password for the password manager
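As an added example (not from the episode, and not Bitwarden's code), the following Python simulates the truncation problem described above: a constructed legacy site that hashes only the first X characters of a password, and what happens to the same login once that site stops truncating. The generator follows the 20-character minimum and the option to skip special characters; `generate_password`, `legacy_store` and `verify` are hypothetical names.

```python
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical per-site policy (not a password manager's API): generate to the
# site's real limit, and leave out special characters where a site rejects them.
def generate_password(length: int = 20, allow_special: bool = False) -> str:
    if length < 20:
        raise ValueError("20 characters is the minimum recommended in the episode")
    alphabet = string.ascii_letters + string.digits
    if allow_special:
        alphabet += "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed stand-in for a legacy site that silently truncates the password
# to `limit` characters before hashing it (the behaviour described in the notes).
def legacy_store(password: str, limit: int, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password[:limit].encode(), salt, 100_000)
    return salt, digest

def verify(password: str, record: tuple, limit: int = None) -> bool:
    """Check a login; limit=None models the site after it stops truncating."""
    salt, digest = record
    candidate = password if limit is None else password[:limit]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(attempt, digest)

def truncation_breaks_login(password: str, limit: int) -> tuple:
    """Return (login works while truncating, login works after the change)."""
    record = legacy_store(password, limit)
    return verify(password, record, limit), verify(password, record, None)
```

A password generated at or below the site's documented limit survives the change; one longer than the limit stops working even though nothing about the user's copy changed.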
Benefits Of Bitwarden
Their free package suits most new users
It has multidevice sync
Works on multiple devices such as Mac, Linux, Windows, Android, etc.
It is completely open source — people are able to scrutinize their code
It is audited by third-party auditors
Their paid plan costs $10 a year. Whether you need the paid plan comes down to whether you want hardware-token two-factor authentication
“I don't trust any of the companies. I trust the encryption, I trust the audits, I trust the security.”
- Michael Bazzell
Two-Factor Authentication (2FA)
In the past, he said that your 2FA provider has to be separate from your password manager
His order of preference for 2FA is still the same:
If an online service allows you to use a hardware token, then use the hardware token first
If not, then use a software-based token that is not SMS
Authy
Authy is still a good product even though it’s not open source
They require a phone number
You can use a VoIP phone number for the synchronization
If you don’t like Authy, you could consider Standard Notes
Bitwarden
Bitwarden can handle 2FA codes within the application itself
If someone gains access to your Bitwarden account, they gain access to both your passwords and your codes, so the account needs to be properly secured
First, have a paid plan so that you can secure your Bitwarden account with a hardware token
Next, be selective about which accounts you keep out of the password manager (e.g. your primary email account); you could secure that email account with a hardware token instead
Finally, export your 2FA seed codes and keep them offline
Should You Use Browser Plugins?
He is not a big fan of browser extensions
Recommends people to install the desktop application on their device instead of relying on the website version of the password manager
Sharing Account Data
Bitwarden has an advantage over other providers here
Sharing needs fall into two camps:
Families
Companies
For families: If it’s just 2 people, the free plan should work fine. If you need the family plan, it would cost more
For companies: An entire team may need access to certain passwords
He has helped elderly clients set up their Bitwarden accounts to release their credentials automatically X days after their death
Both parties need a Bitwarden account. One party sends the other a request to be their emergency contact, and the other party approves that request
When the former dies, the latter can submit a request from their own Bitwarden account to the former's account to obtain the data
Conclusion
You have to identify the best path for yourself to take
You do not need to take the most extreme method
All information presented above is for educational purposes only and should not be taken as investment advice. Summaries are prepared by The Reading Ape. While reasonable efforts are made to provide accurate content, any errors in interpreting and summarizing the source material are ours alone. We disclaim any liability associated with the use of our content.