[kwlug-disc] 2FA Google Authentication and Best Practices with passwords

Paul Nijjar paul_nijjar at yahoo.ca
Fri Feb 4 16:13:02 EST 2022


On Fri, Feb 04, 2022 at 06:21:26AM -0500, Darren Pond wrote:
> 
> Seeking Best practices with documentation & Password?
> 
> I recently cracked my cell phone display losing access to it.
> At last I was prepared for this as just the previous weekend I had updated
> my password collection, 190 and counting which I keep on a Libr spreadsheet
> in KDE Linux vault and second paper copy at my brother's house.
> Long story longer. When my father passed away last January he also was
> attempting to keep track of passwords. Only his mental state had both
> slid & his method of recording was totally random and has taken months to
> clean up.
> Or another simple issue is my not so tech friendly wife should also have
> access to PW's
> 
> What is everyone doing about Passwords and documentation?

I think there are two issues here. The first is how to keep track of
passwords. I personally think an encrypted master password list in
LibreOffice is good enough for this. You can have backups of it that
you keep offsite. I would put a backup on a USB flash drive in a
safety deposit box, or stored with a trusted individual, and then make
sure that gets refreshed every couple of months. If you use strong
passwords on your accounts (and you really should) then printing the
password list out seems to be of limited use. Depending on how much I
trusted the KDE vault vs the built-in LibreOffice encryption, my own
inclination would be to password-protect and encrypt the spreadsheet
directly. That means that if you are ever in crisis and need access to
your backup spreadsheet, you don't need KDE installed in order to
access it. But this is a tradeoff that could go either way. 

As Cranky suggested, if you want to go the hosted password list route,
then Bitwarden is popular. The advantage here is that you can access
your passwords from many different devices without needing to
synchronize a password list. 

Alternatives to a LibreOffice sheet are a real password manager like
KeePass. Depending on how much you trust the encryption on a
LibreOffice spreadsheet then I do not know how much extra this buys
you, other than autofilling passwords. I use a terminal-based password
manager called yapet, but this does not sound like a good fit for you.

The second issue is multi-factor authentication. I (still!) do not
have a cellphone, so my solution to this has been the Yubikey.
Yubikeys are a good solution in that they work and make MFA secure.
But you are correct that they are a single source of failure. My
solution was to purchase two Yubikeys, in the hope that if I lost one
I would not lose access to my accounts. 

(I am lying here, because in fact I do not use my Yubikey unless I am
forced to use multi-factor authentication. Instead I rely upon
randomly generated passwords, but I think this is not best practice.)

Now that I have written these things others will find all the ways my
advice is terrible and correct me, and then you will get better
advice. 

- Paul

-- 
Events: https://feeds.off-topic.kwlug.org 
Housing: https://unionsd.coop
Blog: http://pnijjar.freeshell.org



