I’m using proton services and now the Pass password manager as well. I never let any managers save my bank data such as credit cards or login credentials being sort of afraid to.

Is this concern still valid? when using a manager like Proton Pass that has e2e encryption? what’s your opinion on holding bank data in managers like this?

  • ddnomad@infosec.pub
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    As a rule of thumb, do not put all your eggs into one basket. No software is infallible and vulnerabilities can be uncovered and exploited in both open and closed sourced applications.

    That’s being said, as long as you don’t store all information necessary for a successful login in your password manager, you should be fine.

    So storing credentials for your bank account is fine, as long as it is also protected by MFA and you do not use the same password manager for handling that.

    You can store PIN codes from your debit cards in the password manager as long as you do not store card number / expiration / CVV2 there too.

    Personally, I keep passwords in a password manager, MFA tokens in a separate authenticator, MFA recovery codes go to FIPS 140-2 certified encrypted USB sticks (3 separate copies). I do store debit card PIN codes in my password manager, but only alongside the last 4 digits of the card number.

    • UnfortunateShort@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      This. Saving 2FA codes in password managers is one of the dumbest trends in security for sure. Like, ok, take the 2 out of 2FA, great job T_T

    • KrisND@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      This is also largely based on threat model as something is better than nothing. I don’t believe the average person is going to, much less successfully, implement full layered security.

      If more people could just:

      • Use long passphrases
      • Never reuse passwords for more than one service
      • Use an encrypted password manager
      • Enable 2FA (Preferability via app not SMS)

      It would solve a large majority of the issues. It’s important to note that most stolen logins are actually from data breaches and malware. Before Proton Pass I stored everything in KeePass, we’re talking many years. I have yet to ever have unauthorized activity or login on any of my accounts, I’ve even been lucky not to show up on any data breaches.

      Sure, I got a “FIPS 140-2 certified encrypted USB” which really can just be done with VeraCrypt for FREE (Supply Chain Prevention), used for archive backups, but otherwise just not clicking on links in random emails or visiting sketchy websites.

      • ddnomad@infosec.pub
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        I agree with you on most of the points. Some security is better than nothing. More security is better than less, layers and all.

        Regarding data breaches and malware, and threat models in general. We should not forget phishing too. People voluntarily entering their credentials on a website masquerading as their bank etc.

        With all of that, having your credentials split over multiple applications and devices actually saves you from an endpoint compromise and evil maid attacks, at least in a sense of limiting the fallout.

        Regarding VeraCrypt and “FREE”. While it is, again, better than nothing, VeraCrypt is fiddly, not always works consistently on all operating systems (I look at you, MacOS), and is susceptible to key logging. I prefer actual certified hardware with physical keypads instead. It is not free and has its own downsides, but it is just something I find more appealing.

    • prwnr@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      that are good suggestions. my bank accounts all require two steps authentications, with the second one being mostly auth via mobile app, so that part is enforced and always keeps the account secured better.

      I do have one concern with the Proton account itself, as you wrote “no all eggs in one basket” rule of thumb. With the Pass, I have the 2FA integrated together with passwords (not for bank accounts) - a little risk in here with a gain on convenience.

      Though I certainly do not store my Proton password in it, keeping it memorable and more than 40 characters long makes me feel safe. Im not sure what 2FA app to use for the Proton tho, would you recommend anything? I cannot use a physical key, as my devices have different USB connectors and I cannot have a one key for all.

        • prwnr@programming.devOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          that are two separate keys? or that’s one key that has USB + NFC on it? cause that would be kinda good, as all my devices have USB except for the iPhone, but it has NFC so that would be sufficient enough

            • prwnr@programming.devOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              ok, I see some on my country sites with a reasonable price. thanks for the tips! if you don’t mind I would like to ask one more question in regards to the keys.

              How does they work in pairs? Like, I see an auction where I can buy one key separately, but to dont get locked out of account I would rather want to buy two. Should I look for auction with bundle of two? or I can set up two separate keys to be used for the same authorizaion?

              • KrisND@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Yes, it is recommended to purchase 2. It literally makes them identical in case you lose your primary. 1 in a safe and 1 on your key ring kinda thing.

                Some websites may not allow recovery if you lose your key, so yes a 2nd one is useful if possible. And yes, you would be able to use both interchangeably.

                • prwnr@programming.devOP
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  thanks for your help! gotta get them then for my Proton account to keep it safe and handle all the other auths with passwords and TOTPs I guess.

      • ddnomad@infosec.pub
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        For MFA apps, Google Authenticator seems to be the norm.

        I personally use OTPAuth with sync disabled and regular backups. Mostly because it is easier to organise and back up.

        Regarding hardware security keys as part of MFA, you can either get yourself dual USB-C / Lightning or USB-C / USB-A keys from Yubikey. Then just buy a USB-A to USB-C dongle (or vice versa) and keep it on your key chain. That’s mostly what I do, not ideal but does the job.

        I also use OnlyKey for some passwords, especially encryption passphrases on some servers and laptops. I usually need to enter them on boot, and it just takes too long to do that manually and I’m lazy.