#OpSec

nostr:note1nsdtatjvt8nxdl7h9a8rmvn838n3zdmh5hgwvf8gvk4xdnsg4p8qwhl6w4
don't fall for gamified social engineering on insta or anywhere else. tip: people are usually much easier to hack than systems
#cybersecgirl #opsec #socialengineering #insta
I would also add: don't answer password reset questions genuinely. Always use unique decoy info (for each site) when answering security questions. Keep them in the notes section of your password manager.
Do you recommend to store 2FA secrets in a vault separate from the passwords? (Multiple points of failure?)
Yes, the minor inconvenience of using a separate app to store codes is worth the extra seconds in contrast to the pain should your pw manager get pwned.
Yes, e.g. Bitwarden + KeePass, but it depends on your threat model. Most people will be significantly better off just keeping them in the same pwm.
Get a Yubikey or similar and use WebAuth 2FA everywhere it's possible, then store your TOTP in the Yubikey for other services not using WebAuth. Also, you should back up the TOTP setup or use backup codes when available, stored separately from your main password manager, ideally on paper, but I find it more convenient to keep an old (degoogled) phone and have all TOTP in andOTP, which allows you to export a PGP-encrypted backup of all your codes and can be locked with a password (on top of your unlock scheme).
I wrote a detailed article some time ago and it's still mostly up to date: https://eluc.ch/password-managers-and-authentication-tools/
All my password reset questions are "Fuck you hacker!", or, if there is a list, I pick any one and the answer is randomly generated like another password and saved in my password manager.
Once I had to answer one of these over the phone; it was fun.
passphrases are great for this as well
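The decoy-answer approach discussed above (a random, per-site answer to every security question, stored in the password manager's notes), as an added example that is not part of the thread. The wordlist is a small constructed sample; the `decoy_answer`, `entropy_bits` and `manager_note` names are assumptions of this example. Passphrases are used rather than random characters because, as the last reply notes, you may one day have to read the answer out over the phone.

```python
import math
import secrets

# Constructed sample wordlist. A real run should load a large list (thousands of
# words) so that the entropy figure from entropy_bits() is actually meaningful.
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier",
         "harbor", "iris", "juniper", "kestrel", "lantern", "meadow", "nectar",
         "orbit", "pebble", "quartz", "ridge", "saffron", "tundra", "umber",
         "velvet", "willow", "yarrow", "zephyr"]


def decoy_answer(words=WORDS, n_words=4):
    """Random passphrase to give instead of the true answer (mother's maiden name etc.).

    secrets.choice() is a CSPRNG draw; random.choice() would not be acceptable here.
    """
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Guessing entropy of a uniformly chosen n-word passphrase, in bits."""
    return n_words * math.log2(wordlist_size)


def manager_note(site, questions, words=WORDS, n_words=4):
    """Build the block to paste into the password manager's notes field for `site`.

    Every question gets an independent random answer, so nothing is reused across
    sites and a breach of one site's answers tells an attacker nothing about another.
    Returns (note_text, {question: answer}).
    """
    answers = {q: decoy_answer(words, n_words) for q in questions}
    lines = [f"Security questions for {site} "
             f"(~{entropy_bits(n_words, len(words)):.1f} bits each)"]
    for q, a in answers.items():
        lines.append(f"  Q: {q}")
        lines.append(f"  A: {a}")
    return "\n".join(lines), answers


if __name__ == "__main__":
    note, _ = manager_note("example-bank.test",
                           ["First pet's name?", "City of birth?"])
    print(note)
```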