That’s just scratching the surface. Peoples credentials are increasingly captured by information stealer malware, including attacks on Keepass. So that ‘almost always’ ain’t right regardless.
The goal of 2FA is to be ‘something you have’ like an authenticator device or auth app on your phone, working as a secondary verifier that you are who you say you are to the ‘something you know’ being your password. So if you store 2FA codes with your password then you just have two sets of ‘something you know’ which is far less secure - and leaves you more vulnerable.
Of course, it doesn’t matter much with stuff like a low value forum account that has 2FA, but I certainly wouldn’t put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It defeats the purpose.
Feels like everyone has forgotten when LastPass was breached, and that was barely three years ago.
Any affected LastPass users storing their 2FA backup codes in with the rest of their login data got a rude awakening.
Anyone who had them separate was at least able to rescue those accounts. But hey do what you like people, I know convenience usually trumps security.
As far as I know, passwords and TOTP keys were never leaked by LastPass. Regardless, I did say almost always.
That’s just scratching the surface. Peoples credentials are increasingly captured by information stealer malware, including attacks on Keepass. So that ‘almost always’ ain’t right regardless.
The goal of 2FA is to be ‘something you have’ like an authenticator device or auth app on your phone, working as a secondary verifier that you are who you say you are to the ‘something you know’ being your password. So if you store 2FA codes with your password then you just have two sets of ‘something you know’ which is far less secure - and leaves you more vulnerable.
Of course, it doesn’t matter much with stuff like a low value forum account that has 2FA, but I certainly wouldn’t put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It defeats the purpose.