Need 2FA/security advice

[Simar]

I’m a little paranoid due to the recent 3070 scam and wanted advice regarding 2FA and security since I feel like an absolute newbie when it comes to that.

I currently use Bitwarden and have generated strong passwords for every login. Along with that, I use Authenticator for 2FA. However, if my email somehow gets compromised, I’d be screwed considering my Authenticator has a cloud backup and they could just login using my email. Do you guys recommend using another auth app or just using Authenticator without an account, effectively creating a local-only version and exporting my codes using a QR, which I store elsewhere in case I lose my primary device?

I also wanted to ask for advice regarding my Bitwarden master password. I feel uncomfortable/paranoid every time I enter it, assuming the possibility of a keylogger on my system.

On a side note: Funnily enough, my mom had installed a web protection thing to block websites on my device ages ago when I was a kid, and I used a keylogger to overcome that. So my paranoia is partly caused by me lol.

Any other security advice apart from this would be welcome!

 

[nRiTeCh]

I’m a little paranoid due to the recent 3070 scam and wanted advice regarding 2FA and security since I feel like an absolute newbie when it comes to that.

Huh> Link to the scam..

I currently use Bitwarden and have generated strong passwords for every login. Along with that, I use Authenticator for 2FA. However, if my email somehow gets compromised, I’d be screwed considering my Authenticator has a cloud backup and they could just login using my email. Do you guys recommend using another auth app or just using Authenticator without an account, effectively creating a local-only version and exporting my codes using a QR, which I store elsewhere in case I lose my primary device?

I'm also using these exact two things. Now getting your email compromised is totally in your hands, either you have a very weak password or someone already knows how to recover your password in ahem situations.
So keep shuffling/changing your secret questions etc.

I also wanted to ask for advice regarding my Bitwarden master password. I feel uncomfortable/paranoid every time I enter it, assuming the possibility of a keylogger on my system.

I use bitwarden on all browsers and my phone and office laptop and as far as you have enabled 2fa with a really strong password, it snot easy for someone to sniff and fiddle!

On a side note: Funnily enough, my mom had installed a web protection thing to block websites on my device ages ago when I was a kid, and I used a keylogger to overcome that. So my paranoia is partly caused by me lol.

How old are you and how tech savvy is your mom? Does she controls all the access etc. does she operates firewalls and routers around?

Any other security advice apart from this would be welcome!

Even if you sit in the prison of Scotland yard police or in a safe of Swiss bank, if your passwords themselves are primarily weak with guessable secret then only God might save you from all the evil eyes!

 

[Tracer_Bullet]

Look at yubikey - you can use it with gmail to improve gmail security. totp as backup, that i dont use but keep it with yubikey and print out secret key/qrcode and also backup codes.
I removed sms from 2 factor.

keylogger - cant do much. Maybe have a dedicated encrypted os or a separate machine for sensitive stuff and don't expose that to anything beyond minimum.
yubikey / passkey will protect against it somewhat though i think. You can also setup passwordless login with it, dont see how keylogger will hack that. But your session cookies can be stolen

https://www.reddit.com/r/yubikey/comments/s06ujw/do_keyloggers_beat_security_keys

I use keepassxc for storing passwords . We can also use it with yubikey and make it more secure. We can use 2 yubikeys or atleast print out the secret as backup.
Alternately just use long passphrase and mix some stuff in it.

What yubikey does is that someone will need physical access to key and know your pin to login.

See below for tips on how to config keepassxc and protect against brute force gpu attacks etc.

Security - KeePass

keepass.info

Also make a habit of logging off once done rather than keeping it online, that will reduce session cookie risk.
passkeys will make it easier to login while being more secure, yubikey is quite nice.

See this thread -

T

Thread 'Securing gmail account - options ?'

Mar 10, 2025

So i am looking at how to better secure my gmail account, which has become a link to all major accounts ( including financial) these days.

Current setup -
2nd factor through sms.
Used by 2 devices.
Device remembered, so i don't really need to login again. I guess this increases risk of session hijacking from malware. Has never happened to me, yet.
I always use bookmarks/saved url in keepass to go to any account page, so phishing risk seems to be not an issue.

How to improve ?
I am looking at using AWS/ec2 in near future, which also brings some additional risk of its own as they don't...

• Tracer_Bullet
• security
• Replies: 7
• Forum: Websites, Apps, and E-Commerce

 

[Simar]

Huh> Link to the scam..

Here's the link to the scam - https://techenclave.com/threads/possible-scammer-dont-trade.227092/

I use bitwarden on all browsers and my phone and office laptop and as far as you have enabled 2fa with a really strong password, it snot easy for someone to sniff and fiddle!

Is your master password very strong as well, like Bitwarden-generated passwords? If so, how do you input it every time? I have a manually created "strong" password that's long and has the typical combinations, but I want to go with the former. Just seems like a hassle storing it physically instead of plaintext and inputting it every day.

How old are you and how tech savvy is your mom? Does she controls all the access etc. does she operates firewalls and routers around?

Haha, this was like 18 years ago, if not more. A tech-savvy relative set it up, but that wasn't going to stop "kid me" lol.

Look at yubikey

Thanks for the YubiKey recommendation. Not sure how I feel about a physical device that can be lost/stolen/broken, but I'll have to check it out to know more.

make a habit of logging off once done rather than keeping it online, that will reduce session cookie risk.

I rarely do this, but it makes a lot of sense. There's a convenience and security tradeoff, but I think it should be worth it if I'm so worried about my credentials being compromised.

See this thread -

T

Thread 'Securing gmail account - options ?'

Mar 10, 2025

So i am looking at how to better secure my gmail account, which has become a link to all major accounts ( including financial) these days.

Current setup -
2nd factor through sms.
Used by 2 devices.
Device remembered, so i don't really need to login again. I guess this increases risk of session hijacking from malware. Has never happened to me, yet.
I always use bookmarks/saved url in keepass to go to any account page, so phishing risk seems to be not an issue.

How to improve ?
I am looking at using AWS/ec2 in near future, which also brings some additional risk of its own as they don't...

• Tracer_Bullet
• security
• Replies: 7
• Forum: Websites, Apps, and E-Commerce

This seems helpful. I'll give it a read. Thanks for all the recommendations.

 

[Tracer_Bullet]

Not sure how I feel about a physical device that can be lost/stolen/broken, but I'll have to check it out to know more.

1) You can protect it with upto 60+ character pin. It does not allow bruteforce and will have to be reset after 8 tries.
So not much anyone can do if stolen. And you will know and then can change paswords

2) They recommend using 2 keys with 1 as backup. I don't like depending on just one thing, so i enable backup methods too - TOTP for example in gmail and generically you have backup codes too for 2fa.
I dont save TOTP in authenticator (for example), instead i ll just print out the secretkey/qrcode and keep file in some offline usb keys. This seems enough to me.

I am pretty happy with this now. Convenient too. It protects against phishing as well.

 

[nRiTeCh]

Is your master password very strong as well, like Bitwarden-generated passwords? If so, how do you input it every time?

I use PIN option not password thus it becomes way easier.