Clarify password manager and TOTP storage (#1810)

Signed-off-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
matchboxbananasynergy 2022-09-26 00:40:55 +00:00 committed by Daniel Gray
parent 02c65f45e3
commit faf6d34ec1
No known key found for this signature in database
GPG Key ID: 41911F722B0F9AE3

View File

@ -100,7 +100,11 @@ There are many good options to choose from, both cloud-based and local. Choose o
!!! Warning "Don't place your passwords and TOTP tokens inside the same password manager" !!! Warning "Don't place your passwords and TOTP tokens inside the same password manager"
If you're using TOTP as a [multi-factor authentication](../multi-factor-authentication.md) method for any of your accounts, do not store these tokens, any backup codes for them, or the TOTP secrets themselves in your password manager, as that negates the benefit of multi-factor authentication. You should use a dedicated [TOTP app](../multi-factor-authentication.md#authenticator-apps) instead. When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.
### Backups ### Backups