Storing 2FAs & Main email password in your vault (Discussion)

[Dani]

So, I had a conversation with our company's CTO - his opinion is you should remember 2 passwords:

1. Password manager's master password

2. Your main email's password (meaning, do not keep your email's password in the vault)

His reasoning is the extra layer of security - if a hacker somehow gains access to your vault, they won't be able to reset majority of the accounts (at least the important ones - like bank and stuff) as they don't have the password for your email.

Additionally, he doesn't store 2FAs in the password manager and cringes every time i tell him i do store my 2FAs in the PM. His thoughts on this - again, extra security - use a separate app like Authy that also has a password so even if someone has gained access to your vault, they won't really be able to reset your password (no access to the email) and they don't have the 2FA.

Sounds like really paranoid to me (yes, it's secure but it's also inconvenient not to mention I tried Authy and I realized i can't get the 2FA key back, what a bummer). Currently, i do store my 2FAs & Email in Enpass. Curious to hear what are your thoughts on this?

[Manish Chokwal]

Hello @Dani,

We agree with your CTO. It makes more sense to keep passwords and 2FA codes separate. TOTP secrets are stored in Enpass as a convenience feature (authenticator with autofill, backup) requested by our users for their use cases. For example, some of them use Enpass only to generate one-time codes. To read more about this, visit the discussion. 

In addition, you can add another layer of security by using a keyfile with the master password. Enpass appends the characters in the keyfile to the master password and uses them together to encrypt your data or to unlock the Enpass app. To make it way more secure, I suggest keeping the Keyfile on a portable drive like a pen drive. visit Enpass Security Whitepaper. 

SI-2675

[Fadi]

@Manish Chokwal How do we create a keyfile? Can we generate it for already in-use database? Or do we have to create new database for keyfile to be generated?

[Manish Chokwal]

Hi @Fadi,

A keyfile can be added to an existing or a new Enpass database while changing/creating the master password. For more information, visit our Keyfile User manual. 

Let me help you with the steps to generate a keyfile:

1. Open Enpass on your desktop, click Settings > Security > Change master password.
2. Enter the master password. Click Continue.
3. At the bottom of the screen, click Advanced.
4. Click Generate keyfile.
5. Name the keyfile and save it.
6. In the Enter New password and Confirm New password fields, enter the master password.
7. Click Done.