How smart is it to store TOTP tokens right next to your password?

Hi,

I’m wondering how smart it is to store the TOTP token right next to the password. Let’s assume someone manages to hack my PB account. Then the 2FA security gain is zero.

Of course, I have secured my PB account with 2FA, the private key is well secured, and the password is not ‘secret1234’ :wink: So the hurdle to break into my PB account is pretty high.

But is that enough? Or am I worrying too much? I would be interested to hear your opinion on this.

Best regards, Frank

Hi Frank,

Is TOTP even useful when using strong passwords generated by a password manager?

In my opinion, even if passbolt generates strong passwords by default, on the target system you will want to have TOTP in place, if there are no stronger alternatives like device-bound passkeys. It will help in the scenarios where an attacker can brute force or phish the target system password.

Should You Store TOTP and Passwords Together?

Pro: Keeping your passwords and TOTP codes in one password manager makes life easier. It speeds up login, simplifies onboarding and backups.

Con: Storing both in the same place means that if your passbolt is breached, attackers get both the password and the second factor.

Then the question becomes:

How hard is it to breach Passbolt itself?

To successfully compromise Passbolt, an attacker would typically need to:

  • Bypass 2FA (if enforced),
  • Steal the user’s private PGP key,
  • Steal or deduce the associated passphrase.

This is generally done by compromising the client, most likely by successfully installing malware or a keylogger on the machine running the passbolt browser or mobile app.

How hard is it to breach a TOTP app?

This is also generally done by compromising the client. So if your TOTP app (e.g., KeePass, Google Authenticator, or Aegis) lives on the same device as Passbolt, then realistically, breaching both becomes a single operation for the attacker.

I want a yes or no answer dammit, Yes or No?

It depends :slight_smile:

Storing TOTP and passwords together isn’t automatically a bad practice; it depends on how well the whole setup is protected. If you’re aiming for higher assurance, consider isolating TOTP on a separate device from the one where passbolt is running, and wherever possible use hardware-based methods (e.g., FIDO2, YubiKey) that resist phishing and local compromise.


If the problem can be solved, why worry? If it can’t be solved, worrying will do no good. Easier said than done. :wink:
