Opisek

It's actually even outright discouraged by NIST.

For those who don't see the reason why, forced password resets lead to users using predictable passwords like "password2025october", "password2025november", etc.

Good parenting! I hate to see most parents nowadays give their children unsupervised access to the mindless brainrot boxes that are smartphones or tablets. Personally, having grown up with computers (and an analogue screentime limit), figuring things out through one's own curiosity is the way to learn about how things work and how to solve problems on your own.

Hi I'm not a millennial, yet I do enjoy my beloved pdftk.

Though it may have to do with a suspected level of neurodivergence.

I don't know if amazing or just privileged. Shouldn't someone stand up in the face of injustice and human rights violation?

Actual gestapo. Can't wait to see them all face a trial. (I do still hope that fascism can be defeated again.)

What's wrong with beinhalten?

Why yes I always dreamed of writing code like a full on novel.

Quellcodeanglizismussubstastivbeispielersatzgroßschreibungsregel

Seven bald eagles and three units of freedom

Well, they're not a bad thing per se, it's just important to remember that by doing that you are essentially delegating the access security (including any means of MFA) from the target website to the password manager. I.e., instead of inputting password and 2FA code for example.com, you have to input your password and 2FA code for the password manager itself. This has the same security guarantees, so long as you don't set your vault to—for example—never lock automatically.

For the case of passkeys, using Bitwarden, even with 2FA does reduce the security level in my eyes somewhat, since I'd argue passkeys to be a more secure measure than password + OTP. Unless, of course, you use a different passkey to authenticate yourself to Bitwarden.

TLDR; be careful about putting everything inside Bitwarden. You'll be fine if you make sure to protect your password manager adequately, but if you put OTP secrets (or passkeys) for other website inside Bitwarden AND only use password authentication for Bitwarden without any MFA, then you are effectively reducing your MFA back to a single factor (the Bitwarden password).

I'm afraid user authentication on the internet is broken beyond salvation. It's already complex enough to grasp fully for tech-savvy people, meanwhile we've taught the general population to use password123 for all their accounts and write it on a post-it for a good measure.

If it's alright with your threat model, you can put the time-based OTPs into your password manager of choice, like Bitwarden. Upon filling your username and password, it places your OTP in your clipboard, so that you can simply paste it in. This does of course reduce the security of the system slightly, since you centralize your passwords and your OTPs. When opting for this method, it is therefore imperative to protect your password manager even more, like via setting up 2FA for the password manager itself or making sure your account gets locked after something like 10 minutes of inactivity. The usability aspect is improved by using a yubikey or another similar physical key technology.

You, kind sir, are giving me ideas...