Most people seem to think it needs to be accessible online. Remote Access =/= Internet Access. Self-hosting an external vault, using VPNs, and requiring MFA access make the vault tricky to get to in the first place. Your machine would need to be compromised first for an attacker to even connect to it—and at that point you’re compromised (and probably keylogged).
If you’re actively under attack, no Password Manager, mental algorithm/password pattern, Yubikey, or MFA will prevent someone from just using your authenticated session(s).
Does that mean we shouldn’t use these mechanisms? Of course not. When the risk is only realized with full compromise—saying XYZ could pose a threat is moot from a security perspective.
> Self hosting an external vault, using VPNs, and requiring MFA access make the vault tricky to get to in the first place.
OK, but that is also prone to a weakness in any part of that chain, assuming you even set it up properly in the first place. Each piece is another layer that can be hacked or improperly set up.