HACKER Q&A
📣 prakhar897

Why do people use password managers?


I'm not a security engineer so pardon me this is dumb.

From what I understand, password managers store all your passwords in hashed format and use your "master password" as the encryptor.

               master password
 H(password) <----------------> encrypted password
The key difference here being that this is two way hashing so passwords can be decrypted.

In reality, there are a lot of attack vectors like MITM, event logging or sometimes straight up storing data in plaintext. Through these, hackers can generally get passwords of all users of these services.

So, why don't people use local password managers?

Just a txt file encrypted with "master password" should be pretty damning to break into. And the reward for breaking in would be the passwords of 1 person (compared to 100k businesses).

Obviously, this would be less convenient and wouldn't sync between devices. But would do the job.

And the best part is there are solutions already that do this: https://keepass.info/

So, why do people and companies use Okta, Lastpass, 1pass etc?


  👤 helpfulclippy Accepted Answer ✓
> Obviously, this would be less convenient and wouldn't sync between devices. But would do the job.

Allowing convenient use of strong, unique passwords per-account IS the job. If a user can't quickly access their passwords on all their devices, they're going to fall back on just typing it in. And in real life, that means they pick easy passwords and reuse them in lots of places. This opens them up to attackers who either guess the password, or take a password learned from one site and try the user's accounts on other sites.

A great password manager does the following:

1. Makes it easy to generate strong, unique passwords per-site every time an account is created.

2. Applies an expensive key derivation function to your vault password to make brute force impractical for all but the weakest passwords, so that stealing vaults is of minimal value.

3. Does not ever transmit your vault password off your device, so that an adversary who can intercept every vault file and every plaintext byte of traffic going to and from the server still cannot do better than a brute force attack against the vault.

4. Does all 3 of the preceding with a rigorously designed process that is regularly audited by multiple experts, and actively monitored to ensure that these things really are happening throughout the lifespan of the product.

5. Syncs across devices and integrates very well with the browser so that users have no incentive not to use it.

Lacking any one of those elements greatly compromises effectiveness. Homebrew solutions can be pretty dodgy about all of them, and #4 and #5 are particularly difficult even with a large budget and staff.

I'd say Bitwarden and 1password have earned excellent reputations for doing all 5 of these things. LastPass's reputation is not so great.


👤 kemotep
Okta isn’t a password manager. It’s an Identity Provider.

I use a password manager because I have multiple devices and a cross-platform solution that I can access is a straightforward solution. A local password manager like Keepass is still vulnerable to attack by a compromised system. A well-architected password manager is going to not store the decryption keys on their servers and only allow the password vault to be decrypted locally, so if they get breached, they would still need to have your master password to gain access to the data. A malicious update could allow them to steal your information, but so could a malicious Keepass or OS update.

Using a password manager with a strong password and multifactor authentication is mitigating so many security issues off the bat the new risks it introduces can be small.

Bitwarden has not had any of the problems you listed and can be self hosted.


👤 steveklabnik
> Obviously, this would be less convenient and wouldn't sync between devices. But would do the job.

Something that does not sync between devices does not do the job.


👤 Carbonhell
Known password managers such as Bitwarden don't simply communicate the master password from client to server in plain text (https://bitwarden.com/help/security-faqs/): the master password is salted and hashed client-side, then salted and hashed again when stored in Bitwarden servers. Even if you managed to perform a MITM attack, you'd only be able to download your encrypted vault data, which would then require your master password to decrypt (locally). I believe talking about security considerations requires specifying a threat model, but for the average user such a setup would definitely be considered secure enough. A local-only setup would definitely be more secure, but then, as you said, you'd lose QoL features such as ubiquitous access, a nice UI/UX, no setup hassle, easy usage of hardware tokens and so on. If one were to attack Bitwarden, he would either have to crack the encryption scheme to attack a specific user/business or target it through other means. Ultimately I think it's a small compromise of a small security sacrifice versus a big gain in terms of usability and availability.
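The client-side design that helpfulclippy's points 2 and 3 and Carbonhell's summary of Bitwarden describe, written out as an added worked example. This is not code from the thread or from Bitwarden or any other vendor; it uses only the Python standard library, so the vault cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, an assumption standing in for the AES-GCM or XChaCha20-Poly1305 a product would use. The iteration counts, the label strings and the sample vault are likewise this example's own choices. It shows the three properties at once: the key derivation is expensive, the server only ever receives a one-way value derived from the key (hashing, in MattPalmer1086's sense), and the vault itself is encrypted (reversible) under a different sub-key, so a stolen vault plus a captured login hash still leaves the attacker with nothing better than a guess-by-guess brute force.

```python
"""Added example (not Bitwarden's or any vendor's code) of the client-side
design helpfulclippy's points 2 and 3 and Carbonhell's summary describe.
Standard library only: the vault cipher is an HMAC-SHA256 keystream with
encrypt-then-MAC, an assumption standing in for AES-GCM/XChaCha20-Poly1305."""
import hashlib
import hmac
import secrets

# Deliberately slow: one of these per guess is the attacker's cost for a stolen
# vault. 600k is the OWASP figure for PBKDF2-HMAC-SHA256 (Argon2id would be the
# modern choice); the server re-hashes the login value with its own count.
KDF_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_master_key(master_password: str, email: str,
                      iterations: int = KDF_ITERATIONS) -> bytes:
    """Client side only; the account e-mail is the salt. Never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """HKDF-Expand-style domain separation: one independent PRF output per
    purpose, so the transmitted login value cannot be turned into the vault key."""
    return hmac.new(master_key, label, "sha256").digest()


def login_hash(master_key: bytes) -> bytes:
    """The only secret-derived value sent to the server. One-way (hashing, in
    MattPalmer1086's sense), unlike the vault contents, which are encrypted."""
    return _subkey(master_key, b"login")


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Reversible, i.e. encryption not hashing: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting, so a wrong password or
    a modified blob raises instead of producing garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Server:
    """The provider's side. It never receives the password or master_key, and
    it salts and hashes the login value again, so a dump of this table cannot
    even be replayed to log in, let alone decrypt anything."""

    def __init__(self):
        self.users = {}  # email -> (salt, stored login hash, encrypted vault)

    def register(self, email: str, lh: bytes, vault_blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", lh, salt, SERVER_ITERATIONS)
        self.users[email] = (salt, stored, vault_blob)

    def fetch_vault(self, email: str, lh: bytes) -> bytes:
        salt, stored, blob = self.users[email]
        check = hashlib.pbkdf2_hmac("sha256", lh, salt, SERVER_ITERATIONS)
        if not hmac.compare_digest(check, stored):
            raise PermissionError("authentication failed")
        return blob


def crack_vault(blob: bytes, email: str, guesses, iterations: int = KDF_ITERATIONS):
    """The offline attacker's position with a stolen vault: one full KDF per
    guess and no shortcut. Returns the password only if it is in `guesses`."""
    for guess in guesses:
        try:
            decrypt_vault(derive_master_key(guess, email, iterations), blob)
            return guess
        except ValueError:
            pass
    return None


def demo(master_password: str = "correct horse battery staple",
         email: str = "alice@example.com"):
    """Constructed end-to-end run: register, fetch, decrypt. Returns the server,
    the key, the original vault and what came back, for inspection."""
    vault = b'{"github.com": "kX9!vQ2#pL7w", "bank.example": "zR4$mN8&qT1y"}'
    key = derive_master_key(master_password, email)
    server = Server()
    server.register(email, login_hash(key), encrypt_vault(key, vault))
    recovered = decrypt_vault(key, server.fetch_vault(email, login_hash(key)))
    return server, key, vault, recovered
```

The thing to notice is what the server table and the wire actually carry: a salted re-hash of `login_hash(key)` and the encrypted blob. Neither lets the holder decrypt, and `crack_vault` is the best an attacker can do with them, which is why the strength of the master password and the cost of the KDF are the whole game once a vault leaks (this is also the sense in which stetrain's remark about the LastPass breach only exposing encrypted vaults matters).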

👤 n_ary
Given the rise of “login to do stuff”, I have a little over 400 credentials with at least 350+ generating OTP.

Keepass has nice clients but some require bringing my own sync (syncthing frequently failed due to conflicts) and some apps went out of maintenance. Some supported ones like dropbox/gdrive but frequently broke integration every other month due to api changes. Also, when I want to use 2FA, a basic synced encrypted file doesn’t work and I end up having 2-3 apps (most standalone OTP apps need my phone number or email or credit card) scattered between different platforms. Basically after 10-15 credentials, it becomes a maintenance headache.

What the likes of 1Password/Bitwarden/Lastpass (naughty naughty …) do is, they provide a ubiquitous experience on all of my devices and seamlessly do the sync for a very little price (bitwarden 1 year is only €10/-, that is dirt cheap compared to one falafel bread costing me €6+), removing all of the maintenance and management headache.

As for security, I would trust bitwarden or 1Password more than a random unmaintained keepass app with self-managed syncing and random loss (fixing a sync conflict on a keepass db is a super risky domain of severe data loss!). Also it is their business to manage my passwords, and if hackers are harvesting passwords easily from them, what makes you think that hackers can’t do that on the very website that you enter your credit card details?

Password managers are a major improvement in quality of life and security. Heck, I don’t even know 99% of my passwords, I just click generate and autofill without having to think about all the arcane one uppercase, one special digit rules on different websites.



👤 stetrain
I have many devices, and many passwords.

Using a cloud sync password manager allows me to follow best practices in having complex, unique passwords for each account.

Data breaches and password leaks at random websites are a much more common attack vector than all of your encrypted passwords being exposed via a password manager.

> Through these hackers can generally get passwords of all users of these services

I'm not sure that there's really evidence or history to back this up. As far as I know even the LastPass data breaches only exposed encrypted passwords, not decrypted ones.

For companies, the benefit is that shared credentials can be distributed to employees without people pasting them in slack, email, or other insecure services.

That access can be revoked by policy if say an employee leaves the company, and new credentials can be generated for all the employees who remain.


👤 MattPalmer1086
Small correction. They don't use hashing, as hashing is by definition a one way operation. They use encryption, which implies the ability to decrypt (2 way).

👤 dgrin91
There are a few convivence features that password managers give:

1. Syncing. You mentioned it, but it's actually pretty big. It's hard to do this right, and I don't trust myself. This is especially true on devices without normal OSs like phones.

2. Autofill. Just having a plain text file means I have to constantly go to it. It's a pain, I want autofill.

3. Password generation. Just a text file means I use shitty passwords everywhere. Auto-generated passwords are truly random and much more secure.

4. Recovery. My father passed away a few years ago. The fact that he had all his stuff in a password manager with me as a recovery person meant the transitional period was way easier. Instead of having to deal with tons of customer support for months I was able to manage his affairs the next day.

5. Integrations. For example some managers can plug into TOTP services and autofill that for you. I don't personally use that, I feel its too many eggs in one basket, but some people like that.

6. Team/sharing. My work uses a password manager and its useful to store creds in a secure, audited, sharable way for certain services.

When you put it all together it adds up. It CAN be done with alternative means, and if you are super security conscious you may choose to do so, but for the majority of people its a good tradeoff.


👤 kstrauser
I think I'm a reasonably smart guy, but I see so many ways to mess up that DIY encrypted text file system. Does my little shell script or whatever temporarily write out the unencrypted file to the filesystem where it gets picked up in a Time Machine backup? Did I remember to exclude clipboard copies of the editor app from my clipboard manager? How am I generating the secure passwords in the first place?

This is one of those cases where putting my eggs in one highly battle-tested basket makes a lot more sense than trying to reinvent the wheel poorly.

But don't use Lastpass, OK?


👤 Yizahi
Because my threat profile includes script kiddies and encryptor malware from Bangalore, and doesn't include Mossad or NSA. If Mossad would want to do Mossad things to me, no local password manager will help me. If anyone has skills to MITM Lastpass or Okta, well, I concede defeat and grant technical win to that person.

👤 karaterobot
You're approaching this from "what is the optimal way to securely encrypt my own passwords as an expert user". Consider these two perspectives instead:

1. I am an average user and want to store my passwords, and I don't want to have to think about them for more than 5 seconds, ever. I want some solution that will input passwords for me when I go to a website, and I don't much care about the actual security situation; I assume it's fine. From this perspective, an encrypted text file is a much worse user experience, and the potential for a data breach is not something I'm thinking about at all.

2. I am the CISO or similar security professional for a company. I can't let users just use whatever passwords they want: not only do I know it's a terrible idea, I'm bound by the controls in my security framework to do something to enforce password strength and encryption. So, I need users to do something else. Even if it's allowed by my security protocols, I am not going to trust the 500 people in this company to keep an encrypted text file of strong passwords that I have no oversight on. Most of them will use "password123" for everything, I know this for a fact. Instead, I want to enforce some password standards and rotation schedules, and have a dashboard that says "everybody has a strong password" that I can show off at a vendor security review or even just my personal performance review. That implies a SaaS product.


👤 robohydrate
Before using a password manager (1Password), I often reused passwords out of convenience in order to not have to remember a lot of them. After switching to a password manager, every password is a strong randomly generated password, I get autofill, it syncs across all my devices and most importantly I only need to remember one super long complicated password. I've got hundreds of stored passwords at this point and I honestly don't think I would be able to manage without it. The 1P family plan is great, shared vaults are super useful to allow me to share certain logins with my wife. Additionally, I like the ability to store arbitrary information securely in my 1P such as credit card info, bank account numbers, driver's license and insurance details, etc. One convenient place to store all my important info with an easy way to share it amongst those who matter most to me.

I'm not going back to a life without a password manager.


👤 redserk
Local backup strategies are often terrible and untested, if they even exist. While no service is infallible, 1Password and others seem a lot less likely to be lost/stolen/destroyed than a personal laptop.

I'm not sure why you're rolling Okta in here, but Okta can be a completely different thing depending on what you're referring to.

Single sign-on (with something like Okta) makes it so that a user doesn't need to manage a dozen passwords and enables an organization to limit access of a user's account if needed.

If you use an app with Okta SWA, you (as the admin) can create a password for users so your users don't have the responsibility of making a strong password. But this is only for stuff that can't use OIDC/SAML.

Ideally you'd use Okta with OIDC/SAML with your applications so your individual users won't have static credentials, and in this case, there isn't really a parallel here to some software you'd run locally.


👤 drKarl
If you're going to use KeePass, do it right and use KeePassXC (that's what I use). It's cross platform. I sync the password file between my computers and my phone and I use KeePassXC client on my phone as well. And I use a completely different KeePassXC password file for work related passwords which I keep on my work computer. How many times have Okta and LastPass been hacked already? If you have some really sensitive passwords you could have your password file inside a Veracrypt container. Also, you can use a key file (can be anything including an image) along with your password for added security.

👤 1attice
Because poor usability just is a vuln.

If you make life unlivable, either for yourself or for a group of people, you can expect security to fall by the wayside.

Real-world security isn't just about digraphs and compendia of named (known!) attack types, listed together with mitigations. (Although all that certainly helps!)

It is, unfortunately, also about maintaining and managing personal systems. No matter how scaled and nuanced, the security of any organization comes down to personal habits.

Password managers make it significantly easier to track, prune, maintain and manage identity across sundry & clastic platforms, and therefore, improve security.


👤 ss48
In most cases convenience. Sometimes, you may need to share a password one-off (ex. https://support.1password.com/share-items/) with a coworker or a friend. Setting up something like that with keepass is not really possible.

If you want to manage passwords amongst family members, it's easier to set them up with one of the cloud services compared to Keepass. You also get some level of customer support, and don't have to worry as much about when your password breaks.

I personally have set up KeePass, made sure it's backed up regularly, and even set up a WEBDAV server to access it remotely. It works great for me, but I know how everything is set up. Strongbox for mobile access is the main reason I can actually use this, and this is a paid application that not everyone is willing to pay for. Experience-wise, other mobile applications for KeePass have not compared, and I have no idea how apps for Android compare, since I set up everyone with iOS devices. Sometimes, the connection to the server gets disrupted, and I have to reconnect. Not everyone wants to do this, and can have less confidence in the other supporting infrastructure.

As much as attack vectors exist, the biggest risk is you losing access to your own passwords (there's been enough lost crypto wallets you can read about on the internet). Compared to that, a cloud based service is better for a large group of people.


👤 notfed
> Ask HN: Why do people use [cloud-based] Password Managers?

People use cloud-based password managers because they provide data resiliency. If you store your passwords locally only, you will have a day when your hard drive crashes, you've lost all of your passwords, and you will be in a very bad situation.

> The key difference here being that this is two way hashing so passwords can be decrypted.

There's no such thing as "two-way hashing". If you're worried that the master password password-hashing algorithm is crackable, that's fair, but that's only a problem if you use a weak master password. If you use a, say, 96-bit master password (e.g., 16 random base58 characters), then honestly you're pretty damn safe even if a site only uses a single pass of SHA-256. But no one's using a single pass of SHA-256, they're using a PBKDF, which means you can use a few less chars in practice for the same security guarantee.

> In reality, there are a lot of attack vectors like MITM

The security of a remote password manager will only be as secure as the transport encryption, this is true. But TLS is pretty solid these days, the risk of breaking it is much smaller than other risks involved here.

> event logging or sometimes straight up storing data in plaintext

You will need to trust that the cloud-based provider doesn't store anything in plaintext. I trust my provider. I don't trust all of them.


👤 tqi
I think the meta point across the other answers in this thread is that when people choose less "secure" options, it's often because they have a different set of input values for their cost/benefit calculation. Too often, I feel like security conscious folks try to convince me to do X rather than Y by explaining to me why Y is insecure, when in reality I'm just not motivated enough to make a change.

👤 mcint
> Through these hackers can generally get passwords of all users of these services.

Assuming you mean password manager services. If they can get a copy of the vaults at all, in a well-designed system they have to attack each one individually.

They also serve business use cases for sharing, and revoking access, to other services.

> So, why don't people use local password managers?

Because synchronizing between devices is an important factor in usability, even just for an individual, not even considering groups or businesses that would share access.

Local password manager vaults can also be stolen by malware, and would result in the same catastrophic loss you suggest.

> Just a txt file encrypted with "master password" should be pretty damning to break into. And the reward for breaking in would be password for 1 person. (compared to 100k businesses).

Password managers do just "do the thing you'd want them to do", and because they have a well-defined use case, they can support extensive discussion about threat models, and can easily and coherently support lots of people benefiting from the best research and security, without each having to individually roll a solution.

A hosted service without persistent compromise is likely less vulnerable to an old copy of a vault, and an accidentally disclosed master password causing catastrophic failure.

Lastpass has some issues that look egregious in retrospect. The early exceedingly low-strength vaults that were never upgraded (only possible on login).

1password publishes research and pushes forward authentication management beyond password, e.g. passkeys, in a credibly cross-ecosystem way.


👤 kafrofrite
I'll try my best to explain everything (trying to avoid too much security lingo, hopefully).

A password manager is a big database of passwords. There is a master password that decrypts the database and from there you can use your passwords. Notice that hashes are one-way operations, thus not used in password managers. The benefits of using a password manager are that users need to remember and handle only one password, that of their password manager; the rest of the passwords are unique and can be rotated quickly. Ideally, your password manager does a few more things, including taking precautions against leaving traces of passwords in memory etc.

There's another part of commercial password managers which is mostly convenience functionality. Passwords are synced across devices, specific members access specific passwords etc.

Some people do use local password managers, depending on their threat model (i.e., who's after them) and their level of expertise/time on their hands. Setting up something locally requires taking additional precautions (such as permissions, screen locks etc.) that are typically handled by commercial password managers.

Reg. Okta, Okta is an identity provider. In theory, identity providers can provide strong guarantees regarding a user, i.e., "I authenticated him thus I gave him those tokens to pass around". Strong guarantees can include a number of things, including Multi-factor Authentication, VPN restrictions etc.

Funny story: during an internal red team engagement on a previous employer of mine, we took over the local password manager of a subset of the security org, twice. The first time, they had a VNC, unauthenticated, with the password manager running and the file unlocked. The second time, a team conveniently used Git to sync their password manager file, with their password tracked.


👤 koliber
You could do it as a single encrypted text file. The UX on it is more difficult. My password manager is frictionless and secure (I currently believe, based on best available info).

With a single keystroke, while in a web browser where the majority of my passwords are requested, I fill in the username and the password for the site I am on.

Vs. an encrypted plain text file, it has the following advantages:

- A single keystroke in the web browser, vs. typing longer commands

- No searching through hundreds of entries. At most a small handful is shown if I have multiple logins.

- No worries about wiping my terminal scrollback buffer or forgetting to remove the temporarily-decrypted file.

- Correct password for correct site, and no threat of lookalike sites

- All devices have access to same password list, via Dropbox sync of encrypted DB files.

- Can store other structured data in addition to passwords. Even binary data like images.

- Can use it as a TOTP, but that is arguably a bad practice. It's convenient though.


👤 dheera
> Just a txt file encrypted with "master password" should be pretty damning to break into.

This is surprisingly hard for non-engineers to get right.

- Where do you put the decrypted file before you can open it up in Notepad?

- Do you copy passwords to the clipboard, where other apps can spy on them in-flight to the destination?

- How do you sync the encrypted file across machines? How do you resolve merge conflicts?

- How do you backup the encrypted file and make sure you don't accidentally upload the decrypted copy?

- How do you share some passwords with your partner, some passwords with your phone plan's virtual family, some passwords with your cofounder, and keep yet other passwords to yourself?

Engineers can solve most of these problems but average non-tech people would probably fail at all of the above.

That said, I use an almost-stateless password generation scheme that involves PBKDF2-HMAC-SHA256 on master password concatenated with domain of service, but that solution isn't for everyone.
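A stateless scheme of the kind dheera describes, written out as an added example. This is not dheera's code or exact parameters: the alphabet, the 600k iteration count, the rotation counter and the way the domain is normalised are all this example's own assumptions. Every site password is recomputed from the master password plus the service's domain with PBKDF2-HMAC-SHA256, so there is nothing to sync, back up, or have stolen. The flip side is also visible in the code: there is nowhere to keep a password you did not choose (or a TOTP seed), rotating one site means remembering that you bumped its counter, and a leaked master password exposes every derived password at once, with no vault to re-encrypt. That is why the KDF cost is the only brute-force defence here.

```python
"""Added example of the stateless scheme dheera describes: every site
password is recomputed from the master password and the service's domain
with PBKDF2-HMAC-SHA256, so there is no vault to sync, back up or steal.
The alphabet, iteration count, rotation counter and domain normalisation
are this example's own choices, not dheera's exact parameters."""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_+="
ITERATIONS = 600_000  # with no vault, the KDF cost is the only brute-force defence


def normalise_domain(site: str) -> str:
    """https://www.Example.com/login, example.com:8443 and example.com must
    all yield the same password, so reduce to a lower-cased host without a
    leading www. A look-alike such as examp1e.com yields a different one, the
    same phishing resistance browser-integrated managers get from URL matching."""
    host = site.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def site_password(master: str, site: str, counter: int = 0,
                  length: int = 20, iterations: int = ITERATIONS) -> str:
    """Deterministic: same inputs give the same password on any device.
    Rotating one site's password after a breach means incrementing `counter`
    and remembering that you did; that counter is the only state. Characters
    are picked by rejection sampling so none is favoured by a modulo bias."""
    salt = f"{normalise_domain(site)}\x00{counter}".encode()
    n = len(ALPHABET)
    limit = 256 - (256 % n)  # bytes >= limit would bias the modulo
    dklen = length * 2       # usually plenty; extended below if rejections run it dry
    while True:
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen)
        chars = [ALPHABET[b % n] for b in raw if b < limit]
        if len(chars) >= length:
            return "".join(chars[:length])
        dklen *= 2  # PBKDF2 output is prefix-stable, so the result stays deterministic
```

In use, `site_password("correct horse battery staple", "https://www.example.com/login")` on a laptop and `site_password(...)` with `"example.com"` on a phone give the same password with no file in between; the `iterations` argument exists only so the test below can run quickly, and should stay at its default in real use.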


👤 fred_is_fred
"Obviously, this would be less convinient (sic) and wouldn't sync between devices."

You've answered your own question.


👤 mattsouth
Your strategy was proposed by joel spolsky some time ago: https://www.joelonsoftware.com/2008/09/11/password-managemen...

👤 gnulinux
You're missing the most important points:

* Syncs between devices. I can login to my accounts in all my devices. If I can access my Dropbox account, I can access everything else with the master password.

* Auto password generation. I don't ever even bother looking at the passwords. Just generate something like 32 characters with all ASCII characters, including "special" characters. This goes a long way.

Having used KeePass (with Dropbox sync) since ~2018 I don't even know how people operate without a password manager. It's so intensely convenient. Just dump all the info in the database. I can even take notes in my database. Write my credit card number, SSN, other private info. Put SSH keys. Put website info. Describe where I put my tax documents. Password manager is a pointer to everything else.


👤 prepend
I use iOS and my basic reasoning is that I’m already doomed if my device encryption is breached (it has wallet info, id, keys, etc). So if someone can access all my passwords it’s not much more damage. It’s kind of like the earth is doomed if hit by a certain size comet, so who cares if it’s double the size.

And I think it actually improves security as while if my phone is breached, I’m screwed, I’m now able to use unique, high entropy passwords for the 200+ accounts I have. And I’d never be able to do that without a password manager.

I use iOS instead of lastpass, etc because 1) it’s included in the phone price; 2) apple’s security record is better; 3) the above reason about having a spof. If I use lastpass now I have two spofs. And one spof is better than multiples.


👤 TheChaplain
I used BitWarden for a while, but it didn't feel like I was in control.

These days I use KeePass but together with Syncthing to have it across all my devices. It's a bit of setup but I am in control and it works flawlessly.

Last word; check out Syncthing, it really is a ridiculously good software.


👤 gtsteve
> Obviously, this would be less convenient and wouldn't sync between devices. But would do the job.

Seems like you answered your own question. While it is less secure, my password safe is synced across all devices. I can also easily share passwords with my family members and I can assist them with lockout issues. I don't think there's a nice solution for this with Keepass.

Also, a typical implementation is that the decryption is performed on your device. I don't think you send your key material to the provider but I don't know about all of them.

It is certainly a "keys to the kingdom" issue as you noticed, and I don't put 2FA reset credentials in the same place for example.


👤 smileysteve
I use a browser based password manager (ie 1pass, Lastpass, Internet Explorer, Chrome/Android, Apple/Safari keychain)

The major advantage when compared to a separate application (ie encrypted text document) is that the system/browser based url/context reduces Phishing, Clipboard jacking security issues.

Why does Okta exist? Primarily for their SCIM configuration (which is different and adds a level of org management)

Why do Lastpass and 1pass exist? Likely because Android/Chrome passwords weren't trusted yet and Apple keychain doesn't have as much of a consumer interface / cross platform concerns.


👤 twunde
What you're describing is more secure and I do know several people that do this, sometimes with syncing via Dropbox. But it's a battle against convenience and user experience and requires a fair amount of technical expertise to set up and use. While I _could_ teach my family to use a local password manager like keepass, it would be an uphill battle, whereas using 1Password, etc is _easy_ for them and means I reduce the number of tech support phone calls I get from my family (for context the most recent call was about fixing earthlink web email roughly a month ago).

👤 highhedgehog
Some people do use KeePass exactly because of your saying. I have multiple devices and I like the ease of use. I do not have to remember to perform backups etc.; it's all taken care of.

👤 andrewla
KeePass is a password manager. People use other options because their usability is better.

Backup & password generation seem to be the big ones. Secondary is sharing of password and cross-device sync. Third tier is probably browser integration.

Tiers here represent the overall decrease in the security profile as you move to higher tiers.

Finally a small nit -- if it's reversible, it's not hashing. Password managers necessarily store encrypted plaintext (not hashed) passwords because you have to be able to enter your password onto a website.


👤 NorwegianDude
No serious password manager with syncing stores your passwords in a way that gives them or anyone else with access access to your passwords. They are encrypted, so they need your master password.

People have multiple devices, so syncing is needed for usability.

Some password managers are basically local, but with end to end encrypted syncing. If you have to move passwords around, why not use a solution that already does it in a secure way?


👤 digitalsushi
I keep a vim encrypted file. If I need a password, I edit the file, get the secret, and then close the file.

I keep the file tidy, in a very simple grammar, and I have some shell functions that, with the passphrase available, can retrieve the secrets programmatically.

I wouldn't trust it with my 401k login. But it's handy for this week's API tokens and the pizza place's phone number.


👤 JohnFen
> why don't people use local password managers?

I do use a local password manager, personally. The disadvantage to doing so is that I don't get autofill of passwords and have to enter them by hand. I consider that a good thing, though, because it means that I end up memorizing the 3 or 4 passwords I use the most in a couple of days after generating them.


👤 logtempo
> So, why do people and companies use Okta, Lastpass, 1pass etc?

Your answer is in your post:

> Obviously, this would be less convenient and wouldn't sync between devices.

That said, any linux user a little bit curious/nerd could use pass + passFF + git (or any self-hosted or not git repo) + password-store (if they want it on their phone too).


👤 nitnelave
To all the great answers here, I'd add another use case: sharing a password securely with family/team, and keeping it up to date when changing. I set up my family in a bitwarden organization, and I can share a password with several people (common access to a shared account).

👤 afjeafaj848
> Obviously, this would be less convenient and wouldn't sync between devices

That's your answer right there ^


👤 grayhatter
> I'm not a security engineer so pardon me this is dumb.

I am a security engineer, and this isn't dumb. It's a very well thought out, smart question.

I'm not going to try to out do the other answers, but will point out, most seem to underweight the importance of social proof, and convenience


👤 barumrho
1Password started off like that and relied on file syncing services like Dropbox for supporting multiple devices. It's still using the same foundation, but 1Password provides the syncing service itself. (They aren't supposed to see the master password.)

👤 jqpabc123
And the best part is there are solutions already that do this: https://keepass.info/

Does it work on Android or iOS?


👤 wkat4242
I don't use one of those services but I do use a distributed self-hosted one. Reason is I have many different computers, phones and tablets. I need my passwords everywhere.

👤 puttycat
I use Enpass which doesn't sync to cloud and can be synced locally (over LAN) between devices, for exactly this reason.

👤 riidom
Also, (some of) these password managers have accompanying browser extensions which add another layer of comfort.

👤 nunez
Because I can sync passwords securely between devices and share them bidirectionally with my wife

👤 yablak
1password family uses a private key as well as a master password.

Good luck cracking that remotely.


👤 friend_and_foe
I came here to tell you why people use password managers. Turns out your real question is why people use remote backup password manager services.

I honestly don't know. Keepass + syncthing is really fantastic and very secure. I guess some people have bought into this "services are convenient" narrative, which I don't really think is true at all. There's nothing convenient about finding out that your password database has leaked online, verifying your new machine with SMS 2fa, doing everything in a browser in a web app. Having a file in a directory that's just always there and up to date is convenient, adding a new syncthing directory pair when you get a new machine and then being able to forget about it after that is convenient.


👤 loxias
Honestly?

I have no idea.

I use a locally encrypted store, and have done so for almost 10 years. I keep thinking to myself "there's got to be something better, surely I could make an external device..." but it remains to be seen.


👤 tomcam
I have lots of devices

👤 Ancapistani
I use Bitwarden.

My reasons for doing so are, in roughly descending order of importance:

1) It makes it easy for me to have a unique, complex password for each service/account. This limits my exposure to third-party data breaches. If a service I'm using stores their passwords in plaintext, and they get hacked, my exposure is limited to only the impacted accounts

2) I can easily share it across multiple devices. I regularly use macOS, Linux, Windows, iOS, and iPadOS. Bitwarden has clients available for all of these, and they work "well enough".

3) Convenience. For most services, I store my MFA key in Bitwarden alongside the password. I can therefore log in to those services with a few keystrokes: Cmd/Ctrl+l to fill username/password, and Cmd/Ctrl+v to paste the TOTP value. Of course, this increases my personal exposure and decreases the effectiveness of enabling MFA. For critical services - access to production systems for work, financial services, etc. - I have a hardware token that I use. It's not nearly as convenient, but it's good enough to be usable in the cases where I need a higher level of security

4) Sharing. I have a couple hundred accounts that I share within my immediate family. My wife, my kids, and even my own parents have Bitwarden installed on at least one of their devices. I've set up organizations so I can easily share credentials with them. This makes it much easier to have reasonable security on things like my Blink (security cameras) account while not having to physically access their devices to log in for them the first time.

5) Continuity. By having all of my credentials in one place, I'm able to store a physical copy of my Bitwarden credentials in a safe place. If I die unexpectedly, my heirs will have immediate access to all of my accounts. Because that system is the same one I use day-to-day, I don't have to worry about updating a "backup" or having it drift out of sync. I can also rotate my password frequently where appropriate and be confident that those changes will be propagated to my backup without my having to take additional steps to make it happen.

Obviously, the downside is that Bitwarden is then my single point of failure. I mitigate that to the best of my ability. Sign-ins from new devices require a TOTP that lives on my hardware token or confirmation from one of my existing devices. If my Bitwarden account were to be breached, it would be a huge pain in my ass for sure. The attacker would be able to impersonate me on multiple sites, and perform some actions - off the top of my head, the most impactful one is that they'd be able to drain my checking account. That account only has my "working cash" for half a month at a time, though. All of my savings and investment accounts require at least a TOTP from my hardware token.