Timed One-Time Passwords not working


I’m a Lastpass user and so many probably know they’ve had a serious data breach.

So apart from changing my password I decided finally to turn on 2FA and went through the process for TOTP but when I login I am not asked for a code. I cleared cookied and data for the Runbox.com domain.

Hello. Did you complete the process by entering the first TOTP in the set up screen? If you did that and it still doesn’t work please open a support ticket at https://support.runbox.com

Thank you.

Fear of data breaches & more identity theft is why I only use KeePass on my laptop & android phone. KeePass & the password file are not synchronized with a cloud or backed up anywhere except on my local devices & usb sticks. Online password managers are a massive honeypot for anyone that can hack their way in & that’s why I will never use one. This isn’t the first time Lastpass has been hacked.

I use the KeePassDX app from F-droid, but other KeePass apps are available from different developers on Play & Apple that can synchronize. The KeePass file created by one device like a pc can be copied & used by the app or software of another device.

For ease of use & so I don’t have to keep track of changes on two devices then make the same changes on another device, I only make changes to my KeePass file on my laptop then plug my phone into the laptop with a usb cord & copy the new file to my phone & open the same file with the phone app to confirm it is the new file & that it works. For those that synchronize with a cloud service the KeePass file can be downloaded from there.

The KeePass software for computers https://keepass.info/ is more technical & takes awhile to become familiar with. I recommend trying a KeePass app for a phone or tablet first because the apps are much easier to learn compared to the software. After using an app for even a short time the KeePass software basics will be easier to understand.

KeePass also works with Linux & will be trying that when I try Linux for the first time with Linux Mint Cinnamon so I can quit using Microsoft & Windows. Many years ago I was a victim of identity theft when $20 was stolen from my debit card by a fraudulent website I had never heard of, but I was reimbursed by the card issuer.

That’s a good reason to only use Credit Cards online & at stores & pay the bill every month, so your real money in your account isn’t jeopardized. Some people aren’t able to recoup the real money once it’s been stolen from their account.

Like many people I’ve also been the victim of identity theft through many large data breaches, thankfully there seems to have not been any consequences from that. But I’m still cautious with my info & what I do with it online. The following is how that relates to a password manager & using 2FA.

A few years ago I had the misfortune of changing my phone number & forgetting to disable 2FA for about 10 online accounts. Fortunately my phone carrier was able to put my old phone number on another SIM card with a small amount of money so I could access accounts with 2FA for sign-in & disable 2FA until I could change my phone number on the accounts.

After that scare of nearly losing some accounts I started putting 2FA after the title for relevant entries in my KeePass. So I can simply scroll through my Bills & Shop folder & easily see which entries have 2FA enabled. My Apps & Internet folder is only for online accounts that will never have payment info or 2FA. Keeping the two categories separate makes finding things & staying organized easier for me.

To be thorough & make sure I don’t forget where I used 2FA, I use No2FA after the title for accounts with the 2FA option but I chose not to use it, No2FA makes it easy to know which account I can add 2FA if I want it. I also designated other keyboard symbols for different things that I can include with the title or searchable Tags to find all entries with a matching character.

Such as @ to indicate where my address & personal identifying info is saved so I can remember to remove it or falsify it later with incorrect info should the account or service get hacked. For shopping accounts I don’t use regularly, or may delete, I remove my personal info, or falsify it if it can’t be removed from the account, & put an X next to that entry in KeePass as a reminder.

Can use CC after the title, or in the search Tags, for an entry where a Credit Card is saved so don’t have to sign-in to every account & check.

I don’t keep payment cards on shopping or bill pay accounts that I’m not actively using or don’t plan to use regularly. For example my auto insurance I pay every 6 months online & select the option for the site to not save my card. For online shopping accounts I rarely use but don’t want to delete I save a payment card to make the purchase & after the purchase has shipped I remove the card from the account.

Because I don’t use Google, or any cloud service, in another KeePass folder of the same file I save important contact info for people whose info I don’t want to lose should something happen to my phone, along with my drivers license number, vehicle info, auto & renters insurance policy numbers, health insurance card info etc etc.

Over time I switched to using KeePass to save any important piece of info (except my Social Security Number) that I may want later so everything is consolidated in one place. Many times it has saved me not looking for info elsewhere on paperwork or for something that’s in my wallet but not handy to grab while at home.

Every year I evaluate all of my online shopping & bill pay accounts & delete accounts I don’t want to use anymore. Some sites where a purchase has been made will only disable the account, but not delete it so they still have the purchase info for their records. But for the most part when requesting to delete an account that is what will be done. Then I delete it from KeePass.

These tips & idea’s can be applied to any password manager. Although for a cloud password like Lastpass or Dashlane instead of using obvious things like $, 2FA, CC maybe use different symbols or abbreviations that you can remember instead like &, %, ), / etc.

Because of the Lastpass breach, if you’re in the USA I strongly recommend getting a security freeze with all 4 credit agencies Equifax, Experian, Innovis & Transunion. If you’re a victim of identity theft or fraud you have to report it to the Federal Trade Commission (FTC) easy to do on their site and/or make a report to local law enforcement for where you live, whether that be the sheriff or police.

Provide the credit agencies with a copy one or both of those reports & they will give you 7 year extended fraud alert for free. Fraud alert requires a company or institution to call you first at your phone number they have on file to confirm your identity before credit or a loan will be granted. That phone call may be the same day while you wait on the premises or it may not be until a day or two later. I’ve had it happen both ways.

Even though it’s not difficult to temporarily lift the freezes, when they have to be lifted it is usually for all 3 agencies because most creditors refuse to say which agency they will check, will say they don’t know which agency will be checked or that the choice will be random.

A security freeze and/or fraud alert could cause annoying delay’s for people that frequently like to get new credit cards with promotions or other credit offers. I’m perfectly happy my credit is difficult to access because my small amount of credit needs are taken care of. It’s highly unlikely something will come up where I need a credit check because I’m never owning a home again & will pay cash for any vehicle I buy.

Anyway, just some thoughts I wanted to share. I don’t expect or want a line by line reply. lol

1 Like