They list three different vendors on the site for prescription inserts (one per region), and there are other vendors who offer them, too. The partnered US vendor had them listed at $150 but I think some of the other options are cheaper.
- If you use our client you can use our servers
- If you don't use our client, you can't use our servers, but you can use any other server
It's like, technically it's sometimes[1] OSS, but they don't care about actually being FOSS in practice. If I can't fork the software, add or remove a feature and keep using the software's other features, it hasn't hit the bare minimum to be called FOSS, IMO.
1 - Most old versions of Signal are OSS, but frequently updates are only shared after a long delay - in some cases over a year out of date, if my memory serves me.
I had YouTube Family at $15/month until this month, when they raised the price to $23. I signed up back when Google Play Music was still a thing.
I was never able to get into YouTube Music, though, so I don't actually use it to stream my music. The fact that my playlists are shared between YouTube and YouTube Music is enough for me to drop it from serious consideration as a music streaming service on its own. That, plus the lack of lossless streaming, inconsistent, clunky UI, and lack of any positive features that distinguish it from Spotify, Tidal, and Apple Music, is why I never used it for anything other than sharing songs with people who didn't use Tidal.
That they apparently also include ads in the albums I transferred from Google Play Music - albums that I paid for - is just added insult.
The main way I justified paying the subscription was that other people in my household got access to ad-free music streaming (and they actually used it, unlike me), YouTubers get comped more from me watching their videos, and I didn't have to worry about whole-home adblockers to remove ads from the app. But after a 50% price hike that takes it above the prices for Tidal Family ($15), Apple Music Family ($17), and Spotify Family ($16), it's not something I can justify anymore.
(YouTube Music Family is $15, FWIW, but it doesn't include YouTube itself.)
> That, plus the lack of lossless streaming, inconsistent, clunky UI, and lack of any positive features that distinguish it from Spotify, Tidal, and Apple Music, is why I never used it for anything other than sharing songs with people who didn't use Tidal.
The UX and performance of the YouTube Music web client is so much worse than the old Google Music web client. I used to be able to scroll my entire album collection without a hiccup on Google Music; that's now impossible with YouTube Music.
I wouldn't recommend keeping your TOTPs in LastPass Authenticator at all. That's worse than having them in Bitwarden given LastPass's track record. If you want something with cloud sync that isn't your password manager, maybe try Authy? (I don't recommend Authy, but it would be an improvement.)
IMO it makes sense to have most of your TOTPs in Bitwarden - anything that isn't critical. The reduced friction means you're more likely to enable TOTP 2FA for every account that you can - net increase in security compared to not having it at all.
For your critical accounts, I recommend securing them with your YubiKey via U2F / WebAuthn if possible. If not, then use your YubiKeys to store the TOTP codes. If you need/want a better backup than a second device, you could consider literally writing them down or backing them up into a VeraCrypt encrypted container. You could also use an open-source, local-only TOTP app like andOTP/Aegis on Android or Tofu/OTP Auth on iPhone.
Aegis [0] is a much better alternative to Authy if having backups is a must (and even if it isn't too), especially because you will be in control of these backups. If you are on iOS, Raivo [1] is a similar alternative that provides encrypted backups to iCloud.
If you use the browser extension, it provides resistance against phishing attacks because the password and TOTP won't auto-populate. It doesn't help against sophisticated MITM attacks at all - for those you need U2F / WebAuthn.
It helps against brute force attacks but how much it helps depends on the service. If your service prompts for a 2FA code when provided with an incorrect password, then it helps a lot. If an attacker receives confirmation that they have a correct password before needing to enter the 2FA code, then it helps less.
TOTP in Bitwarden (or 1Password or KeePass) is an upgrade over SMS authentication in terms of both security and convenience.
For most people, TOTP in a dedicated app is not actually much more secure:
1. They could lose the device. Without a backup, they're suddenly unable to login to their accounts.
2. Their device may not be well secured, e.g., either not requiring auth to unlock it or only having a 4 digit PIN.
3. They're likely logging into accounts on their phones and have the password manager and TOTP app on their phones as well.
4. If the TOTP app has backups, then it's vulnerable.
5. Such a user may be less likely to use 2FA in a given app because it's less convenient.
If you secure your devices with long alphanumeric passwords, secure your password manager with U2F / WebAuthn and an even longer alphanumeric pass phrase, and consistently enable TOTP 2FA, then you'll be more secure than the person who either uses it less consistently or who uses it on device
Yes, you would be more secure if you used it consistently AND had 2+ dedicated devices for your TOTP codes (your main device and at least one backup). But let me propose an alternative: do that just for your most critical accounts, but use your password manager's TOTP solution for everything else.
Which dedicated device would I recommend for storing your TOTP codes? The same one I recommend for U2F, the YubiKey 5 series (specifically the YubiKey 5C NFC). It can store up to 32 codes, which for 99% of people is more than enough for all of their critical accounts.
> TOTP in Bitwarden (or 1Password or KeePass) is an upgrade over SMS authentication in terms of both security and convenience.
The article makes a similar point:
>> Among the people I’ve “interrogated” about sufficiently securing their online accounts were few who proudly said they’ve adopted a Password Manager and… they’ve copied their favorite password that they’ve been reusing all over the place into the Password Manager. And now they use the Password Manager’s web browser extension to paste the same password into each login form. Well, the only thing they’ve gained is a false sense of security.
>> However, if they do add a 2nd factor of authentication, even if that’s a TOTP managed by the same Password Manager, they do end up in a much better place. Now, looking back at the attack scenario I described above, their leaked password is not enough to log into other online accounts. Yes, they are still vulnerable to a scenario where their Password Manager account gets popped and the TOTP secrets are revealed. But still, their security posture has improved a lot!
KeePassXC allows you to store those TOTP codes and lock your password database using YubiKey. Even if someone steals your password database file, it won't work as the attacker needs your YubiKey too.
> Even if someone steals your password database file, it won't work as the attacker needs your YubiKey too.
It's the same with any password manager. The issue is, after someone somehow had one peek at the decrypted data, they have all the TOTP seeds they need so they no longer care.
TOTP in another app is not more secure because TOTP is not secure (not phishing-resistant against real-time proxy attacks even script kiddies can pull off thanks to Evilginx).
FIDO2 and FIDO U2F are phishing-resistant, but almost nobody implements them, preferring security theater, and even when they do, not correctly (e.g. PayPal only allowing you to use one key, so if it gets broken or lost you are SOL).
Time-based One Time Password. If enabled, it's a 6 digit code that you enter after entering your password. Google Authenticator is the most well-known app that produces them.