This is good advice, and in fact I make and sell a line of offline password generator/recall rings, key fobs, bracelets and cards which help to do exactly this: tindie.com/stores/russtopia
The advantage to these is that they are not software which can be hacked like password wallets, being completely offline.
I'm not seeing what this adds. This is the same thing as putting up 2 passwords and calling it 2FA (which it isn't). Under the vast majority of threat cases I can think of, you are either still screwed because they capture your login at the same time they capture your master password or you are stuck back with the problem of remembering a secure, non-guessable element for every account, which is exactly why password managers exist in the first place.
This is either ineffective, impractical or both depending on the threat you are trying to protect against. It's also trying to solve a problem that was already solved. This is exactly the reasoning behind 2FA/MFA and making sure that access to multiple things is needed.
It would be much better to get a YubiKey or similar and put your HOTP/TOTP secrets into that so that it is physically isolated from your phone and the internet and thus can't be compromised without direct theft of multiple devices. You get the same advantages without the disadvantages and limitations of hanging your security on two of the same factor.
I had a related idea of how to do encrypted messaging: horcruxencryptedmessaging.jperla.com
This is exactly like salting hashes before storing them in a DB, quite clever.
While it is a great advice/suggestion, here is a catch that should be carefully considered. You can't have too many Horcrux phrases. Using the same one across all websites means that when a website handles your data irresponsibly and it is leaked to hackers/unintended users, then the phrase is ousted immediately and rendered useless (and leaves you under a false sense of security). So Horcruxes need to be used selectively. Not on websites that don't offer 2FA, but on websites/services where you trust them to handle your data responsibly. For example, using the same Horcrux for a food delivery app and a banking app is a bad idea. They don't do the same threat modeling and possibly don't look at data privacy and security with the same lens.
This is cool Phani, I have an add-on technique for it. Use a fixed number like 4 or 5 along with the Horcrux. After the password manager fills the password, press left-arrow 4-5 times (the fixed number that you have in mind) and start entering the Horcrux. You need to remember the number + Horcrux. Some of my colleagues were using it, I felt it was super cool. Just in case anyone likes it. 2FA is a must these days BTW.
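Added example (not part of this thread or the article): a small Python model of the two comments above. `compose` builds the typed password from the manager's random part plus the memorised Horcrux, either as a plain suffix or inserted after the left-arrow count; `shared_tail_run` shows what the "same Horcrux everywhere" risk actually leaks, by comparing two passwords character by character from the end, which is the self-check you would run before reusing one phrase across sites of different trust levels. All passwords and the Horcrux here are constructed sample values.

```python
import secrets
import string

# Constructed sample alphabet for the stand-in generator (not a real vault).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 20) -> str:
    """Stand-in for the password manager's random generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compose(generated: str, horcrux: str, left_arrows: int = 0) -> str:
    """Build the password that is actually typed into the login form.

    left_arrows=0 is the plain "append the Horcrux" variant from the article;
    a positive count models pressing the left-arrow key that many times after
    autofill and typing the memorised Horcrux at that position.
    """
    if left_arrows < 0 or left_arrows > len(generated):
        raise ValueError("left_arrows must be between 0 and len(generated)")
    cut = len(generated) - left_arrows
    return generated[:cut] + horcrux + generated[cut:]


def shared_tail_run(a: str, b: str) -> str:
    """Longest run of identical characters at the same distance from the end.

    Two leaked plaintext passwords that share a Horcrux (at the same offset
    from the end) share exactly that run, so this is what a breach of two
    sites exposes about the memorised part.  Random generated halves only
    collide at the same position by chance, so unrelated passwords give an
    empty or very short run.
    """
    best = cur = ""
    for ca, cb in zip(reversed(a), reversed(b)):
        if ca == cb:
            cur = ca + cur          # extend the run, keeping original order
            if len(cur) > len(best):
                best = cur
        else:
            cur = ""
    return best


if __name__ == "__main__":
    # Constructed demo: same Horcrux on two sites versus different ones.
    food_app = compose("Ab3kQ9xZ", "owl", left_arrows=2)
    bank_app = compose("pL7mW2rT", "owl", left_arrows=2)
    print("same Horcrux, two leaks expose:", repr(shared_tail_run(food_app, bank_app)))
    bank_app_separate = compose("pL7mW2rT", "fox", left_arrows=2)
    print("separate Horcrux exposes:", repr(shared_tail_run(food_app, bank_app_separate)))
```

The left-arrow trick changes where the memorised part sits, not whether it is shared: two plaintext leaks from sites using the same number and phrase still line up from the end, which is why the comment above argues for different Horcruxes per trust tier.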
Makes sense, reduces the possibility of the password manager being a single point of failure.
Also today I learned I can use a passphrase in Bitwarden :-)
That is such a good title I had to click :) Great job!
This Horcrux password is new to me, so did I get it right, you'll have your password auto-filled by 1Password (or whatever) and then type your addition to it (which was stored in your head)?
I use the following at the moment:
1Password (master pass only in my head, very long and random)
All passwords generated and unique
2FA for all-important apps with G2FA
To me, that seemed pretty solid because even if you'd get my 1Password you couldn't really get into the important part.
Came for the Harry Potter reference, stayed for the content. Great article! I use this approach when allocating secrets to users: the secret is a mix of a unique secret in the database per user, and an environment secret shared by all users. This way if one of the sources is compromised my secrets remain safe.
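Added example (not the commenter's code, and not from the article): one way to implement the "per-user database secret mixed with a shared environment secret" scheme described above, in Python with only the standard library. It uses HKDF-SHA256 (RFC 5869) with the per-user row value as input keying material, the environment secret as the salt and the user id as context, so a dump of the database alone or a leaked environment alone does not reproduce any user's derived secret. The function names and the sample secrets are my own constructions.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract a PRK from (salt, ikm), then expand with info."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_user_secret(user_row_secret: bytes, environment_secret: bytes, user_id: str) -> bytes:
    """Combine the per-user DB secret with the process-wide environment secret.

    Binding the user id into `info` means that even two users who somehow end
    up with the same row secret get different derived secrets.
    """
    if len(user_row_secret) < 16 or len(environment_secret) < 16:
        raise ValueError("both input secrets should be at least 128 bits")
    return hkdf_sha256(
        ikm=user_row_secret,
        salt=environment_secret,
        info=b"user-secret:v1:" + user_id.encode("utf-8"),
    )


def verify_user_secret(presented: bytes, user_row_secret: bytes,
                       environment_secret: bytes, user_id: str) -> bool:
    """Constant-time check of a presented value against the derived secret."""
    expected = derive_user_secret(user_row_secret, environment_secret, user_id)
    return hmac.compare_digest(presented, expected)


# Constructed sample inputs; in practice the row secret comes from
# secrets.token_bytes(32) at user creation and the environment secret from a
# secret store, never from source code.
SAMPLE_ROW_SECRET = bytes(range(32))
SAMPLE_ENV_SECRET = bytes(reversed(range(32)))
ZEROED = bytes(32)

if __name__ == "__main__":
    real = derive_user_secret(SAMPLE_ROW_SECRET, SAMPLE_ENV_SECRET, "alice")
    # An attacker with only the database dump has the row secret but not the
    # environment secret; modelled here by substituting a zero salt.
    db_only = derive_user_secret(SAMPLE_ROW_SECRET, ZEROED, "alice")
    print("db dump alone verifies:", verify_user_secret(db_only, SAMPLE_ROW_SECRET, SAMPLE_ENV_SECRET, "alice"))
    print("both sources verify:  ", verify_user_secret(real, SAMPLE_ROW_SECRET, SAMPLE_ENV_SECRET, "alice"))
```

The one operational caveat of this split is the same as for the Horcrux in your head: the environment secret is now required to reconstruct every user's secret, so it needs a backup and a rotation plan (rotating it invalidates all derived values at once), and it must be loaded from a secret store rather than committed alongside the code.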
The "2FA with my head" looks very interesting to me.
On a side note, the risk of using only one Horcrux is that if 2 of your passwords get compromised, your Horcrux gets slain by Basilisk venom (because that's an easy catch). Somehow Voldemort was ahead of us muggles in terms of security with the powerful choice of 7 Horcruxes.
Phani Karan, I use one password for password management, it works great and it also works great with the two-factor authorization for GitHub or any other site which supports 2FA.
Multiple levels of security are a good suggestion and a layman can adhere to the new rules of securing personal information. Appreciated for the quick education to the newbies.
So this is great but... I have left a sealed envelope for my wife in case I violate Rule #1 ("No dying!")
I would have to put my horcrux in there, which renders it pretty useless as such.
Thoughts?
Terrific job - well explained for someone not as familiar with password standards. Hope to read more of your posts!
This was such a fun read! All I gotta do now is change only every password of mine.
Very good idea. Best solution for my password management. I am gonna implement it.
Okay so I have been using this method of making my own extra word, remembering it and adding it to the password for some time now and it's been great. But honestly, I never knew this was "actually" a method that was used to give passwords an additional layer of security until I read this article. What an amazing article!