Joined the channel. Thanks for the invite!

For a more detailed explanation of how to set up KeePass, [there are many guides readily available](http://lmgtfy.com/?q=how+to+keepass).

Yes. In fact KeePassX2 and KeePass databases are compatible with each other.

I'm going to go ahead and urge everyone [**not** to use LastPass](https://www.hackread.com/lastpass-hacked-this-time-for-good/). They have been compromised in the past. With KeePass (even if you're using DropBox to sync multiple devices) the amount of surface area you leave exposed to possible attacks is way lower than with a service like LastPass - which is known to be a central location for login credentials of countless users.

I don't deny that LastPass has certain features with are a convenient, such as sharing login details for a specific account with other LastPass users, but you're trading convenience for security, which in the big picture has far too much in common with trading liberty for security: those who do it deserve neither, and will probably lose both.

If you have a Yubikey/Nitrokey or similar, it is possible to use it for 2FA in KeePass.

http://i.imgur.com/yiHh8nA.gif

As long as you have as strong passphrase, the keepass DB can be safely sync'ed via cloud storage, since the data in it is encrypted. Alternatively, [Syncthing](https://syncthing.net/) can be used, allowing for cloud-less synchronization across multiple machines.

If you are on android there is an, currently unreleased but usable, 2FA generator called "andOTP". In contrast to the mentioned Google Authenticator you can backup the entries with a strong password in an encrypted file. If you lost your phone you can install the app and restore it with the encrypted file. But don't forget the password :)

The app is available on the playstore and as well in the F-Droid store. If you are deeper in programming android or even java you can read the sourcecode on github as well or compile it on your own.

https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp

https://f-droid.org/packages/org.shadowice.flocke.andotp/

https://github.com/flocke/andOTP

If you are using Authy, it backs up your keys on their servers - but this is less secure for obvious reasons.

For Google Authenticator, you need to back up the key when you set it up. Unless your phone is rooted, you have to make a backup of the QR code that you scan with your phone, or better yet, write down key provided along with the QR code.  On a rooted device, you can simply back Google Authenticator up with Titanium Backup (just make sure to backup your Titanium Backup folder to a device other than your phone, and be sure to encrypt the backup since the authenticator secret keys are backed up in cleartext).plain

it is not always easy like Bittrex gives 7 day trade ban on 2FA key recovery request and bitfinex also block ur activities for some time and u need to have SMS recovery.

It's non-trivial to do so because the only way the chain currently verifies a transaction's validity is by checking the digital signatures on the tx. While creating a 2FA mechanism for transfers on the steemit.com frontend interface would be easy it would in no way thwart an attacker who got control of an accounts private keys (they could just import the keys into cli_wallet and empty an account that way), without major changes to the backend. In order for a meaningful improvement in security, 2FA capability would have to be baked in to the STEEM blockchain. It's possible we'll see the addition of such a feature in a future hardfork someday.

IMO, hardware wallet support would do considerably more to ensure safety of high value accounts. I'm hoping 
 that once the BitShares Munich devs finish coding Ledger support for BTS it might get ported to STEEM. 

In the meantime what you can do is only perform transfer operations from a trusted device. On all other devices, log in with your posting private key in WIF format, rather than your password. It's also best practice to log in to various applications built on STEEM (ie. ChainBB for STEEM) with your posting private key, rather than your password.

My only Apple product is a macbook that I have for the sole purpose of playing and producing music. I deliberately disabled iCloud and all their associated services. The word on the street is Apple take security seriously, so I'm inclined to say it can be used securely - as long as you're generating random unique 22+ character passwords for each and every account. That being said, I use KeePassX2 on my Macbook (pretty much purely for Soundcloud/Mixcloud logins). The only thing I use the OSX keychain for is locally stored wifi passwords.

My views, when it comes to security software - if it's not open source, it's not even in the running for something I would consider using. I may not have the skills to personally audit the code, but I (and/or others) could crowdfund a campaign to hire professionals to do it. I do not have that option for products that are proprietary, and in my book, Apple's (or any other company's) promise that their product is secure simply is not good enough without proper proof to back it.

Exchanges have been hacked too. There were many who reasoned "I'm not a security expert, I'll probably be safer if I entrust Mt.Gox with storing my coins, since they obviously know what they're doing" and lost everything as a result.

Personally, I find it absolutely mind boggling that a majority of exchanges allow users to make deposits and trade without enabling 2FA first. So many thefts could be prevented if more exchanges dared to inconvenience their users by requiring 2FA to be enabled as a prerequisite for doing anything else.

It's more convenient, for sure, but the way it binds to a phone number is a rather large lapse in security for the same reason SMS 2FA is insecure. Unless the choice isn't offered, I always select Google Authenticator over Authy.

This is a perfectly valid backup mechanism for 2FA keys, I would still write the 2FA keys down though (or have some additional backup mechanism). The flash memory on the phone you use could fail at any time. 

Never forget that the golden rule for backups is `x=n-1`, where `x` is the number of copies of your data you have, and `n` is the number of independent storage devices you have copies stored on.