4

I have recently started using a password manager, and I am worried about having a plan B in case I lose access to the vault file and need to access the passwords: for instance, both my laptop and my phone get stolen at the same time while I am on the road, and I need to access my funds on e-banking to buy a plane ticket.

Are there best practices on how to deal with scenarios like this one? One approach could be "keep your e-banking and your primary e-mail password outside the password manager, and don't use 2FA for those", but I understand that this weakens security in a different way.

This question is similar to this one, but I am asking about a different risk scenario.

EDIT: Just to clarify after reading the first two answers: I have backup, but accessing backup in a scenario such as the one I have described is a problem in itself.

Federico Poloni
  • 871
  • 9
  • 15

4 Answers4

6

Backups. Follow the 3-2-1 rule: three copies, on at least two different media, one of which is offsite.

Personally, my 1Password keychain is sync'd to my laptop and my phone. It's backed up regularly through Time Machine, both to the laptop itself and to a hard drive in my apartment accessed over WiFi. It's also sync'd to Dropbox, which allows accessing archival copies of any previous version. The Dropbox password is written down in a fire safe (arguably, it should be a password I remember — if the apartment burns down particularly spectacularly, that could theoretically take out the phone, laptop, hard drive, and fire safe).

Given this, I'm probably more likely to win the lottery twice than to lose my password vault.

Stephen Touset
  • 5,774
  • 1
  • 23
  • 38
  • Is the password to your backup also stored only inside the password manager? If so, how do you deal with the scenario I wrote in my question (abroad, laptop and phone stolen, need to access accounts)? – Federico Poloni Sep 19 '16 at 08:36
  • As I said, Dropbox. I don't currently use a password that I remember, but I probably should. – Stephen Touset Sep 19 '16 at 08:47
  • So, essentially, in the scenario I pictured you are hosed? – Federico Poloni Sep 19 '16 at 09:07
  • Not if you remember your Dropbox password, like I suggested? I also have a roommate who can easily access my fire safe, if given the location of the key. – Stephen Touset Sep 19 '16 at 09:21
2

In the scenario you describe: I'm on the road, both my laptop and phone have been stoled, I need to access by banking passwords, you are likely to fall in a classical security vs. useability question.

Highly robust solutions use something you have (the phone or laptop holding the vault) and something you know (here the master password). If you want it to work once you have no access to the something you have, you are left with only something you know.

You can imagine an acceptable but less secure solution here: you can use an online copy of your passwo. There are only things you now (dropbox account, location of backup file and master passwords), but you are vulnerable to offline attacks on you password files if you dropbox account is compromised.

An alternative would be to identify some data that you always want to be accessible (bank account password) and share them with someone you can trust (your wife/husband). It does make sense if you have a shared bank account... That way, you can stay with something you have + something you know, but some secrets are shared with someone else.

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84
2

This is one area where the promise of "you only need to remember 1 password now!" starts to break down.

At home it will never matter because I sync to several devices including my work computer, two home computers, at least one mobile device, and a USB stick for good measure. But if I'm traveling I'll probably only have my phone and maybe a USB stick.

So what I do is to memorize my primary email password which also gives me access to one of my online backups. In addition I'll be able to reset pretty much any password I use through this email, or through my secondary email which I could reset from this email if I needed to. If I needed to do online banking but couldn't use my password manager for some reason I could always reset my bank password.

Now I'm at more than 1 password to memorize, but it's still easier to memorize 4 passwords than 104.

Ben
  • 3,896
  • 1
  • 10
  • 22
0

The first case you're talking is losing access to your devices and the data on it. The solution is to have backup of your vault files. The backup could be on physical medium like flash or external hard drive. You could have online backup, taking into account your vault password is strong enough which it should be, on your own server or a cloud service preferably one with zero knowledge storage.

The second case is availability of your password data. In case you lost your physical devices you could access your online backup, so it should have a password you remember for quick access. You could use a multi word password with at least four words. In case of two factor authentication you could have a backup number with a feature phone. Moreover you could enable alternative ways for two factor authentication like email or backup codes.

Last but not least it's better to consider classification with password management. It means there should be at least two vaults for password storage. One for important stuff like banking information and another for general accounts. This approach takes slighter more management effort but gives more flexibility by having different strategies for security and availability. For example easier password and more backup locations for general vault and stronger password and conservative backup locations for important vault.

Koorosh Pasokhi
  • 1,107
  • 1
  • 9
  • 10
  • So, essentially, you suggest keeping my backup password outside of the password manager? I don't see how 2FA would function in the scenario I have described (laptop *and* phone stolen, far from home, need to access accounts). – Federico Poloni Sep 19 '16 at 08:40
  • Or, in other words: if everything you have with you gets stolen, how can you use "something you have" for 2FA? – Federico Poloni Sep 19 '16 at 08:43
  • 1
    Not sure how that would be a problem with using a password manager, that's a problem in general. If you're worried about access to your vault because of 2FA, then store a copy somewhere that allows printed backup codes or something to be used as the 2nd factor. – Ben Sep 19 '16 at 12:48
  • @FedericoPoloni as I suggested in the answer and Ben said in his comment you should use 2FA with fallback mode in these scenarios, like printed backup codes or email fallback. That's why I recommended to use passwords that you can remember in online backups so you can access your backup codes or email password. – Koorosh Pasokhi Sep 19 '16 at 13:57