
Ask HN: Where should I keep my recovery codes (Google account for example)? - asadlambdatest
Not sure if this is the best place to ask this but:
Like everybody, I have a lot of online accounts, which all require passwords. I have 3 Google accounts and each one comes with 10 recovery codes. Now my question is this: Where should I put them? Somewhere in my house? In my password manager app where all my passwords are stored? I try to secure my accounts as much as possible with different passwords and 2-step verification, but the recovery code is the last layer of protection for an account and I want to keep it in a safe place. Thanks!
Edit: word
======
drunkenmonkey
Convert the code to a numbering using modulo arithmetic. Take a movie file,
and encode black frames for a full minute for every number in your set. Burn
the movie to a DVD and add it to your household collection.

If you need to recover the recovery code, watch the movie with a notepad
handy.

~~~
ezekg
This is the answer I was expecting from HN. Thank you.

------
bblough
I keep mine in my password manager, which is synced across all of my devices.
That way, if I lose access to my 2FA device, I can still get into my accounts,
even if I'm traveling.

~~~
marcc
Doesn't this make 2FA less secure for you? Assuming your password and your
recovery codes are in the same place, that's only one factor auth.

~~~
bblough
In general, an attacker wouldn't be getting my password from my password
manager, they'd be getting it through phishing, or brute force, or some other
way. If they acquire my password in any way other than a total compromise of
my password manager, then 2FA still protects the accounts.

If an attacker is able to compromise my password manager, then quite frankly,
I have much bigger issues to worry about than my 2FA codes. But there are ways
to make that harder, too. For example, some password managers also support 2FA
(mine supports Yubikey).

------
kasey_junk
Physically secured storage. Either a safe deposit box or a fire safe in your
home.

~~~
runamok
I just implemented this. Ultimately I want to have 2 USB sticks with VeraCrypt
on them, with the recovery files in the volume.

For now I just zipped them up in an AES-256 encrypted zip file. Keep one in
the fire safe and maybe one in my car or work.
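
The "AES-256 encrypted file in the fire safe" step above, as an added example that is not code from the thread: it uses openssl enc (an assumed substitute for the zip tool; the VeraCrypt volume is not shown) to seal constructed sample codes under a constructed passphrase, records a checksum so a corrupted USB copy is detectable, and checks that the sealed copy decrypts before the plaintext is deleted. The 600000 PBKDF2 iterations are an assumed value.

```shell
#!/bin/sh
# Added example (not code from the thread): seal constructed sample recovery
# codes into a passphrase-protected AES-256 file, record a checksum of the
# sealed file so a corrupted USB copy is detectable, and prove the sealed copy
# opens again before the plaintext copy is deleted.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CODES="$WORKDIR/recovery-codes.txt"
SEALED="$WORKDIR/recovery-codes.enc"
PASS='example passphrase, not a real one'   # assumption: typed interactively in real use

# Constructed sample codes; real ones come from the account's security page.
printf '%s\n' 'account-a 1111-2222' 'account-a 3333-4444' 'account-b 5555-6666' > "$CODES"

# Encrypt with a random salt and PBKDF2 key stretching (600000 iterations, assumed).
seal_codes() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$CODES" -out "$SEALED" -pass "pass:$1"
  openssl dgst -sha256 -r "$SEALED" | cut -d' ' -f1 > "$SEALED.sha256"
}

# Decrypt to stdout with the given passphrase; exits non-zero on a wrong one.
unseal_codes() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$SEALED" -pass "pass:$1"
}

# The sealed copy matches the recorded checksum (bit-rot / truncation check).
sealed_intact() {
  [ "$(openssl dgst -sha256 -r "$SEALED" | cut -d' ' -f1)" = "$(cat "$SEALED.sha256")" ]
}

# The sealed copy decrypts back to exactly the original text.
roundtrip_ok() {
  unseal_codes "$1" 2>/dev/null | cmp -s - "$CODES"
}

seal_codes "$PASS"
if sealed_intact && roundtrip_ok "$PASS"; then
  echo "sealed copy verified; safe to delete $CODES"
else
  echo "verification failed; keep the plaintext until fixed" >&2
  exit 1
fi
```

Copy the .enc file and its .sha256 together to each USB stick, and repeat the checksum and round-trip check on the copy itself, since the stick is the thing that will be sitting in the safe for years.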

~~~
kasey_junk
My process is simpler. I printed out the recovery codes on paper and stored
that in my fire safe.

------
seanwilson
On paper somewhere you keep in several places? You never know when your mobile
or laptop is going to break or get lost for 2FA. It's not likely an attacker
is going to steal your note of these and know your login.

------
gregjor
Written in my passport, mixed in with visa stamps. Hard to tell what they
might mean if you don't know what to look for.

~~~
shincert
You've just told the whole world. Not so hard anymore.

~~~
gregjor
Crap.

------
ioddly
I wrote them down, put them in an envelope and in my safe deposit box.

------
kuroguro
Encrypted archive stored in an unrelated backup service?

------
fiftyacorn
KeePass or similar

