First, I’m so glad this turned out to be hypothetical, and you didn’t have to suffer through such a catastrophic loss. Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind, and you’d just be glad to have your life and your family - the only real things that matter in this world.
That said, planning a strategy for offsite data storage or a secondary authenticator is of course wise. A safety deposit box or other offsite location that you can frequently refresh and keep up to date would be a good investment. If you’re worried about keeping a master key to your life in a single place, you could separate your data and your authenticator. The how likely depends on your threat model, several people on this site may find it insufficient. To whatever degree you obfuscate or complicate your recovery path, you also increase the risk of losing access to it yourself.
You might also consider it’s not necessarily the “thing you have” that might go MIA, but due to physical injury, age, or just forgetfulness, the “thing you know” could also be at risk. I realize this the older I get. Finding a secure way to store a master password in the event you cannot recall it, or perhaps in the event of your death, is something you may also consider. In this case, I would avoid a cipher or something else you’re likely to forget.
Can't agree more with the last paragraph. Not too long ago, due to my keyboard breaking, I was forced to type my password manager's master password on an unfamiliar keyboard with an unfamiliar layout, and I just blanked. I type it frequently enough on my phone, so I tried typing it there too, but probably due to a combination of mild distress and actively trying to think about what I was typing I couldn't do it there either. I eventually decided to try again later and later that day I managed to type it correctly.
Rest assured, this situation probably sounds as bizarre as it felt. Randomly forgetting something I type every day isn't something I had considered a possibility until then. Maybe a password without as many non-alphanumeric characters would've aided in avoiding this situation, but I get the feeling it could've happened with any muscle-memoried password.
A user was having a really bizarre problem: They could log in when they were sitting down in a seat in front of the keyboard, but when they were standing in front of the keyboard, their password didn't work! The problem happened every time, so they called for support, who finally figured it out after watching them demonstrate the problem many times:
It turned out that some joker had rearranged the numbers keys on the keyboard, so they were ordered "0123456789" instead of "1234567890". And the user's password had a digit in it. When the user was sitting down comfortably in front of the keyboard, they looked at the screen while they touch-typed their password, and were able to log in. But when they were standing in front of the computer, they looked at the keyboard and pressed the numbers they saw, which were wrong!
My employer made me use an SOE Macbook that had the 'butterfly keyboard'. Many of its keys would only work haphazardly. Once I made the mistake of setting my password using the laptop's keyboard instead of the external one I normally used. It had me going for ages before I realised there was one letter in the password missing!
I find it incredibly annoying that my iPad wants to automatically capitalize the first letter of most text-entry fields. I heard somewhere that some sites have made the first char of their passwords case-insensitive because of this, but IDK if this is just lore.
I used to work at a company that had some LoB apps used on iPads in a manufacturing facility... if the user login failed and the first character of the password was upper case those apps would retry with it lower case.
Not on the client-side! Sometimes it happens when you're typing the first char, in which case you can hit shift (which is visibly activated) and then type the char. But sometimes it 'autocorrects' when you hit the return key, and the only workaround I've found is to type the password with the first char doubled, and then go back and delete the first of the doubled chars. Not fun, especially when you're navigating the cursor on a touchscreen!
Being fed up with people asking to use my laptop (some 20 years ago), I cleaned its keyboard and put the caps back on at random. "Yes, of course you can use it, here you are! Oh, sorry, I forgot the keyboard..." Peace and undisturbed working ensued...
Many people with mechanical keyboards (as in non-disposable keyboards) can probably relate to this, having put some keys back the wrong way after cleaning.
It's why the das keyboard with blank key caps was my favorite I've ever owned. It forced me to actually touch-type, rather than touch type the common keys and look for the rest.
Few years ago I went to a store and paid with my card and 4-digit password. Not 20 minutes later, at another store, I just couldn't remember the password anymore, missed it 3 times and got my card blocked.
I had to make a new card because I couldn't remember the password to unblock it at the bank.
I had that card and password for 3-4 years at that point, wasn't under any stress at all, and nothing like this had ever happened, nor happened again.
A year ago, I had to go to a bank office and engage in some verification process that also required me to use the physical bank card with its preassigned PIN.
No matter what I tried, I hit the 3-try limit for the day, and opted to have the same preassigned PIN sent by mail to my home address.
When walking back home from the bank branch I realized the mistake I had made: I had entered the correct PIN, but had typed it in calculator/numeric keypad order, and not in phone/PIN pad order.
While I've never used that PIN on a numeric keypad for a PC, somehow my brain associated the numbers with their order on a PC keypad, since I had used my PC keypad to unlock my PC with a PIN numerous times more than I had used any card terminal with a PIN.
So, the next day, I returned to the bank branch office to try the same operation again, and indeed - I had correctly entered the PIN and the online banking transfer limit ended up adjusted just fine.
For the past decade and a half, possibly longer, Japanese ATMs have replaced their physical keypads with digital ones where the numbers are randomly placed. Imagine my surprised when the first times I tried to enter my PIN, it kept failing until I took a good close look at the numbers.
Had the same experience. Went to an ATM one night and the PIN for my card that I'd used several times a week for probably a decade was just... gone. Never before, never since.
I once forgot root password to my FreeBSD installation, I spent a lot of time trying to remember it but failed. So I did a reinstall, and obviously recalled it when prompted to come up with a new one.
Completely out of the blue I forgot my PIN, the PIN I had used every day for years. I was at an ATM trying to withdraw cash, got it wrong twice. It was just gone.
Luckily I cancelled it before the machine ate it, but I had to borrow money from someone to get a taxi home.
I had to request a new PIN and I still can't remember what it was. I now keep my pin in my phone under a contact.
I’ve had the same experience. Walked up to an ATM for the second time in two days and my 4-digit PIN was simply gone from my memory. I never figured out what it was.
That was almost 30 years ago, and thankfully it hasn’t happened again.
I use my ATM so infrequently that it's happened to me a few times. I get cash reups selling stuff on Craigslist so I need the ATM like once a year. Luckily my ATM is right next to an in grocery store branch so resetting the pin is 3-5 minutes talking to someone irl
I've had this happen to me multiple times, and more often now that so much payment is contactless here (even though I still have the same code as when it wasn't). Additionally, something as simple as a different machine (the most recent instance was a touch screen) can throw me off as well.
I went for a week holiday and when I came back I couldn't remember the alarm code. Had to call the boss at 7am with the alarm blasting in the background.
I had a similar problem once. I normally use the dvorak layout but was on a qwerty keyboard. I don't remember exactly why, but I had to muscle-memory type the password as if the keyboard was dvorak and manually remap the characters using an image of a dovrak layout on top of a qwerty keyboard.
> My approach to that is to follow xkcd advice with an emergency password which looks less like a random string but more like a real world phrase.
Yeah, for my master password, I use a slightly misheard line from an episode of a 90's TV show. Googling my misheard version in quotes only gets 6 hits, and it's 30 characters long, so very unlikely to get cracked even without replacing letters with symbols or adding a suffix.
It reminds me of the time I tried to type my password on a keyboard with a French layout, but responding as if it had a US layout. It turns out, even if you think you know where all these special characters are, finding them under pressure (three tries before you're locked out) with misleading visual cues is hard!
Some countries even use more than one keyboard layout, so I try to stick to special chacters that dont change from keyboard layouts. Like dot comma and space.
Had that happen with a four digit numeric bank pin once, and several times since then with pass phrases. I tend to get stuck on whatever wrong pattern I entered first and have to try again later.
>but I get the feeling it could've happened with any muscle-memoried password.
I can confirm this. Many years ago I had to type for the first time a password on a classmate's iPhone (smartphones were just beginning to become common). The problem was that I didn't really know that password: what I remembered was a shape I was "drawing" onto the keyboard, which involved the numeric keypad... You see were this is going. That event was the one that led me to finally properly memorize that password.
This happened to me, I forgot my Android "pattern", the swiped pin-like thing to unlock the phone. I didn't have a password set. I was able to factory-reset it with my Google account password but I lost recent files that hadn't yet been backed up (photos etc).
I just totally blanked. Like you said, the more I thought about it the less I could remember what it was like. It was really scary.
My method of solving this is to only use familiar, well known information about myself as my master password. It's > 50 characters and contains addresses, old ID numbers, my public library card number, account numbers, old usernames from 5th grade (I've never seen another username even remotely close to either my first IRC name or my geocities username). I usually get the order wrong the first time I try it, but correct on the second or third.
Mild distress? I don't think that is so rare.
But, why are my phone numbers not in the same order as my keyboard numbers!
At my bank i drew a blank and had to sit at the assistants desk/ keyboard to fire off the muscles to enter in my old pw, in order to enter in an otu pw they'd generated.
A small annoyance is when I need to change my iPhone passcode because of it being work managed. The keyboard used during that reset is slightly different to the regular iPhone keyboard.
> Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind
It isn't though. Access to your digital resources is vital to recover from the loss. You need an e-mail address to arrange contractors, you need your contact list to reach out to friends for help, you need access to your bank accounts, your cloud-stored scans of your ID cards, ...
No. People have been trained to think they need an e-mail address for real-life things, but they don't.
I had a roof replaced in my last place, which involved multiple contractors and insurance companies. No e-mail. No text messaging involved.
I recently moved to a new city, and setting up utilities, dry cleaning service, parking garage, etc... probably involved a dozen new accounts. I gave my e-mail address to none of them. Depending on the disposition of the provider, I either told them I hadn't set up e-mail yet since I moved, or just a flat "no."
you need your contact list to reach out to friends for help
If you're over 40, you can remember the days when it was perfectly ordinary to remember the phone numbers for dozens and dozens of people and businesses. These days, we've allowed computers to think and remember for us (hello, Stackoverflow!) so we don't have to. Memory is a normal skill that many people have lost or neglected.
you need access to your bank accounts
That's why it's important to have your bank accounts with an actual bank, with actual branches, and actual human beings to help you when human being things go wrong in the real world.
your cloud-stored scans of your ID cards
I can't even wrap my brain around why you'd trust information this important to a rental computer a thousand miles away.
"Everything digital" is a marketing tool. In reality, it only works when it works. When things go wrong, digital shows its fragility.
>> If you're over 40, you can remember the days when it was perfectly ordinary to remember the phone numbers for dozens and dozens of people and businesses. These days, we've allowed computers to think and remember for us (hello, Stackoverflow!) so we don't have to. Memory is a normal skill that many people have lost or neglected.
Heck, if you're over 30 you remember this. The problem though is that you remembered those numbers because you dialled them frequently from memory (and, at least in my location, landline numbers were much shorter than cell phone numbers). If you're not doing this on your smartphone you're never going to be able to remember the numbers. e.g. I can remember all of my childhood friends home phone numbers. I can't remember my partners cell phone number.
I recently considered getting an analogue phone book and noting down all the numbers in my smartphone contacts book just in case I ever lost access to the digital version.
> People have been trained to think they need an e-mail address for real-life things, but they don't.
The Dutch government not only defacto requires it, soon an Android or iOS phone with their app will be required too. Only very determined, very patient people with lots or spare time will be able to do without.
I assume they do the same thing as anyone else in any other country does. They go through the fall-back bureaucratic channel of 'haul your ass over to a physical, brick-and-mortar agency office'.
I was thinking about this on the way home the other day. I'm the most tech savvy of all my family and friends. I live and breath tech. Code all day, game all night.
But I'm the one who hates all smart home devices. I'm the one who wants a dumb TV. I would be perfectly happy with my dumb phone if it didn't keep pocket dialing emergency services.
I'm in a similar spot and have an ancient, dumb plasma TV on its last legs. I've poured HOURS into researching a replacement dumb TV that is reasonably cost effective and available. It's way too hard. I can get commercial displays from Samsung that are about 50% more expensive than consumer grade and about 4 years behind in picture/quality but that's about it.
All of us--and I include myself although I try to have some backup information on paper--have probably become too dependent on a single physical device which sucks in more and more information every year. See ongoing digitization of driver's licenses.
Especially for international travel, but really generally, I try to make it so I'm not completely screwed if something were to happen to my phone.
I try to still print out boarding passes when I can cos I don't want to deal with delays or missing a flight if my phone runs out of battery, especially if it's a flight out after a full day out and about. It's also less annoying at the airport fiddling with my phone to get the right barcode up each time it's needed (and no, I won't put it in to Google wallet)
You'll start doing it again after someone swipes your phone at the airport (yes, this still happens) and you miss your plane waiting in line to deal with the customer service agents.
I guess that depends on airport. Typically I could get a paper one printed at kiosk using ID if needed, usually 10 min or less. One of the reasons I stopped bothering.
Yes, the "one device per phone number" restriction is quite annoying. I'd like to have multiple, functional copies of my phone. Instead I settle for a phone and a 4G watch, paying for one phone number for each. Since eSIM providers allow cloning but I haven't tried that yet.
> or perhaps in the event of your death, is something you may also consider.
When my dad died we were glad that he had most of his passwords written down. There are a lot of things like the electric bill that we didn't know if he had paid yet or not, and other bills that are entirely paperless that we have have no idea about. Mom would hate to have something not paid just because we didn't know to pay it. There is a lot of paperwork to get access to accounts after someone dies and that takes time. (dad donated his body to science so that added a couple months before we could even start the paperwork)
Unfortunately there was one account we knew he had (because it showed up in quicken) and an IRA with most of his money, but it took us several months to figure out what bank it was at. Please don't do this to your family: write down all your accounts and their passwords in a safe place that someone trusted will look. (I need to take my own advice)
Anyone who acts as the "head of their household" and manages the family's finances, pays the bills, and manages the day to day home ops, do your heirs a favor and write out a Death Book[1] today, that contains all your various accounts, passwords, copies of important documents, and so on. PRINT IT OUT and put it in a safe or other secure place. I recently had two acquaintances who died pretty suddenly and young-ish (in their 40s). One was prepared and had his shit together, and it helped his family more easily pick up the pieces while they grieved. The other one did NOT have his shit together at all, and the result was even more stress and phone calls piled on to his family during an already difficult time.
Good advice - tracking down all of dad's account information was very laborious after he passed away - we found an insurance policy that covered my mom that I assume he didn't know about since he never made a claim.
We have our list printed and locked in a firesafe (which is bolted to the floor and not easy to find for a thief), as well as electronically in a shared 1Password vault shared between my wife and I. My sister (and executor of our will) knows that the paper is in the fire safe, just in case something disastrous happens to both my wife and I. They'll need a locksmith to get in the safe though.
> the “thing you know” could also be at risk. I realize this the older I get.
Years ago, when I was in university, I had a couple of machines in my room running FreeBSD with full-disk encryption. These machines were powered on for a few months without reboots until one day when the power went out.
Having not typed in the password in months, and at the time using the kind of passwords consisting of long word with a lot of numeric and symbolic substitutions, I was unable to decrypt the disks of my machines.
I lost a fair bit of data that day, but it taught me a valuable lesson.
These days, any passwords that I use for full disk encryption I make sure to
1. Regularly use. Meaning I’ll reboot machines and retype the passwords on a regular basis. Likewise, I connect external encrypted disks on a regular basis and decrypt them with their passwords.
2. Use pass phrases with many words but without any numbers or special characters. See also https://github.com/ctsrc/Pgen
This is where risk assessment comes into play - people often consider it "evaluate the attackers and how to prevent them" but risks include many things; hardware failures, memory failures, human memory failures, etc.
And one of the biggest risks with encryption is data loss if passphrase are forgotten - using encryption usually involves considering that data loss is better than data exposure - which is obviously true for things like passwords (you'd rather forget your bank's password than have it exposed, because you can reset it) but not necessarily true for other data.
This can lead to things like encrypted systems but storing the off-site backups unencrypted because they're off-line and the only real risk is theft. Again, depends on what the data is.
This is why Android requires users to type their PIN once a week, even if you use biometric authentication. It's an essential practice that needs to be the norm for any biometric auth.
> Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind
To note, our banking system is well part of our digital life. Europe has already a flurry of “real” banks that have no physical presence, and after a catastrophic loss you’ll need that access to your bank as soon as possible.
This has made me think twice about using those banks (I'm thinking of Monzo etc.). I was already reconsidering anyway as all of these banks have been consistently reducing features and limiting usage (e.g. cash withdrawals) and generally making themselves worse than the 'real' banks.
It depends on the “attack” vector you see as the most problematic.
With a “real” bank, I had to go to an agency 5 times in a row to solve a paper issue because they wouldn’t just message me about it as it was “confidential” (they couldn’t validate our home address, though we were receiving their spam pretty fine), and the system was really built around the assumption that making you come to the agency was a no-brainer. The other options evolved snail mailing copies of the papers and waiting for them to process it.
There’s also the issue of “old fashion” people sticking more with traditional banks, making them skew their offerings towards these people. I was endlessly phone spammed with insurance and bullshit travel packs, and I couldn’t just block them as it came from my actual agent.
I think I'm lucky then. My 'traditional' bank is paperless, has a good app and website, and I can do everything over the phone with relative ease if I need to. It's all a bit clunkier than one of the app-native banks (which is why I half-switched to the app bank) but that's the software snob in me more than missing functionality.
A firesafe in a friend or relative's basement is a much better choice. Safety deposit boxes regularly get lost, tossed, or sold and the banks have very little liabilty.
I live in a fire prone area. I have a safe deposit box 30 mins away in a place that won't burn. I keep a HD there with all my photos on it. I refresh the drive monthly. The chance that this small credit union with maybe 100 boxes will lose, toss or sell my box on fire day is pretty minimal.
Yes, safe deposit boxes are not always as safe as spy movies would have you think (or even that we should assume them to reasonably be), but they can still be used as part of a disaster recovery strategy.
> A firesafe in a friend or relative's basement is a much better choice
The article addresses these options and why they are not ideal either.
Also, one thought experiment I just came up with: how many of your friends are you willing to let store their pendrives in your basement's firesafe? How often would you be comfortable with your friends coming to your home to update their pendrives?
I know several who I believe would be fine with it, all of whom I see regularly, usually down our usual pub, and all of whom would I suspect be happy to do an update at least every couple months in return for me buying them a few drinks for the hassle.
I already have multiple friends who have copies of my house key held in case something really stupid happens, none of whom found that weird and all of whom I'm willing to trust enough that I believe the risk of having multiple such copies extant but unmarked is significantly less than the risk of not having that fallback plan.
In fact, they all considered "being one of the spare key holders" to be an honour more than anything else.
I am very much aware that there are many people whose situations are very different than mine, but it works for me (and they're all wonderful people for whose existence I try to be appropriately grateful.)
I suppose they might want to encrypt a pendrive in case it was stolen from the friends housse. But you could do something similar with a piece of paper.
Pendrives aren't known for storing particularly well over the long term so they probably aren't a great choice anyway.
I have a recovery code for my iCloud written down on a piece of paper, in an envelope marked for my wife in case of emergency, in my office at work. There is nothing written on that piece of paper but the code.
It's not perfect security, but it's my security blanket in case my house burns down with my phone in it and I need to rebuild my whole house of cards.
> First, I’m so glad this turned out to be hypothetical
I've only learned about this is hypothetical from your comment (yes, I'm guilty of not reading to the very end). I wish the author conveyed that a little more clearly.
This is a common setup to build empathy so doesn't always mean "the following is a hypothetical thought exercise", such as "Imagine you find your self in the same situation as me, your house struck by lightning..."
It also detracts from the main point, which is this could happen to someone, but, since it’s hypothetical, makes it sounds a lot more unrealistic. The "fireproof but not lightning-proof" safe gave me pause, for example.
Building on the last paragraph, I keep my root PGP key on an encrypted USB drive. There's several files that are encrypted by the root key, but they're mostly like password manager recovery phrases as well as things like my birth certificate, social security number, and various government IDs I've used. There are two copies of this USB, one travels with me at all times, the other is securely stored and accessed twice a year to ensure it's still performing. Both USB keys have fuses that will blow if opened up. This makes it so that for the rest of my life I will remember one password.
Passwords can also be made more memorable. For instance, because a password manager remembers the rest of my passwords, I made this one what I call a "pattern password". On a US keyboard I could type it in seconds without looking, but it would be too complex to guess.
> Finding a secure way to store a master password in the event you cannot recall it,
Currently my master credentials are on an old USB stick (a Yubikey device that I got in an offer, though I only use it to type the long password as if it were a keyboard) and printed (plain and as a QR to save typing issues) & stored well away from the things they secure. The printed copies have the lot, the USB version requires a prefix which I remember.
This may seem risky (the old on-a-post-it-under-the-keyboard issue) but for my online backing and other key stuff the key risk is my password store which is secured by one of those master keys, and its main risk is someone remote getting access to both the key DB and the passphrase and it is properly air-gap secure against that. Similar for the encryption keys for local storage and off-site backups.
> or perhaps in the event of your death
This is a concern I've not at all addressed in my plans. The basics will be putting details in my will for how things should be accessed, but those details need to be both secure from inappropriate access and easy for th eright people to access when the time comes. Though as I have nothing much to leave to anyone that isn't too big a concern yet…
The halfway point is a bigger matter that I (and many others) really should address: what if I'm incapacitated temporarily or otherwise? Someone may need access to my stuff to sort a great many things while I can't. We've had an issue with this with my mother who due to dementia can't even sign her name, so neither she nor my dad couldn't access an account that was only in her name without a huge rigmarole of paperwork and assessments to sort out power of attorney. We've since got things sorted in advance of further problems (myself and my brothers set up with joint PoA so if something happens to him too we can sort what needs sorting more easily) but I have nothing like that setup for myself for either life stuff or technical stuff (or the things that are both).
I'm in good health as far as I know, but I'm not getting any younger (this year I'm on the cusp of leaving "the low 40s") and I've seen unpleasantly final things happen to people who were similarly good health as far as they knew.
This is also very relevant for family or trusted access. We had a hell of a time after my father had a stroke (recovered now) even though I had access to his computers and KeePass database - he had plenty of things where phone access was needed but nobody knew his unlock pin and it was required to reactivate fingerprint unlock.
It took me about 30 seconds to ask the question: If he's locked out of his digital life, how did he post the story to his blog? From that point on I knew it was hypothetical, but it was still a good read and raises important issues.
I'm a big fan of all lower case phrases as passwords now for this reason. Something like "this is my password there are many like it but this one is mine my password is my best friend it is my life I must master it as I must master my life". Very easy to remember. Very easy to type. Very hard to crack. Cheers.
Sure, I have to deal with password requirements when they're a thing. But for things under my control, like my encrypted drives, I do super long lower case letters as per my example.
For my bank from my country of origin that I maintain, I get a battery-powered RSA token. From that I can generate a mobile 2FA token in an app that I can use to log in for day-to-day transaction. If I lose the devices with the 2FA token, I have to pray that that CR2032 is still alive or I lose access to that account until I spend thousands of dollars on international flights (replacing the battery resets the device)
I lost access to my bank account in UK because my token ran out of battery. The only way to fix this is to fly to London and show up in person. This is a pain because I can't even figure out my account balance - and this is something I must report for U.S. taxes.
There's a youtuber/streamer I sometimes watch, an American living in Ukraine until the war. She fled to Portugal when the invasion started, and paid for an item with her credit card enroute. This triggered an automated lockout from the card suddenly being used abroad.
The bank's bureaucracy advised her to unlock it she needed to go in person to her home branch in Ukraine (which has a decent chance of being a pile of rubble given her neighbourhood was hit by shelling in the time after she left).
Similar thing happened here to my wife (US, bank in UK). "We don't send those out any more, just use your phone". But... a) my wife didn't have a phone at the time (not one capable of running their only supported version of their app) and ... one of the signup questions was asking about bank balance (or... recent transactions, etc) - but... there's been no recent transactions and we don't know the balance because... we can't log in.
This was... ~ 6-7 months ago. I'm unsure what options are left, or... if my wife sorted it out (she did recently get a newer iphone, and that may have been able to get it sorted).
Similar experience here, but when using the mobile app.
My bank in my country of origin also used to use a token, but they changed to a "token app" in the phone about 10 years ago.
However to authorise this app I had to use an ATM. Since this bank only has ATMs in one country, this means I couldn't lose or trade my phone.
After I moved I kept a super old iPhone in a drawer only for this bank, but at some point the app kept threatening me to upgrade, otherwise it would stop working in the next version. But I couldn't upgrade because my decade-old phone was too old for the new version.
Since even blocking my debit card via phone required using the "token app" (something incomprehensible to me), it became too risky to keep this account.
At this point I had no recourse but to close the account.
The Bank of America app only lets you install it if your Google (or presumably Apple) account country is set as America. I am abroad but needed to use the app. I had to create a VPN on an American cloud instance and connect my phone to it so that I could set my country to America and install the app.
I had similar problems. For one, the LloydsTSB banking app is not available outside the UK App Store, so I had to keep a second iPhone with a UK number while living in the USA just so I could have the app installed.
2FA can be "backed up" by either using a 2FA soft token program that allows for backups, like 2faone or Authy, OR by the services themselves granting backup codes for emergencies. For my threat profile, I have no problem storing my 2FA backup passwords/codes in my master password safe. If that is compromised, I was doomed anyway.
If a service does not allow the use of "generic" TOTP ala Authy or Google Authenticator, AND it does not allow for one time use backup codes, then I do not use 2FA with that service unless required. My main bank forces the use of their own built in 2FA (Symantec VIP on the backend) which pisses me off. My work uses Okta and RSA. Oh well.
Pretty much all the banks in my country (Sweden) use a local national digital ID system called BankID which is issued by the banks themselves to mobile devices as a second factor and gets tied to your national ID number (and once issued by your bank is used by your bank, other banks, the government for tax filing/address change/receiving official mail digitally instead of physically, signing contracts for e.g. apartments, and even retailers to address auto-fill).
All the banks I know of require 2FA in the form of either a physical, battery-powered RSA token (sometimes in the form of a EMV card reader) or a valid BankID.
The assumption is you live in the country and can just visit a branch if you have any trouble, which works for 99% of customers. But not for me.
Enforcing 2FA is the most effective security rule ever created. Vastly more effective than password rules, rotation, user education, any anything else ever tried.
With 2FA, almost all of the traditional attacks are impossible and the only one left is specially crafted fake login pages.
You're right when you're dealing with large groups of people which is exactly what I said in my original comment. If you understand these issues passwords on their own are fine. 2FA has some nasty edge cases that make it very easy to lose access to your account (which is what everyone in this thread is talking about.) So as always you're balancing security and availability. For some people the proper balance means just password authentication makes sense.
The best IMO would be client side certificates but no one except maybe Github supports those.
No, passwords on their own are never "enough" for you to be secure as you only control your side of the equation. You don't know if the place you are storing it is doing so in plain text, storing a decryption key right next to it, etc. Even if you are careful (I know what you said above), the network you are on could be compromised despite your best efforts/knowledge. Or any number of other things that could make it trivial for someone to gain access to your account in the event they gain access to simply the password.
I don't claim 2FA is perfect, it has its own host of issues as is being discussed. But it isn't just for "the masses that don't understand how to make strong passwords or how to be secure". Certs are good, but they need to be made simpler than they are now for the very people you claim 2FA is for or they won't be adopted (one of the reasons they aren't more ubiquitous, IMO). And some certs implementations have issues with account recovery as well if you lose access to them.
It's a really hard problem that you do a bit of disservice to when you dismiss it as "just a problem of the plebes".
Password-only authentication still has its uses. I don’t want to use 2FA when I’m logging into a website I’ll use once and never again and does not have any private info about me, maybe to post a comment for example. Or try a service they are demoing.
Those are totally valid use cases. In no way was I saying everything had to offer 2FA. Just pointing out that it is not just for those that don't know how to craft strong passwords or those that practice poor security hygiene, that it is a useful option to have when security is important.
A lot of work computers MiTM all traffic using a corporate certificate authority. A middle box tears apart the requests, and repacks it using its own cert.
It can also reduce fraud reports -- if a transaction was authenticated with 2FA then it's less likely the fraud claim is legit and more likely it can be tossed.
One bank I have set up in a new country set me up with their mobile app and that mobile app is the only way to access the bank. They have a web-app, but login to the web app can only be authorized from mobile. At least an existing install can be used to authorize installs on new devices. Got it on 3 devices installed just in case.
It shouldn't. You can just use authy, which allows you to onboard devices using your phone number, and then a password to decrypt the existing entries. If you use 2fa with authy, remember that password, and remember your password Manager's password, something like this scenario won't ruin your life.
You open yourself up to a much more devastating attack vector though: sim swapping.
If someone can convince the human at the other end of the line that they are you and that they lost their phone, in most countries and with most telco's, they will be able to get up and running with a new SIM with _YOUR_ number.
Resettting your Authy password via SMS is then just a step away.
I don't believe you are correct. I believe an existing installation of Authy is required.
>Can I reset my Backup Password?
> Yes, it is possible to reset your Backup Password by tapping on Change Password in the Backup Password area of the Settings menu within the Authy app. You will have to ensure all 2FA account tokens are decrypted on your device (No red lock icons). Once a user resets their Backup Password on a device, all other devices with the Authy app for this user’s Authy account will require entering this new Backup Password.
The fact that they disable SMS authentication for accounts that they deem "high profile" says it all.
Last time I looked, I don't recall there being a backup password (essentially a local encryption). If you SIM swap someone, you'll pull down their OTP seeds, but won't be able to read them without that code... so that's a slight improvement at least.
BUT! They have a recovery process. So the risk profile is convincing the telco to SIM swap + lodging a support ticket with authy (that takes 24 hours to complete).
You can reconfigure Authy to require an existing device to let you in as well. It won't prevent the "absolutely everything is fried" case but it's better than most password managers.
If someone tries to use SMS/Voice to activate Authy on my account it just gets rejected.
Pretty neat for everyone that uses two phones regularly! If you leave that other phone in your desk drawer for several years though, I wouldn't be surprised if it doesn't work...
Yeah i stopped using authy the first time a token was automatically seeded this way (may have been another way, but it was automatic and I didn't like it because I was also using the seed on my Pebble which i could then no longer do with this method). i prefer manual control over stuff like that and definitely don't want it assuming some magic is okay.
Oh no that's fine, I just didn't like the initial seeds for a new 2fa enrollment being magically transferred to the authy app without my control/intervention. See https://authy.com/guides/twilio/ and note that it's not the usual "scan the qr code". The seed is transmitted straight to authy, which, safe or not, takes away control from me to add that same seed elsewhere.
Authy requires a backups password to restore, or least it can be configured to. Of course, hopefully you remember it in a disaster situation. If you have a cloud password manager you can end up in a chicken and egg situation.
Looks like the backup password can be reset too by support, so while that present an additional barrier to the attacker, it doesn't sound that effective.
>If you lose your Backup Password, you will not be able to decrypt your 2FA tokens from Twilio Authy servers and access them within the Authy app on any other device (Eg: If you bought a new phone to replace an old or lost device). If you still have access to the original device on which you set up the Authy app with your 2FA account tokens for the first time, you can follow these steps to re-configure your Authy app on a new device.
Authy admins cannot reset this password. It looks like they can disable encrypted backups, but not decrypt your shit.
So basically all an attacker should be able to do is gain control of your account, delete your old 2fa codes and then add his own.
How does that square with their blog post about understanding the risks of using SMS [1]?
>5 – 2FA Recovery
>Imagine this scenario: You installed Authy, lost your phone, your laptop is broken, and the bitcoin price is climbing like crazy. You need to login to your crypto wallets, but you either enabled multi-device and all the devices with Authy are not working or accessible, and your account has been tagged high-risk, and you can’t use SMS to install a new Authy app. What are your options?
>Authy has a 24-hour account recovery process. By providing your phone number to Authy Support, we can go through a set of security processes to re-enable your ability to install Authy. Some users may question why account recovery isn’t instantaneous, but our goal is to 100% protect our user’s accounts against an attack or hack, and that includes our recovery process. This 24-hour period allows us the time to perform the necessary due-diligence to verify that you are who you say you are. We’d be doing a disservice to all if we were to rush this process.
Adding a device to your account and encrypting the tokens are distinct unreleated steps.
When you enable encryption, they derive an encryption key off the passcode you provide, encrypt the tokens, then store them on authy's cloud storage. The encrypption key is never sent to authy's servers, and only stored on device. When you add a new device, you're prompted to enter the passcode, which generates an encryption key and decrypts the tokens.
How is support going to decrypt the tokens for you? They need the password, which they don't have.
You use support to add a device to your account, and then you use the password to decrypt your tokens.
Granted, an attacker could gain access to your authy account and then delete all your tokens, but that's different from being able to log in and start using your TOTP 2fa codes. You should also have recovery codes written down somewhere in the case this happens for all your services.
I literally just restarted everything from my previous post with more words.
Then their blog post doesn't make any sense. The answer to their scenario is that the user is fucked and they are locked out of everything.
>You installed Authy, lost your phone, your laptop is broken, and the bitcoin price is climbing like crazy. You need to login to your crypto wallets, but you either enabled multi-device and all the devices with Authy are not working or accessible, and your account has been tagged high-risk, and you can’t use SMS to install a new Authy app. What are your options?
I've got a 2fa backup code in a DNS entry on a free hosting provider. I've got another hidden in some public source code, masquerading as an example encryption key. There's all sorts of digital hiding places these days. Self signed certificates (serial number, subject, issuer, etc), http headers, etc. Other possibilities are accounts with determinate passwords (eg. a hash of your name) that are used only to store your secrets.
Google authenticator will also backup your keys to the google cloud so installing it on a new device will just work. You'll, of course, need to remember your google account password and not set it up with authenticator as the second factor.
(I don't know much about authy, I only use it to access m sendgrid account, but I didn't like the fact that it used SMS for setting up or restoring an account.)
Last i knew, Google hadn’t updated Authenticator in years. Maybe it’s a mature product and doesn’t need updating, but given Google’s history of dropping projects, I moved from Google AuthenticTor to Authy (by Twilio, an enormous company not fly-by-night)
Well, Google Authenticator uses a standard, well documented algorithm (TOTP) and there is really no reason to touch it unless they discover a security issue, it becomes incompatible with the latest version of android or there is a pressing need to improve the UX. But the UX is pretty simple.
I also have Authy, because that seems to be the only one that SendGrid will work with, but exactly because of this I thought that was non-standard. But as I can see now, they probably also support standard TOTP. But they rely on SMS for initial authenticaion (when you install or re-install the app) and I don't trust that. On a side note, Microsoft also has an Authenticator app, which also supports the TOTP standard. (So it can work wherever you would use the Google Authenticator.)
> But they rely on SMS for initial authenticaion (when you install or re-install the app)
It's been a long time since I installed it, so I'll take your word for it. They have my email address displayed in the app, so maybe I can do authentication on a new device over email, too. But regardless of how you initially authenticate a reinstall (email or SMS), as long as you are using the Authy cloud backup -- which is password-protected and cannot be reset over SMS or email -- what is your concern (genuine question)? I do not see the security risk, but I'm no expert.
Mainly the SMS thing. As far as I can remember, when I reinstalled it on my new phone (about a year ago) I just had to verify my phone number via the SMS they sent.
Also, as I have already been using the Google Auth app, I was somewhat ignorant to check out Authy more in detail. Up to know I thought it wasn't using standard TOTP but some in-house developed algorithm by Twilio (or maybe a lesser known/less standard one) because SendGrid specifically tells you to use Authy. Which in itself seemed like a red flag.
I would suggest keeping an eye on the voltage with a meter and when it starts to drop solder on a second battery while you replace the first, the same way people replace game cartridge batteries without losing SRAM saves.
How? The original battery provides power while you're soldering on the backup and the backup is solidly soldered on while you swap out the original. How could you be so clumsy you rip out a solder joint?
A bit OT, but at least for the Game Boy you can pop the cartridge (front of the case off) into a console (GBA is especially good as it only covers part of the cart), power it on and then replace the battery. The game save will remain. Or you can use something like the GB Operator and backup the game save, replace the battery and then rewrite it to the cart :)
This recently happened to me after my laptop and phone were stolen on vacation. Everything is in 1Password. I of course didn't have the recovery paper with me. I recently changed my iCloud password to be more secure, and luckily I remembered it. But I needed 2FA to log in still.
I had to go to an AT&T store, port my phone number to a different iPhone, restore from an iCloud backup using the SMS 2FA, and then I could finally log into 1Password for my passwords and MFA.
If I didn't have a memorable iCloud password this would have been impossible without the 1Password recovery paper.
Devices are often lost/stolen on vacation where the myriad layers of protection are extremely hard — if not impossible — to penetrate.
This is why some of my most important accounts (iCloud, Google) are passwords that I've forced myself to memorize. I've been stuck in the chicken and egg quagmire before and it really sucks. iCloud is particularly bad especially on the phone because none of the popups have password manager support so you have to manually go look it up, navigate back to whatever prompted for the password, and re-trigger the dialog.
If you (the Royal ‘you’, I’m not having a go at you) have 1Password and you do not have a printed, sealed copy of your recovery steps safely hosted at a best friend or relative’s house then I think you’re bonkers.
It’s so easy. Print it out. Write your password on it. Put it in an envelope and seal it. Give it to someone – suffice to say you trust this person with your life – who doesn’t live next door (otherwise their house burnt down along with yours).
You never need do anything ever again, other than not change your master password.
As joshstrange mentions above, iCloud password prompts don't support password managers, which is the main reason why I have a memorable one.
Password managers are more useful to me than a spreadsheet in iCloud. I don't see why having a memorable iCloud password implies I should get rid of a password manager.
Do you have a spreadsheet of passwords in a cloud account somewhere?
A password manager mitigates other threats that a spreadsheet in iCloud Drive does not, such as a program just directly reading it and ruining your life. And, anyways, password managers give you auto fill which is a significant quality of life improvement.
A memorable password is not a bad password, if done right. I have a password for both my google account and Apple ID that's easy to type because when you're in device setup you can't auto fill and so random passwords are a huge pain
When I was doing IT ops for a company, we had a little program that generated 4 random common words and put a symbol between them (!.@#$%). Super easy to type and fairly easy to memorize, but according to every password checker also really hard to crack.
"Broth.Dogs.Run.Blue" is 10x easier to remember than "$#kdSk$SWE223" but 1000x times more secure. Probably more so, because you are less likely to have to write it down to remember it.
Password managers plus biometric auth mean I almost never even need to copy-paste a password, let alone type one. I just hit "fill" and it fills it in. For most of the services I use these days, I've never typed or manually pasted the password, ever, not even once.
Yeah, I have a few key passwords (email and password manager being the main ones) memorised, and also stored written on paper in a safe place. Password manager also explicitly doesn’t have 2FA enabled so I should always be able to access that so long as I have an internet connection.
Now that I think about it, I might need to rethink my 2FA strategy for email to ensure that’s also accessible.
Something like this DID happen to me a few years ago... but really? If i don't regard the lost documents (ID, drivers license, ownership documents...) took me a few months to get newly issued and there is still a gmail and amazon account out there i will perhaps never be able to log in again there was really no big problem.
This is also the incident that convinced me to NEVER leave my current bank: I am at a tiny, tiny local bank with perhaps 50 employees... so, they did know me and it was no problem to get money and a new set of cards. The funny thing is: Before that incident i was contemplating about moving to a more modern bank which offers an app...
> i will perhaps never be able to log in again there was really no big problem.
If you use Google as your identity provider and Gmail as your recovery (or registration) email for every online service you use, it's a big problem.
Remember: you don't remember all those passwords (if you do, they are probably weak) so you need the recovery email. But you cannot access your email, because you lost both your phone and 2FA to log in elsewhere. So it's not just Gmail, it's every online thing you use.
But maybe you don't use Google and Gmail like this. Maybe you have a separate username/password for every single online thing. Ok... what were those passwords again?
Let's say you are using Microsoft as your identity provider (can this be done? never seen it) and Outlook as your recovery email. How does this help in this scenario:
- You lost your phone and laptop.
- You lost your 2FA device.
- You lost your recovery codes.
- You lost any way of demonstrating you are who you say you are.
How is Microsoft Outlook going to help you? Are you going to call a Microsoft support person over somebody else's phone and tell them to please help you? I don't think the problem is Google in this scenario (I've no love of them, mind you).
Asking people to stop using Google and Gmail strikes me as unrealistic as asking them to stop using Facebook.
I am talking spesifically about email - with namecheap you can literally show them your ID document, they have your phone number on file and they can call you. They have to help you access the service you paid for, otherwise you have grounds for a lawsuit.
I have not tried this with microsoft, but ai imagine it should be similar.
There is nothing special about Gmail, why do you have to use it?
I had this warning 14 years ago when a friend's gmail was stolen and their support (back when they had it) refused to lift a finger despite him selding a scan of his ID, etc. I am never using free service for something vital again.
> I can walk into a physical store of my phone company and have a new simcard in minutes
This doesn't work in all countries.
> Setting up forwarding takes a couple minutes. This isn't like leaving WhatsApp where you are stuck
I find this unsatisfying. In this day an age, your email is often your id. I don't feel comfortable with my id being one thing to some people, and another to others, without rhyme or reason. I'm also not comfortable with having forward configured in an (allegedly) unsafe account I may lose access to.
I don't know, and it terrifies me. I don't have a good answer to this. This is why TFA resonates with me.
I think we need some sort of unified online identity that is relatively easy to recover in case of accidents but very hard for hackers to crack/steal, and also that this identity cannot depend on the whims of Google, Facebook, Microsoft or any corporate provider with arbitrary and opaque appeals procedures.
I don't know what a truly achievable and satisfying answer would be like. I've lost some sleep over this :(
And don't get me started on backups of irreplaceable digital things like photos of your loved ones. I've really lost sleep over this. I do have some backups, but it's a chore and none are foolproof.
I have "recovery capsules". Some are electronic (high quality usb drive) and some are dead tree on waterproof paper. These get me back into my password manager and require things I know to decrypt. USB drive contains needed decryption software for lots of platforms. This bootstrap data almost never changes.
Emails, clouds, photos, etc get backed up automatically onto a homelab which stores data on ZFS. I manually do a backup (semi-automated, plugging in the drive to the dock is manual still).
I had a buddy I exchanged backups with but lost that situation, so I need to find a new one or two, but that gives me offsite backup.
Admittedly this isn't perfect - if my local city melts then I am screwed but also I probably have bigger problems then anyways.
> Admittedly this isn't perfect - if my local city melts then I am screwed
I wouldn't worry about this too much. Also if there is a nuclear war, I assume we will all have more pressing matters to worry about.
But for more common scenarios: the problem is that it feels like too much work. Convenience wins the day, even if I'm at the mercy of Google and their support is terrible and people frequently get locked out on a whim, and Google doesn't care. I know, I'm digging my own grave here :/
PS: I do keep my encrypted passwords database in a pendrive, and I do print recovery codes for Gmail. I suppose everything else can be recovered from those two (if Gmail doesn't lock me out on a whim). But in case of a fire that burns everything down, I'm lost. This doesn't address my photos either; I think some are backed up in... Google Photo? [facepalm]
The biggest benefit of a paid email provider is you have a paid stake in it. If you're locked out, you're still paying for the service so they have an interest in restoring your access so you continue paying.
A lot of places will let you back in if you can provide some transaction metadata like last charge date, billing address, last4 of card, etc.
Oh, when you call support they will go through a verification process. Worst case you send them a copy of your (new) drivers license/photo ID. As long as the person on the other end is a human, this isn't a problem but if you are facing Google which has no support, you are screwed.
> as unrealistic as asking them to stop using Facebook.
I don't use Facebook. Not an issue. Several family members also don't use it. I keep in touch with people by calling them by phone every few weeks.
> if you are facing Google which has no support, you are screwed
I agree Google has enough horror stories that make me dread the day disaster decides to strike.
I do have the suspicion their support is not entirely automated though. There are online groups of "volunteers" where, if you post asking for help and provide some evidence, your request will be magically expedited. This makes me think Google's official stance is "no human support", but really there is some unofficial support. Still terrible, but something to consider.
> I don't use Facebook
That's why I said what's unrealistic is asking people to stop using Facebook. For people who already use it.
As an aside, having people call me on the phone every two weeks just to see how I'm doing sounds like an annoyance to me.
> That's why I said what's unrealistic is asking people to stop using Facebook
I used Facebook since it was restricted and used it genuinely for many years. I stopped. Likewise for many of my family - they are ex-Facebook users.
> having people call me on the phone every two weeks just to see how I'm doing sounds like an annoyance to me.
To each their own but if you are using a platform that is in theory meant to connect you with other people.. then it sounds like you want social connection. Facebook is fake. Phone calls can be fake or awkward or other things too but the default tends to be pretty good with a bit of practice.
Having someone care about you enough to take the time to call you on a semi-regular basis is a feature, not a bug.
> I used Facebook since it was restricted and used it genuinely for many years. I stopped. Likewise for many of my family - they are ex-Facebook users.
Glad it worked for you, but surely you see the little value of the anecdotical? For most people, asking them to stop using Facebook is unrealistic.
> Having someone care about you enough to take the time to call you on a semi-regular basis is a feature, not a bug.
If you were my friend, I would kindly ask you to stop doing this. Maybe we wouldn't be friends. Once in a while it's ok, especially to arrange something, but semi-regularly: nope.
But we are getting sidetracked, the point was not to argue about Facebook. The point is that asking people to stop doing arbitrary things is unrealistic, and therefore it won't work.
In some instances i could remember the password in others... now, i just created a new account if i did think i would need the service. Overall, even if i did not gain ANY of this accounts back it wouldnt really harm my life. I would have to recreate some stuff from memory, find some other providers, all things considered it would have been more of an inconvenience than a real problem.
Some of these accounts may be services you sank real money into. Say, Steam or iTunes or whatnot. Or maybe you've built a reputation out of these accounts. Maybe you lost access to a blog or some other thing where you wrote or stored important stuff that matters to you.
If your stance is "hey, it doesn't matter if I lose all access to my online life" then yes, I can see why this wouldn't be a problem for you.
This article wasn't meant for you then, but for the rest of us.
Agreed, but making your own redundant backups is difficult and with plenty of pitfalls.
Do you keep your backup at home? It would be destroyed in the fire. Do you sync to some offsite which isn't the cloud? Who maintains it? How often do you do test your backups?
I make a daily backup on 2 ancrypted usb harddrives, in the morning when i go to work i take the nightly created backup with me and leave it at work and take the second drive that is at my workplace back home in the evening. Its not perfect, but secure enough for me.
Protecting your password db with a physical key sounds pretty stupid. I was always wary of 2FA for exactly this reason. It's something that you can lose or damage. Actually, it's pretty common to kill your most used 2nd factor, your mobile.
The solution here is pretty simple: learn 2-3 strong passwords. Definitely learn the strong password for your password manager and a primary email account, that you can usually use to reset the password to all the other accounts anyway. And don't use 2FA for those. I only ever use 2FA if it is enforced by a service. The real danger of not using 2FA is in your password being stolen. (Using strong passwords protect against brute forcing them.)
Also, about the hypotheticals: offline IDs (like passport and ID card) should be relatively easy to get hold of and once you have those you can have your bank account back. You obviously don't need to know your bank account numbers (that's not a password) and you can't fake your mother's name when you submit your data to a bank (because that's part of your ID information and it's almost certainly in your ID document anyway). Otherwise yes, use a random string whenever stupid sites ask for 'password reminders' or security questions.
Every article about 2FA lists the primary email account as the most important account to secure with 2FA, precisely because it can be used to reset all other passwords. And yet interestingly when I Google "why use 2FA?" the entire first page of results lists only spurious reasons (protection against phishing, brute-force cracking, social engineering, password reuse) and not the actual reason 2FA is potentially useful for securing a single-use, strong password (protection from keylogging and MITM attacks).
The thought experiment in the linked article makes it clear that using "something you own" as the second factor for your primary email account is not a good idea. I'm not sure what the best solution is, but I agree that the risk of having your single, strong email password intercepted is lower than that of losing your stuff.
Looking at one everyone say, using backup codes and asking friends to store them (preferably on a USB drive in an encrypted password store) can be a good solution. I don't think most people need to worry about criminals (or the state) tracking down their connections and extort the backup keys from them.
I would never enter my email password into anyone else's computer, though. And this is also true for all of the other important passwords too.
Yep lost my phone when I was outside the US. Couldn’t get it replaced for a month and lost all access to any accounts that had 2FA set up for that amount of time. It’s also almost impossible to get your sim replaced when you can’t show up in person and show identification I learned.
I noticed many people in this thread have the delusion perfect security can exist; perfect security is impossible; there are always drawbacks. You have a choice to make: it's either hard for you to unlock the relevant secret to the point of possibly being locked out yourself or: you make copies of secrets or use other redundances which makes the unlocking easier but the security lower.
In most cases the reasonable choice is to make it hard even for you to fully unlock all the secrets but not to the point that is nearly impossible because at the very least: you may want to have inheritance.
My digital life isn't as cloud-based. Most of it is in locally stored files. For example, my Gmail account is synced to a local Thunderbird instance and all my photo and video storage is local.
I have two sets of backup hard disks (each set is a current one, and an old one, both of which get synced; the old one only with the more important stuff since it is smaller). Both sets are LUKS encrypted. One set lives in the filing cabinet at the office (during the COVID lockdown it was at a friend's house). An automatic nag system bugs me if either set hasn't been updated for 40 days.
Updating them is semi-manual. Plug them in, enter the decryption code, run a script stored on the disk itself that gathers all the data - from all over my LAN - that needs backing up. When it's done, unmount and unplug the disk. Make sure one set is always offsite - update set A, take it to the office, store it there, bring set B home, update it.
It's not perfect. If the sort of disaster in this article were to strike, I'd potentially not have the last month's data. But I would have all my passwords (backed up on these disks) and if I had something that gives a last-resort recovery code, that too would be on there - in a separately encrypted sub-filesystem that I know the password to. This is so the super sensitive stuff isn't even decrypted fulltime on my home machine.
I should have readable copies of all the important physical documents and cards in this separately encrypted subfolder too, but currently don't.
To me these hard disks are one step removed from optical backups, which I used to make. The more "offline" the better. Even the currently local set is kept unplugged between updates. Also keeping a NAS at another location means having internet access at that location. The work network/firewall would not permit this use, for one thing.
I'm just as guilty as everybody for not doing this, but ...
perfect is again the enemy of good. Instead of a technically superior backup with rotation and all, it may be better to have some arbitrary, incomplete old backup lying around on a disk at someone's place.
I’d freak out if a friend came to me with a disk and told me to keep it safe.
Imagining someday I go on vacation and valuables are stolen, including that disk. Now that friend’s supposedly personal data is compromised, as of course they would set a lower protection on something that is supposed to be used during emergencies.
Same if the disk gets corrupted because we didn’t realize it’s stored next to the fan, and 2 years were enough to have an impact.
Or we lose it when moving but nobody realizes the loss.
So many weird scenarios, I’d feel more confident if they gave me their kid to raise for 5 years.
I wouldn't freak out. I'd store the disk with the same amount of care that I store my own disks, and I would insist that it is 100% encrypted with free space either encrypted or wiped. (If theft of a powered-off storage medium compromises the data, you're doing it SERIOUSLY wrong.)
Someone who is storing disks offsite is unlikely to have only one copy. I'd offer to review his backup strategy with him, but other than that, I'm "dumb storage", how my friend uses it is his business. I'd also make clear what expectations are if law enforcement or someone with a gun comes for the disk (they're getting it, that's what the encryption is for and I'm not going to jail/dying for something that should be solved with replication).
Do you mind me thinking these reactions are kinda weird? I imagine I’d say ‘sure’ throw the disk on the shelf, and not worry about it any more until they show up years later to get their disk back.
Then it’ll either work or not, but spending any time worrying about what might -with some infinitisemally small chance- happen seems pointless.
Imagining someday I go on vacation and valuables are stolen, including that disk. Now that friend’s supposedly personal data is compromised, as of course they would set a lower protection on something that is supposed to be used during emergencies.
Just use LUKS or FileVault full disk encryption. Your friend just has to memorize one password. If it gets stolen, it's as good to a thieve as random data.
Same if the disk gets corrupted because we didn’t realize it’s stored next to the fan, and 2 years were enough to have an impact.
I would tell them to make more than one off-site copy. It's their responsibility to not just depend on you.
TBH I wouldn't expect someone stealing hard drives along more valuable stuff to just plug it to their Windows machine and call it a day because it doesn't mount.
Also the thief doesn't need to be the one dealing with the data, the same way people stealing cars are usually not the ones brokering them, and brute forcing an offline password wouldn't be crazy long considering it's supposed to be memorable (possibly by more than one person)
Just to say, spreading backup hard disks here and there, and assume everything will be fine even if some of them get lost in the wild feels like a pretty laid back attitude in contrast to the length spent on having a fully functional 2FA system.
LUKS these days supports Argon2, which has configurable time, memory, and parallelism parameters; brute-forcing a single weak password can be as slow as you want it to be. The offline backup of my pass(1) repository on a thumb drive on my keychain takes more than 3 minutes to unlock on an i7-7700K.
Yes, the disk should definitely be encrypted, but it could be using a rather weak password that you can memorize. The key is not to put too much trust in anything, but also not overengineer the solution. Just like DVDs - you hand an old disk to someone without the expectation that it is usable, but it can become a safety net to recover some of your most important data. Lots of copies keep stuff safe.
Easy to memorize does not equal weak (i.e., easy to brute force.) You can use natural language to create very difficult to guess or brute force but incredibly easy to remember passwords.
Backups are not binary. As part of a backup strategy, it may be worth the $200 or so for a USB drive to have a somewhat stale year old backup of last resort sitting in a parent's or friend's closet somewhere. (Presumably encrypted.)
* Your password vult is encrypted locally and stored on their servers (just an encrypted file!)
* To unlock the vault, you need the password and the generated master code.
* The master code is a PDF to print, which you can give someone you trust – they still only have half of the things to get access.
The losing of digital life is completely solved. Just print that damn PDF give it to your parents and remember your password.
Not solved, because your parents could lose a piece of paper (I'd say that's actually a fairly high risk, not just theoretical). Anyone could lose a piece of paper, for that matter. You want multiple, distributed across at least three continents to be sure. The same with your password. ;-)
Even then - this is a fairly ugly solution. You're dependent on an external entity to be responsible with your stuff in the case of an emergency.
I love my friends and family, but I'm not sure I'd trust them to keep a random file/paper for years on end "just in case" and still be able to find it when I need it.
Personally - I went with the "extra yubikey in a safe deposit box" approach, and it still feels super shitty.
I don't know how you or your friends/parents store important documents but everyone in my bubble has multiple document binders with critical paperwork to keep. Adding a single paper to them is no problem, and the paper is not lost. Stuff is never removed from those binders, just new ones added.
Back when my parents were still in the land of the living, I would've been entirely comfortable believing that the odds of them failing at that would've been low enough that (odds of that failing * odds of my needing that data) would've been stupidly low - low enough I'd've accepted the risk and stopped worrying about it on the basis the likelihood of a problem at that point was significantly lower than many other at least as awful problems and I should focus on mitigating those instead.
It doesn't even scale. This assumes you're the only one with PDFs to share. What if you have siblings and other relatives, and all of them are tech-savvy -- if they aren't now, in the future they will be -- and want to store the PDFs with your parents.
What, are your parents going to be running a PDF storage service, classified by person? That's too much to ask of them (for most parents).
> What, are your parents going to be running a PDF storage service, classified by person?
I mean, it's a piece of paper. They could write the name of the person on the paper, keep them alphabetized, and store and search through hundreds of them easily (let's assume they're rabbits with hundreds of children). There may be all sorts of problems with this approach but I don't think burdening parents with paper storage is one of them.
Edit: of course, if they were rabbits I wouldn't trust them with paper storage. Rabbits are notorious chewers.
I dunno. I've already burdened my parents with plenty of things, and so have my siblings. I don't know that I want to make them responsible for storing random bits of paper they may or may not forget about.
All these "rebutals" to the pdf approach sound like those infomercial TV ads where people have trouble doing normal day to day things.
Like... mass enail the PDF to several members of the family and be done with it. Can it happen that 5 people at once lose their email access? Sure, but the probability is minuscule.
The comment I was replying to was about physical paper copies, not emails.
Distributing digital copies of your password store to your friends and relatives could maybe work. Be sure you're using a really strong password (that you can also remember by heart), because you cannot trust each friend will store the file responsibly away from prying eyes.
Remember the scenario:
- You lost access to your recovery codes and any handwritten notes, so you better remember the master password by heart.
- But this master password better be really strong, because each of your N friends you distributed your files to is a potential leak to hackers and thieves.
- (Tangentially related: remember you have no authenticator either, so your password store better include recovery codes, otherwise without 2FA you're screwed)
Put it with your will. If you have kids or any amount of savings you should have a will. Store it in two separate locations (your house, and someone else's).
Put it in a safe deposit box or store it at a notary like a will. There's multiple ways to store a piece of paper offsite without having friends or family.
That's not a technical problem though. Going to a bank and saying "my house burned down, here's an affidavit or a notarised document stating I am who I say I am" is fairly likely 5o get you access again.
It's SUPPOSED to be a shitty/frustrating/annoying process, not easy. This is your "break glass in case of emergency" solution - you don't want to ever use it and you want it to be super hard for someone else to compromise it.
We have plenty of ways to make this easy but if all those avenues are blocked because of some black swan event, you need a backup - and that backup can't be too easy because then it invites attack.
It's a pain in the butt, and it's very limiting because adding another secure service means going to the bank, so I try to limit the 2fa through yubikeys to things like my password manager, my keycloak instance, and other very important accounts.
My take is that 2fa is still not there yet, and I'm a little worried about the push for webauthn, since I foresee a lot of potentially lost accounts.
My first thought in that case would be to store fragments in multiple semi-trusted places that don't know which other semi-trusted places are involved with Shamir's Secret Sharing so "knowing what a majority of the semi-trusted places even are" is a prerequisite to recovery.
Delegating half of the problem to someone else is not what I’d call “completely solved”.
I suppose your point is, nobody should live a life where they can’t trust someone to keep that pdf for them, but it feels to me like solving a technical problem through social means. That’s a fresh take, but it also relies on so many assumptions.
But this technical problem is unsolvable, our industry lived in arrogance of pretending they solve problems they can't actually they don't, and blaming the user when it fails
I swear to god sometimes I feel our proffesion mostly consists of people that are a weired combination of arrogant and alternatively gifted. They do not value and do not understand how the rest of society does things.
Hundreds of years ago we have invented this cool thing called a Safe. It works better than 90% of tech-based security systems out there. Write something on a piece of paper, put it behind a locked door, and you will be safe from 99% of scams and attacks that exist. If someone breaks into your house, and get this piece pf paper they will be leaving real fingerprints, and real police will get involved. If noone breaks into your house, then only select few people are ever near that safe.
And even absent a safe... Absent a trusted family member pulling an inside job, how much risk is there really for an average--or even not so average--person to having accounts compromised because someone found passwords written down on a piece of paper somewhere in their house.
Yes, perhaps the equation changes if you have roommates/family you don't really trust.
The trick is to then store it somewhere that anybody who came into posession of it would be unable to figure out -what- master key it was for.
If a friend of mine has an arbitrary chunk of ASCII stored under their google contacts under a name only they and I recognise, absent rubber hose cryptoanalysis of them it's not going to be an issue, and frankly I don't consider that relevant to my threat model - if somebody's -that- excited about my accounts they'll start with the rubber hose on me at which point all bets are already off.
For some reason, I did not appreciate this hypothetical. I spent my whole blog post feeling sorry for this person only for them to suddenly declare it was all fake, and then immediately ask for money.
Normally I’m quite good about these things, but this was too much.
I’m not sure if there was any edit or not, I certainly felt it actually happened, though I’ll admit there were a few discrepancies.
E.g. the picture of the burning house is a McMansion, but the author indicates they live in the Uk. The passport is clearly set on fire, etc. But I could justify these as ‘well, obviously there is nothing left, so the author just took a random picture of a burning passport’.
Agreed, and I’m surprised no one else is saying it.
It activates the “I was just assaulted” empathy regions of my brain. Seeing that it was fake was like, oh, not assaulted, just lying for literary effect. Okay.
Like everyone else, I’m glad they’re ok, and didn’t have to suffer through this.
Easy solution would have been to backstop your secrets in a cloud storage account run by a firm that you can call on the phone and talk to a Unix engineer in California.
It would have been a pain and we would have made you jump through all kinds of weird hoops and I would have to be personally involved… but we’d have gotten you in.
After 21 years of this we’ve seen all of this - customers die, people are in comas, admins get fired… we’ve helped everyone and treated them like human beings.
"As I said in the post, if the company can grant access to me - they can grant access to themselves, or a malicious insider, or my twin sister."
Well, presumably the access is to (seemingly) random, gibberish data that you have stored with (borg, restic, etc.). So you'll need to remember a last-ditch passphrase to your own encryption if you're using us for your backstop.
We encourage all of our customers to encrypt their data here - regardless of their use-case - and we don't hold those keys.
I can't overstate to you just how suspicious and spidey-sense-tingling we get when someone says they are locked out and can we help them get back in. We get very adversarial and we have a LOT of tests we can apply to their claims.
The reason other firms don't do this isn't because it's not workable - but because it is time consuming and "not scalable".
We're talking about two different passwords - the password to your rsync.net account and the passphrase to (duplicity/borg/restic/etc.) that you used to create your failsafe backup here.
If you use an SSH key with a passphrase, etc., to access rsync.net that could, indeed, be an authentication that you lose because your phones and laptops and yubikeys burn in a fire.
But if you can authenticate to a human being, which you can here (after a lot of probing and testing), then the only thing you need to remember is your borg passphrase. Or duplicity. Or gpg pipelined through tar ... or whatever.
Also, for a bunch of cases, you can use something akin to a multi-step ceasar cipher.
Yes, the obvious case of e.g. rot13 isn't exactly helpful security wise, but if you select e.g. 4, 22, 18 as the rotation order now you only need to be able to memorise -that- to get your passphrase back from an otherwise unmarked file lying around in the same (or other) storage.
Obviously, think hard about your threat model for that one, but if (as I keep procrastinating) I ever put backups of such stuff on something like rsync.net I'd give something akin to that approach serious consideration as being an acceptable trade-off overall.
Right, but alternatively you could register an account with a password manager, use a (long) pass phrase as the password for that, and store all your other credentials in the password manager. That way you have full access with only a single pass phrase needing to be remembered, and customer support not required…
I don’t use a password manager. Instead, I have a formula in my head to generate a unique complex password for each site or online service based on its domain name and some other optional parameters, if the site has password constraints (eg. no special characters, short maximum length).
I have an encrypted plain text file (just a .txt in an encrypted macOS disk image) containing all of the parameters (if any) to generate the passwords for each site, which I keep on Dropbox, accessible at public URL I have memorized. This lets me easily update my password parameters file (open the disk image on my computer, update the .txt file, close the disk image).
This is the way to go imo, password managers sound cool and may prevent password reuse leak problems but what they also are is a single point of failure for all your accounts.
It's swapping a problem that doesn't affect you (especially with 2fa being a thing for everything now) for a much larger critical problem that can seriously screw you.
The problem with this technique is that if it's generated algorithmically with no "randomness" to it, someone else can figure it out.
You might be doing everything right, but perhaps your vendor's database gets breached, and your plaintext password for Adobe gets posted on the darkweb. So if someone sees that your plaintext password is "1a2s3d4fAdobe5g6h!", they might then infer how you "construct" your password, and then go try logging into your Amazon account with the same email address and "1a2s3d4fAmazon5g6h!" as the password.
The algorithm is considerably more complicated than that. Somebody would have to get ahold of several of my passwords (and the names of the services they lead to) to figure out my algorithm. For that to happen, someone would have to invest a large amount of resources to specifically target me, in which case I probably have bigger problems to worry about than some relatively low-stakes online accounts getting compromised. For extremely sensitive accounts (eg. bank, primary email) my passwords do not follow this scheme.
Remember, the vast majority of password reuse attacks are automatic credential stuffing, not deliberate, individual targeting.
Nobody is going to bother with reverse engineering your algorithm, or even bother targeting you individually, when it is orders of magnitudes more likely your passwords will be revealed via a garden variety database breach/leak. That low stakes online account you have? That's also the one likely to have their user account/password database stolen, which was stored plaintext.
Basically the threat model I am worried about is: random website gets hacked and loses its password database. So if criminals hack two such sites and correlate email addresses, they will see two essentially fully random passwords for me. If that happens to you, they might notice a pattern in website url and prefix/postfix characters.
Once that happens, a criminal could notice your password is more of a pattern than a full random password (of typable characters).
But in order to do anything beyond hacking the single compromised account, the criminal would have to reverse engineer my algorithm, which, as you said, nobody would bother doing.
In addition, the algorithm is complex enough that it would be hard for a casual observer to distinguish the embedded domain name from general password randomness.
Your scheme ideally would rely on not tying all your accounts together with the same email address
That is true, but this only becomes relevant when an attacker is manually searching for my email across multiple password dumps (as opposed to an automated credential stuffing attack), which means I’m being specifically targeted.
I don't know about that. Various episodes of Darknet Diaries make it clear stolen password databases are searched for any matching email accounts, which of course depends on the motivation level of the attackers. I suspect a simple "check all emails in this one database for a match in the other database" isn't that large of a hurdle. Your average CS101 class might include an extract emails, sort, merge-compare type of assignment.
And yes, like so many others here, you apparently have the goldilocks algorithm. Easy/simple enough for you to generate on the fly yet secure enough to resist all but nation-state attackers.
To that I say - congrats. But the GENERAL advice to the public at large is that the rest of humanity isn't as awesome as you are, and THEIR password generating algorithms of generated characters plus domain name are easily deduced from a single sample, thus making password managers far far superior to protecting against actual real world threats ("crappy website has lousy security and got breached through zero fault of mine") and not the frequently imagined threats ("I am the target of a concerted effort by extremely sophisticated attackers with infinite time/budget").
In addition to the fact that password managers can be single points of failure for reasons other than credential loss, sometimes I need a password on a device where my password manager is not available (eg. a friend’s device).
It's almost comedic that the point of backups is to remove the single point of failure and then security paranoia creates new ones.
Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?
If you're going to be that secure, put them on a USB stick and bury it in your yard or in the hollow of a tree. Easier to update and won't be destroyed when your house burns down.
While I've yet to have this problem, I've actually been mentally keeping track of my ability to bootstrap back up. LastPass is trying to get me to add TOTP or other 2FA, but even though it promises (for now) that my master password can still get me in, I've resisted, because the password manager is my linchpin, and I need to be able to get in there just with "what I remember", and I don't want another way in where I'm not continually practicing that and keeping the memory fresh.
I also every so often take a backup of the LastPass DB and put it on my local Nextcloud, which get encrypted backup to S3 every night.
2FA is a lot less scary at work, where I have administrators and coworkers who can vouch for me face-to-face and reset it if necessary. I feel like there isn't a widespread understanding that personal authentication is a much harder problem than corporate authentication for that reason. It is easy to end up accidentally webbing together all your personal authentication until your current phone is your one and only token. Heck, with all the 2FA flying around now it's probably possible to get yourself into a situation where the only way to authenticate is using something else you're already authenticated to and you can't bootstrap back up if that expires unexpectedly. If we're not there we're getting close.
Large-capacity flash drives are very cheap; and you can write the same data (e.g. archive files) many times to the same drive to guard against some filesystem or file-level corruption.
There are also tools like par2(1) that can create parity recovery data for files; you could write those many times too.
My online backup solution that backs up the root filesystem for all of my machines generates a rolling tarball of that and then creates par2 recovery data for that tarball at 10% redundancy, and keeps 30 days of tarballs in addition to the current snapshot of the filesystem itself. This is because I store them on high-capacity spinning rust drives, which do have a small but non-zero data error rate.
Additionally, forensic tools like photorec(1) can recover these files even from severely damaged filesystems.
Then the only things you need to worry about are "device doesn't enumerate at all when I plug it in" and such. I'm sure you can have 2 devices side-by-side to mitigate that.
This obviously requires you to have a yard, which is probably not that common for city dwellers (even people renting houses shouldn't really be digging up their yard, and if you live in a duplex quadplex, you're sharing that yard with some number of neighbours of varying trustworthiness)
I wonder if you could just store a microSD card in a weather proof container taped or attached magnetically to the underside of a bench or other urban fixture. Place 5-6 of them for redundancy and keep them up to date.
I have my 1Password emergency kit, with the password filled in, stored on a water-sealed USB drive[1] which I store in a fire box in my house. The combo should mean, modulo a much hotter fire than most typical house fires, that when the fire department puts out the house I can just cut open the melted fire box and extract the very wet but still functional drive. I haven't tested this, of course, and I might take the above advice and put a second copy somewhere else.
I store them in Keepass files and then bury them/give to a friend/save in the cloud/whatever. It's just a single password that you remember, with no reliance on an external authenticator or like. And if someone finds your files, they're useless without the password.
If you store them on cloud, you should obviously do so on a service with no 2FA and a password you remember. The first priority is that you can access it anywhere and the main protection comes from the encrypted Keepass file.
Well, this article is a hypothetical, but fire-proof safes are, like anything with "proof" in the name, not fire-proof, merely fire-resistant. It's theoretically possible for a lightning to strike in the worst possible place and trigger an unusually hot fire, one that exceeds the maximum tolerance for your safe. House fires can apparently hit 1500F, and if you've cheaped out on your safe then you might be in trouble (e.g., the Amazon Basics Fire Safe "can protect your belongings at 1200 F for 20 minutes").
As a LockPickingLawyer fan, I sometimes wonder if these “fire-proof” safes would actually withstand a fire, as there is so much bullshit labelling going on.
For anyone confused about heat and temperature (which in everyday speech get often mixed up) here is a good thermodynamics recap about the definition.[0]
A lightning strike can heat up the air around it because of its relatively high electrical resistance; up to 50k degrees[1].
The change in temperature (average kinetic energy of the air molecules) itself can be seen in the lighting flash (creating for split seconds an awesome "plasma channel", effectively ripping apart the molecules in its dendritic way through hundreds of MV) and consequently heard (if near enough) as a pressure wave, a quick rolling thunder rumble.
Relative to the vast amount of air around a typical lightning discharge event with its characteristic current flow [2] this "temperature" cannot sustain itself so it disperses very quickly. However under the right conditions (flammable materials, humidity etc.) this can jumpstart the chemical process of "burning". Because of the multitude of variables this ain't straightforward [3] as often depicted in movies. So, no the lightning itself cannot "damage" the integrity of a safe but the secondary effects of the environment around it i.e. continuing heat source.
(For convenience I've left out the scenarios regarding possible EMP damage and its secondary effects).
Replace "house hit by lightning" with "house hit by missile strike and now occupied by the Russian Army", a very real scenario nowadays, and you have the same problem again.
The 2017 Tubbs wildfire burned so hot that it melted fireproof safes, as I understand it. Something about 50-100mph winds and incompetent forest fuel management making the fire burn extra hot?
> In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal
It doesn't even take a lightning strike to get into this type of situation. September rolls around and everyone gets a new iPhone. Many forget to migrate their password manager over before sending their old phone back. Unlike the author who clearly thinks a lot about disaster scenarios and redundancy and recovery, more casual users do not. Some get lucky and are logged in to their password manager on their desktop. Some not so much and are even locked out of their AppleID credentials. Even if you remembered to migrate your password manager, you might not have remembered to bring your MFA code app.
This is the entire impetus behind Uno's productized Shamirs Secret Sharing recovery scheme: https://www.uno.app/blog/replacing-passwords-with-people. Our bet is that, like the author questions in the OP, for most people with a trusted network of friends and family, the main threat vector is not hackers and nation states trying to take over their digital lives, but rather nature, age, and accidents, etc. And that social redundancy is an acceptable risk in order to mitigate the tendency we have to want to be our own single point of failure.
This happened to me but because I broke my phone. My broken phone had Google Authenticator on it and I don't have my backup codes since I've had authenticator for years and never thought to redownload them. Anyways, now I can't login to my Facebook or Twitter anymore. Facebook doesn't seem to have any kind of account recovery and the methods they say I can use (e.g. log in from another device and you'll get a notification) don't work. I even have my phone number logged with them but apparently not as part of 2 factor, so I can't recover my account that way either.
TBH this experience has really made me question using an authenticator app every again.
Authy is great. I've started duplicating my MFA codes to KeepassXC so the OTP can be generated from my desktop or mobile in two different ways. I do love how KeePass will just start generating codes by pasting the secret into this format: otpauth://totp/Chrome:USER?secret=XXXXXX&period=30&digits=6
Have they talked at all about why? An interesting point about our implementation is that, unlike Facebook, Uno is not a custodial emergency contact recovery service. So we’re not in the business of trying to KYC all your friends and accept a “multi-sig” credential access request. We’re shamirs all the way down so we don’t have what I imagine would be a pretty large admin overhead for something that isn't really FB’s product.
Apple will send you the new iPhone and a box for your old one if you're in the iPhone upgrade program. Similar story with other carrier trade-in programs.
Generally you can view your master secret on other installs of your password manager which is enough to get you bootstrapped back in on a new phone if you lose yours.
This is one of my great fears. I'm a nomad and all my possessions are in two bags I carry around with me from country to country. It's much easier for this to happen to me.
Not sure what the solution is?
In the past I've tucked away a piece of paper with recover codes on it at a family members house. So in such an emergency I could call them up and tell them where it is.
Recovery codes can be stored publicly, but deniably on the internet. It would be like finding a hay in a haystack. No need to call anyone, just download a picture of a cat and decrypt it.
This is a cool idea and I've been contemplating it myself - but if you don't control the picture, whay if someone chabges it or recompresses it, then its binary changes and you are screwed.
You are better off with a famous historical text, like in 'invincible' they sued Frankenstein. But it has to be with a clear and indusputed original, not something that has mutiple translations.
What if drumroll its a good uisecase for blockchain? Like use hash of block number 200 or smth.
Not exactly how it works, steganography can produce a plaintext, picture or whatever as a cover for the ciphertext, but the cover is not going to be identical to the original. Consequently steganalysis will be able to recover the ciphertext.
But with deniable steganography you can use a fake key to decrypt the ciphertext, so the guy standing behind you with a $5 wrench can see that you have nothing to hide.
If you use something like 1Password maybe setup an email address only you know about that you send yourself (from the new email) an encrypted zip with your 1Password Emergency Vault? Then you have 3 bits of data (4 if you don't save your master password which we can assume you know) protecting your backup: account name, account password, zip password, and vault master password.
When I was nomadic I traveled with my 1pass master password (and that only, no other context) on a laminated card in the zippered ‘hidden’ pouch of a travel belt meant to hide money. I figured I might get mugged by someone who knew to look there but that I could perhaps hope to convince them that the card was worthless and keep it even if they took my devices, cards, and cash.
Time for my "carve your 2FA recovery codes into rock" startup to shine. I might even offer offsite backups: store your rock with codes in my back yard with public access, the trick here is - no one knows which stone is whose.
I remember reading a story about backups right after one of the California wildfires and the author said something like this:
"I used to store my backups in the garage and thought myself smart since they were physically separate from my desktop. Then ENTIRE NEIGHBORHOODS burned down and I realized I needed more physical distance"
Officials will provide you with replacement/temporary documents in a relatively short time, when you have lost them due to a fire or sth. else.
With those you can start rebuilding your infrastructure. Get new credit/debit cards, buy a new phone, get a replacement SIM from your provider, that way get access to your 2FA system again...
Yeah, it's inconvenient and will take some time, but it's not hopeless.
I don't 2FA my password manager and email because of the fear of being lock out of everything. I travel a lot and some country I can't received sms. What hapen if I got stole everything. Loose access to my email, bank account .. I don't event know people number because it's in my phone.
Scenarios like this is why i keep offline archives of my most valuable digital assets, our family photos.
Literally everything except the photos can be replaced/restored/recreated, however impractical. The same goes to some extent for offical papers like passports, birth certificates, etc.
I keep all of our files in the cloud (using Cryptomator for privacy where needed), and keep a local mirror as well as a local versioned backup, and a versioned cloud backup (so basically 3-2-1). Besides that, i make yearly archives on Blu-Ray M-disc media of all the photos we've shot in the previous year. 25GB or 100GB media depending on how busy that year was.
I make identical copies, and store them at geographically different locations. I also don't use any form of encryption, compression or archiving. The photos are simply stored "raw" on the media using whatever filesystem Blu-Ray discs use.
Alongside the Blu-Rays, i also keep a couple of external drives (mechanical) that contains a full mirror of our family albums, and select personal documents like 2FA recovery codes, a backup of my 1Password, etc. This is stored as a GPG encrypted tar file. The encryption is symmetric with a strong passphrase well known to me.
These drives are checked (either long S.M.A.R.T. check or badblocks), updated and rotated yearly. Again, drives stored in geographically different locations.
I don't understand the point of having 2FA with your password manager.
When I open my password manager on a malware infected PC it doesn't
matter how the password vault is opened. Once it's opened it is
available in RAM and the malware is able to read it completely anyway.
My passwords are stored in Keepass on an encrypted backup disc, locally
and also in another household. There is no way I would make the
accessibility to something important like that dependent on additional
hardware.
Damn, I’m really sorry for you, that sounds like a traumatizing experience to go to. I wish you the best.
Edit: wait, it is hypothetical?! Not sure how I feel about this, the whole article reads like a real situation, learning it is hypothetical from other comments makes me feel I’ve been emotionally manipulated…
Bitcoiners who like to take their self custody seriously often use tools like fire resistant metal plates to write their recovery seed words through a center punch tool. Products like the coinkite seed plates backup exist but it is also possible to roll your own using washers and bolts. For BIP39 only the first 4 letters of each word are necessary. You can also setup multisig or seed x0r to make sure a thief doesn’t breach into your seeds with just one plate, often stored on multiple geographic locations.
I wonder if some similar strategy exists for normal master passwords. Could be a nice idea for a low-tech-product-for-high-tech-solutions product. Perhaps a metal card where the user can manually punch a QR code.
One way to circumvent this is to use a strong passphrase to deterministically generate the PGP/SSH key [1] to unlock other passwords. The SSH key could grant access to a remote server with backups and the PGP key could decrypt passwords using pass [2]. Of course, the "master" passphrase must be kept safe or remembered.
pass is great for availability, I think I have several friends even in other countries (if a VPS wouldn't be sufficient) that would lend me space with a shell account for a "pass git push".
Of course, the gpg key is an issue, just as well the password or the ssh key for those accounts. In addition to passphrase2pgp, you could also use paperkey and keep it storage and/or a bank safe. I, for one, store my GPG key on a Yubikey. Of course, I would have thought I'm storing it safely, but it's left in my laptop for a few days now, so chances are I would simply leave it there in an actual emergency. However, pass also supports (re)encrypting with multiple keys, and one more Yubikey can then be kept with friends/family, and it can also store backup SSH keys.
Having multiple copies of ssh and GPG keys and the passwordstore git repo, chances are great to be able to recover most of the online presence.
If a phone/tablet itself can be saved, it could also host another mirror of the GIT repo (for example with an app like Working Copy), accelerating recovery.
This is a very good example of vulnerability introduced by badly organized security system. One does not keep backup access codes in places which are unavailable in case of a failure of primary access methods. Store your 2FAs in a separate phone kept in a SAFE, a combination to which you do remember. Also, adding 2FA to a password manager is probably excessive, just use a really long password which is easy to remember. Like "HowOn5EarthsCanAPersonForgetHisPazzw0rdToPasswordManager?", that'll be enough.
With no second factor you are vulnerable to anything that could sniff your password. I guess this is fine as long as you never log on from any untrusted machine/location?
Also any phishing you don't notice, or many browser hacks. A good 2fa (u2f, fido) authenticates you to the service, but also verifies the service is what you expect.
This is essentially an extreme version of the the "digital bootstrapping" problem that I ponder more regularly than is probably healthy. It often seems like an intractable problem but I think n decent solution that doesn't require a lot of work looks like this:
1. Have an encrypted file of secrets that you can access with an offline password manager like KeepassDX. This file contains not only the logins to your web accounts, but also all of your financial information like bank accounts and credit cards, drivers license number, social security numbers, etc. Protect it with ONE strong password that you memorize. Use it daily to reinforce memorization. All other accounts you have, secure them with a random password and put them in this file. You only want to remember the ONE master password. You can use browser and browser extensions for sites that don't matter much in the grand scheme of things but NOT for critical sites like bank accounts because we all know browsers are the #1 target of attackers and regularly face security problems.
2. If you have multiple devices, share the KeepassDX file somewhere "in the cloud" with something like Nextcloud or similar proprietary service that actually syncs a copy to the local device. You basically want it available in multiple places, automatically if at all possible. I wouldn't post it publicly, but don't fret too much about it falling into the wrong hands because if you remember, it's protected by a strong password that you have memorized. For added safety, copy the password file to a thumb drive every month or so and keep it in your car or your desk at work.
3. Keep all of your important digital data (financial records, family photos, etc) on a NAS in your house. If you live alone and just have one "main" computer, then an external disk will do. Encrypt the disks, put the key in your password manager.
4. Back up your NAS to remote storage every night. This can be a raspberry pi at a relative's house, or a cheap VPS, also with encrypted disks that only you have the key to.
There are many variations to this, but the overall idea is to have ONE strong master password that you memorized and are forced to recall regularly which protects ONE file containing ALL of your secrets, ONE place to store your important documents, and MULTIPLE distributed backups/copies of all of these.
Always have two or more yubikeys. I think every howto about those tells you about that. This thought experiment is a good reminder I need to physically separate them though.
Thanks for listing this overview and worst case scenario. I can say, for myself, that my current setup covers this situation. Everything is immediatly synced to my server located offsite, through IPSEC, meaning I have at every time at least two copies of data that are physically separate. My password manager needs a password file and key. the key I remember, the password file is in my encrypted ZFS volume on my server. If my phone (dies), I can still get the password file from my laptop or from the server; if the server dies, I still have it on my laptop or phone. It is extremely unlikely that all three die at the same time. Yet, even for this scenario, I have a printed out list of password of my password manager, hidden at a location that is usually inaccessible. Of course, I follow the 3-2-1(-0) rule, providing additional piece-of-mind beyond that "worst case".
So yes, I agree fully: Prepare for worst (and hope for best).
For anyone thinking about self-hosting, I suggest to place your server not at your main place - host it offsite (e.g. at your parents house). Makes you also better in remote work and produces overall more stable systems (because driving 100km is a painful motivator).
An idea for the key file: this can also be something you can reproduce, like a text file with a sentence acting effectively as a 'second password'. Or some other thing that you can recreate from scratch.
Yes, good point.. the keyfile is basically comparable to OTP, just that it is more flexible. In my case, it is indeed a file with specific format (keepass), but other systems ar emore open.
I would need to recover access to my password manager and my 2FA authentication tool (which is cloud backed up.) My password manager has recovery codes and my 2FA has a recovery process. Those - and, actually my email service's recovery codes (although technically not needed, since I can use the password manager and 2FA but this would speed up my time to access) - are in hard copy and stored in my safe and at a safe at a relative's home several hundred miles away. For additional security, there is a word written on the envelope at the relative's house that the relative knows to require I provide if we are not in-person (to prevent someone faking a call and asks for the information.) The document is also sealed and included with my Will, which is held by my trusted executor.
With that document I can recover access to my complete digital life.
The advantage is nothing changes. New accounts are added to my password manager and 2FA, but nothing needs to change on the recovery process side.
There are some other ideas I have, if I didn't have a trusted relative/friend, who I could give the document to but I haven't felt the need to implement them.
I went to jail. When I got out, of the thousands of online accounts I had created over the previous 20 years I could only get back into about 3 of them.
I'm probably about to return to jail, and now everything is MFA, so I have no idea how to set this up so that my friends and family can get into my accounts. My phone will be dead within weeks, so I'm going to lose my number, which is a primary factor in many logins.
huh? In my country, everybody is registered in several administration databases with enough data to re-id you anywhere, anytime, and they even have biometric data (usually your finger prints) and medical data (they know where you have scars, and have probably some DNA infos).
In the information age, ppl have to be sure their administration and corpos are using this power sanely for the Right(TM) stuff or things will turn to ...
The UK - for better or worse - doesn't have a centralised ID system. Biometrics aren't routinely logged unless you get entangled with the law.
I may be registered in several different databases. But how do I prove that I am me? If the answer is that I know my mother's maiden name and address history - that means a fraudster could also access those accounts.
Passports usually have, at least, your finger prints in the chip. And as I said, they have tons of data on you (pics, medical stuff, telecom, etc). It all depends on how ez it is for the competent administrative services to access those databases (do you really think the MI6 does not have access to those database?)
Why do you think having microsoft having access to the global networks of IT professionals via its owned linkedin database is something that should not even be possible?
ofc, but if you want to go to the US from UK, you must have a UK biometric passport with sufficient biometric data in the chip to satisfy the US customs.
The biometric data consists of depth data from your photo only
> The EU has set minimum standards for passports which include the use of facial and fingerprint biometrics. The UK is not covered by these regulations and fingerprint biometrics are not included in UK passports.
> The International Civil Aviation Organisation recommendations for biometric standards include a digitised photograph embedded on a chip in the passport. Countries wishing to stay in the US Visa Waiver programme have had to start issuing biometric passports in line with these international recommendations.
The UK passport contains a digitised photograph which meets the ICAO requirement and is therefore valid for entry into the US without a visa.
> The EU has set minimum standards for passports which include the use of facial and fingerprint biometrics. The UK is not covered by these regulations and fingerprint biometrics are not included in UK passports.
The UK passport does not contain fingerprints. This is one of the opt-outs the UK received when it was in the EU.
So you say that UK citizens don't need pertinent biometric data on their passports (not even a visa) to get in the US due to some agreement between the 2 countries.
You absolutely need a biometric passport to enter the US, and have since 2016. Fingerprints are not part of it, they are taken at the border. However, sufficient biometric information is included to grant you access to the UK via an electronic gate.
For those that follow the "take a backup drive to a relatives house" - how do you actually do the backups in that case? Do you have two backup jobs running, one for "the important stuff" and one for the rest of the system, and the important stuff just goes to the other disk? I'm trying to get better about this, but this is something I've never fully understood.
I have an old SFF Dell OptiPlex at my mothers house in another country. It isn't on 24/7 as I have it set to power on automagically weekly so it is up during my scheduled backup window. If I need it any other time a simple phone call to my mother and she can hit the power button. Then I can just access it thanks to WireGuard.
The setup is simple, it runs Debian with four drives. The OS and primary data is RAID1 then two independent drives that a script automatically keeps everything in sync so I have three copies of everything over four drives.
I also have two USB flash drives with it (but not connected) that have an identical OS setup on so should the local system drives die I can ask my mother to pop in the USB and boot it up and still access the 2nd and 3rd backup drives. It all works when I have tested it out although never needed to actually use it.
This isn't for multimedia of course just my really important stuff such as 2FA recovery keys, scans of passports and legal paperwork, etc. As it is only a few GB I don't bother to delete anything ever, I only ever add so even if I rescan in stuff it doesn't replace the old copy.
It is all encrypted on my end first so even if someone steals the machine the data is as safe as it is anywhere else.
Is it perfect? Nah but it is more than good enough and hasn't failed me. I also have local backups of course, this is really my last resort kind of thing.
This is why, while 2FA is important, it's not a panacea (and things like the article do happen - which is why I'm always very skeptical of "2FA everything" people)
Some passwords you absolutely do have to memorize. And that is fine. I keep those good passwords for services run by professionals.
Also recovery codes exist
(side note if the pictures are correct - the sim card and the Yubikey might be salvageable)
>> But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box.
>> The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.
How is this not the solution? You can get new ID from the government and then access the box.
It’s just that easy, huh? Here are the problems I would face when trying to get an ID from the government without having any ID.
My state’s DMV wants to see:
* One document (with full name) proving identity and date of birth. [A birth certificate.]
* One document (with full name and full Social Security number) confirming Social Security number
* Two documents (with current physical address) proving state residency
The U.S. State Department requires you to apply in person for a new passport if your old one is destroyed. Processing, issuing, and delivering it currently takes about half a year. Oh yeah, and you will need to bring your birth certificate.
I just requested a certified birth certificate from the register of deeds in my county, and they said it SHOULD be ready by December.
So, I should be able to exist again by … next summer.
>> I just requested a certified birth certificate from the register of deeds in my county, and they said it SHOULD be ready by December.
That's...insane. Obviously this all depends on where you live but 6 months to get a birth certificate is crazy. I can get mine in less than 5 working days after I submit my request (which can be done on the phone, in person, or by mail). And that's the standard non-priority service.
This was discussed under "Bootstrapping of trust" in the same article. Getting new ID requires money+people who vouch for you, both of which you can't access without having access to them. It's circular dependencies all the way down.
Ah, I glossed over it and missed that. I guess the point of this is that it's an absolute worst case scenario, which is highly unlikely for anyone. Most people will have an out (e.g. in reality you probably can find someone to vouch for you - doctor, priest, lawyer, if not friends that live close by and if you can find a friend nearby asking for a lend of $50 for ID application in your time of need will probably be successful).
Where I live, the DMV will issue you a new driver’s license without any accompanying documents. They use facial recognition to verify your identity. This brings its own issues to the table, but it solves this problem.
This is ultimately why I haven't made the leap to Yubikey style auth. My backup plan depends ultimately on something I know (the password to a backed up copy of my password vault which contains 2fa codes for essential services, and backed up totp codes which are encrypted with a password in that vault for the rest).
I've been thinking about this recently in terms of end of life type stuff. By the time I die (hopefully), access to digital accounts will be a major part of end of life care. Being able to deactivate accounts, set up things, or notify them to close is so much easier if you just have the passwords and details up front. Of course I use 1Password for the passwords. I'm working with an estate attorney to help with a living trust and will for all the legalities too. But I'm going to give my attorney the 1Password recovery PDF for sure. And of course, attorneys generally have pretty good document storage and recovery scenarios too.
So not just someone who is locked out, but doesn't know my passwords. How can they be given the keys at the right time to do what they need? (Like if I'm in the hospital, etc.). It's a hard problem.
I've got an escape hatch for most of my auth. An encrypted file with my bitwarden backup and recovery codes exists in a public not listable s3 bucket under a random uuid file name. I've got its (partial) name stored with friends without any context. I hope I'll never have to use it...
Because given enough time all encryption will fall or become very affordable to crack, so it's not in my interest to have it scraped and stored somewhere forever.
- Have an emergency google account with stuff that is only relevant for the emergency, limited access, that you could login into from anyone's computer, not worrying that you would also compromise more important data
- Use Authy and remember its backup password for 2FA codes
- Use an offline password manager for important passwords, use an online manager with no 2FA for passwords relevant to an emergency situation
- Keep an online backup of all your data, encrypted, on some storage service in another region
- Have an emergency pendrive that has the encrypted backup of all your data and carry it with you all the time (I keep it in my wallet). Nowadays it's easy to get a 512GB pendrive. Bonus is if you are linux user and the pendrive also has a bootable system, so you can boot your entire system from a pendrive, on any computer.
- Remember multiple complex passwords and use them regularly - use muscle memory + have a recovery note just in case you forget it (see the last paragraph)
Note that it's unlikely for multiple things to fail at once. I.e. my laptop could get stolen or an external backup HDD could break, but it's unlikely to happen at once. All could be destroyed in a single event (like the post describes), but then there's the offshore online backup - it's extremely unlikely that it would be nuked at the same time (unless literally in a nuclear war, but that would be a bigger problem). You could also forget the encryption and password manager passwords, but again, it's unlikely it would all happen at the same time.
On another note, I did lock myself out partially and almost locked myself out completely, due to forgetting a password used for encryption. I mis-typed a password to one of my password managers once, then as I tried to enter it again and again, the pattern got scrambled in my brain. That was not that difficult to recover from. But I almost did forget the password that I use to encrypt my /home and all backups. I followed the lessons from the previous mistake, took some 30 min pause and retyped the password (after 3 unsuccessful attempts previously) and I logged in. Whew. From then on, I store a part of the password on a piece of paper, scrambled with other passwords and remember the rest. The point is, never trust on muscle memory alone to store the password. It's possible to make a mistake, once you make a single mistake, it's possible to repeat the mistake and untrain the correct password from your brain permanently.
I went through the process of considering this recently, and considered a safe deposit box, but as mentioned, they're not viable in many places. I eventually settled on multiple security keys, distributed across multiple locations I have access to. And it got me thinking, is there a business opportunity in providing secure storage for security keys? Safe deposit boxes are, as the post notes, either mythical or extremely expensive and inconvenient.
I can come up with a few challenges to running such a service, and a few solutions, but I ultimately come back to thinking: nobody smart enough to use a security key is going to trust some third-party to store their emergency key, no matter what security methods are implemented. Am I right in that assumption?
Probably correct. The correct answer is something I’m working on for fun. Basically, witness encryption of a sort. If you can cryptographically/mathematically prove something has happened, you can decrypt a “bootstrap” of your digital life. I’m working on the tooling/encryption bits now, but I already have a (not published) service that monitors phones/computers for “liveness” and provides a cryptographic proof that they are dead when they go offline for a configurable amount of time. You can use that as an input for the witness encryption, along other inputs. You can just store that file in the open, maybe encrypting only your 1password master key or a backup code to your email.
My country issues ID cards. Police has biometric data on me (fingers and photo). I guess in my country I can easily obtain a new ID card and from here, prove my identity to the different providers. I guess it is very hard still, but better than nothing. Isn't it?
Most places allow you to "bootstrap" back up from nearly nothing, but it can involve getting a copy of your original birth certificate from the county/hospital, etc.
This is also a reason why you should keep all expired IDs around in a safe location separate from your normal life; even an expired passport/driver license can help get the bureaucracy to get you setup again.
When you're in a situation like this, you're working to convince the person at the DMV counter that you're who you say you are, and expired IDs, along with utility bills, etc, can go very far.
Convincing a computer is much more difficult, which is the point of this article.
Right. Unless you use a completely anonymous service payed by mailing cash in, you should be able to bootstrap your way back in, it just may take some time. I’ll say that a company whose daily business depends on some 2FA-protected service should ensure that they have redundant second factors stored at a different location.
I am working toward a setup where I am certain my critical data will not be lost due to broken phones or house fire. I'm also working on a strategy for death, amnesia, etc. for my friends to help if I ever forget my own password or pass away.
My strategy (some parts still being implemented):
* Use a password manager (Keepass)
* For anything 2FA, it either can use Authy (has backup service) or has backup codes.
* Authy backup code and all other backup codes are in password manager
* Password manager and all important digital data is stored in AWS Glacier
To be implemented:
* Instructions for disaster recovery printed and stored in AWS
* Master password to Keepass written in envelope in my house
* AWS accounts, S3 buckets and Shamirs secret sharing configured so that any 2/5 friends or family can login to AWS, get a copy of my safe, and together unlock it in case of death or disaster
AWS Glacier Deep Archive costs about $1/TB/month and is highly redundant, so for cold storage and DR is perfect for this. Shamirs secret sharing is a cool tech for breaking up secret data between people to allow the reconstruction of a secret key.
One of the good things that cryptocurrency brings is secure cryptography devices like Ledger. It has a secure screen that allows you to copy 24-word mnemonic to a sheet of paper and recover everything from it in case you lost/damaged your device. The mnemonic can be carved onto a piece of metal that would survive fire or locked into bank safe so as to survive incidents like this. It has proven to work reliably for exchanges where billions of dollars are at stake. And best of all, it supports U2F so you can sign in to regular websites with it.
I hope that such technology would find its use outside the crypto world and help us keep our identity safe.
A nice thing to do if you don't have Ledger. But in case you change your password because of a laptop compromise you have to change it on all devices and carve it again.
Ledger is much safer so you shouldn't need to do it more than once. Just make sure the mnemonic never enters the digital world - don't point a camera at it.
My bank is changing my MFA from SMS to mobile banking auth with each and every mobile banking app update. I tried to explain them to not do so, as when I break, lose my phone, it's quite easy to use a spare or get even a new sim card with the same number, but for anything else (buying a new phone, changing limits for cash withdrawal for a new phone, buying a ticket for public transport to a physical phone shop) I need the MFA code. Which I don't have of course. And surely I don't remember the unique 9 digit random identifier that is written on my bank contract to access mobile banking hotline. Shitlock.
So if any single one of your used services leaks your password, you‘re essentially screwed since the root can be determined. Have you heard of haveibeenpwned.com?
I used to use this as well (with site-specific part in the middle, not as a suffix) but then switched to Bitwarden and random passwords as some suffixes were not unique and with 300+ services it started being annoying to type over and over again. Also a more sophisticated attacker could intercept two passwords and see the similarity, then bruteforce just the difference.
Ok, so some guy in Croatia now knows the root, so what? How does that help them? They can't access the other suffixes without physical access to my home computer. Not to mention they have no idea which part is the root and which part is the suffix
This is exactly why I try to opt out of any two factor authentication on some of my accounts. Yes, the 7 symbol password isn't very secure, but it's truly random and I remember it well. If anything happens, I can log into the account from anywhere and regain access to the rest of my stuff. If anyone knows how I could convince Google as well to let me opt out of two factor authentication, I would be very grateful. Obviously not for my phone account, nor for my professional account. Just for my personal email.
We are all now on the precarious stilts of technology.
Apple is the worst regarding this scenario. They force 2FA like you are a child. I get it, in most cases 2FA is great, but my lifestyle makes it a problem.
I was under the impression that the Secure iCloud Keychain recovery functionality that was added in the last iOS/macOS update could be used to recover.
You can still get a TOTP code from Apple via SMS to your trusted phone numbers. When it prompts you for the TOTP code select “Didn’t get a verification code?” and you can pick one of your trusted phone numbers no problem. I have had to use this in the past and it works fine.
I very nearly was not able to login to my Apple account on a new computer because I did not have an old device to verify, and of course I hadn't kept the master recovery key where I could remember where to find it.
Keep OTP recovery codes in a separate online account (rarely used) with a strong password you can memorize. This lets you recover accounts even if all your devices are gone.
> I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?
Credit cards are usually sent by mail, and the sender doesn't even know whether you have a mail hold, temporary mail forwarding, or 6-month forwarding due to a move set with your post office.
Use a password manager to that allows custom encrypted vault storage, and gives the installer for free.
Use a basic password to store the vault and installer offsite, with a memorized string of random words that fit together in such a way that you will not forget, bury a paper in your garden.
I recently caught myself hosting a password manager on a home server, with the data stored in sql on the same machine both credentials of which were on the self-hosted server.
Safety deposit boxes are an unequivocally terrible idea. They have very few safeguards, subject to seizure easily, and contents are uninsured or minimally insured.
I get that SD boxes aren't as great as we'd expect them to be, but they can still be part of a reasonable disaster recovery strategy:
I live in a fire prone area. I have a safe deposit box 30 mins away in a place that won't burn. I keep a HD there with all my photos on it. I refresh the drive monthly. The chance that this small credit union with maybe 100 boxes will lose, toss or sell my box on fire day is pretty minimal.
I concede that they may be OK as storage unit for backup copies which can be replaced relatively cheaply and may work well if you check that your backup still exists and functions. Just don't be like that watch collector that lost everything.
1Password “forces” (strongly suggests to) you to physically print a recovery kit with both your master password and secret key on it. I keep mine in a safe deposit box in another part of the city. Of course, losing access to this box is a concern, but ¯\_(ツ)_/¯ I suppose I could also bury it somewhere remote too without the QR code or my identifiable information in it, or mail a copy to a family member.
Interesting. It seems that there is no digital life. There are bits of information out there that only you can unscramble but there is nothing other than passwords binding these to your identity.
How is this solved in the real world? Gated access and obfuscation? Having a safe that is perfect and indestructible (encryption) only to rely on a flimsy key (yubikey, remembering passwords, etc.) is asking for trouble.
This reminds me of the time I worked for a disaster recovery company in their backup provider division. You could choose to encrypt all of your data end-to-end, but doing so meant you had to be responsible with the encryption keys; we could not bail you out if you lost them. Unsurprisingly clients were a lot less interested in that option once we had this conversation
Sorry to hear that, @edent, and as someone that just got a Yubikey [1], it sounds like I need to place the spare one at a geographically distinct place ASAP, rather than in a lockbox in my house. Easier said than done.
--
1: only my mail and password manager are protected with my Yubikeys. As long as I can have access to one key, I'm safe. Which means if I lose access to both my FIDO keys, I'm fucked.
Once you know your master pass phrase in Bitwarden + email you can get back in. Providing of course you don’t enable 2FA, which could lock you out if your Yubikey gets destroyed. Bitwarden has an ‘attachments’ feature so you can upload the QR code seed image used to setup TOTP so you can set up all your TOTP accounts again in an authenticator app in a worst case scenario.
But I also enable 2FA and store the seed for that publicly... on the internet. Just without any context at all as to what it does.
By itself the 2FA seed is useless. You need to know what it does, and you also need the email (it's not my public email) and the password (which is very strong).
I also have a set of plain instructions that my partner has explaining how to Bitwarden and access all the things if needed, including how to use a 2FA app, etc.
Worth noting: Bitwarden gives you a recovery code incase you lose your 2FA device. So as Terrence Eden said: invest in a safety deposit box and store the recovery code there. Or memorize it if you can.
My passwords and important documents are sync'ed to the cloud, my office PC, my home PC, my home Mac, and my laptop. If for some reasons the three places (office, home, and DC) which are in a circle of about 40 km are destroyed at the same time, I probably could care less as there would be some major disaster like a mega earthquake, thermonuclear war, etc.
I wonder if one workaround isn’t to store info like 1Password key and password - not username - in a pdf with a simple, easily remembered password, in an email IMAP account with a similarly easy password? Could even be a bitly link to a Dropbox file.
I know that creates a huge security hole but it’s only one if someone else is able to identify which account it applies to.
It's simple ... just have offsite backup and sync (TM)
As for bootstrapping your identity, consider having a couple devices that need your biometrics to generate a password and unlock stuff, and store them in various banks or buried under a tree.
If you ever get amnesia, you can always implant the location info in your ass like Jason Bourne.
I use a variation of the USB to a friend method that I call horcruxing. Several USBs distributed to different friends that contain enough info for me to get back into my cloud synced password manage (plus a copy of all the passwords I have at that time). The USB is encrypted with a password I have memorized.
It's not perfect (nothing is?) but to ease my 2FA fears I keep two copies.
One on authenticator app on my mobile.
Another as keepassXC TOPT entries in a file in a USB stick.
To have a perfect mirror requires adding both (mobile and keepassXC) when enabling 2FA for the first time, as few services allow to see the 2FA key after enabling it.
Almost all of my digital life is in three places: 1) Google 2) Dropbox and 3) LastPass
I make it a point to pay for all of these, even though the free tier might have been good enough. I hope (maybe naively) that will help me get to a human if some disaster happens.
I never understood MFAs. In terms of ability to "log back in", it creates more "weakest links", where failure of one can lock me out of all.
Most consumers don't, but I use 3+ phones at a time, picking up whichever one has battery and is near me, and replace phones multiple times a year. MFAs and similar "future-looking" security solutions seem to target majority cases, whereas I think such security solutions need to support edge cases.
Currently, my best guess is magic links where I can set aliases like "this particular email" to be the source of truth, such that I can lose a device or two and still access the email, and still replace entire email if email is compromised (or regularly, just for best practice). But definitely does not feel satisfying...
Big respect for experts who are thinking about this problem day and night to solve it for the humankind. Seems hard and is definitely critically important!
The mistake here, is that 2FA is used in a circular logic hence it's not useful to use it. If you must avoid 2FA being a problem in a situation like this just don't use it; remember a password or otherwise keep it secure; never lose it.
There is a 3rd way which is not widely adopted yet and it requires to handover some personal documents, but that is to use an IDV service as a fallback. There are obviously some disadvantages as well I am sure you can think of.
It's probably worthwhile to keep backup identity documents and data with a trusted local friend who's number and address you have memorized. Hopefully they are not out of town or suffering a calamity, too!
I looked into Yubikey a while back and the first thing that pooped into my head was to buy 3 and put the third one in a bank's safe deposit box. Keep one for myself and give the other to my wife.
I mistook the initial "imagine" but read to the end to see it was hypothetical. That said the passport burning set off alarms in my head. The rest was within reason, even the house on fire (thought the non-lightning-proof fire safe sounded fishy) but he had time to take a picture of his passport while it was on fire and he didn't try to put it out? Unrealistic.
I guess I should have been skeptical of /any/ pictures for that matter, especially the house since "how would he take the picture if his phone was fried".
I regularly print my whole keepass DB on paper and I keep it in safe (fireproof) place. I never had to use it, but knowing it exists eases me a lot. I highly encourage you to do the same.
So I do actually use a safety deposit box at the bank he mentions - and I think it is worth the £20 a month.
It does contain a backup yubikey (which is set as a master for creating new ones) as well as a printed paper copy of my private key. The 2nd slot on it stores the secret key for my 1password so I can get back into that if needed.
I use Authy for 2FA which is backed up with a decent password that I know - but would be pretty tricky to guess.
The bank have a photo of myself and wife, along with signatures - so when you go to access it they compare your photo (I had to show ID last time as I had grown a beard which looked nothing like me) and have you sign to access. So I think even if I had lost my card with my account details on it, I should still be able to get back into my digital life.
Edit: Even if the safety deposit key is destroyed, you can get a replacement for <insert fairly high amount of money> if it came to it.
2FA with password manager is pretty much asking for trouble. Any compromise that is capable of leaking my master password can’t be stopped by a second factor.
What do you mean? I need both my Yubikey and my password to log in to my password manager. If my master password gets leaked somehow, they still need my Yubikey, which is on my person at all times.
The CIA could infiltrate my house when I'm sleeping and steal my Yubikey, but any other idiot on the internet that wants my data has no chance, which is what I'm most concerned about.
To leak my master password, “any other idiot on the internet” needs to do one of four things: (1) backdoor my password manager; (2) install a keylogger to capture it while I’m typing it in; (3) somehow grab a copy of the encrypted database and crack it offline; (4) read my mind. (1) is game over; (2) with that level of access they can also steal everything while the password manager is unlocked; (3) with offline cracking, any 2FA protection just extends the password, and my master password is strong enough for any idiot on the Internet; (4) can’t defend against magic.
Sorry, I'm not sure I follow. First you say that 2FA is useless if someone gets your master password, which is wrong, now you argue that stealing a master password is very hard.
Yes it does, because 2FA means you need BOTH the master password and the second factor device to log in. Stealing the password is not enough. That is the point of 2FA.
The point is in none of the scenarios 2FA isn’t compromised at the same time or is even needed (except in the offline cracking case, where cracking password + token is harder than cracking just password, but with a reasonable password both are practically impossible). Read again. Consider realistic attack vectors instead of repeating dogma.
2FA, especially hardware based 2FA protects you from scenarios that could involve leaking of your passwords (such as many common MITM attacks, phishing, spoofing) and makes cracking a DB incredibly hard for your average hacker if they somehow get their hands on it. And you would have to define a 'reasonable password' because I could guarantee what you consider reasonable is orders of magnitude easier to crack than a 2FA + password solution. It objectively reduces the amount of attack vectors to gain access to your accounts.
Calling it dogma when 2FA has known security advantages is just wrong.
I suspect they are thinking of TOTP-based schemes for 2fa, not hardware-based 2fa. With TOTP-based 2fa, you can store the seeds in your password manager, which ends putting them next to the passwords themselves, all in one place.
The issue here, is that OP planned for his house to be destroyed and having is phone OR not having is phone but still having his house. But didn't plan for having his house destroyed AND loosing its phone.
One can still imagine a scenario where you can loose your phone AND your house AND another recovery method etc
Random tangent, but do we even need .mobi domains anymore? The web became responsive to mobile, so I fail to see a case where it makes sense, and with Google having made .app it even defeats the idea that they could be used to market apps. Whoever runs that TLD missed the mark there honestly.
If you want to bootstrap your way out of scenarios in the OPs, a passport card is proof of identity and citizenship.
What I do currently, is I have a smartphone with a wallet case, which has a passport card, credit card, insurance card, and a bus pass with enough fare to take a 28X[1] to the airport.
I actually just sat down to have a cortado and clean my go bag, because I had to use my mace and haven't been able to replace it.
(I the past I had a smaller "TSA friendly" messenger bag that I got at an Army Navy store plus a larger black backpack which can contain... well, pretty much anything that's legal in PA for me to put into it, but since I'm a grown adult, things like sharpies, a gerber multi tool, gum bands, an umbrella, noise cancelling headphones, and several batteries and the cables to connect them to my devices are perfectly reasonable things to carry around with me on a rainy day.)
Then, you keep that plus whatever weapons you think you need next to your bed.
I'm left handed, so usually my phone and a large knife and mace go next to the bed[0].
Then there is a locked door with a Louisville slugger next to it. Beyond that is a second door with two chains, and something else beside that one, with the walkway in between littered with hazards.
And on top of all that, I often keep a radio going so it's ambiguous if I'm home, since my landlord likes to enter my unit uninvited and not even leave a tag behind noting they were there, despite several warnings that I was perceiving their illegal behavior as threatening.
(Much like your post, I had a fire scare -- my dad claimed to know someone from the mafia who might burn my home down, and I had an outlet spark out around the same time, along with a series of odd people lurking around, some of whom still return to my home to this day despite frequent reports)
I'd love to have my passport card in a safe deposit box, but the last bank I looked into that with abused their access to the information I was looking for one.
(They said there was a waitlist, so since I thought I'd be staying long term, I just kept my passport in a safe, or separate from my passport card in case I had an extreme incident, like having my favorite bag broken open because I had to mace someone in the face, then choke them to nearly to death when they didn't take that strong hint to get away from me.)
Anyways, thanks for sharing, and if anyone has any advice on my security setup, I'm happy to take feedback.
(I'm trying to avoid making the thing on my bedside a handgun loaded with .22 hollowpoints, and the thing beside the door a shotgun loaded with buckshot small enough to not penetrate a wall and kill my neighbors if I need to fire it, but I'm very annoyed I feel a need to note this level of detail and ask for feedback, given the conversations I've had off of this site leading up to today.)
--
[0] The intent being to mace them, then stab them if they don't give up, then retreat to safety to call a lawyer. Not an ambulance. I'm not your caregiver. I'm not your friend. Come into my home and make me feel unsafe at night, and be prepared to die.
[1] The 28X is the route that takes you to the airport in 412, it's what I reccomend anyone who cannot abide by the rules of civil society look into rathrt https://www.portauthority.org/PAAC/apps/pdfs/28X.pdf
> All my passwords are stored in a Password Manager.
And that is the problem!
I've never bought the hype about a different password for each service. I've 4 passwords in total, sorted by importance, and each new service gets the one most appropriate according to the data it manages.
So, having Hacker News pirated means my Quora account is at risk: so what?
And really important stuff (read: banks) is protected by two-factor authentication anyway.
> In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am.
Not really, if you have spent your whole life introducing you as "qjkhgjbhjhgjhgj" to one person and "opiqnbasvwnezc" to the other.
> So, having Hacker News pirated means my Quora account is at risk: so what?
This is all well and good until you encounter hackers that sell off your account(s) for spam or other malicious reasons and pretend to be you while doing whatever illegal services or transactions you can think of. If you can't think of reasons why hackers can't make your life hell when they get access to your accounts then you're not thinking hard or creatively enough.
> I've never bought the hype about a different password for each service.
It's not a hype. Any reasonable security expert will recommend you this. Because passwords evidentially get leaked. And most people are (I'm sure you aren't) vulnerable to social engineering, especially if the attacker has access to other accounts like HN or Quora.
I surely hope that you don't reuse the password of your email account.
> I surely hope that you don't reuse the password of your email account.
That one is very important for me and is not reused at the moment.
> Any reasonable security expert will recommend you this.
Not when you get to the point that you cannot manage them in your head any more, and you need one more service (or piece of hardware) that you need to protect (via a password and/or physically).
This literally is saying that if someone compromises one of the passwords you use for all the important stuff like banking, they've literally just gained access to every important account you have which can be life changing in a very bad way.
Props on using four passwords instead of just one, though.
That said, planning a strategy for offsite data storage or a secondary authenticator is of course wise. A safety deposit box or other offsite location that you can frequently refresh and keep up to date would be a good investment. If you’re worried about keeping a master key to your life in a single place, you could separate your data and your authenticator. The how likely depends on your threat model, several people on this site may find it insufficient. To whatever degree you obfuscate or complicate your recovery path, you also increase the risk of losing access to it yourself.
You might also consider it’s not necessarily the “thing you have” that might go MIA, but due to physical injury, age, or just forgetfulness, the “thing you know” could also be at risk. I realize this the older I get. Finding a secure way to store a master password in the event you cannot recall it, or perhaps in the event of your death, is something you may also consider. In this case, I would avoid a cipher or something else you’re likely to forget.