3

I'd like to start using a password manager, but I'm not sure how to handle account recovery.

I'm not a criminal or a secret agent, so if I lose my master password (or my second authentication factor, like a Yubikey thumbdrive, or my own thumb), I don't want my data to be unrecoverable (and by "my data", I mean "my access right to all my accounts for which I used my password manager to store potentially automatically generated and forgettable passwords": I can afford to lose access to my password manager if I can reset it and regain access to all my accounts separately with each of their account recovery options).

Let's assume I don't use the password manager's vault recovery, because they all seem unsafe or impractical when they are available.

The only way to be able to recover any account in any situation (phone, computer and password-list-on-a-piece-of-paper lost or taken by someone else, for example) is by using account recovery from an email address, since it only requires internet access and a password, but it just moves the problem elsewhere.

For example, I could use a unique recovery email address for all accounts from a security-oriented provider like ProtonMail, and use it only for account recovery to make it less visible to potential attackers.

But it's still another password to remember (with the master password) and another entry point, and if I use the password manager to store this new password but lose the master password, the recovery address becomes useless.

The only solution I can think of is using a trusted person (like my wife) to store on their password manager my recovery address password and to never change it (unless their master password is compromised, for example), and I could do the same for theirs. That way, it's unlikely that we both lose access to our respective password managers.

So my question is: Which strategy is the best concerning password manager and account recovery?

Are password managers' vault recovery options more secure than my propositions? Are there better alternatives?

P.S.: When I say "password manager's vault recovery", I mean "password manager's means to recover my vault or my master password", and when I say "account recovery", I mean "account provider's means to recover my account or my password which I stored in my password manager", for example, Facebook-specific account recovery means.

CidTori

3 Answers

1

I think that you are confused about how password managers work. You mention using an email recovery option; that's just not possible with any serious password manager. A password manager service doesn't know your master password, so they can't give it back to you in an email. It's just impossible.

Some password managers support emergency access (e.g. LastPass's emergency access) that gives other users delayed access to your vault. This allows you to give someone access to your vault after you haven't logged in for a few days. Note that this may not include recovering the master password (LastPass doesn't support password recovery), but it does give access to the vault contents. Using such a recovery method, you could store your master password in your vault and rely on the trusted person and delayed emergency access to recover the master password.

The emergency recovery strategy is similar to using another person's vault to store your password, but it adds a delay. This has pros and cons. If you need the password quickly, the delay is a hassle. But if the other person's password vault is somehow compromised, the delay gives you time to revoke emergency access before yours is compromised too.

If you do want to use paper as a backup of your master password, store it somewhere secure - like a safe deposit box. While that doesn't provide instant access, it reduces the chance of the paper being viewed by an attacker to near zero.

The easiest solution is, of course, to just not forget your master password. Personally, I write my master password down when I change it, carry it with me for a few days, then securely dispose of it (consider fire) once I have it memorized. I've never forgotten it (though I do have emergency recovery set up).

Neil Smithline
  • I'm not confused about how password managers work, but I may have poorly explained my problem: see my edit, if it helps. – CidTori Apr 15 '18 at 15:16
  • As I explained in my question, I'd prefer not to use paper to store my master password, since it can be hard to retrieve, or even lost. Moreover, if I'm using 2FA with a Yubikey for my password manager and lose it, the master password won't be enough. That's why I'd like to at least recover each individual account linked to my password manager, since most of the time, account providers like Facebook or Outlook allow some account recovery using an email address. – CidTori Apr 15 '18 at 15:53
  • Thank you for the comparison between my proposed solution and LastPass emergency access, I didn't know it. – CidTori Apr 15 '18 at 15:55
  • Thanks for clearing it up. I think I understand better @CidTori. Sounds like some of my answer isn't relevant to your question. Sorry about that. At least with LastPass, you can [disable MFA](https://helpdesk.lastpass.com/multifactor-authentication-options/) if you lose your YubiKey. This reverts to using your email for MFA. – Neil Smithline Apr 15 '18 at 20:58
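The delayed emergency-access scheme compared in this answer (a trusted contact requests access, the grantor is notified and can deny inside a waiting period, and access goes live only when the window elapses) can be modelled to see how the delay turns a compromised contact into a non-event. The code below is an added illustration written for this page, not LastPass's implementation; the class, method and field names, the three-day window and the timestamps are constructed for the example.

```python
"""Model of delayed emergency access for a password vault (illustrative).

Assumed semantics: a grantor names a trusted contact and a waiting period;
the contact can request access; the grantor can deny a pending request or
revoke the contact outright; access is live once the window has elapsed
without a denial.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class EmergencyGrant:
    grantor: str
    contact: str
    wait_period: timedelta
    requested_at: Optional[datetime] = None
    revoked: bool = False

    def request_access(self, now: datetime) -> None:
        """Contact asks for access; the clock starts at the first request."""
        if self.revoked:
            raise PermissionError(f"{self.contact} is no longer a trusted contact")
        if self.requested_at is None:
            self.requested_at = now
        # A real service would notify the grantor here so they can deny in time.

    def deny(self, now: datetime) -> bool:
        """Grantor rejects a pending request. Returns False when the window has
        already elapsed: access is live, so revoke() is the right tool then."""
        if self.requested_at is None or self.access_allowed(now):
            return False
        self.requested_at = None
        return True

    def revoke(self) -> None:
        """Drop the contact entirely, e.g. because their own vault was
        compromised. Anything already read while access was live stays read."""
        self.revoked = True
        self.requested_at = None

    def access_allowed(self, now: datetime) -> bool:
        return (not self.revoked and self.requested_at is not None
                and now >= self.requested_at + self.wait_period)

    def status(self, now: datetime) -> str:
        if self.revoked:
            return "revoked"
        if self.requested_at is None:
            return "idle"
        return "granted" if self.access_allowed(now) else "pending"


T0 = datetime(2018, 4, 15, 12, 0)   # constructed reference time
WAIT = timedelta(days=3)            # assumed waiting period


def scenario_grantor_silent() -> List[str]:
    """Grantor is unreachable (lost master password); contact gets in once
    the window elapses."""
    g = EmergencyGrant("cidtori", "spouse", WAIT)
    out = [g.status(T0)]
    g.request_access(T0)
    out.append(g.status(T0 + timedelta(days=1)))
    out.append(g.status(T0 + WAIT))
    return out


def scenario_grantor_denies() -> Tuple[bool, str]:
    """Grantor sees the notification and denies inside the window."""
    g = EmergencyGrant("cidtori", "spouse", WAIT)
    g.request_access(T0)
    denied = g.deny(T0 + timedelta(hours=5))
    return denied, g.status(T0 + WAIT)


def scenario_contact_compromised() -> List[str]:
    """Contact's vault is stolen and the thief requests access; the grantor
    revokes inside the window, so the thief never reaches the vault."""
    g = EmergencyGrant("cidtori", "spouse", WAIT)
    g.request_access(T0)
    g.revoke()
    out = [g.status(T0 + WAIT)]
    try:
        g.request_access(T0 + WAIT)
        out.append("re-request allowed")
    except PermissionError:
        out.append("re-request refused")
    return out


if __name__ == "__main__":
    print(scenario_grantor_silent())        # ['idle', 'pending', 'granted']
    print(scenario_grantor_denies())        # (True, 'idle')
    print(scenario_contact_compromised())   # ['revoked', 're-request refused']
```

The trade-off the answer describes is visible in the three scenarios: the same waiting period that delays a legitimate request is what gives the grantor time to deny or revoke a request coming from a compromised contact.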
1

I've been using a password vault for years, and have never forgotten the master password. The threats I consider are:

  • hacking of my web accounts: the password manager offers easy random password generation
  • stolen vault: the password vault is only installed on local devices (my phone, my wife's phone and our PC), and is never sent over the network => it can only be stolen if one of the devices is too. I have planned to change all the passwords ASAP if this should happen
  • damaged vault: as it exists on 3 different devices, I hope that the 3 should not break at the same time, and that I should be able to restore a broken copy from a good one
  • loss of the master password: I hope that my wife and I will not forget it at the same time. The downside is that I seldom change it. Ideally it should be written on a paper stored in a physical safe, but I consider that the risk is not worth it

The risks that I accept:

  • I must trust my wife...
  • the master password is not that strong and not frequently changed - but a hacker should first steal a physical device, and I have planned to change all the contained passwords if that should happen
  • the synchronization between the 3 vaults is manual: I know that I must do it whenever a password is added or changed
  • if a bad guy manages to steal one of the devices holding the vault, I hope that I will notice it and be able to change all the passwords before he can break the master password

The threats that are not even mitigated:

  • the rubber hose attack. IMHO it is probably the highest risk in terms of consequences if not occurrences, but it is still the hardest to prevent
  • internal attacks on the sites (bank). I must trust the sites I use.

I do not pretend that this is the best solution, it is just a possible one, and one that fits my needs.

Serge Ballesta
0

Fundamentally, you don't want to have all your passwords reliant on a single password -- that you might forget! And that's a reasonable precaution. I'd wager more people have lost access to password managers from lost passwords than to malicious 'hackers'.

Your solution of sharing with your wife would solve this issue, since you both act as backups to each other, but it also exposes you to a new threat. If someone hacked your wife's LastPass, they'd get yours as well. I still think the solution is practical, but I wouldn't call it 'best'.

It gets slightly more complicated when we talk about MFA, because passwords alone aren't sufficient if you've lost your MFA token/code.

Using LastPass as an example, your MasterPassword is used to encrypt all your passwords. Without it, you'd be unable to retrieve your passwords -- however, your MFA code is NOT used for encryption, just authentication. So a loss of the MFA token/code would still be recoverable, usually via email reset.

If your Primary Email has MFA -- then you can see what kind of rabbit hole we're going into here. If you're on GMail, presumably, after a long back-and-forth with a Google employee, you'll get back your mail, which will allow you to get back LastPass access (not the passwords in LastPass, just the access to the encrypted blob it stores). After doing this, you can get your password from your wife's account and voila, back to normal -- but this process can take days (maybe weeks).

My recommendation is to store your MasterPassword and a few backup codes physically somewhere (disconnected from the internet). Either on a piece of paper, or on a ThumbDrive that you use specifically for this purpose. To be clear, the passwords and codes should be kept separately from each other, because they are used for different situations. And a thief that accidentally stole one couldn't gain access to your account.

That physical 'thing' can be secured in a place you and your wife know about -- either in a safe, a locked drawer at your home, even just a piece of paper you hide in the Encyclopaedia Britannica (because I've yet to come across a thief that has stolen one of those).

In the event of a lost password, you'd reach for the paper/drive with the LastPass password. In the event of a lost phone (with your MFA token on it), you'd just reach for the MFA backup codes (because you still remember your password).

In the event 'heaven-forbid' you die in a plane crash, where both your password and tokens are lost -- your loved ones can reach out to both and re-activate your account (provided you told them where they both are).

Of course, there's always the possibility of someone coming into your home and stealing 'both' the password and tokens and gaining access to your account. This to me is a reasonable risk to take -- the flip side is remembering your password and only writing down your backup tokens.

keithRozario
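The distinction this answer draws (the master password is the input to the vault encryption key, while MFA is only an authentication gate the service can reset) is easiest to see in code. The following is an added illustration written for this page, not LastPass's code: the record layout, the PBKDF2 iteration count, the extra derivation round for the login hash and the function names are assumptions. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so that the example runs on the Python standard library alone; a real vault would use an AEAD such as AES-GCM.

```python
"""Model of a vault encrypted under a key derived from the master password,
with MFA as a separate server-side gate (illustrative, standard library only)."""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # assumed for the example; production values are higher


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client side: the master password is the only secret input to the key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, salt: bytes) -> bytes:
    """What the server stores for login: one extra PBKDF2 round over the key.
    It verifies a login but cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)


def _subkeys(vault_key: bytes):
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def enroll(master_password: str, vault_plaintext: bytes) -> dict:
    """Server-side account record. Neither the master password nor the
    vault key is ever stored; only salt, login hash, blob and MFA flag."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "auth_hash": derive_auth_hash(key, salt),
            "blob": encrypt_vault(key, vault_plaintext), "mfa_enabled": True}


def login_and_open(account: dict, master_password: str, mfa_passed: bool) -> Optional[bytes]:
    """Server checks the login hash and, if enabled, the MFA gate, then hands
    back the blob; only the client, holding the key, can decrypt it."""
    key = derive_vault_key(master_password, account["salt"])
    if not hmac.compare_digest(derive_auth_hash(key, account["salt"]), account["auth_hash"]):
        return None
    if account["mfa_enabled"] and not mfa_passed:
        return None
    return decrypt_vault(key, account["blob"])


def reset_mfa_after_email_verification(account: dict) -> None:
    """The e-mail reset path: the server clears the MFA flag. The blob is
    untouched, so this step decrypts nothing on its own."""
    account["mfa_enabled"] = False


def server_record_reveals_vault(account: dict) -> bool:
    """Whether everything the server holds is enough to open the blob."""
    try:
        decrypt_vault(account["auth_hash"], account["blob"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    acct = enroll("correct horse battery staple", b"example.test: hunter2")  # constructed
    print(login_and_open(acct, "correct horse battery staple", mfa_passed=False))  # None
    reset_mfa_after_email_verification(acct)
    print(login_and_open(acct, "correct horse battery staple", mfa_passed=False))  # vault opens
    print(login_and_open(acct, "wrong password", mfa_passed=True))                # None
    print(server_record_reveals_vault(acct))                                      # False
```

Losing the token only costs you the MFA gate, which the service can reset after an e-mail check; losing the master password costs you the key, and the service's own copy of the record (salt, login hash, blob) is not enough to recover the contents, which is why the paper or thumb-drive backup in the answer covers the password and the backup codes as two separate items.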