2020-08-31

Don't get locked out of your password manager

Let's say you're security conscious so you do all these reasonable things:

  • use a password manager such as LastPass (see this post for more info)
  • use a TOTP-type 2FA app/service such as Authy (see this post for more info)
  • have multiple devices so you have Authy synced between them all, using Authy's Backups Password
  • use a long random string as your Authy Backups Password, so you store it in LastPass (and of course can't remember it)
  • enable 2FA on LastPass using Authy.

Well, you've just created a cross-dependency between LastPass and Authy:

  • you can't log into LastPass without getting a 2FA code from Authy; and 
  • you can't get your 2FA codes out of Authy on a new or reset device (meaning, reconnect it to the Authy online service and decrypt your synced tokens) without your Authy Backups Password, which is stored in LastPass.
(Note that with LastPass you can temporarily turn off 2FA via an email verification process; but you can't do this with 1Password.  To confirm the 2FA disabling, you have to be able to sign into the email account you've configured for LastPass recovery.  So if that email account's password is random and lives only in LastPass, you have a different cross-dependency.)
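To make the cross-dependency concrete, here is a small model of the setup above.  This is an added example, not code from the original post, and the names in it (lastpass_master, phone_number, paper, etc.) are made up for illustration.  Starting from the secrets you hold with no help (memorised passwords, a phone in hand, a printed page), it marks everything you can open, reports what you can never open, and shows the lockout disappearing once the Authy Backups Password also exists on paper.

```python
from copy import deepcopy

# Constructed model of the setup described above.  Keys are things you need to
# get into; each value lists alternative ways in, and every name inside one
# alternative is needed together.  Names are illustrative, not LastPass/Authy terms.
REQUIRES = {
    "lastpass":        [{"lastpass_master", "authy"},            # normal login: master pw + 2FA code
                        {"lastpass_master", "recovery_email"}],  # 2FA switched off via email verification
    "authy":           [{"phone_number", "authy_backup_pw"}],    # re-attach device, decrypt synced tokens
    "authy_backup_pw": [{"lastpass"}],                           # random string, stored only in LastPass
    "recovery_email":  [{"lastpass"}],                           # random password, stored only in LastPass
}


def unlockable(requires, have):
    """Return everything reachable from `have` (secrets you hold with no help:
    memorised passwords, a phone in hand, a paper backup)."""
    ok = set(have)
    changed = True
    while changed:  # fixed point: keep adding anything whose prerequisites are all met
        changed = False
        for item, alternatives in requires.items():
            if item in ok:
                continue
            if any(alt <= ok for alt in alternatives):
                ok.add(item)
                changed = True
    return ok


def locked_out(requires, have):
    """Things you can never get into from `have`; a non-empty result usually
    means a cycle such as lastpass -> authy -> authy_backup_pw -> lastpass."""
    return sorted(set(requires) - unlockable(requires, have))


def with_fallback(requires, item, *sources):
    """Copy of `requires` where `item` can also be obtained from `sources`
    (e.g. the Authy Backups Password is also on a printed page)."""
    new = deepcopy(requires)
    new.setdefault(item, []).append(set(sources))
    return new


if __name__ == "__main__":
    memorised = {"lastpass_master", "phone_number"}
    print("as described:     ", locked_out(REQUIRES, memorised))
    fixed = with_fallback(REQUIRES, "authy_backup_pw", "paper")
    print("with paper backup:", locked_out(fixed, memorised | {"paper"}))
```

Run as is, the first line lists all four items as locked out (nothing can be opened without first opening something else), and the second is empty: one copy of the Backups Password outside the loop breaks the cycle.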

What could go wrong?  

Everything is fine as long as your device is working normally.  LastPass stops asking for a 2FA code on a device you've told it to trust, for a while (check your LastPass settings for the current trust period), and Authy stays logged in (meaning, connected to the online service) indefinitely.

But if something happens -- your LastPass trusted-device period expires, you get logged out of Authy, either app needs to be reinstalled, the whole device needs to be wiped and reinstalled, etc. -- that's when you'll notice, and be bitten by, the cross-dependency.

(As a side note, it's always better to have LastPass and Authy installed and working on more than one device.  That way, if something goes wrong on one device, you can use one of your other devices instead.)

What can you do?

The best way around this cross-dependency is to have your important login-related information stored somewhere else.  I highly recommend that you have some other backup that doesn't depend in any way on LastPass or Authy or even your computer or mobile devices.  Think of it as a fail-safe or last-resort backup.

That other backup should contain critical information like:

  • userid/password for LastPass
  • userid/password for Authy
  • userid/password for Google or Apple (depending on your mobile devices)
  • userid/password for the email account you use to own/recover other accounts
  • userid/password for your cloud-based backup/sync service(s)
  • mobile device login PINs
  • computer login password
  • BitLocker recovery password (if you have a Windows computer)

But where?

I have three suggestions for how/where to store that backup:

  1. Print it out on paper:
    • Keep a table of the critical login-related information in your accounts file and print it out on paper.  Yes, the old-fashioned flat white stuff.
    • If you can print it out without service names or userids -- so it's just a list of passwords -- that's even better (in case someone finds it or you lose it), but be absolutely certain that you could look at the page in a year and be able to figure out what each password is for, and that you'll remember what the userids are. 
    • You could compromise and include just the first letter of the service name beside each password; also include the userids (or a short form of them that you will recognize) if you're not absolutely sure you'll remember them.
    • Hide the page somewhere really good. 
    • Put an entry in your calendar to update and reprint the list every, say, 3 months.  At the same time refresh your memory on all the information that you haven't printed out (service name, userids, etc.).
  2. Store it on a full-drive encrypted USB flash drive:
    • VeraCrypt (https://www.veracrypt.fr/en/) is the best way I'm aware of to do this encryption.  It can encrypt the whole flash drive, or create an encrypted container file on it that mounts as a virtual drive.
    • With VeraCrypt you'll then have a completely standalone backup that you can decrypt on any computer in the world (after you download and install VeraCrypt on that computer). 
    • If you get a big enough flash drive, e.g., 256 GB, you can back up all your computer files there too. 
    • The downside is that with VeraCrypt you'll have to choose and remember a(nother) password to encrypt/decrypt the virtual drive.  (Don't reuse an existing password for this -- create a new one.)
    • You don't need to hide the flash drive -- anyone who finds it can only guess at the password offline, which is why it must be a strong one -- but putting it in a (supposedly) fireproof safe would be good.
    • Put an entry in your calendar to update the flash drive with your latest files every, say, 3 months. 
  3. Store it in a second LastPass account:
    • This is more complicated so may not be right for everyone.
    • Create a second LastPass account.
    • Don't enable 2FA on it so there is no cross-dependency with Authy or anything else.
    • The account needs to have (i.e., be owned by) a different email address, of course, but ideally choose an email address that you don't use for anything else, isn't publicly visible, and that no one else knows about.  You should probably create a new one just for this.
    • Choose a really strong password since there's no 2FA to provide additional protection for the account.

How to choose?

Here are some considerations when you're deciding which of the three schemes to go with:

  • Scheme #1 is the simplest, but it's potentially readable by an attacker, and it's at the mercy of local physical threats like fire, water damage from fire, theft, etc.  If you're traveling, the page is risky to bring along.
  • Scheme #2 has the benefit of backing up all your files at the same time (if you want), and can't be read if someone finds it, but it too is subject to some of the above local physical threats as well as to EMP.  :)  You can bring the flash drive with you when traveling.
  • Scheme #3 is in the cloud so is not subject to local physical threats, but it's dependent on a third-party.  It's also accessible over the Internet, just by knowing the userid and password -- both a benefit and a risk.  There's nothing you need to bring when traveling.

Availability (of your data, your systems, etc.) is a key pillar of information security, and resilience is necessary for availability.  If you implement one or more of these three fail-safe backup schemes, you’ll be a lot more resilient to the nasty shocks that can hit your digital life.