Ask HN: Where should I keep my recovery codes (Google account for exemple)?

12 points by asadlambdatest ↗ HN
Not sure if this is the best place to ask this but: Like everybody, I have alot of online accounts, which all require passwords. I have 3 google accounts and each one comes with 10 recovery codes. Now my question is this: Where should I put them? somewhere in my house? In my password manager app where all my passwords are stored? I try to secure my accounts as much as possible with different password, and 2 steps verifications, but the recovery code is the last layer of protection for an account and I want to keep it in a safe place. Thanks! Edit: word

15 comments

[ 3.1 ms ] story [ 49.9 ms ] thread
Written in my passport, mixed in with visa stamps. Hard to tell what they might mean if you don't know what to look for.
You've just told the whole world. Not so hard anymore.
Physically secured storage. Either a safe deposit box or a fire safe in your home.
I just implemented this. Ultimately I want to have 2 USB sticks with veracrypt on it with the recovery files in the volume.

For now I just zipped them up in an AES-256 encrypted zip file. Keep one in the fire safe and maybe one in my car or work.

My process is simpler. I printed out the recovery codes on paper and stored that in my fire safe.
On paper somewhere you keep in several places? You never know when your mobile or laptop is going to break or get lost for 2FA. It's not likely an attacker is going to steal your note of these and know your login.
Convert the code to a numbering using modulo arithmetic. Take a movie file, and encode black frames for a full minute for every number in your set. Burn the movie to a DVD and add it to your household collection.

If you need to recover the recovery code, watch the movie with a notepad handy.

This is the answer I was expecting from HN. Thank you.
I wrote them down, put them in an envelope and in my safe deposit box.
Crypted archive stored in an unrelated backup service?
I keep mine in my password manager, which is sync'd across all of my devices. That way, if I lose access to my 2FA device, I can still get into my accounts, even if I'm traveling.
Doesn't this make 2fa less secure for you? Assuming your password and your recovery codes are in the same place, that's only one factor auth.
In general, an attacker wouldn't be getting my password from my password manager, they'd be getting it through phishing, or brute force, or some other way. If they acquire my password in any way other than a total compromise of my password manager, then 2FA still protects the accounts.

If an attacker is able to compromise my password manager, then quite frankly, I have much bigger issues to worry about than my 2FA codes. But there are ways to make that harder, too. For example, some password managers also support 2FA (mine supports Yubikey).