502 comments

[ 3.0 ms ] story [ 357 ms ] thread
I keep an encrypted backup and second yubikey at my workplace.
Those are two streams I sure as hell don’t want to cross!
Which is exactly why it makes for a good out-of-band failsafe.
I work from home...
Maybe visit your relatives once in a while and use them as a data drop. It’s really not that big of a problem he makes it out to be. He screwed up.
All my relatives live on other continents :(
During my whole career there was only one workplace in which I would store stuff critical for my personal life.
I'm just as guilty as everybody for not doing this, but ...

perfect is again the enemy of good. Instead of a technically superior backup with rotation and all, it may be better to have some arbitrary, incomplete old backup lying around on a disk at someone's place.

I’d freak out if a friend came to me with a disk and told me to keep it safe.

Imagining someday I go on vacation and valuables are stolen, including that disk. Now that friend’s supposedly personal data is compromised, as of course they would set a lower protection on something that is supposed to be used during emergencies.

Same if the disk gets corrupted because we didn’t realize it’s stored next to the fan, and 2 years were enough to have an impact.

Or we lose it when moving but nobody realizes the loss.

So many weird scenarios, I’d feel more confident if they gave me their kid to raise for 5 years.

Imagining someday I go on vacation and valuables are stolen, including that disk. Now that friend’s supposedly personal data is compromised, as of course they would set a lower protection on something that is supposed to be used during emergencies.

Just use LUKS or FileVault full disk encryption. Your friend just has to memorize one password. If it gets stolen, it's as good to a thieve as random data.

Same if the disk gets corrupted because we didn’t realize it’s stored next to the fan, and 2 years were enough to have an impact.

I would tell them to make more than one off-site copy. It's their responsibility to not just depend on you.

TBH I wouldn't expect someone stealing hard drives along more valuable stuff to just plug it to their Windows machine and call it a day because it doesn't mount.

Also the thief doesn't need to be the one dealing with the data, the same way people stealing cars are usually not the ones brokering them, and brute forcing an offline password wouldn't be crazy long considering it's supposed to be memorable (possibly by more than one person)

Just to say, spreading backup hard disks here and there, and assume everything will be fine even if some of them get lost in the wild feels like a pretty laid back attitude in contrast to the length spent on having a fully functional 2FA system.

LUKS these days supports Argon2, which has configurable time, memory, and parallelism parameters; brute-forcing a single weak password can be as slow as you want it to be. The offline backup of my pass(1) repository on a thumb drive on my keychain takes more than 3 minutes to unlock on an i7-7700K.
Yes, the disk should definitely be encrypted, but it could be using a rather weak password that you can memorize. The key is not to put too much trust in anything, but also not overengineer the solution. Just like DVDs - you hand an old disk to someone without the expectation that it is usable, but it can become a safety net to recover some of your most important data. Lots of copies keep stuff safe.
Easy to memorize does not equal weak (i.e., easy to brute force.) You can use natural language to create very difficult to guess or brute force but incredibly easy to remember passwords.
The someone could be your bank with a safety deposit box. The payment is usually annual and not very expensive IMO at $60 - $150 a year.

Of course, you're open to the risk of loss in a bank robbery, but how often do those happen anyway?

Bank closing office and trashing box is a bigger risk.
I wouldn't freak out. I'd store the disk with the same amount of care that I store my own disks, and I would insist that it is 100% encrypted with free space either encrypted or wiped. (If theft of a powered-off storage medium compromises the data, you're doing it SERIOUSLY wrong.)

Someone who is storing disks offsite is unlikely to have only one copy. I'd offer to review his backup strategy with him, but other than that, I'm "dumb storage", how my friend uses it is his business. I'd also make clear what expectations are if law enforcement or someone with a gun comes for the disk (they're getting it, that's what the encryption is for and I'm not going to jail/dying for something that should be solved with replication).

Do you mind me thinking these reactions are kinda weird? I imagine I’d say ‘sure’ throw the disk on the shelf, and not worry about it any more until they show up years later to get their disk back.

Then it’ll either work or not, but spending any time worrying about what might -with some infinitisemally small chance- happen seems pointless.

If they messed up their system, you offer sympathy and assistance. Not your fault or problem.
>we didn’t realize it’s stored next to the fan

Huh how would that shorten the lifespan of any storage device?

fan might generate magnetic fields.
Backups are not binary. As part of a backup strategy, it may be worth the $200 or so for a USB drive to have a somewhat stale year old backup of last resort sitting in a parent's or friend's closet somewhere. (Presumably encrypted.)
Once you know your master pass phrase in Bitwarden + email you can get back in. Providing of course you don’t enable 2FA, which could lock you out if your Yubikey gets destroyed. Bitwarden has an ‘attachments’ feature so you can upload the QR code seed image used to setup TOTP so you can set up all your TOTP accounts again in an authenticator app in a worst case scenario.
I do this.

But I also enable 2FA and store the seed for that publicly... on the internet. Just without any context at all as to what it does.

By itself the 2FA seed is useless. You need to know what it does, and you also need the email (it's not my public email) and the password (which is very strong).

I also have a set of plain instructions that my partner has explaining how to Bitwarden and access all the things if needed, including how to use a 2FA app, etc.

Worth noting: Bitwarden gives you a recovery code incase you lose your 2FA device. So as Terrence Eden said: invest in a safety deposit box and store the recovery code there. Or memorize it if you can.
Having no 2FA on your password manager is incredibly reckless. That and your email are by far the two most important things you own.
(comment deleted)
This is a very good example of vulnerability introduced by badly organized security system. One does not keep backup access codes in places which are unavailable in case of a failure of primary access methods. Store your 2FAs in a separate phone kept in a SAFE, a combination to which you do remember. Also, adding 2FA to a password manager is probably excessive, just use a really long password which is easy to remember. Like "HowOn5EarthsCanAPersonForgetHisPazzw0rdToPasswordManager?", that'll be enough.
With no second factor you are vulnerable to anything that could sniff your password. I guess this is fine as long as you never log on from any untrusted machine/location?
Also any phishing you don't notice, or many browser hacks. A good 2fa (u2f, fido) authenticates you to the service, but also verifies the service is what you expect.
I'm rather averse to using cloud services for password management. KeePass all the way, syncing the key file with syncthing or something.
The author's codes were kept (on paper) in a safe, but the contents were destroyed in the fire.
Just in case you did not notice, this did not actually happen, it was a hypothetical.
(comment deleted)
- "Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated."

But... the lightning strike caused a fire. That shouldn't mean the fire is "extra hot" or something like that.

I'm disturbed, as I keep these kinds of thing in my fire safe for just such a reason.

The 2017 Tubbs wildfire burned so hot that it melted fireproof safes, as I understand it. Something about 50-100mph winds and incompetent forest fuel management making the fire burn extra hot?
A fire-proof safe is a safe which won't be destroyed by a fire.

That doesn't mean it won't heat up.

That would violate the laws of thermodynamics...

They usually have a rating of how much fire heat they can sustain before the insides get uncomfortable for paper...

About 420 degrees, the question is duration, not temperature.
Fire safes are rated by time and temperature.

A particularly intense house fire could exceed the parameters of one's safe.

It was all hypothetical

> In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal

As a LockPickingLawyer fan, I sometimes wonder if these “fire-proof” safes would actually withstand a fire, as there is so much bullshit labelling going on.
Well, this article is a hypothetical, but fire-proof safes are, like anything with "proof" in the name, not fire-proof, merely fire-resistant. It's theoretically possible for a lightning to strike in the worst possible place and trigger an unusually hot fire, one that exceeds the maximum tolerance for your safe. House fires can apparently hit 1500F, and if you've cheaped out on your safe then you might be in trouble (e.g., the Amazon Basics Fire Safe "can protect your belongings at 1200 F for 20 minutes").
Replace "house hit by lightning" with "house hit by missile strike and now occupied by the Russian Army", a very real scenario nowadays, and you have the same problem again.
For anyone confused about heat and temperature (which in everyday speech get often mixed up) here is a good thermodynamics recap about the definition.[0]

A lightning strike can heat up the air around it because of its relatively high electrical resistance; up to 50k degrees[1].

The change in temperature (average kinetic energy of the air molecules) itself can be seen in the lighting flash (creating for split seconds an awesome "plasma channel", effectively ripping apart the molecules in its dendritic way through hundreds of MV) and consequently heard (if near enough) as a pressure wave, a quick rolling thunder rumble.

Relative to the vast amount of air around a typical lightning discharge event with its characteristic current flow [2] this "temperature" cannot sustain itself so it disperses very quickly. However under the right conditions (flammable materials, humidity etc.) this can jumpstart the chemical process of "burning". Because of the multitude of variables this ain't straightforward [3] as often depicted in movies. So, no the lightning itself cannot "damage" the integrity of a safe but the secondary effects of the environment around it i.e. continuing heat source. (For convenience I've left out the scenarios regarding possible EMP damage and its secondary effects).

[0]https://www.khanacademy.org/science/chemistry/thermodynamics...

[1]https://www.weather.gov/safety/lightning-temperature

[2]https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6953689/table/e...

[3]https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6953689/#!po=85...

> All my passwords are stored in a Password Manager.

And that is the problem!

I've never bought the hype about a different password for each service. I've 4 passwords in total, sorted by importance, and each new service gets the one most appropriate according to the data it manages.

So, having Hacker News pirated means my Quora account is at risk: so what?

And really important stuff (read: banks) is protected by two-factor authentication anyway.

> In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am.

Not really, if you have spent your whole life introducing you as "qjkhgjbhjhgjhgj" to one person and "opiqnbasvwnezc" to the other.

This literally is saying that if someone compromises one of the passwords you use for all the important stuff like banking, they've literally just gained access to every important account you have which can be life changing in a very bad way.

Props on using four passwords instead of just one, though.

> And really important stuff (read: banks) is protected by two-factor authentication anyway.
Still a bad idea, you're leaking information for social engineering attacks either against you or the company holding your account.

Anyway your 2FA is acting to make your passwords actually unique, in a sense, I suppose. Not that I'd necessarily trust it on its own.

The worst information leaks are passwords written on a post-it, and they are usually the outcome of obnoxious safety rules.
> I've never bought the hype about a different password for each service.

It's not a hype. Any reasonable security expert will recommend you this. Because passwords evidentially get leaked. And most people are (I'm sure you aren't) vulnerable to social engineering, especially if the attacker has access to other accounts like HN or Quora.

I surely hope that you don't reuse the password of your email account.

> I surely hope that you don't reuse the password of your email account.

That one is very important for me and is not reused at the moment.

> Any reasonable security expert will recommend you this.

Not when you get to the point that you cannot manage them in your head any more, and you need one more service (or piece of hardware) that you need to protect (via a password and/or physically).

> So, having Hacker News pirated means my Quora account is at risk: so what?

This is all well and good until you encounter hackers that sell off your account(s) for spam or other malicious reasons and pretend to be you while doing whatever illegal services or transactions you can think of. If you can't think of reasons why hackers can't make your life hell when they get access to your accounts then you're not thinking hard or creatively enough.

I used to do that 5+ years ago.... Password manager is much easier...
Two-factor authentication terrifies me.

For my bank from my country of origin that I maintain, I get a battery-powered RSA token. From that I can generate a mobile 2FA token in an app that I can use to log in for day-to-day transaction. If I lose the devices with the 2FA token, I have to pray that that CR2032 is still alive or I lose access to that account until I spend thousands of dollars on international flights (replacing the battery resets the device)

I would suggest keeping an eye on the voltage with a meter and when it starts to drop solder on a second battery while you replace the first, the same way people replace game cartridge batteries without losing SRAM saves.
That's a great recipe to fumble and accidentally reset the device.
How? The original battery provides power while you're soldering on the backup and the backup is solidly soldered on while you swap out the original. How could you be so clumsy you rip out a solder joint?
What if it's only held in by the case itself and not a clip? Then I'd disconnect it simply by opening the device?
Since you knew it was a CR2032 I assumed you were already familiar with it.
I just guessed by the physical size of the device. I guess it could be a smaller coin cell as well.
You are correct. Those BankID physical devices have tamper switches that erase RAM on device opening.

An alternative is debit card bankid (as a smartcard, then add Mobile BankID back), but it's being deprecated soon.

Accidentally disconnecting the original battery while messing with it. Or shorting something out.
A bit OT, but at least for the Game Boy you can pop the cartridge (front of the case off) into a console (GBA is especially good as it only covers part of the cart), power it on and then replace the battery. The game save will remain. Or you can use something like the GB Operator and backup the game save, replace the battery and then rewrite it to the cart :)
I lost access to my bank account in UK because my token ran out of battery. The only way to fix this is to fly to London and show up in person. This is a pain because I can't even figure out my account balance - and this is something I must report for U.S. taxes.
Similar thing happened here to my wife (US, bank in UK). "We don't send those out any more, just use your phone". But... a) my wife didn't have a phone at the time (not one capable of running their only supported version of their app) and ... one of the signup questions was asking about bank balance (or... recent transactions, etc) - but... there's been no recent transactions and we don't know the balance because... we can't log in.

This was... ~ 6-7 months ago. I'm unsure what options are left, or... if my wife sorted it out (she did recently get a newer iphone, and that may have been able to get it sorted).

Similar experience here, but when using the mobile app.

My bank in my country of origin also used to use a token, but they changed to a "token app" in the phone about 10 years ago.

However to authorise this app I had to use an ATM. Since this bank only has ATMs in one country, this means I couldn't lose or trade my phone.

After I moved I kept a super old iPhone in a drawer only for this bank, but at some point the app kept threatening me to upgrade, otherwise it would stop working in the next version. But I couldn't upgrade because my decade-old phone was too old for the new version.

Since even blocking my debit card via phone required using the "token app" (something incomprehensible to me), it became too risky to keep this account.

At this point I had no recourse but to close the account.

The Bank of America app only lets you install it if your Google (or presumably Apple) account country is set as America. I am abroad but needed to use the app. I had to create a VPN on an American cloud instance and connect my phone to it so that I could set my country to America and install the app.
I had similar problems. For one, the LloydsTSB banking app is not available outside the UK App Store, so I had to keep a second iPhone with a UK number while living in the USA just so I could have the app installed.
There's a youtuber/streamer I sometimes watch, an American living in Ukraine until the war. She fled to Portugal when the invasion started, and paid for an item with her credit card enroute. This triggered an automated lockout from the card suddenly being used abroad.

The bank's bureaucracy advised her to unlock it she needed to go in person to her home branch in Ukraine (which has a decent chance of being a pile of rubble given her neighbourhood was hit by shelling in the time after she left).

It shouldn't. You can just use authy, which allows you to onboard devices using your phone number, and then a password to decrypt the existing entries. If you use 2fa with authy, remember that password, and remember your password Manager's password, something like this scenario won't ruin your life.
With 'old' banks (and other systems that use these tokens) with a physical token, you can (often?) not do that.
My bank doesn't use TOTP but rather the Swedish BankID system for 2FA
You open yourself up to a much more devastating attack vector though: sim swapping.

If someone can convince the human at the other end of the line that they are you and that they lost their phone, in most countries and with most telco's, they will be able to get up and running with a new SIM with _YOUR_ number.

Resettting your Authy password via SMS is then just a step away.

Yeah i stopped using authy the first time a token was automatically seeded this way (may have been another way, but it was automatic and I didn't like it because I was also using the seed on my Pebble which i could then no longer do with this method). i prefer manual control over stuff like that and definitely don't want it assuming some magic is okay.
I think you’re being a little paranoid:

https://support.authy.com/hc/en-us/articles/360036077534-Aut...

“How do you derive encryption keys from a Backup Password?

We use the National Institute of Standards and Technology (NIST) recommended algorithm PBKDF2.”

Oh no that's fine, I just didn't like the initial seeds for a new 2fa enrollment being magically transferred to the authy app without my control/intervention. See https://authy.com/guides/twilio/ and note that it's not the usual "scan the qr code". The seed is transmitted straight to authy, which, safe or not, takes away control from me to add that same seed elsewhere.
I don't believe you are correct. I believe an existing installation of Authy is required.

>Can I reset my Backup Password?

> Yes, it is possible to reset your Backup Password by tapping on Change Password in the Backup Password area of the Settings menu within the Authy app. You will have to ensure all 2FA account tokens are decrypted on your device (No red lock icons). Once a user resets their Backup Password on a device, all other devices with the Authy app for this user’s Authy account will require entering this new Backup Password.

https://support.authy.com/hc/en-us/articles/360036077534-Aut...

https://authy.com/blog/understanding-2fa-the-authy-app-and-s...

The fact that they disable SMS authentication for accounts that they deem "high profile" says it all.

Last time I looked, I don't recall there being a backup password (essentially a local encryption). If you SIM swap someone, you'll pull down their OTP seeds, but won't be able to read them without that code... so that's a slight improvement at least.

BUT! They have a recovery process. So the risk profile is convincing the telco to SIM swap + lodging a support ticket with authy (that takes 24 hours to complete).

You can reconfigure Authy to require an existing device to let you in as well. It won't prevent the "absolutely everything is fried" case but it's better than most password managers.

If someone tries to use SMS/Voice to activate Authy on my account it just gets rejected.

Pretty neat for everyone that uses two phones regularly! If you leave that other phone in your desk drawer for several years though, I wouldn't be surprised if it doesn't work...
Authy requires a backups password to restore, or least it can be configured to. Of course, hopefully you remember it in a disaster situation. If you have a cloud password manager you can end up in a chicken and egg situation.
Looks like the backup password can be reset too by support, so while that present an additional barrier to the attacker, it doesn't sound that effective.
I am, on the whole, more concerned about self-DoS via fire or similar disaster than I am about sim swapping.

Other people's threat models will certainly differ though, and whether mine is well chosen is certainly open to question.

I've got a 2fa backup code in a DNS entry on a free hosting provider. I've got another hidden in some public source code, masquerading as an example encryption key. There's all sorts of digital hiding places these days. Self signed certificates (serial number, subject, issuer, etc), http headers, etc. Other possibilities are accounts with determinate passwords (eg. a hash of your name) that are used only to store your secrets.
No, you need the password to decrypt your 2FA codes. There's no password for logging in. You're just incorrectly assuming how it works.

https://support.authy.com/hc/en-us/articles/360036077534-Wha...

>If you lose your Backup Password, you will not be able to decrypt your 2FA tokens from Twilio Authy servers and access them within the Authy app on any other device (Eg: If you bought a new phone to replace an old or lost device). If you still have access to the original device on which you set up the Authy app with your 2FA account tokens for the first time, you can follow these steps to re-configure your Authy app on a new device.

Authy admins cannot reset this password. It looks like they can disable encrypted backups, but not decrypt your shit.

So basically all an attacker should be able to do is gain control of your account, delete your old 2fa codes and then add his own.

How does that square with their blog post about understanding the risks of using SMS [1]?

>5 – 2FA Recovery

>Imagine this scenario: You installed Authy, lost your phone, your laptop is broken, and the bitcoin price is climbing like crazy. You need to login to your crypto wallets, but you either enabled multi-device and all the devices with Authy are not working or accessible, and your account has been tagged high-risk, and you can’t use SMS to install a new Authy app. What are your options?

>Authy has a 24-hour account recovery process. By providing your phone number to Authy Support, we can go through a set of security processes to re-enable your ability to install Authy. Some users may question why account recovery isn’t instantaneous, but our goal is to 100% protect our user’s accounts against an attack or hack, and that includes our recovery process. This 24-hour period allows us the time to perform the necessary due-diligence to verify that you are who you say you are. We’d be doing a disservice to all if we were to rush this process.

[1] https://authy.com/blog/understanding-2fa-the-authy-app-and-s...

Adding a device to your account and encrypting the tokens are distinct unreleated steps.

When you enable encryption, they derive an encryption key off the passcode you provide, encrypt the tokens, then store them on authy's cloud storage. The encrypption key is never sent to authy's servers, and only stored on device. When you add a new device, you're prompted to enter the passcode, which generates an encryption key and decrypts the tokens.

How is support going to decrypt the tokens for you? They need the password, which they don't have.

You use support to add a device to your account, and then you use the password to decrypt your tokens.

Granted, an attacker could gain access to your authy account and then delete all your tokens, but that's different from being able to log in and start using your TOTP 2fa codes. You should also have recovery codes written down somewhere in the case this happens for all your services.

I literally just restarted everything from my previous post with more words.

Then their blog post doesn't make any sense. The answer to their scenario is that the user is fucked and they are locked out of everything.

>You installed Authy, lost your phone, your laptop is broken, and the bitcoin price is climbing like crazy. You need to login to your crypto wallets, but you either enabled multi-device and all the devices with Authy are not working or accessible, and your account has been tagged high-risk, and you can’t use SMS to install a new Authy app. What are your options?

Google authenticator will also backup your keys to the google cloud so installing it on a new device will just work. You'll, of course, need to remember your google account password and not set it up with authenticator as the second factor.

(I don't know much about authy, I only use it to access m sendgrid account, but I didn't like the fact that it used SMS for setting up or restoring an account.)

Last i knew, Google hadn’t updated Authenticator in years. Maybe it’s a mature product and doesn’t need updating, but given Google’s history of dropping projects, I moved from Google AuthenticTor to Authy (by Twilio, an enormous company not fly-by-night)
Well, Google Authenticator uses a standard, well documented algorithm (TOTP) and there is really no reason to touch it unless they discover a security issue, it becomes incompatible with the latest version of android or there is a pressing need to improve the UX. But the UX is pretty simple.

I also have Authy, because that seems to be the only one that SendGrid will work with, but exactly because of this I thought that was non-standard. But as I can see now, they probably also support standard TOTP. But they rely on SMS for initial authenticaion (when you install or re-install the app) and I don't trust that. On a side note, Microsoft also has an Authenticator app, which also supports the TOTP standard. (So it can work wherever you would use the Google Authenticator.)

> But they rely on SMS for initial authenticaion (when you install or re-install the app)

It's been a long time since I installed it, so I'll take your word for it. They have my email address displayed in the app, so maybe I can do authentication on a new device over email, too. But regardless of how you initially authenticate a reinstall (email or SMS), as long as you are using the Authy cloud backup -- which is password-protected and cannot be reset over SMS or email -- what is your concern (genuine question)? I do not see the security risk, but I'm no expert.

Mainly the SMS thing. As far as I can remember, when I reinstalled it on my new phone (about a year ago) I just had to verify my phone number via the SMS they sent.

Also, as I have already been using the Google Auth app, I was somewhat ignorant to check out Authy more in detail. Up to know I thought it wasn't using standard TOTP but some in-house developed algorithm by Twilio (or maybe a lesser known/less standard one) because SendGrid specifically tells you to use Authy. Which in itself seemed like a red flag.

IMO the primary reason they're pushing 2FA is for the people who are careless enough to eg log into their personal email on their work computer.

I wish there was an exam you could take that would get you a "computing license" that you could show to bypass a lot of this stuff.

Enforcing 2FA is the most effective security rule ever created. Vastly more effective than password rules, rotation, user education, any anything else ever tried.

With 2FA, almost all of the traditional attacks are impossible and the only one left is specially crafted fake login pages.

Meh.

You're right when you're dealing with large groups of people which is exactly what I said in my original comment. If you understand these issues passwords on their own are fine. 2FA has some nasty edge cases that make it very easy to lose access to your account (which is what everyone in this thread is talking about.) So as always you're balancing security and availability. For some people the proper balance means just password authentication makes sense.

The best IMO would be client side certificates but no one except maybe Github supports those.

No, passwords on their own are never "enough" for you to be secure as you only control your side of the equation. You don't know if the place you are storing it is doing so in plain text, storing a decryption key right next to it, etc. Even if you are careful (I know what you said above), the network you are on could be compromised despite your best efforts/knowledge. Or any number of other things that could make it trivial for someone to gain access to your account in the event they gain access to simply the password.

I don't claim 2FA is perfect, it has its own host of issues as is being discussed. But it isn't just for "the masses that don't understand how to make strong passwords or how to be secure". Certs are good, but they need to be made simpler than they are now for the very people you claim 2FA is for or they won't be adopted (one of the reasons they aren't more ubiquitous, IMO). And some certs implementations have issues with account recovery as well if you lose access to them.

It's a really hard problem that you do a bit of disservice to when you dismiss it as "just a problem of the plebes".

> You don't know if the place you are storing it is doing so in plain text, storing a decryption key right next to it, etc.

Any service that is storing passwords in plain text is probably not implementing 2FA in an safe way, either.

That really isn't an argument against my point, that it's very hard to verify what is happening once you click submit with your password.
Password-only authentication still has its uses. I don’t want to use 2FA when I’m logging into a website I’ll use once and never again and does not have any private info about me, maybe to post a comment for example. Or try a service they are demoing.
Im glad news.yc and reddit don't require email to sign up...
Those are totally valid use cases. In no way was I saying everything had to offer 2FA. Just pointing out that it is not just for those that don't know how to craft strong passwords or those that practice poor security hygiene, that it is a useful option to have when security is important.
It can also reduce fraud reports -- if a transaction was authenticated with 2FA then it's less likely the fraud claim is legit and more likely it can be tossed.
> careless enough to eg log into their personal email on their work computer.

Can you explain why that is an issue?

Employers keylog. How safe are those logs, for one?
A lot of work computers MiTM all traffic using a corporate certificate authority. A middle box tears apart the requests, and repacks it using its own cert.
> eg log into their personal email on their work computer

Can you elaborate on the specific risk here?

2FA can be "backed up" by either using a 2FA soft token program that allows for backups, like 2faone or Authy, OR by the services themselves granting backup codes for emergencies. For my threat profile, I have no problem storing my 2FA backup passwords/codes in my master password safe. If that is compromised, I was doomed anyway.

If a service does not allow the use of "generic" TOTP ala Authy or Google Authenticator, AND it does not allow for one time use backup codes, then I do not use 2FA with that service unless required. My main bank forces the use of their own built in 2FA (Symantec VIP on the backend) which pisses me off. My work uses Okta and RSA. Oh well.

Pretty much all the banks in my country (Sweden) use a local national digital ID system called BankID which is issued by the banks themselves to mobile devices as a second factor and gets tied to your national ID number (and once issued by your bank is used by your bank, other banks, the government for tax filing/address change/receiving official mail digitally instead of physically, signing contracts for e.g. apartments, and even retailers to address auto-fill).

All the banks I know of require 2FA in the form of either a physical, battery-powered RSA token (sometimes in the form of a EMV card reader) or a valid BankID.

The assumption is you live in the country and can just visit a branch if you have any trouble, which works for 99% of customers. But not for me.

One bank I have set up in a new country set me up with their mobile app and that mobile app is the only way to access the bank. They have a web-app, but login to the web app can only be authorized from mobile. At least an existing install can be used to authorize installs on new devices. Got it on 3 devices installed just in case.
This is one of my great fears. I'm a nomad and all my possessions are in two bags I carry around with me from country to country. It's much easier for this to happen to me.

Not sure what the solution is?

In the past I've tucked away a piece of paper with recover codes on it at a family members house. So in such an emergency I could call them up and tell them where it is.

I should really do that again.

What about snail mail to a relative?
I would imagine you could reach an agreement with a digital savvy lawyer (or law firm) to provide a service to:

- store important information - have human processes to get you access if needed

This is called "escrow" and is extremely common.
Recovery codes can be stored publicly, but deniably on the internet. It would be like finding a hay in a haystack. No need to call anyone, just download a picture of a cat and decrypt it.
This is a cool idea and I've been contemplating it myself - but if you don't control the picture, whay if someone chabges it or recompresses it, then its binary changes and you are screwed.

You are better off with a famous historical text, like in 'invincible' they sued Frankenstein. But it has to be with a clear and indusputed original, not something that has mutiple translations.

What if drumroll its a good uisecase for blockchain? Like use hash of block number 200 or smth.

Not exactly how it works, steganography can produce a plaintext, picture or whatever as a cover for the ciphertext, but the cover is not going to be identical to the original. Consequently steganalysis will be able to recover the ciphertext.

But with deniable steganography you can use a fake key to decrypt the ciphertext, so the guy standing behind you with a $5 wrench can see that you have nothing to hide.

A bit like my gpg encrypted crypto wallet... I mail it to everyone
When I was nomadic I traveled with my 1pass master password (and that only, no other context) on a laminated card in the zippered ‘hidden’ pouch of a travel belt meant to hide money. I figured I might get mugged by someone who knew to look there but that I could perhaps hope to convince them that the card was worthless and keep it even if they took my devices, cards, and cash.
If you use something like 1Password maybe setup an email address only you know about that you send yourself (from the new email) an encrypted zip with your 1Password Emergency Vault? Then you have 3 bits of data (4 if you don't save your master password which we can assume you know) protecting your backup: account name, account password, zip password, and vault master password.
2FA with password manager is pretty much asking for trouble. Any compromise that is capable of leaking my master password can’t be stopped by a second factor.
What do you mean? I need both my Yubikey and my password to log in to my password manager. If my master password gets leaked somehow, they still need my Yubikey, which is on my person at all times.

The CIA could infiltrate my house when I'm sleeping and steal my Yubikey, but any other idiot on the internet that wants my data has no chance, which is what I'm most concerned about.

To leak my master password, “any other idiot on the internet” needs to do one of four things: (1) backdoor my password manager; (2) install a keylogger to capture it while I’m typing it in; (3) somehow grab a copy of the encrypted database and crack it offline; (4) read my mind. (1) is game over; (2) with that level of access they can also steal everything while the password manager is unlocked; (3) with offline cracking, any 2FA protection just extends the password, and my master password is strong enough for any idiot on the Internet; (4) can’t defend against magic.
Sorry, I'm not sure I follow. First you say that 2FA is useless if someone gets your master password, which is wrong, now you argue that stealing a master password is very hard.

What exactly is your point?

I outlined all the scenarios where the master password can be stolen. In none of the scenarios does a 2FA offer additional protection.
Yes it does, because 2FA means you need BOTH the master password and the second factor device to log in. Stealing the password is not enough. That is the point of 2FA.
The point is in none of the scenarios 2FA isn’t compromised at the same time or is even needed (except in the offline cracking case, where cracking password + token is harder than cracking just password, but with a reasonable password both are practically impossible). Read again. Consider realistic attack vectors instead of repeating dogma.
2FA, especially hardware based 2FA protects you from scenarios that could involve leaking of your passwords (such as many common MITM attacks, phishing, spoofing) and makes cracking a DB incredibly hard for your average hacker if they somehow get their hands on it. And you would have to define a 'reasonable password' because I could guarantee what you consider reasonable is orders of magnitude easier to crack than a 2FA + password solution. It objectively reduces the amount of attack vectors to gain access to your accounts.

Calling it dogma when 2FA has known security advantages is just wrong.

I suspect they are thinking of TOTP-based schemes for 2fa, not hardware-based 2fa. With TOTP-based 2fa, you can store the seeds in your password manager, which ends putting them next to the passwords themselves, all in one place.
It's almost comedic that the point of backups is to remove the single point of failure and then security paranoia creates new ones.

Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?

If you're going to be that secure, put them on a USB stick and bury it in your yard or in the hollow of a tree. Easier to update and won't be destroyed when your house burns down.

This obviously requires you to have a yard, which is probably not that common for city dwellers (even people renting houses shouldn't really be digging up their yard, and if you live in a duplex quadplex, you're sharing that yard with some number of neighbours of varying trustworthiness)
I wonder if you could just store a microSD card in a weather proof container taped or attached magnetically to the underside of a bench or other urban fixture. Place 5-6 of them for redundancy and keep them up to date.
Another thing - flash storage that hasn't been powered up for a few years will probably have lost data. Better to get backup codes down on paper.
This happens. I've had SDCards sitting in devices long enough unpowered that they required a format when spun back up.
Large-capacity flash drives are very cheap; and you can write the same data (e.g. archive files) many times to the same drive to guard against some filesystem or file-level corruption.

There are also tools like par2(1) that can create parity recovery data for files; you could write those many times too.

My online backup solution that backs up the root filesystem for all of my machines generates a rolling tarball of that and then creates par2 recovery data for that tarball at 10% redundancy, and keeps 30 days of tarballs in addition to the current snapshot of the filesystem itself. This is because I store them on high-capacity spinning rust drives, which do have a small but non-zero data error rate.

Additionally, forensic tools like photorec(1) can recover these files even from severely damaged filesystems.

Then the only things you need to worry about are "device doesn't enumerate at all when I plug it in" and such. I'm sure you can have 2 devices side-by-side to mitigate that.

While I've yet to have this problem, I've actually been mentally keeping track of my ability to bootstrap back up. LastPass is trying to get me to add TOTP or other 2FA, but even though it promises (for now) that my master password can still get me in, I've resisted, because the password manager is my linchpin, and I need to be able to get in there just with "what I remember", and I don't want another way in where I'm not continually practicing that and keeping the memory fresh.

I also every so often take a backup of the LastPass DB and put it on my local Nextcloud, which get encrypted backup to S3 every night.

2FA is a lot less scary at work, where I have administrators and coworkers who can vouch for me face-to-face and reset it if necessary. I feel like there isn't a widespread understanding that personal authentication is a much harder problem than corporate authentication for that reason. It is easy to end up accidentally webbing together all your personal authentication until your current phone is your one and only token. Heck, with all the 2FA flying around now it's probably possible to get yourself into a situation where the only way to authenticate is using something else you're already authenticated to and you can't bootstrap back up if that expires unexpectedly. If we're not there we're getting close.

I have my 1Password emergency kit, with the password filled in, stored on a water-sealed USB drive[1] which I store in a fire box in my house. The combo should mean, modulo a much hotter fire than most typical house fires, that when the fire department puts out the house I can just cut open the melted fire box and extract the very wet but still functional drive. I haven't tested this, of course, and I might take the above advice and put a second copy somewhere else.

[1]: https://www.corsair.com/us/en/Categories/Products/Storage/US...

I store them in Keepass files and then bury them/give to a friend/save in the cloud/whatever. It's just a single password that you remember, with no reliance on an external authenticator or like. And if someone finds your files, they're useless without the password.

If you store them on cloud, you should obviously do so on a service with no 2FA and a password you remember. The first priority is that you can access it anywhere and the main protection comes from the encrypted Keepass file.

This is why, while 2FA is important, it's not a panacea (and things like the article do happen - which is why I'm always very skeptical of "2FA everything" people)

Some passwords you absolutely do have to memorize. And that is fine. I keep those good passwords for services run by professionals.

Also recovery codes exist

(side note if the pictures are correct - the sim card and the Yubikey might be salvageable)

There is a 3rd way which is not widely adopted yet and it requires to handover some personal documents, but that is to use an IDV service as a fallback. There are obviously some disadvantages as well I am sure you can think of.
How do you still have access to your blog to be able to publish this article?
The article ends with "In the meantime, please rest assured that my home is still standing." So presumably it's all hypothetical.
Also the very first paragraph is "Imagine...".

I missed both of these, and wondered why an HN commenter said luckily everything is fine..

The first paragraph also says "Imagine…"

I skipped over it the first time around, but that made the rest of the post hit harder. This was pretty well written.

We are all now on the precarious stilts of technology.

Apple is the worst regarding this scenario. They force 2FA like you are a child. I get it, in most cases 2FA is great, but my lifestyle makes it a problem.

The problem is more that you have to use Apple's 2FA which is linked to their devices. You lose them all at once because you are robbed? Good luck!

There isn't any way to get a TOTP key you can store in a password manager.

You can still get a TOTP code from Apple via SMS to your trusted phone numbers. When it prompts you for the TOTP code select “Didn’t get a verification code?” and you can pick one of your trusted phone numbers no problem. I have had to use this in the past and it works fine.
I very nearly was not able to login to my Apple account on a new computer because I did not have an old device to verify, and of course I hadn't kept the master recovery key where I could remember where to find it.
That problem is solved by how 1Password works:

* Your password vult is encrypted locally and stored on their servers (just an encrypted file!) * To unlock the vault, you need the password and the generated master code. * The master code is a PDF to print, which you can give someone you trust – they still only have half of the things to get access.

The losing of digital life is completely solved. Just print that damn PDF give it to your parents and remember your password.

Not really solved - forgetting a password is where you started. Does it help to say "Just remember the password!"?
It’s a lot easier to remember one specific password. Especially when you need to enter it at regular intervals.
Not solved, because your parents could lose a piece of paper (I'd say that's actually a fairly high risk, not just theoretical). Anyone could lose a piece of paper, for that matter. You want multiple, distributed across at least three continents to be sure. The same with your password. ;-)
Sure, you don't have to stop at distributing just once copy…
Even then - this is a fairly ugly solution. You're dependent on an external entity to be responsible with your stuff in the case of an emergency.

I love my friends and family, but I'm not sure I'd trust them to keep a random file/paper for years on end "just in case" and still be able to find it when I need it.

Personally - I went with the "extra yubikey in a safe deposit box" approach, and it still feels super shitty.

I'm not at all a fan of "code is law".

It doesn't even scale. This assumes you're the only one with PDFs to share. What if you have siblings and other relatives, and all of them are tech-savvy -- if they aren't now, in the future they will be -- and want to store the PDFs with your parents.

What, are your parents going to be running a PDF storage service, classified by person? That's too much to ask of them (for most parents).

All these "rebutals" to the pdf approach sound like those infomercial TV ads where people have trouble doing normal day to day things.

Like... mass enail the PDF to several members of the family and be done with it. Can it happen that 5 people at once lose their email access? Sure, but the probability is minuscule.

The comment I was replying to was about physical paper copies, not emails.

Distributing digital copies of your password store to your friends and relatives could maybe work. Be sure you're using a really strong password (that you can also remember by heart), because you cannot trust each friend will store the file responsibly away from prying eyes.

Remember the scenario:

- You lost access to your recovery codes and any handwritten notes, so you better remember the master password by heart.

- But this master password better be really strong, because each of your N friends you distributed your files to is a potential leak to hackers and thieves.

- (Tangentially related: remember you have no authenticator either, so your password store better include recovery codes, otherwise without 2FA you're screwed)

> What, are your parents going to be running a PDF storage service, classified by person?

I mean, it's a piece of paper. They could write the name of the person on the paper, keep them alphabetized, and store and search through hundreds of them easily (let's assume they're rabbits with hundreds of children). There may be all sorts of problems with this approach but I don't think burdening parents with paper storage is one of them.

Edit: of course, if they were rabbits I wouldn't trust them with paper storage. Rabbits are notorious chewers.

I dunno. I've already burdened my parents with plenty of things, and so have my siblings. I don't know that I want to make them responsible for storing random bits of paper they may or may not forget about.
> I'm not at all a fan of "code is law".

You can always not use two factor auth.

And I don't in certain cases (even when I'd like to).

But it's getting increasingly hard to opt out of 2fa on some services.

But not using 2FA comes with its own set of problems. The kind of problems 2FA was introduced to mitigate.
I don't know how you or your friends/parents store important documents but everyone in my bubble has multiple document binders with critical paperwork to keep. Adding a single paper to them is no problem, and the paper is not lost. Stuff is never removed from those binders, just new ones added.
Back when my parents were still in the land of the living, I would've been entirely comfortable believing that the odds of them failing at that would've been low enough that (odds of that failing * odds of my needing that data) would've been stupidly low - low enough I'd've accepted the risk and stopped worrying about it on the basis the likelihood of a problem at that point was significantly lower than many other at least as awful problems and I should focus on mitigating those instead.
And what if someone dies? We'd need something that would do periodic health checks. Preferrably during off-peak hours..
Put it with your will. If you have kids or any amount of savings you should have a will. Store it in two separate locations (your house, and someone else's).
I just store a copy at work. I figure I'm unlikely enough to lose all my possessions without dying at the same time that my workplace gets destroyed.
What if you don't really have friends. Not really an uncommon thing.
Put it in a safe deposit box or store it at a notary like a will. There's multiple ways to store a piece of paper offsite without having friends or family.
You still have to be able to prove to THOSE entities that you are who you say you are.

And I say that as someone who has a spare yubikey sitting in a safe deposit box.

Eventually, this would probably work out, but it still feels super shitty.

do you clone the ubikey or enroll two different keys? i struggled to find providers who let you register a second key
You can’t clone a yubikey
You can store keys generated off-device though. Depends which protocols you care about.
I enrolled two different keys.

It's a pain in the butt, and it's very limiting because adding another secure service means going to the bank, so I try to limit the 2fa through yubikeys to things like my password manager, my keycloak instance, and other very important accounts.

My take is that 2fa is still not there yet, and I'm a little worried about the push for webauthn, since I foresee a lot of potentially lost accounts.

That's not a technical problem though. Going to a bank and saying "my house burned down, here's an affidavit or a notarised document stating I am who I say I am" is fairly likely 5o get you access again.
It's SUPPOSED to be a shitty/frustrating/annoying process, not easy. This is your "break glass in case of emergency" solution - you don't want to ever use it and you want it to be super hard for someone else to compromise it.

We have plenty of ways to make this easy but if all those avenues are blocked because of some black swan event, you need a backup - and that backup can't be too easy because then it invites attack.

My first thought in that case would be to store fragments in multiple semi-trusted places that don't know which other semi-trusted places are involved with Shamir's Secret Sharing so "knowing what a majority of the semi-trusted places even are" is a prerequisite to recovery.
Delegating half of the problem to someone else is not what I’d call “completely solved”.

I suppose your point is, nobody should live a life where they can’t trust someone to keep that pdf for them, but it feels to me like solving a technical problem through social means. That’s a fresh take, but it also relies on so many assumptions.

Account security is social. It's using social means to solve a social problem, with a technical bridge.
But this technical problem is unsolvable, our industry lived in arrogance of pretending they solve problems they can't actually they don't, and blaming the user when it fails
Once you have printed out your master key, you might as well go back to writing passwords on a sticky note...
I swear to god sometimes I feel our proffesion mostly consists of people that are a weired combination of arrogant and alternatively gifted. They do not value and do not understand how the rest of society does things.

Hundreds of years ago we have invented this cool thing called a Safe. It works better than 90% of tech-based security systems out there. Write something on a piece of paper, put it behind a locked door, and you will be safe from 99% of scams and attacks that exist. If someone breaks into your house, and get this piece pf paper they will be leaving real fingerprints, and real police will get involved. If noone breaks into your house, then only select few people are ever near that safe.

And even absent a safe... Absent a trusted family member pulling an inside job, how much risk is there really for an average--or even not so average--person to having accounts compromised because someone found passwords written down on a piece of paper somewhere in their house.

Yes, perhaps the equation changes if you have roommates/family you don't really trust.

The trick is to then store it somewhere that anybody who came into posession of it would be unable to figure out -what- master key it was for.

If a friend of mine has an arbitrary chunk of ASCII stored under their google contacts under a name only they and I recognise, absent rubber hose cryptoanalysis of them it's not going to be an issue, and frankly I don't consider that relevant to my threat model - if somebody's -that- excited about my accounts they'll start with the rubber hose on me at which point all bets are already off.

I went through the process of considering this recently, and considered a safe deposit box, but as mentioned, they're not viable in many places. I eventually settled on multiple security keys, distributed across multiple locations I have access to. And it got me thinking, is there a business opportunity in providing secure storage for security keys? Safe deposit boxes are, as the post notes, either mythical or extremely expensive and inconvenient.

I can come up with a few challenges to running such a service, and a few solutions, but I ultimately come back to thinking: nobody smart enough to use a security key is going to trust some third-party to store their emergency key, no matter what security methods are implemented. Am I right in that assumption?

Probably correct. The correct answer is something I’m working on for fun. Basically, witness encryption of a sort. If you can cryptographically/mathematically prove something has happened, you can decrypt a “bootstrap” of your digital life. I’m working on the tooling/encryption bits now, but I already have a (not published) service that monitors phones/computers for “liveness” and provides a cryptographic proof that they are dead when they go offline for a configurable amount of time. You can use that as an input for the witness encryption, along other inputs. You can just store that file in the open, maybe encrypting only your 1password master key or a backup code to your email.
I remember reading a story about backups right after one of the California wildfires and the author said something like this:

"I used to store my backups in the garage and thought myself smart since they were physically separate from my desktop. Then ENTIRE NEIGHBORHOODS burned down and I realized I needed more physical distance"

Sorry to hear that, @edent, and as someone that just got a Yubikey [1], it sounds like I need to place the spare one at a geographically distinct place ASAP, rather than in a lockbox in my house. Easier said than done.

--

1: only my mail and password manager are protected with my Yubikeys. As long as I can have access to one key, I'm safe. Which means if I lose access to both my FIDO keys, I'm fucked.

Ah, I should read to the end before commenting. Happy to know the house is still standing.
I don't 2FA my password manager and email because of the fear of being lock out of everything. I travel a lot and some country I can't received sms. What hapen if I got stole everything. Loose access to my email, bank account .. I don't event know people number because it's in my phone.
1Password “forces” (strongly suggests to) you to physically print a recovery kit with both your master password and secret key on it. I keep mine in a safe deposit box in another part of the city. Of course, losing access to this box is a concern, but ¯\_(ツ)_/¯ I suppose I could also bury it somewhere remote too without the QR code or my identifiable information in it, or mail a copy to a family member.
First, I’m so glad this turned out to be hypothetical, and you didn’t have to suffer through such a catastrophic loss. Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind, and you’d just be glad to have your life and your family - the only real things that matter in this world.

That said, planning a strategy for offsite data storage or a secondary authenticator is of course wise. A safety deposit box or other offsite location that you can frequently refresh and keep up to date would be a good investment. If you’re worried about keeping a master key to your life in a single place, you could separate your data and your authenticator. The how likely depends on your threat model, several people on this site may find it insufficient. To whatever degree you obfuscate or complicate your recovery path, you also increase the risk of losing access to it yourself.

You might also consider it’s not necessarily the “thing you have” that might go MIA, but due to physical injury, age, or just forgetfulness, the “thing you know” could also be at risk. I realize this the older I get. Finding a secure way to store a master password in the event you cannot recall it, or perhaps in the event of your death, is something you may also consider. In this case, I would avoid a cipher or something else you’re likely to forget.

> Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind

To note, our banking system is well part of our digital life. Europe has already a flurry of “real” banks that have no physical presence, and after a catastrophic loss you’ll need that access to your bank as soon as possible.

This has made me think twice about using those banks (I'm thinking of Monzo etc.). I was already reconsidering anyway as all of these banks have been consistently reducing features and limiting usage (e.g. cash withdrawals) and generally making themselves worse than the 'real' banks.
It depends on the “attack” vector you see as the most problematic.

With a “real” bank, I had to go to an agency 5 times in a row to solve a paper issue because they wouldn’t just message me about it as it was “confidential” (they couldn’t validate our home address, though we were receiving their spam pretty fine), and the system was really built around the assumption that making you come to the agency was a no-brainer. The other options evolved snail mailing copies of the papers and waiting for them to process it.

There’s also the issue of “old fashion” people sticking more with traditional banks, making them skew their offerings towards these people. I was endlessly phone spammed with insurance and bullshit travel packs, and I couldn’t just block them as it came from my actual agent.

I think I'm lucky then. My 'traditional' bank is paperless, has a good app and website, and I can do everything over the phone with relative ease if I need to. It's all a bit clunkier than one of the app-native banks (which is why I half-switched to the app bank) but that's the software snob in me more than missing functionality.
> First, I’m so glad this turned out to be hypothetical

I've only learned about this is hypothetical from your comment (yes, I'm guilty of not reading to the very end). I wish the author conveyed that a little more clearly.

The first word in this document is "Imagine", how can it be clearer than that?
This is a common setup to build empathy so doesn't always mean "the following is a hypothetical thought exercise", such as "Imagine you find your self in the same situation as me, your house struck by lightning..."
Unfortunately the Internet is rife with poor sarcasm and misleading titles.
It's ambiguous; the word can be used not only for a hypothetical, but also a "put yourself in my shoes"
Given all the pictures in the article, I took that to mean "imagine you were in my situation", not "imagine this happened to me".
(comment deleted)
It also detracts from the main point, which is this could happen to someone, but, since it’s hypothetical, makes it sounds a lot more unrealistic. The "fireproof but not lightning-proof" safe gave me pause, for example.
If he was actually locked out as described, how would he have made this blog post?
> safety deposit box

A firesafe in a friend or relative's basement is a much better choice. Safety deposit boxes regularly get lost, tossed, or sold and the banks have very little liabilty.

https://www.nytimes.com/2019/07/19/business/safe-deposit-box...

Only given how the article assumes everything burned down, your friends house would also have been struck by freak lightning of doom.
> A firesafe in a friend or relative's basement is a much better choice

The article addresses these options and why they are not ideal either.

Also, one thought experiment I just came up with: how many of your friends are you willing to let store their pendrives in your basement's firesafe? How often would you be comfortable with your friends coming to your home to update their pendrives?

The only thing that needs to be on this pendrive is the master password to the password vault and a separate yubikey.
What is the fascination with pendrives? Can't it be a piece of paper?
I suppose they might want to encrypt a pendrive in case it was stolen from the friends housse. But you could do something similar with a piece of paper.

Pendrives aren't known for storing particularly well over the long term so they probably aren't a great choice anyway.

I know several who I believe would be fine with it, all of whom I see regularly, usually down our usual pub, and all of whom would I suspect be happy to do an update at least every couple months in return for me buying them a few drinks for the hassle.

I already have multiple friends who have copies of my house key held in case something really stupid happens, none of whom found that weird and all of whom I'm willing to trust enough that I believe the risk of having multiple such copies extant but unmarked is significantly less than the risk of not having that fallback plan.

In fact, they all considered "being one of the spare key holders" to be an honour more than anything else.

I am very much aware that there are many people whose situations are very different than mine, but it works for me (and they're all wonderful people for whose existence I try to be appropriately grateful.)

I live in a fire prone area. I have a safe deposit box 30 mins away in a place that won't burn. I keep a HD there with all my photos on it. I refresh the drive monthly. The chance that this small credit union with maybe 100 boxes will lose, toss or sell my box on fire day is pretty minimal.

Yes, safe deposit boxes are not always as safe as spy movies would have you think (or even that we should assume them to reasonably be), but they can still be used as part of a disaster recovery strategy.

> or perhaps in the event of your death, is something you may also consider.

When my dad died we were glad that he had most of his passwords written down. There are a lot of things like the electric bill that we didn't know if he had paid yet or not, and other bills that are entirely paperless that we have have no idea about. Mom would hate to have something not paid just because we didn't know to pay it. There is a lot of paperwork to get access to accounts after someone dies and that takes time. (dad donated his body to science so that added a couple months before we could even start the paperwork)

Unfortunately there was one account we knew he had (because it showed up in quicken) and an IRA with most of his money, but it took us several months to figure out what bank it was at. Please don't do this to your family: write down all your accounts and their passwords in a safe place that someone trusted will look. (I need to take my own advice)

Anyone who acts as the "head of their household" and manages the family's finances, pays the bills, and manages the day to day home ops, do your heirs a favor and write out a Death Book[1] today, that contains all your various accounts, passwords, copies of important documents, and so on. PRINT IT OUT and put it in a safe or other secure place. I recently had two acquaintances who died pretty suddenly and young-ish (in their 40s). One was prepared and had his shit together, and it helped his family more easily pick up the pieces while they grieved. The other one did NOT have his shit together at all, and the result was even more stress and phone calls piled on to his family during an already difficult time.

1: https://www.marketwatch.com/story/to-help-your-heirs-write-a...

Good advice - tracking down all of dad's account information was very laborious after he passed away - we found an insurance policy that covered my mom that I assume he didn't know about since he never made a claim.

We have our list printed and locked in a firesafe (which is bolted to the floor and not easy to find for a thief), as well as electronically in a shared 1Password vault shared between my wife and I. My sister (and executor of our will) knows that the paper is in the fire safe, just in case something disastrous happens to both my wife and I. They'll need a locksmith to get in the safe though.

> Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind

It isn't though. Access to your digital resources is vital to recover from the loss. You need an e-mail address to arrange contractors, you need your contact list to reach out to friends for help, you need access to your bank accounts, your cloud-stored scans of your ID cards, ...

You need an e-mail address to arrange contractors

No. People have been trained to think they need an e-mail address for real-life things, but they don't.

I had a roof replaced in my last place, which involved multiple contractors and insurance companies. No e-mail. No text messaging involved.

I recently moved to a new city, and setting up utilities, dry cleaning service, parking garage, etc... probably involved a dozen new accounts. I gave my e-mail address to none of them. Depending on the disposition of the provider, I either told them I hadn't set up e-mail yet since I moved, or just a flat "no."

you need your contact list to reach out to friends for help

If you're over 40, you can remember the days when it was perfectly ordinary to remember the phone numbers for dozens and dozens of people and businesses. These days, we've allowed computers to think and remember for us (hello, Stackoverflow!) so we don't have to. Memory is a normal skill that many people have lost or neglected.

you need access to your bank accounts

That's why it's important to have your bank accounts with an actual bank, with actual branches, and actual human beings to help you when human being things go wrong in the real world.

your cloud-stored scans of your ID cards

I can't even wrap my brain around why you'd trust information this important to a rental computer a thousand miles away.

"Everything digital" is a marketing tool. In reality, it only works when it works. When things go wrong, digital shows its fragility.

>> If you're over 40, you can remember the days when it was perfectly ordinary to remember the phone numbers for dozens and dozens of people and businesses. These days, we've allowed computers to think and remember for us (hello, Stackoverflow!) so we don't have to. Memory is a normal skill that many people have lost or neglected.

Heck, if you're over 30 you remember this. The problem though is that you remembered those numbers because you dialled them frequently from memory (and, at least in my location, landline numbers were much shorter than cell phone numbers). If you're not doing this on your smartphone you're never going to be able to remember the numbers. e.g. I can remember all of my childhood friends home phone numbers. I can't remember my partners cell phone number.

I recently considered getting an analogue phone book and noting down all the numbers in my smartphone contacts book just in case I ever lost access to the digital version.

You likely still have a printer. Print out your contacts and toss them in a safe
Yep good call. I just realised the Mac contacts app lets you export it to a nice PDF I can print.
Pretend he said "phone unlock code" instead of email password. It's 2022. Everything is digital. Auth is essential.
Phones break and get lost/stolen.

All of us--and I include myself although I try to have some backup information on paper--have probably become too dependent on a single physical device which sucks in more and more information every year. See ongoing digitization of driver's licenses.

Especially for international travel, but really generally, I try to make it so I'm not completely screwed if something were to happen to my phone.

Yes, the "one device per phone number" restriction is quite annoying. I'd like to have multiple, functional copies of my phone. Instead I settle for a phone and a 4G watch, paying for one phone number for each. Since eSIM providers allow cloning but I haven't tried that yet.
I try to still print out boarding passes when I can cos I don't want to deal with delays or missing a flight if my phone runs out of battery, especially if it's a flight out after a full day out and about. It's also less annoying at the airport fiddling with my phone to get the right barcode up each time it's needed (and no, I won't put it in to Google wallet)
I don't go out of way to print boarding passes when I'm on the road. But certainly at home, it takes maybe a minute so why not?
Same. Paper has no downtime.
I stopped doing this when I realized I hadn't used a single paper one in about 50 flights.
You'll start doing it again after someone swipes your phone at the airport (yes, this still happens) and you miss your plane waiting in line to deal with the customer service agents.
I guess that depends on airport. Typically I could get a paper one printed at kiosk using ID if needed, usually 10 min or less. One of the reasons I stopped bothering.
> People have been trained to think they need an e-mail address for real-life things, but they don't.

The Dutch government not only defacto requires it, soon an Android or iOS phone with their app will be required too. Only very determined, very patient people with lots or spare time will be able to do without.

The Dutch government not only defacto requires it, soon an Android or iOS phone with their app will be required too

What do poor people do? Or the very elderly? Or those with diminished mental abilities? Or people whose culture eschews technology?

They get screwed, in most cases.
I assume they do the same thing as anyone else in any other country does. They go through the fall-back bureaucratic channel of 'haul your ass over to a physical, brick-and-mortar agency office'.
The Dutch people should probably protest against measures like those.
They don't, because they are largely anti-luddites.
I was thinking about this on the way home the other day. I'm the most tech savvy of all my family and friends. I live and breath tech. Code all day, game all night.

But I'm the one who hates all smart home devices. I'm the one who wants a dumb TV. I would be perfectly happy with my dumb phone if it didn't keep pocket dialing emergency services.

I want less tech in my life not more.

I'm in a similar spot and have an ancient, dumb plasma TV on its last legs. I've poured HOURS into researching a replacement dumb TV that is reasonably cost effective and available. It's way too hard. I can get commercial displays from Samsung that are about 50% more expensive than consumer grade and about 4 years behind in picture/quality but that's about it.
I just never gave my TV the wifi password.
(comment deleted)
Can't agree more with the last paragraph. Not too long ago, due to my keyboard breaking, I was forced to type my password manager's master password on an unfamiliar keyboard with an unfamiliar layout, and I just blanked. I type it frequently enough on my phone, so I tried typing it there too, but probably due to a combination of mild distress and actively trying to think about what I was typing I couldn't do it there either. I eventually decided to try again later and later that day I managed to type it correctly.

Rest assured, this situation probably sounds as bizarre as it felt. Randomly forgetting something I type every day isn't something I had considered a possibility until then. Maybe a password without as many non-alphanumeric characters would've aided in avoiding this situation, but I get the feeling it could've happened with any muscle-memoried password.

I had a similar problem once. I normally use the dvorak layout but was on a qwerty keyboard. I don't remember exactly why, but I had to muscle-memory type the password as if the keyboard was dvorak and manually remap the characters using an image of a dovrak layout on top of a qwerty keyboard.
My approach to that is to follow xkcd advice with an emergency password which looks less like a random string but more like a real world phrase.

I try to use my local language and some obscure local slang to avoid being guessed by an international dictionary.

> My approach to that is to follow xkcd advice with an emergency password which looks less like a random string but more like a real world phrase.

Yeah, for my master password, I use a slightly misheard line from an episode of a 90's TV show. Googling my misheard version in quotes only gets 6 hits, and it's 30 characters long, so very unlikely to get cracked even without replacing letters with symbols or adding a suffix.

It reminds me of the time I tried to type my password on a keyboard with a French layout, but responding as if it had a US layout. It turns out, even if you think you know where all these special characters are, finding them under pressure (three tries before you're locked out) with misleading visual cues is hard!
Some countries even use more than one keyboard layout, so I try to stick to special chacters that dont change from keyboard layouts. Like dot comma and space.
Few years ago I went to a store and paid with my card and 4-digit password. Not 20 minutes later, at another store, I just couldn't remember the password anymore, missed it 3 times and got my card blocked.

I had to make a new card because I couldn't remember the password to unblock it at the bank.

I had that card and password for 3-4 years at that point, wasn't under any stress at all, and nothing like this had ever happened, nor happened again.

I’ve had the same experience. Walked up to an ATM for the second time in two days and my 4-digit PIN was simply gone from my memory. I never figured out what it was.

That was almost 30 years ago, and thankfully it hasn’t happened again.

I use my ATM so infrequently that it's happened to me a few times. I get cash reups selling stuff on Craigslist so I need the ATM like once a year. Luckily my ATM is right next to an in grocery store branch so resetting the pin is 3-5 minutes talking to someone irl
It has already happened to me blank on the 4-digit PIN I have since more than 5 years. Never thought I could forget something so short I use so often.
Some bank cards have allowed you to change the number to a more memorable one.

The other thing you can do is make a mnemonic story to help you remember it.

I was worried this would happen to me. I made an entry in my notes app. "Doctor Harry Bottomsmith 801-421-8623 9 am Friday" where 4218 was my PIN.

That's saved me a few times when I blanked out. This note, in theory, will look completely innocuous in case anyone gets access to my notes.

I've had a few of these. Until years later when I stumbled upon them again and totally forgot how they were meant to be decoded.
You just validated every adventure game player typing in whatever numbers they can find to try and guess passwords.
I've had this happen to me multiple times, and more often now that so much payment is contactless here (even though I still have the same code as when it wasn't). Additionally, something as simple as a different machine (the most recent instance was a touch screen) can throw me off as well.
A year ago, I had to go to a bank office and engage in some verification process that also required me to use the physical bank card with its preassigned PIN.

No matter what I tried, I hit the 3-try limit for the day, and opted to have the same preassigned PIN sent by mail to my home address.

When walking back home from the bank branch I realized the mistake I had made: I had entered the correct PIN, but had typed it in calculator/numeric keypad order, and not in phone/PIN pad order.

While I've never used that PIN on a numeric keypad for a PC, somehow my brain associated the numbers with their order on a PC keypad, since I had used my PC keypad to unlock my PC with a PIN numerous times more than I had used any card terminal with a PIN.

So, the next day, I returned to the bank branch office to try the same operation again, and indeed - I had correctly entered the PIN and the online banking transfer limit ended up adjusted just fine.

For the past decade and a half, possibly longer, Japanese ATMs have replaced their physical keypads with digital ones where the numbers are randomly placed. Imagine my surprised when the first times I tried to enter my PIN, it kept failing until I took a good close look at the numbers.
Had the same experience. Went to an ATM one night and the PIN for my card that I'd used several times a week for probably a decade was just... gone. Never before, never since.
This happened to me last year.

Completely out of the blue I forgot my PIN, the PIN I had used every day for years. I was at an ATM trying to withdraw cash, got it wrong twice. It was just gone.

Luckily I cancelled it before the machine ate it, but I had to borrow money from someone to get a taxi home.

I had to request a new PIN and I still can't remember what it was. I now keep my pin in my phone under a contact.

I once forgot root password to my FreeBSD installation, I spent a lot of time trying to remember it but failed. So I did a reinstall, and obviously recalled it when prompted to come up with a new one.
I went for a week holiday and when I came back I couldn't remember the alarm code. Had to call the boss at 7am with the alarm blasting in the background.
Mild distress? I don't think that is so rare. But, why are my phone numbers not in the same order as my keyboard numbers! At my bank i drew a blank and had to sit at the assistants desk/ keyboard to fire off the muscles to enter in my old pw, in order to enter in an otu pw they'd generated.
Had that happen with a four digit numeric bank pin once, and several times since then with pass phrases. I tend to get stuck on whatever wrong pattern I entered first and have to try again later.
I posted this earlier:

https://news.ycombinator.com/item?id=21862160

There's a much more evil prank than that:

A user was having a really bizarre problem: They could log in when they were sitting down in a seat in front of the keyboard, but when they were standing in front of the keyboard, their password didn't work! The problem happened every time, so they called for support, who finally figured it out after watching them demonstrate the problem many times:

It turned out that some joker had rearranged the numbers keys on the keyboard, so they were ordered "0123456789" instead of "1234567890". And the user's password had a digit in it. When the user was sitting down comfortably in front of the keyboard, they looked at the screen while they touch-typed their password, and were able to log in. But when they were standing in front of the computer, they looked at the keyboard and pressed the numbers they saw, which were wrong!

Holy crap. That's amazingly evil. And not at all what I thought you were going to say
This happened to me ~2 times I think due to exhaustion and/or stress. Just had to sleep to remember.
Many people with mechanical keyboards (as in non-disposable keyboards) can probably relate to this, having put some keys back the wrong way after cleaning.
It's why the das keyboard with blank key caps was my favorite I've ever owned. It forced me to actually touch-type, rather than touch type the common keys and look for the rest.
Then one always have trouble typing from unfamiliar angles that invalidate ones muscle memory, instead of only when someone swapped some caps...
Oh my god that car prank you linked was incredible.
Being fed up with people asking to use my laptop (some 20 years ago), I cleaned its keyboard and put the caps back on at random. "Yes, of course you can use it, here you are! Oh, sorry, I forgot the keyboard..." Peace and undisturbed working ensued...
Once I got home and found my toddler had completely shuffled the letters on my keyboard.
My employer made me use an SOE Macbook that had the 'butterfly keyboard'. Many of its keys would only work haphazardly. Once I made the mistake of setting my password using the laptop's keyboard instead of the external one I normally used. It had me going for ages before I realised there was one letter in the password missing!
I find it incredibly annoying that my iPad wants to automatically capitalize the first letter of most text-entry fields. I heard somewhere that some sites have made the first char of their passwords case-insensitive because of this, but IDK if this is just lore.
easily disabled which is good!
Not on the client-side! Sometimes it happens when you're typing the first char, in which case you can hit shift (which is visibly activated) and then type the char. But sometimes it 'autocorrects' when you hit the return key, and the only workaround I've found is to type the password with the first char doubled, and then go back and delete the first of the doubled chars. Not fun, especially when you're navigating the cursor on a touchscreen!
huh - if you disable this in the keyboard settings it still persists? Is it a browser input issue? not fun :D
I don't think there's a granular way to do this, shy of turning off autocorrect in its entirety.
I used to work at a company that had some LoB apps used on iPads in a manufacturing facility... if the user login failed and the first character of the password was upper case those apps would retry with it lower case.
(comment deleted)
sometimes i just cant get the password but will get it a bit later when not anxious.
This happened to me, I forgot my Android "pattern", the swiped pin-like thing to unlock the phone. I didn't have a password set. I was able to factory-reset it with my Google account password but I lost recent files that hadn't yet been backed up (photos etc).

I just totally blanked. Like you said, the more I thought about it the less I could remember what it was like. It was really scary.

It's a really scary fact that people try and ignore but: neurons die.

They do this all the time.

They don't come back.

The information associated with them is just gone. Often the information can be reconstructed from other neurons that still work, but not always.

>but I get the feeling it could've happened with any muscle-memoried password.

I can confirm this. Many years ago I had to type for the first time a password on a classmate's iPhone (smartphones were just beginning to become common). The problem was that I didn't really know that password: what I remembered was a shape I was "drawing" onto the keyboard, which involved the numeric keypad... You see were this is going. That event was the one that led me to finally properly memorize that password.

I've done this so many times.

A small annoyance is when I need to change my iPhone passcode because of it being work managed. The keyboard used during that reset is slightly different to the regular iPhone keyboard.

Throws my muscle memory off.

My method of solving this is to only use familiar, well known information about myself as my master password. It's > 50 characters and contains addresses, old ID numbers, my public library card number, account numbers, old usernames from 5th grade (I've never seen another username even remotely close to either my first IRC name or my geocities username). I usually get the order wrong the first time I try it, but correct on the second or third.
I have a recovery code for my iCloud written down on a piece of paper, in an envelope marked for my wife in case of emergency, in my office at work. There is nothing written on that piece of paper but the code.

It's not perfect security, but it's my security blanket in case my house burns down with my phone in it and I need to rebuild my whole house of cards.

> the “thing you know” could also be at risk. I realize this the older I get.

Years ago, when I was in university, I had a couple of machines in my room running FreeBSD with full-disk encryption. These machines were powered on for a few months without reboots until one day when the power went out.

Having not typed in the password in months, and at the time using the kind of passwords consisting of long word with a lot of numeric and symbolic substitutions, I was unable to decrypt the disks of my machines.

I lost a fair bit of data that day, but it taught me a valuable lesson.

These days, any passwords that I use for full disk encryption I make sure to

1. Regularly use. Meaning I’ll reboot machines and retype the passwords on a regular basis. Likewise, I connect external encrypted disks on a regular basis and decrypt them with their passwords.

2. Use pass phrases with many words but without any numbers or special characters. See also https://github.com/ctsrc/Pgen

(For websites etc I use a password manager.)

This is where risk assessment comes into play - people often consider it "evaluate the attackers and how to prevent them" but risks include many things; hardware failures, memory failures, human memory failures, etc.

And one of the biggest risks with encryption is data loss if passphrase are forgotten - using encryption usually involves considering that data loss is better than data exposure - which is obviously true for things like passwords (you'd rather forget your bank's password than have it exposed, because you can reset it) but not necessarily true for other data.

This can lead to things like encrypted systems but storing the off-site backups unencrypted because they're off-line and the only real risk is theft. Again, depends on what the data is.

This is why Android requires users to type their PIN once a week, even if you use biometric authentication. It's an essential practice that needs to be the norm for any biometric auth.
A stroke can happen at any age.
> Finding a secure way to store a master password in the event you cannot recall it,

Currently my master credentials are on an old USB stick (a Yubikey device that I got in an offer, though I only use it to type the long password as if it were a keyboard) and printed (plain and as a QR to save typing issues) & stored well away from the things they secure. The printed copies have the lot, the USB version requires a prefix which I remember.

This may seem risky (the old on-a-post-it-under-the-keyboard issue) but for my online backing and other key stuff the key risk is my password store which is secured by one of those master keys, and its main risk is someone remote getting access to both the key DB and the passphrase and it is properly air-gap secure against that. Similar for the encryption keys for local storage and off-site backups.

> or perhaps in the event of your death

This is a concern I've not at all addressed in my plans. The basics will be putting details in my will for how things should be accessed, but those details need to be both secure from inappropriate access and easy for th eright people to access when the time comes. Though as I have nothing much to leave to anyone that isn't too big a concern yet…

The halfway point is a bigger matter that I (and many others) really should address: what if I'm incapacitated temporarily or otherwise? Someone may need access to my stuff to sort a great many things while I can't. We've had an issue with this with my mother who due to dementia can't even sign her name, so neither she nor my dad couldn't access an account that was only in her name without a huge rigmarole of paperwork and assessments to sort out power of attorney. We've since got things sorted in advance of further problems (myself and my brothers set up with joint PoA so if something happens to him too we can sort what needs sorting more easily) but I have nothing like that setup for myself for either life stuff or technical stuff (or the things that are both).

I'm in good health as far as I know, but I'm not getting any younger (this year I'm on the cusp of leaving "the low 40s") and I've seen unpleasantly final things happen to people who were similarly good health as far as they knew.

I'm a big fan of all lower case phrases as passwords now for this reason. Something like "this is my password there are many like it but this one is mine my password is my best friend it is my life I must master it as I must master my life". Very easy to remember. Very easy to type. Very hard to crack. Cheers.
What do you do for a service that demands uppercase letters, numerals, special characters, and no spaces?
Sure, I have to deal with password requirements when they're a thing. But for things under my control, like my encrypted drives, I do super long lower case letters as per my example.
This is also very relevant for family or trusted access. We had a hell of a time after my father had a stroke (recovered now) even though I had access to his computers and KeePass database - he had plenty of things where phone access was needed but nobody knew his unlock pin and it was required to reactivate fingerprint unlock.
Building on the last paragraph, I keep my root PGP key on an encrypted USB drive. There's several files that are encrypted by the root key, but they're mostly like password manager recovery phrases as well as things like my birth certificate, social security number, and various government IDs I've used. There are two copies of this USB, one travels with me at all times, the other is securely stored and accessed twice a year to ensure it's still performing. Both USB keys have fuses that will blow if opened up. This makes it so that for the rest of my life I will remember one password.

Passwords can also be made more memorable. For instance, because a password manager remembers the rest of my passwords, I made this one what I call a "pattern password". On a US keyboard I could type it in seconds without looking, but it would be too complex to guess.

It took me about 30 seconds to ask the question: If he's locked out of his digital life, how did he post the story to his blog? From that point on I knew it was hypothetical, but it was still a good read and raises important issues.
Where does it say that it's hypothetical?
"please rest assured that my home is still standing" at the very end. I missed this myself.
Lots of made up problems here.

Officials will provide you with replacement/temporary documents in a relatively short time, when you have lost them due to a fire or sth. else.

With those you can start rebuilding your infrastructure. Get new credit/debit cards, buy a new phone, get a replacement SIM from your provider, that way get access to your 2FA system again...

Yeah, it's inconvenient and will take some time, but it's not hopeless.

If your 2FA was based on the device itself, like an Authenticator app, a new phone with a replacement SIM will not help you.
I see. That's a single point of failure, introduced by yourself. Might be good for some, bad for others.
One way to circumvent this is to use a strong passphrase to deterministically generate the PGP/SSH key [1] to unlock other passwords. The SSH key could grant access to a remote server with backups and the PGP key could decrypt passwords using pass [2]. Of course, the "master" passphrase must be kept safe or remembered.

1. https://github.com/skeeto/passphrase2pgp

2. https://www.passwordstore.org/

pass is great for availability, I think I have several friends even in other countries (if a VPS wouldn't be sufficient) that would lend me space with a shell account for a "pass git push".

Of course, the gpg key is an issue, just as well the password or the ssh key for those accounts. In addition to passphrase2pgp, you could also use paperkey and keep it storage and/or a bank safe. I, for one, store my GPG key on a Yubikey. Of course, I would have thought I'm storing it safely, but it's left in my laptop for a few days now, so chances are I would simply leave it there in an actual emergency. However, pass also supports (re)encrypting with multiple keys, and one more Yubikey can then be kept with friends/family, and it can also store backup SSH keys.

Having multiple copies of ssh and GPG keys and the passwordstore git repo, chances are great to be able to recover most of the online presence.

If a phone/tablet itself can be saved, it could also host another mirror of the GIT repo (for example with an app like Working Copy), accelerating recovery.

paperkey: https://www.jabberwocky.com/software/paperkey/

(comment deleted)