I've locked myself out of my digital life | How do you solve the problem described in this article?

2 Likes

I have been keeping an eye out for

This is exactly why I do not use TOTP and similar. Used it once and it scared the shit out of me. Took it away instantly.

That is why I have 6 Yubikeys, distributed to my family members. One long push to the password manager’s master password, one short touch to OTP. I also have backups on my corporate Onedrive for recovery keys and emergency keys. I also have 1Password, backup of 1Password on Bitwarden and Proton Pass (even though it sucks, but it can at least let me recover 1Password).

Edit. Second pair of the Yubikeys are on our keychains, so even in case of emergency we can’t leave our keys behind. Sorry, but we are not as clueless as that blog poster.

Edit2. If you have spare money, or better to say you are expecting to get hit, use a bank safe to store your passwords and backup keys.

4 Likes

Here’s how I do it.

I have two accounts on the same password manager (PM) with two different email addresses. The first PM is for storing emails and passwords. The second PM is for my 2FA seeds themselves, recovery codes, and any security questions.

The credentials of the second email address and the second PM are not stored in the first PM. The second email address and its respective PM account do not have 2FA enabled to prevent any circular dependencies. They both also share the same password. (Probably not good practice but I think the risk of losing access to my digital life is bigger.)

I use a cross-platform 2FA service to be able to access my 2FA codes from any device using an account. I use the same email address as the second PM for the 2FA account. The credentials of the 2FA account are stored on my second PM only and I do not have 2FA enabled for my 2FA account. The first PM has 2FA enabled however.

I have memorised the credentials for both my PM accounts. These credentials grant me access to my entire digital life and are not tied to any specific device.

I have two pieces of paper printed out with these credentials. One is at my house and one is at my friends’ house.

This way, if I lose access to any of my devices, I am not locked out of anything, just mildly inconvenienced.

1 Like
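The "no circular dependencies" property of the two-password-manager setup above can be checked mechanically. This is an added example, not the poster's own tooling: it models what each account needs you to already have access to as a small graph (the account names are constructed labels for the setup described) and reports any cycle, which is exactly the shape of a lockout.

```ruby
# Login/recovery dependency map for the two-password-manager setup described
# above. Each account lists what you must already be able to access to get in.
# Names are constructed labels; memorised credentials with no 2FA have none.
SETUP = {
  "email1"   => ["pm1", "totp_app"], # password kept in PM1, 2FA code from the app
  "pm1"      => ["totp_app"],        # password memorised, but 2FA is enabled
  "totp_app" => ["pm2"],             # its credentials live only in PM2, no 2FA
  "pm2"      => [],                  # memorised, no 2FA: a root you can always reach
  "email2"   => [],                  # memorised, no 2FA
}

# Returns the first dependency cycle found, as a list of account names that
# starts and ends on the same account, or nil when every chain ends at a root.
def find_cycle(deps)
  state = {} # nil = unvisited, :active = on the current path, :done = finished
  path = []
  visit = lambda do |node|
    return nil if state[node] == :done
    return path[path.index(node)..] + [node] if state[node] == :active
    state[node] = :active
    path << node
    deps.fetch(node, []).each do |dep|
      cycle = visit.call(dep)
      return cycle if cycle
    end
    path.pop
    state[node] = :done
    nil
  end
  deps.each_key do |name|
    cycle = visit.call(name)
    return cycle if cycle
  end
  nil
end
```

Storing PM2's password inside PM1 (a tempting shortcut) turns the map into a loop, and the function names it.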

I would:

  1. use a cloud service for 2fa, or keep some kind of cloud backup/redundancy available for the important stuff.
  2. keep cloud 2fa backup access in some way that is not digitally linked to you. I feel like you could ask someone(s) that you trust and does not live with you to keep them in their cloud storage or share access to a cloud folder you control. This could just be the TOTP secret or recovery code with no identifying info. Maybe some password hints. You could obscure it in some way to make it less obvious if it’s compromised (e.g. encode or salt it) to make one feel better, but I don’t feel this is a risky option if it’s just an unidentified recovery code string. I would be more worried about the person you trusted deleting it or something.

This can be done for free. We encrypt the data → store it in a public place. If this data is publicly available, you will not lose access. If the data is encrypted, then no one will have access to the data.

1 Like

You can backup the exported encrypted db.

1 Like

What are you afraid of if the data is encrypted?

Thanks for this. It’s worth thinking about.

Michael Bazzell spoke about this in one of his podcast episodes. He keeps his old phone and a laptop at a friend’s/family’s house.

My variation on this is to keep an old phone in the car trunk along with a non-electronic spare key hidden on my property. No need to worry about water damage with a basic metal key. I already keep a spare metal key in my wallet with which I can open the car and retrieve my spare electronic key from the trunk.

I can also leave a usb-c drive at my sister’s house with my KeepassDX database on it.

USB stick / SD card with a veracrypt container. Keepass password manager inside the veracrypt container.

Hide the container on an SD card at an offsite location.

1 Like

Good thing the mirror wasn’t broken and replaced, or taken down and donated/sold. Yet.

You can always make a few caches and store them at different locations. If they get lost it’s encrypted anyway!

Multiple off site / out of timezone backups on multiple clouds too. Critical for me, as I live near some major fault lines and areas prone to forest fires.

What about adding an encrypted password database (e.g. keepass) to encrypted cloud storage (e.g. cryptpad, tresorit, filen), with the account set up only with a (strong) password, no 2FA. And a free tier cloud can be used, as the file is less than 1MB.

1 Like

You can attach multiple files up to 2 GB in size to posts in your public Telegram channel.
Since the channel is public, you do not need to know the keys to the cloud.
This is the method I would recommend and have mentioned before: encrypt it securely, then store it publicly.
Also: you can attach files up to 4 GB in https://vk.com - a Russian social network (fully controlled by the FSB, but what should you be afraid of if you are not from Russia and your files are encrypted?). This can be used as free unlimited storage.

1 Like

Files up to several MB can be stored at github gists (in base64 form).
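The "encrypt it securely, then store it publicly" approach from the posts above (a KeePass database in a gist, a Telegram channel post, or any other public place). This is an added example, not code from any of the posters or from KeePass: it wraps a file in AES-256-GCM under a PBKDF2-stretched passphrase and emits base64 so the blob can be pasted anywhere; the passphrase and sample secret are constructed.

```ruby
require "openssl"

KDF_ITERS = 600_000 # PBKDF2-HMAC-SHA256 rounds; deliberately slow to brute-force

# Stretch the passphrase into a 32-byte AES-256 key, using a per-file salt.
def derive_key(pass, salt)
  OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: KDF_ITERS, length: 32, hash: "sha256")
end

# Returns base64(salt || nonce || ciphertext || tag). The blob reveals nothing
# but its length, so it can sit in a public gist, channel or shared folder.
def seal(pass, plaintext)
  salt  = OpenSSL::Random.random_bytes(16)
  nonce = OpenSSL::Random.random_bytes(12)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = derive_key(pass, salt)
  c.iv  = nonce
  ct = c.update(plaintext) + c.final
  [salt + nonce + ct + c.auth_tag].pack("m0") # "m0" = strict base64, no newlines
end

# Reverses seal. A wrong passphrase or any altered byte fails the GCM tag
# check, so a damaged backup is rejected instead of being silently decoded.
def open_blob(pass, encoded)
  blob = encoded.unpack1("m0")
  return nil if blob.bytesize < 44 # 16 salt + 12 nonce + 16 tag at minimum
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = derive_key(pass, blob.byteslice(0, 16))
  c.iv  = blob.byteslice(16, 12)
  c.auth_tag = blob.byteslice(-16, 16)
  c.update(blob.byteslice(28, blob.bytesize - 44)) + c.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # wrong passphrase, corrupted base64, or tampered ciphertext
end
```

The passphrase is the one thing that must survive outside the public copy (memorised or on the paper at a friend's house); without it the blob is just noise, and with it, any bit flip in transit is caught rather than handed to you as a broken database.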