Manage 2FAs, passwords, and their backups

I’m in a bit of a dilemma on how I should set up my password manager, 2FA, and their backups in a way that if one gets compromised, the others remain intact.

Currently, I have Bitwarden on one device and the auth application on another, with the backup codes for accounts and 2FA in the Bitwarden account, which of course isn’t ideal.

With backups, I thought of exporting and encrypting them with Cryptomator to upload them to the cloud, but then the question of where to store their encryption key/password comes up. Storing it in Bitwarden defeats the purpose of the backup, because if I lose my passwords for any reason, I wouldn’t be able to access the backup.

So what should I do here? I’m thinking of maybe setting up a second Bitwarden account and storing my 2FAs, backup codes, and encryption keys/passwords there. Not exactly ideal, but I can’t think of anything else. Storing them physically isn’t possible, as I don’t trust myself enough for them not to get lost. Thanks

An emergency sheet can be a way: bitwarden_reddit/emergency_kit.md (djasonpenney/bitwarden_reddit on GitHub, at commit 3db77694d04ca77d179779222dcd11cbe0536ac8)

The point of an emergency sheet is to use it in times of emergency, like your house burning down, losing all access, amnesia, waking up from a 5-year coma, etc. Generally you also don’t fully encrypt the emergency sheet itself, to prevent a catch-22/ouroboros/chicken-and-egg situation that makes the point of the emergency sheet moot. Encryption is important and all, but not when it results in you locking yourself out.

If it’s a digital text/PDF copy on a USB drive, something like one-way rot-13 obscuring should be fine if you’re confident that you, waking up from a 5-year coma, would remember or be reminded by someone how to de-obscure it. Also have >1 copy in 2 different places. Just 1 copy is a single point of failure, a house-burning-down or flood disaster waiting to happen.

Think thoroughly about how to approach it, since it’s not fully encrypted. Different people do it differently: physical copy, USB drive, bank vault, trusted family member, trusted friend, etc.

I just create a memorable password and set a calendar reminder to practice recalling it. In the beginning I might do it every day, then, when I feel more confident, every week, and so on.


Interesting read. Storing a complete backup on a USB drive or a portable HDD makes the most sense, but I don’t really have any space to store it securely.

I don’t trust bank vaults, and I don’t trust anyone enough to give them my digital life for safekeeping. Maybe I should buy an SD card and stuff it under my bed lol. But then again, my biggest fear is someone getting their hands on it, so I can’t get behind not encrypting the backup with VeraCrypt either.

I guess that’s what I have to go with. Two complete encrypted backups, one within the house and one elsewhere, and checking up on them every few weeks to make sure they work fine and I remember the password.

I’ve heard from several people that backing up to a USB drive is risky due to the chance of file corruption.

Welcome to the forum!

On your backups with Cryptomator… I attach my 2FA apps’ backups to a KeePass database, with an entry for each. Good encryption, and clients/applications on just about any platform to be able to open them with moderate ease in an emergency situation.

My siblings and I each have either the others’ KeePass file(s) or the password(s), but not both. We are spread out between a couple of time zones. And I live between two earthquake faults.

I’ve never liked the idea of storing sensitive logins on paper - what if somebody finds the paper? If there’s enough detail for a loved one to gain access to your accounts, there’s enough detail for some opportunistic burglar. But there are situations where having a physical backup is necessary, like in the event of a head injury or death.

I was thinking of setting up another Bitwarden account that I can designate as a trusted emergency contact. I could store its login details on paper and set a long wait time for it to be able to access my vault.

This way, even if someone steals the paper, they won’t be able to get into my vault if I still have access to my main account. But if I’m incapacitated, my loved ones should be able to gain access without me, and the wait time shouldn’t matter much.

This means you could be a lot more cavalier about how you store the emergency sheet. You gain convenience and security.


Amnesia is a thing too… The Bitwarden subreddit gets, at least once a week, someone coming to ask for help because they forgot the master password and have no emergency sheet/record/whatever to bootstrap from. Obviously no one can help, not even BW staff themselves. Basically their whole digital life is gone just like that, because they relied solely on unreliable memory.

How to ensure confidentiality, integrity, and availability of your data.

  1. Encrypt your sensitive data (backups and others) to ensure confidentiality and integrity. Use tools that provide strong encryption and authentication.
  2. Store it in a public place on the Internet to ensure availability.

This way, you will have access to it from anywhere with an internet connection, and a fire in your home won’t destroy your backups. Authenticated encryption will ensure data confidentiality and protection against forgery.


Yeah, corruption is a problem. Logic says to just set up an encrypted HDD, but it’s a huge waste of space.

Can you please elaborate more on this? What’s your exact setup?

Didn’t know Bitwarden had that feature, will look it up more.

Sure. I’m currently evaluating 3 2FA apps:

  • Aegis - love this
  • Ente Auth - like this
  • Bitwarden Authenticator - waiting since June for an update. Yawn.

I have a second KeePass database for 2FA backups. Each of the apps can make a backup; most need a password for encryption. On my phone I open this KeePass database, which just has an entry for each app. I attach the backup file to the entry and save it.

My KeePass 2FA file will move to my other computers when Syncthing next runs, and once it hits one of my computers it goes to two different clouds.

I send updated KeePass copies to my siblings when there are enough changes to warrant it.