Thoughts on use of another person’s email as a recovery option in Protonmail

Before you all think I’ve gone completely doolally, let me explain! Until today I have had a QR code set up and a recovery phrase and a recovery file. I am reviewing all my backups and security etc. and have been thinking about the fire scenario when you lose everything. Obviously for this to be an issue, my offsite backup method would have to have failed too (this is manual, not cloud, so not impossible that the portable HDD would happen to be at home at the time of the hypothetical fire), and the trauma of it all will also have made me lose my memory so, in this hypothetical scenario, I’ve forgotten my Proton password. So all in all quite an unlikely scenario! Nevertheless, I am of a nervous disposition, so just having the “minimum” recovery options is making me jittery.

I am the controller of all things financial and IT related in our house, so I also wanted to make sure that my husband could access my Proton account in the event of my death, so I have set him up as an “emergency contact”. He also has a Proton email which is already connected to my account anyway as we have Proton Duo. So if I’m doing that, I thought I may as well set his email up as a recovery email for my password?

I trust him implicitly, we have full insight into each other’s affairs, money, health etc. and have codes and passwords for each other’s devices which we both use with gay abandon. In a torture scenario, he’d hold out much longer than me so not worried there either :joy:

Am I missing anything here? Any issues with doing this that I haven’t considered?

Many thanks :grinning_face:

You’re already using the feature designed for that purpose. I know you trust your husband, but you also have to think about the potential for malware or a social engineering attack where his account getting compromised would mean your proton would also.

I’d also say you probably shouldn’t share passwords like that, I think most services where that would be useful let you share a subscription between multiple accounts.

Why not use Proton Pass, where you store your Proton passwords for each other?

Make sure you have access to smartphones in case you use 2FA with an authenticator.

Thanks for your reply Fria. I’m not sure I quite understand it all, could I clarify?…

Are you envisaging a scenario here where his account is compromised and he doesn’t know, then I send a recovery email to his account whereby the bad actors can then use that to access my email? Is that not a risk with any alternative email account, even your own? Would you advise never using email as a recovery option, or is there a particular risk in using my husband’s?

I’m not sure what you mean by this? We don’t use the same passwords/codes for (important) services or our devices. I don’t think I’ve said that we do this in my OP, but maybe I’ve been unclear or you mean something else?

Many thanks!

It was really for backup should we lose our devices. If my devices were lost in a house fire, his probably would be too.

Yes, and specifically since you said you’re the IT of the household, he’s probably more of a risk than you. His activities and devices are a whole separate attack surface from your own. I’d say using your own email is minimally increasing your risk, but using someone else’s is increasing it quite a lot.

As an example, my dad was sent a fake Gmail login screen where he put his login info in, and the attacker was only stopped because Google’s heuristic analysis detected a suspicious login and didn’t send him the SMS 2FA code. That’s the kind of thing that happens all the time with less technical people.

I think I misread this part as you sharing passwords to your accounts. Still might be a good idea to just have separate user accounts on devices where it’s supported, and give him a regular, unprivileged user account for each device of yours that he’s using.

If you live together, which it sounds like you do, I think you may be failing to consider that a fire that locks you out of your account would very likely also lock him out of his. It may not be very helpful.

Ultimately, you have to think about your threat model and what is most important. More recovery options inherently create more ways for bad actors to try to get into your account. Which is more concerning: the possibility that one of your enemies could compromise his account, and then yours, or the possibility of permanently losing all data locked behind your account?

Personally, I would err on the side of not losing data. If your recovery phrase is not physically written down, that may be something you should include in your off-site backup if you have a physical safe (laminated, if possible).

I used to minimize my recovery options because I considered my threat model a bigger risk. I was wrong, and am very lucky I had still done just enough that I was able to recover the vast majority of my data (and ultimately, by some miracle, I actually ended up recovering all of it).

Just to be clear on this, the attacker wouldn’t need to have access to your account; they would just need access to your husband’s account and know your Protonmail address. You wouldn’t need to be involved at all.

Thanks Fria, that’s really helpful. Although I am more IT savvy than he is, without going into detail, his job means that he’s no more likely than me to fall for phishing etc. - I don’t want to do him a disservice by implying otherwise! We are both pretty clued up on this, and we try to keep up to date with the latest scams etc. so do our best to minimise the chances. Having said this, from what you’ve outlined, it seems to be an extra risk for not much reward - the likelihood of losing all my devices and forgetting my password at the same time is extremely small, and the tiny potential benefit of adding the email address does not seem to outweigh the extra risks … so I’ll take his email off then and calm my jitteriness!

I don’t understand why this would be needed? What is the concern and what is the risk I would be mitigating?

Thank you!

It would stop him from doing privileged things like installing device-wide software or running malware with admin permissions. Some operating systems like Android even encrypt each user separately with different keys, so there’s not much chance that one user getting exploited would affect the other ones. On a modern desktop system the separation isn’t as good, so it’s not as important, but malware can definitely do a lot more damage with higher privileges.

Thank you that’s a useful perspective and one to mull on. My recovery phrase is saved in more than one place, and at least one of the drives will be off-site. I am intending to get a safe but don’t have one yet so will make sure the phrase goes in the safe in paper form once I get it (I already have a laminator though so am set up to go on laminating :grinning_face: - thanks for that tip!).

I am sorry you had to go through the panic of nearly losing all/most of your data. That must have been so stressful for you. Really glad to hear you managed to recover it! Must have been such a relief for you. I had a slightly lesser incident where I lost a small amount of data, which prompted me to really ensure that I had better backup practices. I am definitely in a better position now but still have some work to do!

Thank you for taking the time to reply.

If you also have a printer you trust, consider printing it rather than writing it. There is no guarantee you will be able to read your own handwriting in the future, after all. Good luck with your endeavors!

I have a printer, but not sure if I trust it tbh; it’s set up to talk to HP for auto reordering of ink. I haven’t got around to investigating the privacy issues with it yet, but it’s on the list! So a good reminder to probably not print something like this! Thank you!

Oh yes, I hadn’t followed that completely, good shout… they would get my address from his account, and then could use that to request the recovery email. OK so yes that’s a much bigger risk than my previous scenario. So that adds to the scales - way more risk than benefit on this one. Thanks for the clarification.

Thanks Fria, I understand your concern, and it’s something to be aware of in general terms, but there is zero chance of him doing any of those things. He might use my phone or laptop to check the weather, set a route in the car quickly, or quickly look up a contact or a webpage or something. He’s not downloading software or apps. He doesn’t check his email on my devices. He’d go and find his phone to do that. Rereading it, I maybe misrepresented the amount/type of use in my OP with my flippant/jokey tone, so apologies if that has misled you.

Just remember that your encryption keys for your Proton account are derived from your master password (unless you have also chosen to enable the second password option). What that means is that using the recovery email option to enact a password reset won’t give you back access to the contents of your account, unless you can somehow provide either the original recovery phrase or your old master password.

For that reason, I don’t even bother setting up email/phone recovery on my Proton account.

Bottom line: Make sure you have a way to access your recovery phrase in the event of any eventuality.

There’s an option, which can be disabled, to get your data back if you connect from a recognized device. I know this because I briefly tried switching to Proton Authenticator from Google Authenticator. Turns out, at the time, you had to be logged into Proton to use your Proton Authenticator, which I then needed to log into my Proton account. I don’t know if it still works like that. My recovery keys were out of date as well.

I was briefly very nervous, thinking I had lost all my passwords, until it recognized my device and decrypted the data somehow. Now I use Aegis, Vaultwarden, and a couple of FIDO2 keys. I wonder how many other people did this when Proton Authenticator came out.
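Two posts above make a point worth seeing in code: the one explaining that Proton's keys are derived from the master password, so an email-based reset cannot give the data back without the recovery phrase or old password, and the one describing recovery from a recognized device. The following is an added toy model written for this thread, not Proton's code or a description of its actual scheme. It assumes a simplified design in which the server stores only the mailbox key wrapped under a key derived from the password (and optionally under one derived from the recovery phrase), PBKDF2 and an HMAC-SHA256 keystream stand in for Proton's real bcrypt/OpenPGP machinery, the "login verifier" stands in for SRP, and the "trusted device" is modelled as a device that kept its own copy of the mailbox key. All secrets and iteration counts are constructed sample values.

```python
"""Toy model (added example, not Proton's code) of why a password reset done
through a recovery email cannot unlock end-to-end encrypted data.

The server only ever stores the mailbox key *wrapped* under keys derived from
secrets it does not know (password, recovery phrase). Standard library only:
PBKDF2 + an HMAC-SHA256 stream cipher stand in for the real bcrypt/OpenPGP scheme."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITER = 50_000  # PBKDF2 iterations; assumed value chosen so the example runs quickly


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a password or a recovery phrase."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITER, dklen=32)


def auth_hash(secret: str, salt: bytes) -> bytes:
    """Login verifier (stand-in for an SRP verifier), domain-separated from the KEK."""
    return hashlib.pbkdf2_hmac("sha256", b"auth:" + secret.encode(), salt, ITER, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def wrap(kek: bytes, mailbox_key: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(mailbox_key, _keystream(kek, nonce, len(mailbox_key))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the mailbox key, or None when the KEK is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class ServerAccount:
    """Everything the server stores. Note there is no plaintext mailbox key anywhere."""
    salt: bytes
    login_verifier: bytes
    key_wrapped_by_password: bytes
    key_wrapped_by_phrase: Optional[bytes] = None


def create_account(password: str, phrase: Optional[str] = None):
    mailbox_key, salt = os.urandom(32), os.urandom(16)
    acct = ServerAccount(salt, auth_hash(password, salt),
                         wrap(derive_kek(password, salt), mailbox_key))
    if phrase:
        acct.key_wrapped_by_phrase = wrap(derive_kek(phrase, salt), mailbox_key)
    return acct, mailbox_key  # the client device may keep mailbox_key as its "trusted device" copy


def login(acct: ServerAccount, password: str):
    """(authenticated?, mailbox key or None). Auth can succeed while the key stays locked."""
    if not hmac.compare_digest(auth_hash(password, acct.salt), acct.login_verifier):
        return False, None
    return True, unwrap(derive_kek(password, acct.salt), acct.key_wrapped_by_password)


def reset_via_recovery_email(acct: ServerAccount, new_password: str) -> None:
    """All an email-based reset can do: replace the login verifier. The server
    cannot re-wrap the mailbox key because it never had it."""
    acct.login_verifier = auth_hash(new_password, acct.salt)


def rewrap_with_secret(acct: ServerAccount, secret: str, wrapped: bytes, new_password: str) -> bool:
    """Recovery with the old password or the recovery phrase: unwrap, then re-wrap
    under the new password. Returns False if the secret is wrong."""
    key = unwrap(derive_kek(secret, acct.salt), wrapped)
    if key is None:
        return False
    acct.key_wrapped_by_password = wrap(derive_kek(new_password, acct.salt), key)
    return True


def restore_from_trusted_device(acct: ServerAccount, device_key_copy: bytes, new_password: str) -> None:
    """Trusted-device path (assumed model): the key never left the device, so re-wrap locally."""
    acct.key_wrapped_by_password = wrap(derive_kek(new_password, acct.salt), device_key_copy)


def demo() -> dict:
    """Walk the thread's scenarios; reports which paths actually get the data back."""
    phrase = "abandon ability able about"  # constructed sample recovery phrase
    acct, key_on_device = create_account("correct horse", phrase)
    out = {}
    reset_via_recovery_email(acct, "pw1")                    # 1. email reset alone
    ok, key = login(acct, "pw1")
    out["email_reset_auth"] = ok                             # logged in...
    out["email_reset_data"] = key == key_on_device           # ...but mailbox key still locked
    out["old_password"] = (rewrap_with_secret(acct, "correct horse", acct.key_wrapped_by_password, "pw1")
                           and login(acct, "pw1")[1] == key_on_device)  # 2. old password known
    reset_via_recovery_email(acct, "pw2")                    # 3. reset again, use the phrase
    out["wrong_phrase"] = rewrap_with_secret(acct, "wrong phrase", acct.key_wrapped_by_phrase, "pw2")
    out["phrase"] = (rewrap_with_secret(acct, phrase, acct.key_wrapped_by_phrase, "pw2")
                     and login(acct, "pw2")[1] == key_on_device)
    reset_via_recovery_email(acct, "pw3")                    # 4. reset again, trusted device
    restore_from_trusted_device(acct, key_on_device, "pw3")
    out["device"] = login(acct, "pw3")[1] == key_on_device
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: after `reset_via_recovery_email`, `login` returns `(True, None)`, so you are back in the account but every wrapped copy of the mailbox key is still under the old password. Only a secret that can unwrap an existing copy (old password, recovery phrase) or a device that still holds the key can re-wrap it under the new password, which is exactly why the recovery phrase, not the recovery email, is the thing to keep safe.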