Write That Password Down!

I am thinking about how dependent I am on my password manager application these days. I use 1Password myself. There are several players in this market place. I chose 1Password because they are not owned by a company that I prefer not to do business with, and it has all the features I need. YMMV (your mileage may vary) of course.

I was thinking about two facets of this. One is that all password managers come with instructions for creating a “password manager emergency kit” (PMEK). They don’t use that term, I made it up. However, they always tell you to back up the credentials that you need to regain access to your password manager database, whether it is stored on your local disk or in the cloud.

This is really important to do, as soon as you start using a password manager. Even before you figure out how to get your passwords in, or go through changing your passwords to unique nonsensical ones. A secure password manager is only secure if your password vault can only be accessed by authorized individuals, meaning those who know the vault password. Assuming that you selected a sufficiently strong vault password, and you keep that password from falling into the wrong hands, then nobody … nobody except you … can unlock that vault. Ever. Nobody, not even technical support for your software company, not the police, not the NSA, no deity in any pantheon can unlock that vault without the password. If that last sentence is untrue, then the password manager is NOT secure. Period. With some exceptions for hierarchically managed vaults.

1Password provides information about their emergency kit here: https://support.1password.com/emergency-kit/. Others do something similar. It is really, really, really important to save your Master Password and your account key some place secure, on paper! Preferably in sealed, tamper-evident envelopes stored in a locked box or drawer or safe deposit box, or all of the above. “Lots of copies keeps stuff safe.”  You don’t want to have copies easily available to anyone who is wandering through your home (think cleaning people, guests, children, etc.) but you also want to have a way to recover those bits of information if you forget the password.

Two very important additional considerations: Off site access, and access in case of your incapacitation.

Off site access means that you have a copy somewhere that you can get to if your home / computers / etc. become unavailable. Fire, flood, catastrophic failure of your home … we imagined these. Losing access to our mother’s apartment because of COVID-19 quarantine protocols was not one that we had thought about. We always assumed that one of her children would have physical access to her apartment if necessary. This has been an epic FAIL with safety restrictions in retirement facilities. I leave it as an exercise to the reader whether you save a copy with a trusted friend (someone who would never have reason or desire to steal your identity who has your best interests at heart), in a safety deposit box, or with your estate executor / personal representative / attorney. That may be a good idea regardless. Unless / even if your estate passes automatically to your spouse, it would be wise to share an escrow copy of that with the people who will have to sort out your finances after you become incapacitated. I consider “death” to be a special case of incapacitated.

Also very important … it is necessary for you to teach the person who will become your proxy in case of incapacitation how to use your password vault software. They will need to know where to find the emergency password, they need to have the password management software installed on their computer, and then need to know how to use that software.

More and more, everything we do is online. Banking, credit, salary / retirement management, recreation, identity, social networks, you name it … it is all online and it all requires a username and password. Using a password manager is important (I would say essential, but who listens to me). In most cases, you have been trained not to write down passwords. However, in the case of the credentials needed to get access to your password manager, either remotely for yourself after  a systems (or home) failure, or for your family member, estate executor, etc., write that password down (and keep copies in safe places).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.