Photo of Terence Eden. He has a beard and is smiling.

I've locked myself out of my digital life

· 124 comments · 1,500 words · Viewed ~51,278 times.

Imagine…

Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes.

In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.

This presents something of a problem.

In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can remember the password to that. But logging in to the manager also requires a 2FA code. Which is generated by my phone.

The phone which now looks like this:

A melted phone. Credit: Reddit user Crushader.

Oh.

Backups

I'm relatively smart and sensible. I regularly exported my TOTP secrets and saved them in an encrypted file on my cloud storage - ready to be loaded onto a new phone.

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in - you guessed it - my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

Perhaps I can use my MFA FIDO2 Key?

A melted security key. Photo taken from A Side Journey To Titan: Revealing and Breaking NXP's P5x ECDSA Implementation on the Way.

Oh.

Emergency Contacts

Various services allow a user to designate an "emergency contact". Someone who can access your account in extremis. Who do you trust enough with the keys to your digital life?

I chose my wife.

The wife who lives with me in the same house. And, obviously, has just lost all her worldly possessions in a freak lightning strike.

Photo of a house engulfed in flames. Photo taken by Wikimedia user LukeBam06.

Oh.

Recovery Codes

Most online services which have Multi-Factor Authentication, also provide "recovery codes". They are, in effect, one-time override passwords. A group of random characters which will bypass any security. Each can only be used once, and then is immediately revoked.

I was clever. I hand-wrote the codes on a piece of paper (so they can't be recovered from my printer's memory!) and stored them in a fire-proof safe, secured with a key hidden under the cat's litter-box.

Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated. Along with the cat's litter-box. The cat is fine.

I know… I know… I should have kept them in a lock-box in my local bank. The only problem is, virtually no banks offer safe deposit boxes in the UK. The one that does charges £240 per year. A small price to pay, for some, to avoid irreversible loss. But it adds up to a significant ongoing cost.

But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box.

The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.

An AI generated image of a melted driver's licence.

Oh.

Friendly Neighbourhood Storage

Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?

There are a few problems with that.

  1. Every time I sign up to a new service, I would need to add it to the USB stick. How many times can I pop round with a fresh stick before it becomes an imposition?
  2. What if my friend (or their kid) accidentally wipes the drive?
  3. If a freak lightning storms hits both our houses at the same time, I still lose everything.
  4. Even if I did all that, I would have to give the USB stick a strong password to make sure my friend didn't betray me. So I either need to remember that, or I'm stuck in the password-manager-paradox.

Perhaps I could split the USB sticks between multiple friends using Shamir's Secret Sharing? That solves some problems - mostly the accidental losses and remembering a strong password - but creates even more issues. Now I have to do a lot more admin and worry about all my friends conspiring against me!

Phone Home

One of the weakest forms of identity is the humble phone number. Several of my accounts use my mobile number to text me authorisation codes. SMS isn't the most secure way to deliver passwords - it can be intercepted or the SIM can swapped to one controlled by an attacker. But, if I can get my phone number back, I stand a chance of getting in to my email and perhaps some other services.

That's a weakness in my security posture. But one I may need to take advantage of.

The only question is - how do I prove to the staff at my local phone shop that I am the rightful owner of a SIM card which is now little more than soot? Perhaps I can just rock up and say "Don't you know who I am?!?!"

I know, I'll show them my passport!

Burning EU passport 20180318

Oh.

Bootstrapping of trust

I am lucky. I have a nice middle-class life and know lots of professionals - doctors, lawyers, teachers - who I hope would be happy to vouch for me. I could use one of my friends to confirm my identity for a replacement passport. Once I have a passport, I should be able to get a SIM card with my phone number. And, I hope, some online services.

I would, however, need to use a credit or debit card to apply for a replacement passport. But all of my cards are melted to slag - and I can't prove to the bank that I am who I say I am because I don't know my account number, password, or mother's maiden name.

You see, I was "clever" and took some idiot's advice about setting your mother's maiden name to being a random string of characters. Those details are, of course, stored in my inaccessible password manager!

Hopefully one of my friends will be prepared to lend me the £75.50 to get a new passport.

I'll just call up one of my friends. Hmmm… now, where did I store their phone number?

A melted phone. Credit: Reddit user Crushader.

Oh.

Starting over

Again, I'm lucky. I live relatively close to some friends and family. And I'm confident that they'd be gracious enough to pay an emergency cab fare if I started hammering on their door at silly o'clock in the morning.

With their help, I think I could probably call up enough insurance companies to figure out which one covered the property. I would hope the insurance company would have some way of validating with the emergency services that the house is, indeed, a smoking crater. I don't know if that would get me emergency cash, or if I'd have to rely on friends until I get access to my bank account.

I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?

I don't know whether my insurance policy covers me for access to digital files. Even if it did, I'm not sure how they can force a company like - say - Google to give me access to my account. It isn't like Google went through a KYC (Know Your Customer) process when I signed up.

Code Is Law

This is where we reach the limits of the "Code Is Law" movement.

In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

But when things are secured by an unassailable algorithm - I am out of luck. No amount of pleading will let me without the correct credentials. The company which provides my password manager simply doesn't have access to my passwords. There is no-one to convince. Code is law.

Of course, if I can wangle my way past security, an evil-doer could also do so.

So which is the bigger risk:

  • An impersonator who convinces a service provider that they are me?
  • A malicious insider who works for a service provider?
  • Me permanently losing access to all of my identifiers?

I don't know the answer to that. If you have a strong opinion, please let me know in the comment section.

In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal

Share this post on…

124 thoughts on “I've locked myself out of my digital life”

  1. said on diggingthedigital.com:

    I’ve locked myself out of my digital life door @edent (shkspr.mobi)

    Imagine…
    Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes.
    In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.
    This presents something of a problem.
    In order …


    OK. Nu ik dit heb gelezen moet ik toch eens serieus nadenken over de opties. Bliksem kan inslaan. Brand. Ik kan een beroerte krijgen en het hoofdwachtwoord van mijn password manager vergeten. Zoveel losse eindjes in dat digitale leven die, als een kort lontje, elkaar aansteken en zo snel als een exponentiële grafiek door je leven branden.

    Reply | Reply to original comment on diggingthedigital.com

    1. says:

      THIS...is EXACTLY why I hate 2FA. Here's one solution. Have 1 email just for your password w/o 2FA or with the easiest PW. Don't use it for anything. Don't surf with it. Don't give it to anyone else. Every new password send an email to that email. Now here's the trick. Use one passphrase a pin # and change it / secure it based on the website. So if your passphrase if I am a bad muthafacker. Then your Gmail could be G1234IAmABadMuthafacker. Your bank UKBank,Inc could be U1234IAmABadMuthfacker$ ($ i.e money) Your bank Visa card could be: V1234IAmABadMuthafacker$

      Now you know your passphrase. So to save this password on that email account or anywhere accessible via public library you simply remind yourself like this: X xx X Xxx Xxxxxx Xxxxxx (Cap each word, no spaces)
      Then write: Gmail: Variable/Pin/Passphrase. There. You just reminded yourself. But no one else knows unless you TELL them.

      For bank account, put: UKBank: Variable/Pin/Passphrase/$

      Visa: Variable/Pin/Passphrase/$
      It's easy. Your pin should always be the same. Your variable, decide if it's the first, 2nd or last of the website's name and keep it that way. I've used 1st letter as an example.

      Reply

      1. @edent says:

        To be clear to other readers - this is terrible advice.

        If a website has special requirements (e.g. no special characters, max of 12 characters, etc) then the scheme doesn't work.

        If a website asks you to change your password (and you can't reuse an old one) then the scheme doesn't work.

        If a website leaks your password (or if several do) then your scheme is easy to defeat.

        If your emails aren't encrypted in transit, your passwords are exposed.

        If your email is hacked - either by an insider or someone social engineering your email provider - then your passwords are exposed.

        In short - please don't use these scheme.

        Reply

      2. Sean Lu says:

        I use a similar idea but without such a rigorous mnemonic scheme. I just use Anki (and don't have the answers on the cards since they're synced online). But I still forget my passwords pretty regularly, and my passwords could probably be made harder to guess.

        Reply

    3. says:

      On an analog matter, it reminds me the day I asked my boss: "what is the strongest way to backup things?". Short answer: engrave data on a stone...

      So huge paradox of digital life:
      1/ you can replicate data infinitly without any error...but each storage taken indivudually is weak...really weak
      2/ you can secure access easily with cryptographic algorithms...but anyone who solves/finds a way to break it, the security of all data in the world is comprimised (the best example is RSA, which is not recommended anymore)

      Thanks for your thought and anyway: if you can't protect data, don't collect it 🙂

      Reply

  3. said on twitter.com:

    I honestly had to sit there thinking “has Terence’s house actually been struck by lightning and burned down? Announcing that purely via an educational blog post would be a very Terence thing to do…” before I got to the bottom of the post


    Reply | Reply to original comment on twitter.com

    1. digital prepper says:

      Same. I have a tool to help me memorize key passwords that don’t get daily use (i.e. everything that isn’t my master password), like those for my email, Apple account, etc. If everything burns down, I get the corresponding 2FA backup codes from my parents’ and use the memorized passwords to retrieve my vault. The only cost, aside from (very) occasional snail mail to my parents asking them to just put this piece of paper in their safe, is that I have to memorize 6 passwords instead of 1. And my parents’ phone number.

      Reply

  6. Ian Betteridge says:

    The "leave something with friends/neighbours" option is interesting. That is, after all, what we already do: we have a set of keys for one of our neighbours' houses so we can pop in and walk their dog when required, and they still have a set of ours from when they used to pop in and feed our cat (RIP).

    They could, of course, come round and ferret through our drawers - but we would be able to work out they had pretty easily, even without the presence of a security camera. So: should our approach to digital security be the same? A trusted third party who could use your passwords, but if they did you would get notified?

    Reply

    1. @edent says:

      It's a tough one. Having liven in half-a-dozen locations since University - I don't think I've ever given a neighbour a set of keys. And, frankly, I'd probably refuse if they tried to foist them on me! That might be my antisocialness - or my paranoia. I'm not sure which.

      I have a lot of sympathy for the code-is-law crew. I shouldn't have to put my trust in anyone. But I also like the idea of a "canary" which fires if a trusted 3rd party attempts access.

      Reply

  8. said on twitter.com:

    A similar thing that haunts me the most is losing my memory. I use 1Password but what if I forget my pass phrase to get in? What if my iPhone doesn’t want to accept faceid and demands my now forgotten passcode? Yubikey is nice but is only a 2nd factor, not 1st

    The worry is real!


    Reply | Reply to original comment on twitter.com

    2. Nicolas says:

      You can never rely on FaceID, you just reboot the phone or someone else looks at the camera too many times and it becomes useless until you enter your passcode.

      Reply

    3. says:

      After forgetting my 1Password password for an agonising day before it came back to me, I finally took their advice and printed out their recovery kit and wrote it there, and tucked it somewhere safe. So that takes care of the ‘forgetting’ problem, unless, of course, that safe place is struck by lightning at the same time as I forget the password.

      Reply

      1. says:


        So that takes care of the ‘forgetting’ problem, unless, of course...


        Well, you recognize one problem. But just in a general way, writing stuff down does not necessarily "take care of the 'forgetting' problem". My late mother-in-law lived to be 97. Never really suffered from dementia -- she was pretty cogent right up to her death. But her memory did decline as she got older. So somewhere in her '70s she started writing everything down. Then she started to forget where she'd put the notes. You can print out your 1Password 'emergency kit' but then you have to remember where you put it. If you put it in your desk drawer or safe at home, well, it might have been incinerated with the rest of the house (as you acknowledge). So you can put it in the bank, but see the OP above for problem of getting into bank. You can give it to your daughter to keep at HER house but then you have to remember that you did that, or she's got to remember that you gave it to her AND she has to remember where SHE put it. (My oldest daughter is a surgeon. Her memory's awesome for some things but absolute cr*p for others.)

        Not saying writing stuff down is a BAD idea. Print out your emergency kit from 1Password and give it to all THREE of your daughters. And then be nice to them.

        Reply

  9. Alex B says:

    I settled on a plain text file of credentials, split using Shamir's Secret Sharing and requiring at least 2 people to collaborate to reconstruct, with pieces shared on USB keys with my partner, my parent, and on various bits of storage I'm likely to have with me. I never actually got round to doing it, though...

    In the meantime, I'm relying upon grabbing my mobile phone or tablet, and wallet as I evacuate.

    Reply

  13. says:

    Shh! Don’t say the quiet part out loud! We’re all incredibly vulnerable to this.

    I have offsite backups of my most important data. However, I probably wouldn’t be able to recover it without either my phone, laptop, desktop computer, or home server. I need one of them. These devices holds all my secrets under crypt and key.

    For most people, this is an unrecoverable situation. The more stuff you have — whether that be online accounts or devices — the harder it is to do disaster recovery. My “emergency plan” is to always carry my phone with me. It’s my digital life and it holds a on-person backup of my most crucial stuff.

    Reply

  16. says:

    I often think when I see an attack on some "badly done" security procedure like giving your birthdate to "authenticate" as a person: "Well, it's bad. But it's a good middle-ground between security and usability. And the few abuses are covered by insurance. So, all in all, it's not too bad."

    Which your story seems to underline.

    But of course the best way would be to have a t-out-of-n threshold decryption with your friends devices. Not?

    Reply

  17. Richard says:

    So your problem is you can't access your online password manager without a MFA code to your phone? Is that basically it? If so, you just need an offline password manager like https://keepass.info/ and then upload the password database to cloud storage to keep it safe and accessible. Problem solved?

    Reply

    1. Richard says:

      Ah, you already said you need MFA to log into your cloud account, my bad, didn't see that the first time around. Is that an actual requirement though? I don't believe I have MFA on my MS OneDrive...

      Reply

  18. Mikael says:

    Interesting, indeed.

    As I live in an area well known for having produced some nasty earthquakes, I'd foresee that if my house were reduced to rubbles it'd be together with most of the neighbors' houses. And the rubbles might very well get very well charred once the local natural gas lines burst.

    So... Hm.

    I have set up my wife as an emergency contact for my password manager, which wouldn't help in this scenario, but I'm thinking that I should set up a second emergency contact in the form of family members who live outside the area. It would still make the process of getting into stuff takes very long time, but eventually I should be able to get in that way.
    If I can survive without email for that long, of course.

    Reply

  21. said on twitter.com:

    Reminds me of the time my phone was stolen. So I needed to buy a new one so I needed to move money around in my bank to be able to buy one. But I needed the same phone to login to the bank. So many increasing dependencies in our lives like this and not enough talking about it


    Reply | Reply to original comment on twitter.com

  22. said on mastodon.social:

    @Edent Really wish there were more affordable alternatives to off site storage.I am in similar danger but I don't have any trusted party near me to keep a USB stick with all my keys.Currently i keep an encrypted USB hidden in my car so at least if the apartment goes up in flames I'd have that...

    Reply | Reply to original comment on mastodon.social

  24. Matthijs says:

    Interesting story, hope all will be fine soon again.
    For the safe storage, what I did was to dig a casing pipe into the ground between our house and our neighbours. We have 2 utp cables in this, one for them and one for us. Now we have a NAS in their house and vice versa. We both cannot access each other’s NAS, we don’t know the passwords.
    Now it was quite some digging, but as a result we have a (we think) safe backup of everything. Chances of both houses burning or flooding or whatever are slim.

    Reply

    1. Aaron Axvig says:

      Consider lightning, as mentioned in this very blog post. If it strikes one of the houses, it could easily traverse the UTP cable and fry the other NAS. And lightning could presumably strike both houses, or the utility feed that supplies both houses.

      Reply

    1. japanese.sweden.clue says:

      You can keep a backup of your Secret Key without your email address or password included in your recovery kit. Hardcopy or digital copy (cloud storage, etc) The Secret Key is fairly useless without those additional details. Many folks have multiple backups that way, so even if someone were to access your Secret Key, it wouldn't do much for them. If you have 2FA enabled on your 1Password account, that would provide an additional layer of protection as well.

      Reply

  27. Aaron Axvig says:

    Consider the case of cash currency, which one may think of as "paper is law". There are many ways in which a $20 bill can be lost forever, with absolutely no . Still people find cash useful, and even preferred, for some things. And obviously unsuitable for many things.

    Similarly, code as law is useful for some things and not for others.

    Reply

  28. said on twitter.com:

    I think about this nightmare scenario quite a bit: it's not even your digital life any more, it's your LIFE

    I have enough stuff in a cloud account with a password I know that I could reboot from scratch... but I'd have to talk customer support into disabling 2FA for me to do it!

    Reply | Reply to original comment on twitter.com

    1. Bob Ligma says:

      And that's the whole point of the conundrum. If you can talk someone into disabling 2FA then someone posing as you could theoretically for so as well.

      Reply

  35. said on twitter.com:

    It’s great to say “enable 2FA, it’s more secure”. (And you should, I’m not saying you shouldn’t.) But the mechanics of password reset are extremely important and nuanced and their failure modes (as seen here) are horrifying. We need to be taking them more seriously.

    Reply | Reply to original comment on twitter.com

  42. says:

    I locked myself out of a 15-year-old email, thus locking myself out of numerous services. There isn't really a good solution to off-site storage, not in a secure way anyway. I don't live in an apartment, so I keep everything at the other end of the garden locked away. It's interesting to see how all the services layer upon each other, if you lose access to x, you'll lose access to y. I print my backup codes and lock them away.

    Reply

  43. japanese.sweden.clue says:

    I used to work for 1Password. If you're with 1Password, contact the support team. They'll be able to authenticate you and disable 2FA on your account. You'll still need your Secret Key & Password to access your data though. If you're missing your Secret Key, you won't be able to reaccess unless your wife knows hers. Then she could login and perform a recovery on your account.

    Reply

  47. said on twitter.com:

    Password managers are a huge SPoF that many people don't realize is there. Sure it's better than having only a couple different passwords, but once you're in, you have everything, including documentation on what accounts exist, what username to use, etc.
    And it is opened often.



    Reply | Reply to original comment on twitter.com

  50. Michael says:

    Since before password managers, I have always stored my important info in a password protected spreadsheet and email it encrypted using Proton Mail to my sister to store on her laptop and she doesn't know the password.

    Reply

  51. Natural D. Zaster says:

    There's something to be said for 'bury it in the backyard in a sealed container'.

    'It' being a print and digital version as an A/B test. 🙂

    Also, degrowth and permacomputing comes to mind here.

    Reply

  53. says:

    Hey, in the UK, is a sim swap attack really that easy?

    https://nordvpn.com/blog/sim-swap-attack/

    It sounds like the fault of the provider more than anything else, which should / would be easy to make sure there is a firm process in place to stop this from happening (surely it is madness to have this service at the end of a phone call with no clear steps in place to keep things secure?)

    https://ee.co.uk/help/help-new/managing-and-using-my-account/leaving-ee/what-is-a-pac-code

    text PAC to 65075
    log in to My EE and go to Menu > Account settings > Leave EE

    So your phone needs to be secure, and you provider account needs to be secure.

    Seems simple enough, they you can rely on phone number as your gateway back in, store everything in cloud provider, and get back up to speed?

    Perhaps I am missing something, I am not militant about security...

    Reply

  54. Nico says:

    Interesting read! I think I had something like this in mind when I switched to authy as my 2fa provider. The idea of losing my access when losing a device somehow scared me. Also it didn't seem possible to transfer the Google authenticator to a new device at this time. I don't know if this is still the case.

    Reply

  55. Pawel says:

    Google has a dead man switch of sorts - after set time of inactivity it can be setup to transfer all rights to someone else via email. Its not perfect because you would need to camp out for half a year of course. I wonder if other services let you do that?

    As for key distribution among friends - there has to be some smart solution relying on the fact that your home server isn't there. App hosted on amazon that will call your home lab, perhaps your number? Even a freaking buzzer in your house! And only after it fails all that it would release some control, perhaps one extra human remambabre password away from full access? I believe UKs nuclear deterant submarines have checklists to ensure UK is well and trully gone before firing any nuclear missles. I don't know how much is available on the subject, but surely this must be a common problem, when you broeden it's scope.

    Reply

  57. ReaderThe says:

    Paragraph "Friendly Neighbourhood Storage" is quite unrealistic for me and isn't helpful to make a plan for that accident.


    USB stick can have only the most important passwords to most important services. When you have access to those more important services you can recover a most recent password manager file backup from multitude of cloud services etc.
    Hide it. It isn't meant to be used until an emergency.
    Changes are close to zero.
    Yeah, you need to remember master password. How do you logged into password manager up to that day without it?


    Aside from that TOTP secrets are only second factor - they won't let you log in alone without password. It should be thought as a proof of physical access to something. You can also store it unencrypted, when it is stored on your property. Cloud provider? Encrypt it, because it is being stored on someone's else servers. Yours flash driver in your house? It can lay unencrypted. A piece of paper amongst documents in yours parents house? It also probably can be stored in unencrypted form here too.

    Reply

  58. Dave Ings says:

    Great post - made me think - thanks.

    I use 1Password, which has built in 2FA support. My simplest mitigation seems to be to store offsite a hardcopy of 1PW’s “emergency kit”. This would get me back into my 1PW account if I lost all else. So that’s what I plan to do.

    YMMV of course.

    Reply

  59. Malcolm X says:

    A few years ago i imagined worst case scnario (I must admit you have a better imagination than me ) and i found a solution for that : what i do is store all 2fa totp codes in an encrypted keepass vault and remember that password instead of keeping it in password manager

    since it is encrypted it doesnt matter where i upload it but ofc for max security and privacy , e2e cloud services like filen/mega are a better option ( better to upload them to at least 2 just in case)

    then take the link of that file and use link shortner (use at least 2 again just in case) , and have something like bit.ly/2fa which u can access anywhere

    whenever i have a new 2fa entry i just upload the new vault in same directory as before , with file versioning , i have all previous vaults in same place with same link

    Reply

    1. @edent says:

      There are two main problems with this approach.

      The first is that you won't remember the password. History has shown us that unless people regularly use a password, they'll forget it. If you do choose an easy to remember password - the chances are that it will be easy to guess.

      The second problem is that you're relying on a weak second factor - that the file is "hard" to find. If you have created a bitly link, the chances are that a search engine has already picked up the file.

      Reply

      1. Malcolm X says:

        regarding your first concern : I usually add more sites to the vault so i constantly use that password so that isn't an issue , you can always use a slightly similar password to the one for password manager

        As for your second concern : you can use a more privacy friendly link shortner or self host one . And even if they pick it up , if you use a password with good entropy for the vault , it will be impossible to decrypt it

        Reply

  60. Sam says:

    Well, you could simply create another account in your password manager (like Bitwarden) and store all your 2FA recovery codes and of course, ensure this account does not have 2FA enabled. In this account, just have the recovery codes with hints /clues that only you can understand to what service it is meant for (without using usernames). This way, in the unlikely event of account compromise (with your leaked password), it's only a bunch of strings.

    You then need to remember only two master passwords (one for password manager with 2FA and another with a password manager without 2FA).

    I follow the above, while also having Authy to synchronize on my wife's father's phone (besides her phone of course) and another desktop at their place.

    Reply

    1. Nico says:

      May I ask why you sync Authy to many devices? I assume you don't use their server side backup then? If so, why not? Or is this just an additional layer?

      Reply

  61. says:

    This actually happened to me last year (flat burned down completely, nothing recoverable) but I was lucky that I picked up my phone which gave me instant access to my Cloud storage / 2FA etc to be able to still access all of my digital data. If the phone had been left behind that would have been a different story.

    I also lost my NAS, which was mostly a local backup of my cloud data but I did (foolishly) have some data only on there so that has now gone forever.

    Reply

    1. Peter "Halpern says:

      One of the reasons I am happy to be a US citizen and a citizen of another country.

      I have a safe deposit box at two different banks. (yes, they are geographically separated) FYI safe deposit boxes can be relatively inexpensive in the US or free depending on your relationship with the bank (Assets Under Management or breadth of products)
      I have copies of many of the items listed in those boxes. (A 'relatively recent' backup hard drive, keys to multiple items, legal documents including a proxy where my mother can access the safe deposit box, photocopies of driver's license, the passports, Social Security card, etc)
      Bank accounts with basic emergency funds in two countries.
      Cloud backups of many of the items listed above, as well as additional items as safeguards.

      While not a perfect DRP, it is sufficient and not costly.

      Reply

  63. Brenden Walker says:

    Local backups mirror my NAS data daily (2 NAS boxes with 15TB each). When we leave for any extended period of time the local backup HD's are stored in a 4 hour rated fire safe.

    Everything is encrypted locally prior to storage on Azure, $50 credit I get with MSDN sub covers that (employer pays MSDN sub). This is the only cloud storage I leverage, weekly backups for most data.

    Password database is synced to 2 USB sticks along with the software necessary (KeePass portable), one is in my pocket at all times and the other is...elsewhere. I update the password DB every month or so, and immediately if I'm cycling/setting up a login for something critical (bank, insurance, etc). Years ago I memorized a complex passphrase that is only used for this one purpose. Password DB is not cloud hosted so if anyone gets access to it for brute forcing they've managed to bypass a lot of security to get there.. and will need to brute force a very complex passphrase. I accept the residual risk on this.

    I don't use my phone for anything sensitive, if it were lost or stolen my main concern would be getting a new phone. For critical 2FA I prefer hardware tokens.

    I have done disaster recovery exercises including full restoration of systems as well as specific data recovery. This works for me, and keeps my wife happy (artists make a lot of data!) YMMV.

    Reply

  64. Bob Ligma says:

    Easy solution: just have a hot site set up in another state, ready for you to walk in and start using right away.

    Reply

  65. fourzerosix says:

    should have a small bunker below the house for important storage and water/fire-proof safe

    Reply

  69. Matt says:

    I think the obvious failure here in your hypothetical is that you did not have an off-site backup. Superficially it looks like you do, cause everything is in the cloud. However it's not an off-site backup unless your encryption keys are also backed up off-site, along with the credentials to access it all (and yes your second factor is a credential). In this hypothetical, all your second factors (security keys, phone, paper with recovery codes) were stored on-site, which is why everything failed.

    You mention storing a USB stick with a friend, but then only consider the unworkable solution of storing a frequently changing target (backup codes for all your services). All you really need to store is the credentials and keys to restore from your off-site backup, and possibly for your email account. That is probably just the recovery codes (and passwords if not memorized) for your cloud site(s) and your email account, and maybe a spare security key that's authorized for those accounts if that's in your budget. Those shouldn't need to be updated very often. Encrypt those with the same passphrase you use for your password manager (which you presumably have memorized). You can reduce the risk of your friend or their kid misplacing/wiping it with an envelope and marker (pretty cheap). As for the concurrent loss of both sites, do you only have one friend? Do they all live in the same city?

    Other solutions include using another cloud backup site which you only put your encrypted password store in, and then don't turn on 2FA for that one (it's only protecting an encrypted file). I've even seen the suggestion somewhere to store your encrypted password file in the public part of your cloud account, but that effectively turns off 2FA for your password management.

    Reply

  71. Billy Eager says:

    Idea:
    1. A phone app which routinely checks for phone movement periodically when the phone is unlocked and sends an "All Good" confirmation back to the app's cloud account where you have set up a number of event triggers.
    2. After X amount of time of it failing to send the "All Good" confirmation (due to lightning strike/fire/space lasers destroying the phone or the phone being lost/stolen but remaining locked) the cloud account sends an email to preset addresses stating that if no response is received by clicking on a link within, important information from you will be sent in X amount of time
    3.
    a) Fortunately you have a new phone being set up and you managed to remember your login for your favourite password storage app so don't need this package to be sent. You click the link on the email to delay the delivery long enough for your new phone to be set up so the app can be reinstalled and continue to send "All Good" confirmations to your app cloud account
    OR
    b) You don't have any other means to access your digital life than through the information contained in the digital delivery package, so nobody clicks on the link in the email and the digital package is then sent at the required time, thereby restoring your access to your digital life

    Note:
    Said app would only allow the creation of the digital 'package' and trigger settings/email recipients once and the entire setup would remain locked and encrypted within your app account cloud storage unless it is deleted/replaced with a new one. This means even if your app account access was compromised the most damage which could be done by the intruder would be the deletion of your encrypted event package and the app could be set to automatically notify you whenever a deletion is done on your cloud account and block any cloud deletion during an active countdown period.

    This is the closest I can get to a mechanism by which an account compromise reveals nothing useful to an intruder while ensuring that delivery of the data package is only made in the absence of any responses from you or your recipient group. (You could even make it a 'n of n' response requirement just to prevent a 'bad' recipient from maliciously responding to the alert email and reseting the countdown timer even though they know the data release is needed)

    Thoughts?

    Reply

    1. @edent says:

      If the "digital package" is encrypted - then how will you remember the long and complex password for it?

      If it is unencrypted - then the provider of the service has all your data.

      This isn't a problem which can be perfectly solved by throwing more technology at it.

      Reply

      1. Billy Eager says:

        The digital package would be encrypted with your own public key, to which the privkey would be held by you and your fallback recipients (again, could make it 'n of n' to unlock if necessary so no single recipient could unlock it)

        The encrypted digital package would be useless without the privkey which would be useless without the digital package to decrypt.

        An attacker would have to compromise multiple email accounts without knowing which email addresses are in the recipient group and gain access to the required privkey(s).

        Reply

        1. @edent says:

          So we're back to square one! How do you protect that private key? What happens if you accidentally lose it in a lightning strike?

          Reply

          1. Billy Eager says:

            As I said, your fallback group have a privkey each for n-of-n multisig. No single person can unlock the encrypted package. You set it at, say 3-of-5, and if one of those 3 is you, post-disaster, there is only a need for you to rely on 2 of your fallback group, or 3 if you're not around any more or you've no longer got access to your own privkey for the group.

            How scorched-earth is your scenario that you want to demand the recovery plan has to account for multiple people in multiple locations losing the privkeys you sent to them?

            Reply

  77. kimmyG says:

    Isn't this post just the opening slide(s) of a VC presentation looking for funding for a company offering safekeeping vaults for digital assets (pwd + MFA keys for password manager, etc) that are secured with DNA - so you have to show up in person at an authorized location, where they will DNA test you to confirm who you are, and then release the contents of the digital vault?

    Reply

  79. said on mastodon.org.uk:

    @kev @Edent The problem with the multiple Yubikeys solution is that you need both/all of them on hand when you setup a new service - no way of registering all using just one - so no keeping the backup in a disused lavatory in a basement with a sign saying "beware of the leopard".That's if the service supports multiple- the fact on Mastodon I have my phone, Windows Hello and 2 Yubikeys all setup on a free service for 2fa and $ limit you to one device is astonishing

    Reply | Reply to original comment on mastodon.org.uk

  81. Alexey says:

    A simple and reliable solution to the problem is to store important data in encrypted form in public places, such as:
    - github repo
    - telegram channels (supports unlimited number of files up to 2 GB)
    - public pages at vk.com (supports unlimited number of files up to 4 GB)

    Use strong encryption and long passphrase, keep backups in several public places - and the problem is over.

    Reply

      1. Alexey says:

        This is a line from a poem (in Russian) that I will never forget, for example.

        Reply

        1. @edent says:

          Слава Україні!

          But most people don't have such a good memory. And, if you've experienced a traumatic event, even your fantastic memory may be compromised. Of course, you remember exactly which capital letters you used, whether you replaced any letters with numbers, and if you used spaces or not?

          Wait... is it the same poem you and your friends all learned at school? How long do you think it will take them to crack it?

          Reply

          1. Alexey says:


            Слава Україні!


            Героям слава!


            But most people don't have such a good memory.


            It's a matter of practice and repetition. If a person cannot memorize a long phrase from 1-2 times, then he will be able to memorize it from 10-1000 times. This is a matter of desire. If a person wants, he will find a way to memorize a long phrase, even consisting of random characters.

            Alternatively, in addition to the phrase, you can use some publicly available file as a key (billions of files are published on the Internet, the attacker does not know which one can be your keyfile).


            And, if you've experienced a traumatic event, even your fantastic memory may be compromised.


            OK, I can't offer a one-size-fits-all solution that will work in all cases. But at least the solution I proposed will work with the case described in your article (in most cases).


            Of course, you remember exactly which capital letters you used, whether you replaced any letters with numbers, and if you used spaces or not?


            Sure.


            Wait... is it the same poem you and your friends all learned at school?


            Maybe.


            How long do you think it will take them to crack it?


            40+ symbols including digits and capital letters. My passphrase consists not only of a line from a poem. I think it will take a very, very many years.

            Reply

  83. Josenildo da Silva says:

    First of all, sorry for the bad English, I'm using a translator.

    It's late 2024 and the problem persists. I found your perspective quite interesting.

    My point is that at some point, you need to trust something/someone.

    I've been thinking about making a disaster recovery plan (especially in case I become incapacitated), with the main passwords/keys on paper and giving a copy to my wife and one to my brother-in-law (who knows IT and can help with data recovery).

    In addition to the copy at my house (which would be inaccessible in a disaster), my idea is to make a copy of essential data (ID documents, access keys, copy of the bitwarden database and things like that) at my mother's house, using a raspberry pi.

    Use a site-to-site VPN and perform automatic backups of the data to her house and check this periodically (and especially when changing passwords/registering for sensitive services, such as banking and government).

    This way, if something happens to me, my wife can easily access everything she needs (or if I get locked out, I can recover).

    Without the data, the letter will be of no use to my brother-in-law. Likewise, if my mother's house is robbed and the Raspberry Pi is stolen, the data is encrypted (and I can change the passwords/access keys so that the stolen data becomes useless).

    Reply

Trackbacks and Pingbacks

  4. :

    This is a belated response to the “ I’ve locked myself out of my digital life” post that was circulating earlier this month. Its author describes a hypothetical situation in which a single unexpected disaster (such as a lightning strike) could cause disruptive damage to your digital – and in turn, to your “analogue” – footprint.The post is thoughtful and makes a good point – I’m not really arguing against it. In fact, I believe that everyone should be doing some sort of prep work for unforeseen events. However, a lot of the theoretical aftermath can be avoided with this one simple trick: redundancy. Keep a spare laptop* at your office or in your parents’ house, use a password manager with a secure online repository (such as pass with git), and you’ll be fine until Russia invades. Plus, that’s a little less dead weight to lug around when biking to work.– five-year old Thinkpads and Latitudes go for around 250 EUR, but you can run Firefox and Vim on a 10 year old X220 anyway

  5. :

    […] pointed me to a blog post by Terence Eden, which contains a bit of a thought experiment on what happens if you have a catastrophic accident (say, a house fire) and lose access to all your […]

  6. :

    […] Für einige Dienste ist ein zweiter Faktor Pflicht und für andere sehr sinnvoll – insbesondere für den Passwort-Manager, der praktisch den Schlüssel zum gesamten digitalen Leben enthält. Es gibt verschiedene Formen von Zwei-Faktor-Authentifizierung, etwa per SMS oder über eine Authenticator-App. Am besten besorgt ihr euch zwei oder drei Hardware-Token (z. B. YubiKey), richtet alle ein und lagert sie an unterschiedlichen Orten. Ansonsten besteht die Gefahr, sich aus dem eigenen digitalen Leben auszusperren. […]

What links here from around this blog?

  1. YubiKey Neo - a thumb sized USB device - on cardboard backingHow do I revoke a FIDO / WebAuthN token from every service?
  2. Photo of an MCB - a small electrical switch. It is in the off position.Lessons learned from a power-cut

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

See allowed HTML elements: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">