1Password (or similar) — what to do if the worst happens?

Hello all,

A recent message from my bank (about what to do if your phone is stolen) had me start thinking about my use of 1Password, and what I would do if things went badly south.

I am a 1P Family subscriber — but presume a similar scenario could play out regardless of what password manager is being used.

So, what would I do if I were travelling overseas, and my iPhone, MacBook Pro (and iPad) were all stolen?
If memory serves, a few years/prior versions back, I could’ve gone into an internet cafe, and signed into 1P through a browser.
I would then simply have to remember my email address used, and the 1P main vault PW.
Now, it seems I would also need to enter the (very long, un-memorisable) “secret key”?
The latter is visible inside 1PW, which I no longer have access to.

Let’s assume I was diligent and printed that out as a type of emergency kit, and it is now sitting somewhere back home — I would then have to find a way to phone home, and get those details from my SO… but that could be all sorts of tricky in the absence of a phone etc.

Regardless, I see 1PW also has a new feature called Recovery Codes, but this requires your access to one of your email accounts — and all my email PWs are stored inside 1PW.
So that’s not looking likely either.

Am I correct then that — and this is NOT a criticism of 1PW or any similar PW manager — one really wants to avoid a situation where all your devices are lost/stolen at once? If that happens, you are in for a world of pain…

Or am I missing something obvious, in terms of an alternative solution? Keep an “on-site”, discrete copy of that “secret key” somewhere with you whilst travelling overseas (to be kept in the hotel safe etc.), so that you at least have a chance of quick access via a browser?

Any other suggestions would be welcome (leaving aside the expected comments about writing them all down in a notebook)…!

1 Like

I can confidently say nope, we have always needed the secret key. I started using 1PW in ‘08 and when I was switching to 1Password.com in 2017 I screwed up and locked myself out. When I emailed support for advice they included the following:

“Please make sure to sign in from a browser with that key and your Master Password so that you can save your Emergency Kit, which contains all of that info. If you still have trouble, let me know and I’ll be happy to help you delete your account and start over.”

As for what you could do “if the worst happens”, I found this:

I noticed this years ago when I did a clean install of my iPhone. But I’m glad your question reminded me about this feature. :grinning:

1 Like

I know that, again, it can be argued that this can get stolen or lost along with everything else, but a Yubikey that lets you access at least your most crucial account (which is likely your email account) and your password manager via the web, is probably worth the investment if you are planning for such a scenario, and is more convenient than having all the codes printed out.

3 Likes

If you are left naked on the street with no possessions whatsoever and the contents of your hotel room have all been removed, then you have a rather serious problem.

But in any situation short of that, there could well be a way to secure a copy of your recovery key somewhere.

You could also consider basic transposition ciphers for encoding it, so it is not immediately obvious what it is.

As a random example, you could print a copy, laminate, and tuck it somewhere where it will not be stolen with the rest of your stuff.

Or you could use some sort of a book cipher for encoding, and bring along a book on your travels that people are not likely to want to steal. :slight_smile:

My bank once offered a device that produced a 2FA number when pressed, but I’ve never used a Yubikey. However, didn’t LastPass get hacked because the decryption keys for everyone’s account resided on their website? IMO that’s why I would never use LastPass or a similar password manager.

Both 1Password and Apple Passwords decrypt our passwords on-device. This is why I need both my password and secret key to access my account.

And an Apple Passwords user needs their iCloud password and an Apple iPhone, iPad, or Mac. So, it seems to me that Apple treats our devices like a Yubikey.

Or you could be like Jason Bourne and have your secret key implanted in your hip :grinning:

2 Likes

This is actually a great thing to think about and I’m now curious about Yubikey.

I decided a while back to stick with 1Password since it seems to offer the greatest flexibility for all situations, standard and emergency. The one fail point is if I don’t have my phone or my laptop with me but need to access 1Password on someone else’s computer. I don’t have that long secret key accessible.

Given the fires in LA and that, at least for the western US and Canada, fire season is basically year round now, putting together a plan for this is actually important.

I actually have a fire evacuation plan in place (which we’ve sadly had to use at times). It’s broken down into what to grab if there’s 5 minutes warning, 30 minutes warning and more than an hour warning. All of them include phone and portable chargers. It would be easy to add a Yubikey to one of those, if it will at least allow me to get into my Fastmail and 1Password account. Or I could use the laminated card idea mentioned and keep it in my escape backpacks.

I’m curious to hear if there are other ideas/practices people have regarding this and worst case scenarios.

This is good to think about. In my case, I know the password to something online that has recovery info.

1 Like

My 1Password recovery key is printed out and stored in my safe deposit box at my bank.

3 Likes

Enjoy it while it lasts. It’s easier to find an honest politician than a safety deposit box these days. Banks now consider them obsolete.

My bank is one of the largest in the US and they closed their main branch in my city last year. Where I had a box for over 20 years. :face_with_symbols_over_mouth:

I know my 1Password details and my AppleID password (my primary email account) off by heart.

But yeah, you don’t want to get all of your devices stolen at the same time, that would make it much more difficult to recover.

If you have someone outside your nuclear family who you truly trust, you could swap sealed envelopes or encrypted hard drives (passwords all the way down) with the basic information you’d need as a break glass recovery.

You could store your secret key, embedded among other characters, in an Apple Notes or Evernote note with a general or misleading name. So if you know credentials for one of those, you could get to that note to extract the key. Then you only need your password in addition to that.

1 Like

“5 minutes warning, 30 minutes warning and more than an hour warning.”

This is brilliant. Going to do the same.

Until you realize you lost all of your Apple devices and Apple is requiring you to type in the code they just sent to your devices. :slight_smile:

1 Like