A terrifying cautionary tale on password management

This just happened to me and I figured I’d share the pain as a warning to you all.

I’m hyper-vigilant in my online security and use 1Password for everything. Not only do I use it for 40+character, complex, & random passwords, but I generate long, complex, & random “passwords” that I use as my username whenever I can (email is too easily guessed). I use 2FA everywhere it’s supported AND I refuse to give correct answers to so-called “security” questions (which can easily be socially engineered), instead generating a random group of words using 1Password. All secured safely in 1Password and I’ve never had an issue, ever.

Until yesterday.

I had temporarily turned off 1Password sync to work on something, which then required me to restart my Mac. I did…only to hit a weird OS X bug where it didn’t accept my password (which I know was correct). Not a problem, I can reset the password using the recovery code. Oh, nuts…that recovery code is in 1Password. Which is now not syncing. Accessible only on the Mac. That I can’t get into because it’s locked with a recovery code I’ve never tried to memorize. And because I turned off sync, that code isn’t even on my iPhone.

I literally have no way to get back in. I figure I can restore from Time Machine–nope, those encrypted backups are encrypted with a password, you guessed it, now in 1Password only on my Mac. Shoot. Backblaze–nope, those encryption keys are in 1Password only on my Mac. I’m dying.

Everything is gone–every single login to everything important in life is gone. I figure I can go to these websites and reset passwords and that’ll be a lot of work, but I can do it. Nope–because I don’t know my email password and even if I did, the 2FA is in 1Password along with the emergency recovery codes.

I try everything I can think of, to no avail, and go to bed–of course, after something like this, I can’t sleep. And then it hits me–my bank access is 100% gone. It’s entirely inaccessible. There’s no physical bank branches and I can’t login online. I don’t know the username, the password, the 2FA, the backup codes, or the security questions. How can I even prove to my bank that I’m me?

Then I remember–I have my bank’s app on my iPad and it’s logged in. So, worst case scenario, I can at least transfer all my money out of that bank if I can’t get back in. And then I think–I had put my iPad into Airplane Mode days earlier (can’t remember why)…and maybe I hadn’t turned it off.

I get out of bed at 1:30am and rush downstairs–sure enough, Airplane Mode is still on. I unlock it, open up 1Password…and everything is there. Hallelujah, thank you Jesus. Right there is my Mac’s recovery code and with it I can reset the Mac password and regain access to my local-only 1Password vault. Praise God.

Lessons learned:

  1. Backups aren’t just for user error–they’re for software & hardware failures. I’ve never used backups for anything but “Oh, I shouldn’t have deleted that file,” so I’ve never prepped for catastrophic failure.
  2. Software & hardware failures can come at the worst possible time. “It’s not a big deal to turn off 1Password sync for a few minutes while I adjust this” = stupid bonehead idiot idea. Because of COURSE that’s when you get a software bug.
  3. Always, always, ALWAYS make sure that the passwords to access your device(s) are accessible while that device is locked. In my case, I had the password to my Mac but not its recovery code.

TLDR: OS X bug made me lose access to 1Password data and nearly destroyed my life and finances. Airplane Mode saved me. Don’t be like me.

3 Likes

Wow, that’s quite frightening. Lucky save. It stinks when you do all the right things and then narrowly miss getting hit with such a catastrophe.

Exactly–the wrong OS bug at the exact right time…ah man alive. So grateful on a “fluke” my iPad had that code. Gonna print out key codes & put them in my deposit box or something. Craziness.

2 Likes

Do(n’t) you have a 1Password membership?

If you do, you could use the 1 year item history feature via the web.

" ALWAYS make sure that the passwords to access your device(s) are accessible while that device is locked" Excellent advice, for this situation and many others.

What happens if you are incapacitated for some reason - or worse? How many of us have considered how our family, etc. can access our digital life, when we can’t log in for them?

Shortly after I began my first job out of college, a co-worker taught me the philosophy of the 6 P’s:
Proper, Prior, Planning, Prevents, Poor, Performance.

Note: It was actually the 7 P’s, but one of our executives objected to an adjective used to emphasize Poor :wink:

1 Like

Yup, that’s where my mind went next – need to have enough passwords written down that people can get into your devices and your password manager. And that needs to be kept with your will, frankly. I haven’t done that yet, but I need to.

No, I haven’t done the membership; been really happy owning the software fully and haven’t ever felt the need to do it.

But…that would’ve been a better solution! Of course, had I just kept my normal sync turned on it would’ve been ok.

Wow! I’m glad all that worked out. But I sympathize with the stress of it all! Reading your tale of woe, it occurs to me that I have no idea what my “recovery code” is for my Mac. Is this something we set? I assume it’s not our apple ID. This code sounds pretty important and I’m thinking I should know what it is!

2 Likes

I’m pretty upset that you didn’t put the TLDR at the top because it would’ve saved me a lot of anxiety!

Glad it all worked out in the end.

It’s a code that’s generated when you use FileVault 2 to encrypt your hard drive. You may have chosen to send it to Apple for safe-keeping (I think it gives you that option), but I wanted to keep it local only. Go to System Preferences>Security & Privacy>FileVault; if you have it enabled/on, then a recovery key was generated. If you don’t have it, not sure there’s anything you can do–maybe turn off FileVault, decrypt the drive, and then re-encrypt it. If FileVault is off, you should turn it on, otherwise anyone with physical access to your computer has total access to everything on it.

1 Like

Haha, I thought about it, but I wanted you to feel some of my terror :wink:

2 Likes

Huh? What OS X bug is this?

“I’m sorry Mark, I can’t do that.” - HAL

:grin:

Glad you managed to get it sorted!

4 Likes

A frightening tale indeed.

My personal rule of thumb is that such data should be accessible on at least 2 independent devices. My 1PW database is accessible on Mac, iPhone and iPad - and I refuse to use cloud for passwords to my life. However, for WLAN sync you have to start 1PW simultaneously on Mac and iPhone/iPad while being in the same WLAN - don’t think I could ever delete all of them. Still, I should think about a db backup to NAS and a written password to the NAS account. Just in case.

It’s a weird one that I’ve been plagued with the last year or so–I can log in and out of my account no problems, but as soon as I reboot, the password no longer works (but recovery code does work). I need to reinstall the OS to fix it, I’m sure, but it was just never worth the hassle (because how often do you reboot your Mac?). But as soon as I have a full backup from today, I’m doing that ASAP.

Haha, you made me literally laugh–thanks

1 Like

Yup, good rule of thumb – assuming you don’t get robbed and lose all your devices :grinning:. Why I’m tweaking that rule of thumb is that such data should be on 2 independent devices AND you need a paper trail to get you fully into both devices OR to set it up again on new devices.

I could literally feel the hairs stand in the back of my neck reading this :dizzy_face: having been in a somewhat similar situation several years ago.

Glad to hear you got it settled in the end :pray:

Glad you were able to recover. I’m going to do a backup tonight. I think 1PW lets you make a recovery archive of some sort.

Edit: also their emergency kit for online accounts.

You might check which keyboard layout is enabled when you can’t log in. I switch from Dvorak to US depending on which physical keyboard I’m using, so if I’m using my Dvorak output keyboard and macOS is set for Dvorak, I have to switch it before I can log in.
If you don’t use multiple layouts, perhaps a shortcut key is changing it?

1 Like

For something so vital I always have a backup plan for my backup plan.

Every year I do a CSV backup of my vault and store that on an encrypted disk image on a flash drive that I keep in a safe. I’ve seen too many computers and apps fail to not do this.

3 Likes
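Two of the suggestions in this thread (checking FileVault and getting hold of its recovery key, and keeping a yearly vault export on an encrypted disk image) can be scripted. The following is an added example, not code from any poster or from 1Password; it assumes macOS, where `fdesetup` and `hdiutil` are Apple's built-in tools. The image path, volume name, and size are illustrative. It also uses `fdesetup changerecovery -personal` to issue a fresh personal recovery key, which avoids the decrypt-and-re-encrypt step mentioned above; the new key is printed once, so record it on paper before closing the terminal.

```shell
#!/bin/bash
# Added example for this thread (not from 1Password or any poster).
# Assumes macOS: fdesetup and hdiutil are Apple's tools; the image path,
# volume name, and size below are illustrative choices.
set -euo pipefail

# Return 0 if the text of `fdesetup status` reports FileVault as on.
# Takes the command output as an argument so it can be checked offline.
filevault_is_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Show the FileVault state and, if it is on, issue a new personal recovery
# key. fdesetup prints the new key exactly once; write it down immediately.
# Decrypting and re-encrypting the disk is not required for this.
rotate_recovery_key() {
  local status
  status="$(sudo fdesetup status)"
  echo "$status"
  if filevault_is_on "$status"; then
    sudo fdesetup changerecovery -personal
  else
    echo "FileVault is off: enable it first (sudo fdesetup enable)." >&2
    return 1
  fi
}

# Create an AES-256 encrypted sparse bundle, copy the given files into it
# (e.g. a 1Password CSV export and a printout of recovery codes), then
# detach it so the bundle can be copied to a flash drive. hdiutil prompts
# for the passphrase on the terminal; it is never written to disk here.
make_encrypted_backup() {
  local image="$1"          # e.g. ~/vault-backup.sparsebundle
  shift
  local mount="/Volumes/VaultBackup"
  # -fs APFS needs macOS 10.13 or later; use -fs HFS+ on older systems.
  hdiutil create -size 200m -fs APFS -encryption AES-256 \
    -type SPARSEBUNDLE -volname VaultBackup "$image"
  hdiutil attach "$image"
  cp -v "$@" "$mount"/
  hdiutil detach "$mount"
  echo "Encrypted backup written to $image"
}

# Dispatch on the first argument; with no argument nothing runs.
case "${1:-}" in
  check)  rotate_recovery_key ;;
  backup) shift; make_encrypted_backup "$@" ;;
esac
```

Usage: `./vault-backup.sh check` prints the FileVault state and a new recovery key; `./vault-backup.sh backup ~/vault-backup.sparsebundle ~/Desktop/1password-export.csv` builds the encrypted image. Keep the image's passphrase and the recovery key on paper, somewhere reachable when every device is locked, since the whole point of the thread is that a key stored only inside the thing it unlocks is no key at all.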