Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.
Dear DST,
Do you use a password manager for your password manager? I thought of this question as I learned the hard way. When I forgot my password for a Proton account, I got locked out of all Proton services, including the password manager. I saw this as a downside of being locked into a particular ecosystem, although the recovery method was quite easy.
Signed,
Terra Bytes
(For those who have not yet gotten started using a password manager to ensure you’re using long, unique passwords to minimize the impact of a breach, begin with our guide.)
Hi Terra,
First, it’s great to know that you’re already using a password manager.
Second, to your question, I use a long, unique, and randomized password for my password manager. In fact, I used the password manager to generate the password. I also store backup methods locally on my devices to allow me to get back into my account if I ever lose access. This helps reassure me that I have a game plan in case I ever forget a password or lose a device.
This question hits home because I’ve seen things. I’ve locked myself out of password managers, lost two-factor authentication codes stored on a cellphone, and lost account recovery information to hard-drive failure. I’ve spent hours talking to customer service to convince them to let me back into my accounts or reset my recovery methods. I can’t do this all again. I have but one life.
Creating redundancy in how you access an account provides some extra peace of mind. When starting up an account, this means storing backup codes somewhere safe, potentially in a password manager or in a local file on devices you control.
This also means having a fallback in case you can’t access your two-factor authentication codes. For example, this might include using backup codes, as well as having more than one 2FA method, and opting for the safest one you have available to you at the moment.
Finally, this also means keeping a copy of your password manager password somewhere safe until you’ve fully committed it to memory. This copy might even be stored in another password manager (say, KeePassXC) that you store offline for emergencies.
There is a potential trade-off here: Having these fallbacks for getting into your account also means someone else could recover your accounts if they manage to get into the trusted location where you store your backup codes.
Each person’s experience is different here, and what level of redundancy is acceptable for you is up to you. I can only speak for myself, but I’ve never regretted having backup options for getting into my accounts. I’ve only ever been frustrated by locking myself out, so I’m relieved to have these options.
Now, has anyone seen the key to my house?
Best,
Martin