Note: I originally wrote this blog post 2022-02-23, around the time I was dealing with improving my backup strategy, but forgot to publish it. I also improved things since so that I could more or less start from scratch (or at least better odds than back then). So, the setup in this article is the setup I had back when I wrote this article.
If you read my blog recently (see note above), or followed me on Mastodon, you might have noticed I’ve been thinking about backups and worst-case scenarios lately.
Imagine one of the following scenarios:
- You’re traveling abroad for a long while, for some reason border control confiscates your laptop and phone and other electronics.
- Your place burns down, with all your electronics destroyed, all data lost.
To be clear, just one scenario, it’s unlikely both happens simultaneously.
And let’s say, your phone is also gone, and any USB drives and other storage media you may have had.
Let’s just say, the worst-case scenario happened.
Could you regain access to your online accounts and your things?
I know I couldn’t. I use a KeePass database, hosted on my NAS, with a backup copy on a USB drive and my phone.
If those were, for some reason, to be destroyed, or say, confiscated at a border, I’d be offline.
I don’t know my passwords. It’s all unique/random/long strings in my password manager.
I don’t even know my password for my email account.
I have two-factor-auth enabled almost everywhere, where possible. So, even if I knew my (various) email passwords, I couldn’t just do a password reset.
I wouldn’t be able to access my emails, my cloud drives, my Cryptomator, my instant messaging. I use encryption almost everywhere, and don’t know the keys, either.
I’d be locked out.
I do have a backup strategy, as shared in an earlier article, but I hinted there that there’s still one problem to be solved, and that’s this problem here: My backup strategy assumes I have my KeePass database and 2FA.
In some rare cases, 2FA is SMS, not because I want that, but because some sites only allow that. In a worst-case scenario, where everything burns down, I should be able to regain my ID at an embassy or government authority in some way or form. With that, I could regain my phone number (new SIM), which is registered to my name.
But in the case of TOTP (AKA “Google Authenticator” & co.), or a hardware security key (AKA “YubiKey”), when those are gone, they are gone.
How “normal” people solve this
With “normal”, I mean the average Joe, who isn’t an IT expert. How they “solve” this, is by just using one password for everything, without 2FA. Then they use something like Dropbox or Google Drive, and just store everything in there, unencrypted. Of course, this means they won’t lose access to everything if things go south. However, on the other hand, without 2FA, anyone who knows your password (for example phishing), will be able to access your things. And by using one password everywhere, one can then access all your things. This is known as “credential stuffing”, and is increasingly becoming a problem: Some data breach reveals some email and password combination, and that combination can then be used to authenticate everywhere. In a worst-case scenario, this could lead to identity-theft and blackmailing/ransomware and whatnot.
So, how “average Joe” handles this, is not acceptable.
Some possibly actual solutions
So, I need to somehow back up my KeePass password database, my KeePass 2FA database (yes, those are separate… many make the mistake to have it all in one database), and my YubiKeys…
So, here are some thoughts/possible solutions:
- Have a backup in a fire-proof safe, perhaps both as CD and USB drive, and one backup YubiKey or two, in the hopes that at least either CD or USB stick, and at least one YubiKey, would survive.
- Get one of those free cloud drives, like Dropbox, Google Drive or similar, which have a free tier that is enough to host KeePass and some other things as backup, and memorize the password.
- Switch to using one of those hosted password managers, like Bitwarden, or have Bitwarden in parallel, with a copy of the most important things in it, and memorize the master password.
- Get a second cloud drive account, somewhere else, to host the TOTP (2FA) database separately.
- Set up TOTP (AKA “Google Authenticator”) 2FA as backup to your hardware security keys, in case you lose your keys.
- Actually print out the recovery codes shown to you, and carry them with you, and a copy in a fire-proof safe.
I should clarify that I knowingly suggested the less privacy-friendly cloud storage options like Dropbox and Google Drive for a good reason: The privacy-friendly cloud drives are usually not free, and if they are, they require active usage to not get purged for inactivity. Those are usually run by smaller businesses who can’t afford to give away storage like the big providers, and the chance for data-loss is also greater there. The big providers will likely hang on to your files for years to come, which is ideal for a small encrypted backup that needs to be available in case things go south.
Could you continue from scratch?
Back to the original question, could you continue from scratch?
Do you have this all figured out, and could you regain access to it all if stranded abroad without your devices, or if your place burns down, destroying your data?
If not, will you look into it now that you’re made aware? How would you solve this?
If yes, did you manage to do it securely, or are you an average Joe reusing passwords?
Let me know in the comments. (:
If you enjoyed this article, consider donating a coffee. (: