by CGamesPlay 2008 days ago
I somewhat recently made my personal disaster recovery plan, and the password manager features prominently into it. If I lose all of my electronic devices in a sudden accident, how can I recover my online life? To address your questions specifically:

1. I used Shamir's secret sharing to send out a copy of my secret key to a few loved ones. The master password is in my memory only. If I forget the master password, I lose.

2. I use 1Password, and they say they make accounts read-only once you stop paying. If they did actively delete my account, my devices have a local copy. If I lose my devices and they delete my account at the same time, I lose.

3. I don't know what you're imagining, but you need the data, secret key, and master password to have this be a concern.

4. This has nothing to do with my threat model, I'm afraid. I can't imagine a world in which knowing my IP address leads to decrypting my password vault.

5. I am and this is correct. If there's a vulnerability in the cryptography used by 1Password, I lose. As you said, if there's a trojan update, I lose.

6. This is the same as 1 and 2.

All things considered, as a regular person who is concerned about protection from thieves and not especially concerned about being a target of governments, I am OK with these risks.

3 comments

> All things considered, as a regular person who is concerned about protection from thieves and not especially concerned about being a target of governments, I am OK with these risks.

As a regular person, you have to consider these possible attacks on your money/data:

1. Attacker is a person in your life – friend/family/acquaintance – targeted you specifically. Attack may not be very sophisticated and may be easy to defend against if basic hygiene is followed.

2. Attacker is a remote entity – people who you don't know personally – you were not targeted personally – but you became a target because you are part of a cohort they targeted – nothing personal. Attack of this form can be quite sophisticated.

3. Thief is a govt entity (foreign or domestic) – because you were targeted directly or because you are connected to someone who was targeted directly. More than technical mechanism there are legal mechanisms at play here.

#2 is a very big threat. A password manager service company is a very attractive target for them. Imagine the recent SolarWinds Orion supply chain attack being done by an underground cyber criminal group and being chained together to compromise your favorite password manager service stack.

My least-effort solution to most of these issues is to store hard copies of the password to my primary email in different places and to use 2FA.

Then if my password manager does get nuked or compromised, I can "restore" my accounts by using the "forgotten password" feature for most places. If I get trojaned, what are they really going to do with my accounts? The majority of things of importance are behind 2FA anyway, and I'm not a public enough figure that any of my data that isn't is of any importance anyway.

How did you encode messages for (1)? Did you provide instructions? Did you keep a copy?
There's a ton of online sites for it. I used something custom, but the first result on Google seems like it would work just fine. https://iancoleman.io/shamir/

I kept a copy of the combined secret... it's the secret key to my password manager. I do have a plain-text document that fully describes the steps to restore my identity, but it's addressed to myself. My goal is to get my own identity back, not to prepare for my own death.
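The scheme described in point 1 of the post and in the exchange above (splitting the password manager's secret key into shares held by loved ones) is Shamir's secret sharing. The following is an added example, not the poster's custom tool and not the code behind iancoleman.io/shamir. It assumes a prime field GF(2^521 - 1), a made-up text format for the shares (`sss1-threshold-length-index-hexvalue`) so that each paper copy describes how many others it needs, and a constructed sample key that is not a real 1Password secret key. Any `threshold` shares reconstruct the key; with fewer, interpolation returns an unrelated field element, because the other polynomial coefficients are uniformly random.

```python
"""Shamir secret sharing over GF(2^521 - 1): added example, not code from the thread."""
import secrets

PRIME = 2**521 - 1  # Mersenne prime M521; any secret of at most 65 bytes fits below it


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` points (x, y) on a random degree-(threshold-1) polynomial whose constant term is the secret."""
    if not 1 < threshold <= shares < PRIME:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field; split it into chunks or use a larger prime")
    # The non-constant coefficients must be uniformly random, or the shares leak the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(points) -> int:
    """Lagrange-interpolate the points at x = 0 and return the constant term as an integer."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(points, length: int) -> bytes:
    """Recover the original `length`-byte secret from at least `threshold` points."""
    return recover_int(points).to_bytes(length, "big")


def encode_share(threshold: int, length: int, point) -> str:
    """Self-describing text form for a paper copy (format assumed here): threshold, byte length, index, value."""
    x, y = point
    return f"sss1-{threshold}-{length}-{x}-{y:x}"


def decode_share(text: str):
    tag, k, length, x, y = text.split("-")
    if tag != "sss1":
        raise ValueError("not a share")
    return int(k), int(length), (int(x), int(y, 16))


def recover_from_text(texts):
    """Reassemble from text shares, refusing to proceed with fewer than the encoded threshold."""
    decoded = [decode_share(t) for t in texts]
    thresholds = {k for k, _, _ in decoded}
    lengths = {n for _, n, _ in decoded}
    if len(thresholds) != 1 or len(lengths) != 1:
        raise ValueError("shares come from different splits")
    k, length = thresholds.pop(), lengths.pop()
    if len(decoded) < k:
        raise ValueError(f"need {k} shares, have {len(decoded)}")
    return recover_secret([p for _, _, p in decoded][:k], length)


# Constructed sample; not a real password-manager secret key.
SECRET_KEY = b"A3-EXAMPLE-NOTREAL-SECRET-KEY"


def demo(threshold: int = 3, shares: int = 5):
    """Split the sample key, produce text shares, and confirm any `threshold` of them recover it."""
    points = split_secret(SECRET_KEY, threshold, shares)
    texts = [encode_share(threshold, len(SECRET_KEY), p) for p in points]
    recovered = recover_from_text(texts[1:1 + threshold])  # any k shares, not just the first k
    return recovered == SECRET_KEY, texts


if __name__ == "__main__":
    ok, texts = demo()
    print("recovered:", ok)
    for t in texts:
        print(t)
```

Two caveats a practitioner would want: the share holders should be chosen so that no `threshold` of them are likely to collude or be compromised together (the shares protect the secret key, and the master password is still needed, as point 3 of the post notes), and the shares must come from the same split; mixing shares from two different runs produces garbage rather than an error, which is why the text format above carries the threshold and length so the recovery step can at least sanity-check what it was handed.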