[jzdziarski]

First, I’m so glad this turned out to be hypothetical, and you didn’t have to suffer through such a catastrophic loss. Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind, and you’d just be glad to have your life and your family - the only real things that matter in this world.

That said, planning a strategy for offsite data storage or a secondary authenticator is of course wise. A safety deposit box or other offsite location that you can frequently refresh and keep up to date would be a good investment. If you’re worried about keeping a master key to your life in a single place, you could separate your data and your authenticator. The how likely depends on your threat model, several people on this site may find it insufficient. To whatever degree you obfuscate or complicate your recovery path, you also increase the risk of losing access to it yourself.

You might also consider it’s not necessarily the “thing you have” that might go MIA, but due to physical injury, age, or just forgetfulness, the “thing you know” could also be at risk. I realize this the older I get. Finding a secure way to store a master password in the event you cannot recall it, or perhaps in the event of your death, is something you may also consider. In this case, I would avoid a cipher or something else you’re likely to forget.

[mid-kid]

Can't agree more with the last paragraph. Not too long ago, due to my keyboard breaking, I was forced to type my password manager's master password on an unfamiliar keyboard with an unfamiliar layout, and I just blanked. I type it frequently enough on my phone, so I tried typing it there too, but probably due to a combination of mild distress and actively trying to think about what I was typing I couldn't do it there either. I eventually decided to try again later and later that day I managed to type it correctly.

Rest assured, this situation probably sounds as bizarre as it felt. Randomly forgetting something I type every day isn't something I had considered a possibility until then. Maybe a password without as many non-alphanumeric characters would've aided in avoiding this situation, but I get the feeling it could've happened with any muscle-memoried password.

[DonHopkins]

I posted this earlier:

https://news.ycombinator.com/item?id=21862160

There's a much more evil prank than that:

A user was having a really bizarre problem: They could log in when they were sitting down in a seat in front of the keyboard, but when they were standing in front of the keyboard, their password didn't work! The problem happened every time, so they called for support, who finally figured it out after watching them demonstrate the problem many times:

It turned out that some joker had rearranged the numbers keys on the keyboard, so they were ordered "0123456789" instead of "1234567890". And the user's password had a digit in it. When the user was sitting down comfortably in front of the keyboard, they looked at the screen while they touch-typed their password, and were able to log in. But when they were standing in front of the computer, they looked at the keyboard and pressed the numbers they saw, which were wrong!

[alistairSH]

Holy crap. That's amazingly evil. And not at all what I thought you were going to say

[ajxs]

My employer made me use an SOE Macbook that had the 'butterfly keyboard'. Many of its keys would only work haphazardly. Once I made the mistake of setting my password using the laptop's keyboard instead of the external one I normally used. It had me going for ages before I realised there was one letter in the password missing!

[gnicholas]

I find it incredibly annoying that my iPad wants to automatically capitalize the first letter of most text-entry fields. I heard somewhere that some sites have made the first char of their passwords case-insensitive because of this, but IDK if this is just lore.

[Merad]

I used to work at a company that had some LoB apps used on iPads in a manufacturing facility... if the user login failed and the first character of the password was upper case those apps would retry with it lower case.

[cschep]

easily disabled which is good!

[gnicholas]

Not on the client-side! Sometimes it happens when you're typing the first char, in which case you can hit shift (which is visibly activated) and then type the char. But sometimes it 'autocorrects' when you hit the return key, and the only workaround I've found is to type the password with the first char doubled, and then go back and delete the first of the doubled chars. Not fun, especially when you're navigating the cursor on a touchscreen!

[cschep]

huh - if you disable this in the keyboard settings it still persists? Is it a browser input issue? not fun :D

[jlg23]

Being fed up with people asking to use my laptop (some 20 years ago), I cleaned its keyboard and put the caps back on at random. "Yes, of course you can use it, here you are! Oh, sorry, I forgot the keyboard..." Peace and undisturbed working ensued...

[chmod775]

Many people with mechanical keyboards (as in non-disposable keyboards) can probably relate to this, having put some keys back the wrong way after cleaning.

[zdragnar]

It's why the das keyboard with blank key caps was my favorite I've ever owned. It forced me to actually touch-type, rather than touch type the common keys and look for the rest.

[chmod775]

Then one always have trouble typing from unfamiliar angles that invalidate ones muscle memory, instead of only when someone swapped some caps...

[chmod775]

*Then one always has

[lobocinza]

This happened to me ~2 times I think due to exhaustion and/or stress. Just had to sleep to remember.

[ChrisMarshallNY]

Great prank (the car swap). Must’ve cost quite a bit, though.

If you have an iPhone, this app is pretty damn hilarious: https://apps.apple.com/us/app/action-movie-fx/id489321253

It’s done by Bad Robot (JJ Abrams’ company). Shows how easy it is to do really good special effects, these days.

[thatjoeoverthr]

Once I got home and found my toddler had completely shuffled the letters on my keyboard.

[Arrath]

Oh my god that car prank you linked was incredible.

[sabellito]

Few years ago I went to a store and paid with my card and 4-digit password. Not 20 minutes later, at another store, I just couldn't remember the password anymore, missed it 3 times and got my card blocked.

I had to make a new card because I couldn't remember the password to unblock it at the bank.

I had that card and password for 3-4 years at that point, wasn't under any stress at all, and nothing like this had ever happened, nor happened again.

[wishfish]

I was worried this would happen to me. I made an entry in my notes app. "Doctor Harry Bottomsmith 801-421-8623 9 am Friday" where 4218 was my PIN.

That's saved me a few times when I blanked out. This note, in theory, will look completely innocuous in case anyone gets access to my notes.

[SenHeng]

I've had a few of these. Until years later when I stumbled upon them again and totally forgot how they were meant to be decoded.

[account42]

You just validated every adventure game player typing in whatever numbers they can find to try and guess passwords.

[kibwen]

This is more generally known as steganography: https://en.wikipedia.org/wiki/Steganography

[ntauthority]

A year ago, I had to go to a bank office and engage in some verification process that also required me to use the physical bank card with its preassigned PIN.

No matter what I tried, I hit the 3-try limit for the day, and opted to have the same preassigned PIN sent by mail to my home address.

When walking back home from the bank branch I realized the mistake I had made: I had entered the correct PIN, but had typed it in calculator/numeric keypad order, and not in phone/PIN pad order.

While I've never used that PIN on a numeric keypad for a PC, somehow my brain associated the numbers with their order on a PC keypad, since I had used my PC keypad to unlock my PC with a PIN numerous times more than I had used any card terminal with a PIN.

So, the next day, I returned to the bank branch office to try the same operation again, and indeed - I had correctly entered the PIN and the online banking transfer limit ended up adjusted just fine.

[SenHeng]

For the past decade and a half, possibly longer, Japanese ATMs have replaced their physical keypads with digital ones where the numbers are randomly placed. Imagine my surprised when the first times I tried to enter my PIN, it kept failing until I took a good close look at the numbers.

[thraxil]

Had the same experience. Went to an ATM one night and the PIN for my card that I'd used several times a week for probably a decade was just... gone. Never before, never since.

[urxvtcd]

I once forgot root password to my FreeBSD installation, I spent a lot of time trying to remember it but failed. So I did a reinstall, and obviously recalled it when prompted to come up with a new one.

[LandR]

This happened to me last year.

Completely out of the blue I forgot my PIN, the PIN I had used every day for years. I was at an ATM trying to withdraw cash, got it wrong twice. It was just gone.

Luckily I cancelled it before the machine ate it, but I had to borrow money from someone to get a taxi home.

I had to request a new PIN and I still can't remember what it was. I now keep my pin in my phone under a contact.

[macintux]

I’ve had the same experience. Walked up to an ATM for the second time in two days and my 4-digit PIN was simply gone from my memory. I never figured out what it was.

That was almost 30 years ago, and thankfully it hasn’t happened again.

[grogenaut]

I use my ATM so infrequently that it's happened to me a few times. I get cash reups selling stuff on Craigslist so I need the ATM like once a year. Luckily my ATM is right next to an in grocery store branch so resetting the pin is 3-5 minutes talking to someone irl

[Vinnl]

I've had this happen to me multiple times, and more often now that so much payment is contactless here (even though I still have the same code as when it wasn't). Additionally, something as simple as a different machine (the most recent instance was a touch screen) can throw me off as well.

[jay_kyburz]

I went for a week holiday and when I came back I couldn't remember the alarm code. Had to call the boss at 7am with the alarm blasting in the background.

[tarsinge]

It has already happened to me blank on the 4-digit PIN I have since more than 5 years. Never thought I could forget something so short I use so often.

[PontifexMinimus]

Some bank cards have allowed you to change the number to a more memorable one.

The other thing you can do is make a mnemonic story to help you remember it.

[grog454]

I had a similar problem once. I normally use the dvorak layout but was on a qwerty keyboard. I don't remember exactly why, but I had to muscle-memory type the password as if the keyboard was dvorak and manually remap the characters using an image of a dovrak layout on top of a qwerty keyboard.

[frostwarrior]

My approach to that is to follow xkcd advice with an emergency password which looks less like a random string but more like a real world phrase.

I try to use my local language and some obscure local slang to avoid being guessed by an international dictionary.

[Sohcahtoa82]

> My approach to that is to follow xkcd advice with an emergency password which looks less like a random string but more like a real world phrase.

Yeah, for my master password, I use a slightly misheard line from an episode of a 90's TV show. Googling my misheard version in quotes only gets 6 hits, and it's 30 characters long, so very unlikely to get cracked even without replacing letters with symbols or adding a suffix.

[isolli]

It reminds me of the time I tried to type my password on a keyboard with a French layout, but responding as if it had a US layout. It turns out, even if you think you know where all these special characters are, finding them under pressure (three tries before you're locked out) with misleading visual cues is hard!

[ncpa-cpl]

Some countries even use more than one keyboard layout, so I try to stick to special chacters that dont change from keyboard layouts. Like dot comma and space.

[empyrrhicist]

Had that happen with a four digit numeric bank pin once, and several times since then with pass phrases. I tend to get stuck on whatever wrong pattern I entered first and have to try again later.

[GTP]

>but I get the feeling it could've happened with any muscle-memoried password.

I can confirm this. Many years ago I had to type for the first time a password on a classmate's iPhone (smartphones were just beginning to become common). The problem was that I didn't really know that password: what I remembered was a shape I was "drawing" onto the keyboard, which involved the numeric keypad... You see were this is going. That event was the one that led me to finally properly memorize that password.

[remram]

This happened to me, I forgot my Android "pattern", the swiped pin-like thing to unlock the phone. I didn't have a password set. I was able to factory-reset it with my Google account password but I lost recent files that hadn't yet been backed up (photos etc).

I just totally blanked. Like you said, the more I thought about it the less I could remember what it was like. It was really scary.

[efreak]

My method of solving this is to only use familiar, well known information about myself as my master password. It's > 50 characters and contains addresses, old ID numbers, my public library card number, account numbers, old usernames from 5th grade (I've never seen another username even remotely close to either my first IRC name or my geocities username). I usually get the order wrong the first time I try it, but correct on the second or third.

[InCityDreams]

Mild distress? I don't think that is so rare. But, why are my phone numbers not in the same order as my keyboard numbers! At my bank i drew a blank and had to sit at the assistants desk/ keyboard to fire off the muscles to enter in my old pw, in order to enter in an otu pw they'd generated.

[concordDance]

It's a really scary fact that people try and ignore but: neurons die.

They do this all the time.

They don't come back.

The information associated with them is just gone. Often the information can be reconstructed from other neurons that still work, but not always.

[NoPicklez]

I've done this so many times.

A small annoyance is when I need to change my iPhone passcode because of it being work managed. The keyboard used during that reset is slightly different to the regular iPhone keyboard.

Throws my muscle memory off.

[grogenaut]

sometimes i just cant get the password but will get it a bit later when not anxious.

[mixmastamyk]

You just described tech interviews. ;-)

[tgsovlerkhgsel]

> Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind

It isn't though. Access to your digital resources is vital to recover from the loss. You need an e-mail address to arrange contractors, you need your contact list to reach out to friends for help, you need access to your bank accounts, your cloud-stored scans of your ID cards, ...

[reaperducer]

You need an e-mail address to arrange contractors

No. People have been trained to think they need an e-mail address for real-life things, but they don't.

I had a roof replaced in my last place, which involved multiple contractors and insurance companies. No e-mail. No text messaging involved.

I recently moved to a new city, and setting up utilities, dry cleaning service, parking garage, etc... probably involved a dozen new accounts. I gave my e-mail address to none of them. Depending on the disposition of the provider, I either told them I hadn't set up e-mail yet since I moved, or just a flat "no."

you need your contact list to reach out to friends for help

If you're over 40, you can remember the days when it was perfectly ordinary to remember the phone numbers for dozens and dozens of people and businesses. These days, we've allowed computers to think and remember for us (hello, Stackoverflow!) so we don't have to. Memory is a normal skill that many people have lost or neglected.

you need access to your bank accounts

That's why it's important to have your bank accounts with an actual bank, with actual branches, and actual human beings to help you when human being things go wrong in the real world.

your cloud-stored scans of your ID cards

I can't even wrap my brain around why you'd trust information this important to a rental computer a thousand miles away.

"Everything digital" is a marketing tool. In reality, it only works when it works. When things go wrong, digital shows its fragility.

[basisword]

>> If you're over 40, you can remember the days when it was perfectly ordinary to remember the phone numbers for dozens and dozens of people and businesses. These days, we've allowed computers to think and remember for us (hello, Stackoverflow!) so we don't have to. Memory is a normal skill that many people have lost or neglected.

Heck, if you're over 30 you remember this. The problem though is that you remembered those numbers because you dialled them frequently from memory (and, at least in my location, landline numbers were much shorter than cell phone numbers). If you're not doing this on your smartphone you're never going to be able to remember the numbers. e.g. I can remember all of my childhood friends home phone numbers. I can't remember my partners cell phone number.

I recently considered getting an analogue phone book and noting down all the numbers in my smartphone contacts book just in case I ever lost access to the digital version.

[grogenaut]

You likely still have a printer. Print out your contacts and toss them in a safe

[basisword]

Yep good call. I just realised the Mac contacts app lets you export it to a nice PDF I can print.

[brnt]

> People have been trained to think they need an e-mail address for real-life things, but they don't.

The Dutch government not only defacto requires it, soon an Android or iOS phone with their app will be required too. Only very determined, very patient people with lots or spare time will be able to do without.

[reaperducer]

The Dutch government not only defacto requires it, soon an Android or iOS phone with their app will be required too

What do poor people do? Or the very elderly? Or those with diminished mental abilities? Or people whose culture eschews technology?

[vkou]

I assume they do the same thing as anyone else in any other country does. They go through the fall-back bureaucratic channel of 'haul your ass over to a physical, brick-and-mortar agency office'.

[brnt]

They get screwed, in most cases.

[paganel]

The Dutch people should probably protest against measures like those.

[brnt]

They don't, because they are largely anti-luddites.

[jay_kyburz]

I was thinking about this on the way home the other day. I'm the most tech savvy of all my family and friends. I live and breath tech. Code all day, game all night.

But I'm the one who hates all smart home devices. I'm the one who wants a dumb TV. I would be perfectly happy with my dumb phone if it didn't keep pocket dialing emergency services.

I want less tech in my life not more.

[foobarbecue]

Pretend he said "phone unlock code" instead of email password. It's 2022. Everything is digital. Auth is essential.

[ghaff]

Phones break and get lost/stolen.

All of us--and I include myself although I try to have some backup information on paper--have probably become too dependent on a single physical device which sucks in more and more information every year. See ongoing digitization of driver's licenses.

Especially for international travel, but really generally, I try to make it so I'm not completely screwed if something were to happen to my phone.

[avh02]

I try to still print out boarding passes when I can cos I don't want to deal with delays or missing a flight if my phone runs out of battery, especially if it's a flight out after a full day out and about. It's also less annoying at the airport fiddling with my phone to get the right barcode up each time it's needed (and no, I won't put it in to Google wallet)

[ghaff]

I don't go out of way to print boarding passes when I'm on the road. But certainly at home, it takes maybe a minute so why not?

[ska]

I stopped doing this when I realized I hadn't used a single paper one in about 50 flights.

[ddingus]

Same. Paper has no downtime.

[foobarbecue]

Yes, the "one device per phone number" restriction is quite annoying. I'd like to have multiple, functional copies of my phone. Instead I settle for a phone and a 4G watch, paying for one phone number for each. Since eSIM providers allow cloning but I haven't tried that yet.

[bluGill]

> or perhaps in the event of your death, is something you may also consider.

When my dad died we were glad that he had most of his passwords written down. There are a lot of things like the electric bill that we didn't know if he had paid yet or not, and other bills that are entirely paperless that we have have no idea about. Mom would hate to have something not paid just because we didn't know to pay it. There is a lot of paperwork to get access to accounts after someone dies and that takes time. (dad donated his body to science so that added a couple months before we could even start the paperwork)

Unfortunately there was one account we knew he had (because it showed up in quicken) and an IRA with most of his money, but it took us several months to figure out what bank it was at. Please don't do this to your family: write down all your accounts and their passwords in a safe place that someone trusted will look. (I need to take my own advice)

[ryandrake]

Anyone who acts as the "head of their household" and manages the family's finances, pays the bills, and manages the day to day home ops, do your heirs a favor and write out a Death Book[1] today, that contains all your various accounts, passwords, copies of important documents, and so on. PRINT IT OUT and put it in a safe or other secure place. I recently had two acquaintances who died pretty suddenly and young-ish (in their 40s). One was prepared and had his shit together, and it helped his family more easily pick up the pieces while they grieved. The other one did NOT have his shit together at all, and the result was even more stress and phone calls piled on to his family during an already difficult time.

1: https://www.marketwatch.com/story/to-help-your-heirs-write-a...

[Johnny555]

Good advice - tracking down all of dad's account information was very laborious after he passed away - we found an insurance policy that covered my mom that I assume he didn't know about since he never made a claim.

We have our list printed and locked in a firesafe (which is bolted to the floor and not easy to find for a thief), as well as electronically in a shared 1Password vault shared between my wife and I. My sister (and executor of our will) knows that the paper is in the fire safe, just in case something disastrous happens to both my wife and I. They'll need a locksmith to get in the safe though.

[codetrotter]

> the “thing you know” could also be at risk. I realize this the older I get.

Years ago, when I was in university, I had a couple of machines in my room running FreeBSD with full-disk encryption. These machines were powered on for a few months without reboots until one day when the power went out.

Having not typed in the password in months, and at the time using the kind of passwords consisting of long word with a lot of numeric and symbolic substitutions, I was unable to decrypt the disks of my machines.

I lost a fair bit of data that day, but it taught me a valuable lesson.

These days, any passwords that I use for full disk encryption I make sure to

1. Regularly use. Meaning I’ll reboot machines and retype the passwords on a regular basis. Likewise, I connect external encrypted disks on a regular basis and decrypt them with their passwords.

2. Use pass phrases with many words but without any numbers or special characters. See also https://github.com/ctsrc/Pgen

(For websites etc I use a password manager.)

[bombcar]

This is where risk assessment comes into play - people often consider it "evaluate the attackers and how to prevent them" but risks include many things; hardware failures, memory failures, human memory failures, etc.

And one of the biggest risks with encryption is data loss if passphrase are forgotten - using encryption usually involves considering that data loss is better than data exposure - which is obviously true for things like passwords (you'd rather forget your bank's password than have it exposed, because you can reset it) but not necessarily true for other data.

This can lead to things like encrypted systems but storing the off-site backups unencrypted because they're off-line and the only real risk is theft. Again, depends on what the data is.

[kibwen]

This is why Android requires users to type their PIN once a week, even if you use biometric authentication. It's an essential practice that needs to be the norm for any biometric auth.

[makeitdouble]

> Second, if you had actually suffered such a loss, your digital life would hopefully be the last thing on your mind

To note, our banking system is well part of our digital life. Europe has already a flurry of “real” banks that have no physical presence, and after a catastrophic loss you’ll need that access to your bank as soon as possible.

[basisword]

This has made me think twice about using those banks (I'm thinking of Monzo etc.). I was already reconsidering anyway as all of these banks have been consistently reducing features and limiting usage (e.g. cash withdrawals) and generally making themselves worse than the 'real' banks.

[makeitdouble]

It depends on the “attack” vector you see as the most problematic.

With a “real” bank, I had to go to an agency 5 times in a row to solve a paper issue because they wouldn’t just message me about it as it was “confidential” (they couldn’t validate our home address, though we were receiving their spam pretty fine), and the system was really built around the assumption that making you come to the agency was a no-brainer. The other options evolved snail mailing copies of the papers and waiting for them to process it.

There’s also the issue of “old fashion” people sticking more with traditional banks, making them skew their offerings towards these people. I was endlessly phone spammed with insurance and bullshit travel packs, and I couldn’t just block them as it came from my actual agent.

[basisword]

I think I'm lucky then. My 'traditional' bank is paperless, has a good app and website, and I can do everything over the phone with relative ease if I need to. It's all a bit clunkier than one of the app-native banks (which is why I half-switched to the app bank) but that's the software snob in me more than missing functionality.

[dmm]

> safety deposit box

A firesafe in a friend or relative's basement is a much better choice. Safety deposit boxes regularly get lost, tossed, or sold and the banks have very little liabilty.

https://www.nytimes.com/2019/07/19/business/safe-deposit-box...

[wintermutestwin]

I live in a fire prone area. I have a safe deposit box 30 mins away in a place that won't burn. I keep a HD there with all my photos on it. I refresh the drive monthly. The chance that this small credit union with maybe 100 boxes will lose, toss or sell my box on fire day is pretty minimal.

Yes, safe deposit boxes are not always as safe as spy movies would have you think (or even that we should assume them to reasonably be), but they can still be used as part of a disaster recovery strategy.

[the_af]

> A firesafe in a friend or relative's basement is a much better choice

The article addresses these options and why they are not ideal either.

Also, one thought experiment I just came up with: how many of your friends are you willing to let store their pendrives in your basement's firesafe? How often would you be comfortable with your friends coming to your home to update their pendrives?

[mst]

I know several who I believe would be fine with it, all of whom I see regularly, usually down our usual pub, and all of whom would I suspect be happy to do an update at least every couple months in return for me buying them a few drinks for the hassle.

I already have multiple friends who have copies of my house key held in case something really stupid happens, none of whom found that weird and all of whom I'm willing to trust enough that I believe the risk of having multiple such copies extant but unmarked is significantly less than the risk of not having that fallback plan.

In fact, they all considered "being one of the spare key holders" to be an honour more than anything else.

I am very much aware that there are many people whose situations are very different than mine, but it works for me (and they're all wonderful people for whose existence I try to be appropriately grateful.)

[Aeolun]

The only thing that needs to be on this pendrive is the master password to the password vault and a separate yubikey.

[foobarian]

What is the fascination with pendrives? Can't it be a piece of paper?

[ridgered4]

I suppose they might want to encrypt a pendrive in case it was stolen from the friends housse. But you could do something similar with a piece of paper.

Pendrives aren't known for storing particularly well over the long term so they probably aren't a great choice anyway.

[foobarian]

I suppose an overheated safe would not be good for either a flash storage or paper. Maybe engrave the pdf on a piece of metal :-)

[loloquwowndueo]

Only given how the article assumes everything burned down, your friends house would also have been struck by freak lightning of doom.

[philistine]

I have a recovery code for my iCloud written down on a piece of paper, in an envelope marked for my wife in case of emergency, in my office at work. There is nothing written on that piece of paper but the code.

It's not perfect security, but it's my security blanket in case my house burns down with my phone in it and I need to rebuild my whole house of cards.

[M4v3R]

> First, I’m so glad this turned out to be hypothetical

I've only learned about this is hypothetical from your comment (yes, I'm guilty of not reading to the very end). I wish the author conveyed that a little more clearly.

[enriquto]

The first word in this document is "Imagine", how can it be clearer than that?

[skeeter2020]

This is a common setup to build empathy so doesn't always mean "the following is a hypothetical thought exercise", such as "Imagine you find your self in the same situation as me, your house struck by lightning..."

[spiffytech]

Given all the pictures in the article, I took that to mean "imagine you were in my situation", not "imagine this happened to me".

[aidenn0]

It's ambiguous; the word can be used not only for a hypothetical, but also a "put yourself in my shoes"

[lupire]

Unfortunately the Internet is rife with poor sarcasm and misleading titles.

[felideon]

It also detracts from the main point, which is this could happen to someone, but, since it’s hypothetical, makes it sounds a lot more unrealistic. The "fireproof but not lightning-proof" safe gave me pause, for example.

[Macha]

If he was actually locked out as described, how would he have made this blog post?

[kodah]

Building on the last paragraph, I keep my root PGP key on an encrypted USB drive. There's several files that are encrypted by the root key, but they're mostly like password manager recovery phrases as well as things like my birth certificate, social security number, and various government IDs I've used. There are two copies of this USB, one travels with me at all times, the other is securely stored and accessed twice a year to ensure it's still performing. Both USB keys have fuses that will blow if opened up. This makes it so that for the rest of my life I will remember one password.

Passwords can also be made more memorable. For instance, because a password manager remembers the rest of my passwords, I made this one what I call a "pattern password". On a US keyboard I could type it in seconds without looking, but it would be too complex to guess.

[dspillett]

> Finding a secure way to store a master password in the event you cannot recall it,

Currently my master credentials are on an old USB stick (a Yubikey device that I got in an offer, though I only use it to type the long password as if it were a keyboard) and printed (plain and as a QR to save typing issues) & stored well away from the things they secure. The printed copies have the lot, the USB version requires a prefix which I remember.

This may seem risky (the old on-a-post-it-under-the-keyboard issue) but for my online backing and other key stuff the key risk is my password store which is secured by one of those master keys, and its main risk is someone remote getting access to both the key DB and the passphrase and it is properly air-gap secure against that. Similar for the encryption keys for local storage and off-site backups.

> or perhaps in the event of your death

This is a concern I've not at all addressed in my plans. The basics will be putting details in my will for how things should be accessed, but those details need to be both secure from inappropriate access and easy for th eright people to access when the time comes. Though as I have nothing much to leave to anyone that isn't too big a concern yet…

The halfway point is a bigger matter that I (and many others) really should address: what if I'm incapacitated temporarily or otherwise? Someone may need access to my stuff to sort a great many things while I can't. We've had an issue with this with my mother who due to dementia can't even sign her name, so neither she nor my dad couldn't access an account that was only in her name without a huge rigmarole of paperwork and assessments to sort out power of attorney. We've since got things sorted in advance of further problems (myself and my brothers set up with joint PoA so if something happens to him too we can sort what needs sorting more easily) but I have nothing like that setup for myself for either life stuff or technical stuff (or the things that are both).

I'm in good health as far as I know, but I'm not getting any younger (this year I'm on the cusp of leaving "the low 40s") and I've seen unpleasantly final things happen to people who were similarly good health as far as they knew.

[fmajid]

A stroke can happen at any age.

[fencepost]

This is also very relevant for family or trusted access. We had a hell of a time after my father had a stroke (recovered now) even though I had access to his computers and KeePass database - he had plenty of things where phone access was needed but nobody knew his unlock pin and it was required to reactivate fingerprint unlock.

[anonymousiam]

It took me about 30 seconds to ask the question: If he's locked out of his digital life, how did he post the story to his blog? From that point on I knew it was hypothetical, but it was still a good read and raises important issues.

[LazyEvaluation]

I'm a big fan of all lower case phrases as passwords now for this reason. Something like "this is my password there are many like it but this one is mine my password is my best friend it is my life I must master it as I must master my life". Very easy to remember. Very easy to type. Very hard to crack. Cheers.

[vikingerik]

What do you do for a service that demands uppercase letters, numerals, special characters, and no spaces?

[LazyEvaluation]

Sure, I have to deal with password requirements when they're a thing. But for things under my control, like my encrypted drives, I do super long lower case letters as per my example.

[rambojazz]

Where does it say that it's hypothetical?

[collinmanderson]

"please rest assured that my home is still standing" at the very end. I missed this myself.