I know we’re all having fun piling on LastPass for their most recent in a long series of missteps (“LastPass users furious after being locked out due to MFA resets”), but there’s an important lesson here that those of us in the infosec community should use this as an opportunity to teach: you should be backing up your password manager.
What
You should be regularly exporting the data from your password manager and saving it securely somewhere.
Why
If you use your password manager as intended, then it is the custodian of a lot of data which is important to your life and which would be difficult to impossible to entirely restore should you suddenly lose access to it. That could happen in a number of ways, including:
- The company that hosts the password manager could screw up your access (cf. the LastPass story).
- They could be the target of a destructive hack and not have sufficient backups to recover.
- They could have an outage at a time when you urgently need access to your data.
- You could accidentally delete data.
- If you use family sharing, a family member could accidentally delete shared data.
- A hacker could break into your account and delete data.
Password manager data is no different from any other important data. Important data needs to be backed up in a place that you know you can access if needed. Relying on the password manager company to back up your data isn’t sufficient.
How
This has two pieces: how to get the data out, and how to store it securely.
How to get the data out
Pretty much every password manager allows you to export your passwords and notes. For example:
Consult your password manager’s documentation for additional information.
However, there’s a catch. All of the export methods above except 1Password’s “.1pux” method only contain a subset of your data. None of the others include file attachments in exports, and some of them also don’t include 2FA seeds. If you care about this, you’re going to need to use a script that talks to the password manager’s API.
For example:
- 1Password (I wrote this script before the “.1pux” export format existed, so it might not be necessary any longer)
- Bitwarden (I wrote this one too)
- LastPass (but note these caveats from Reddit: “(1) The ‘sed’ commands in the script don’t work with the Mac version of sed. I got around this by installing gsed (via MacPorts) and modifying the script to use gsed. (2) The script doesn’t properly handle attachment filenames with spaces in them. The attachment exports properly, but the exported filename is only the first part of the name (up to the first space).”)
If you end up writing a script of your own to do this, consider posting it somewhere to help others who are in the same boat!
How to store the data securely
Don’t store your password manager export anywhere online in unencrypted form.
That leaves you with two options: either store it offline, or securely encrypt it.
The most obvious “store it offline” implementation is saving it onto a dedicated thumb drive that you only plug in when you’re saving the backup or when you need to access it. This is a perfectly acceptable solution if you’re confident that you don’t need to worry about the people in your home stealing your data.
Personally, I encrypt my backup using GPG public-key encryption with myself as the recipient. There are obviously lots of encryption tools out there; which one to use is left as an exercise for the reader. Use a good encryption password!
Don’t forget to test your backups
You should periodically check your backups to make sure that you can find a password for a particular site if you need to. If you never test your backups, you may not discover until the dreaded emergency happens that there was something wrong with your backup process and it wasn’t working properly.
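As an added example (not from this post or any vendor), here is a small Python check to run over a decrypted export during a restore test. It answers the two questions raised above: can the credential for a given site be found in the backup, and did the export keep the data that the simpler export formats drop (2FA/TOTP seeds)? The sample export is constructed and its field names are assumptions loosely modelled on a Bitwarden-style JSON export, not any vendor’s documented schema.

```python
import json
from urllib.parse import urlparse

# Constructed sample, loosely modelled on a Bitwarden-style JSON export.
# Field names are assumptions, not any vendor's documented schema.
SAMPLE_EXPORT = json.dumps({"items": [
    {"name": "Example Bank", "login": {
        "username": "alice", "password": "hunter2-sample",
        "totp": "otpauth://totp/Bank:alice?secret=JBSWY3DPEHPK3PXP",
        "uris": [{"uri": "https://online.examplebank.test/login"}]}},
    {"name": "Example Mail", "login": {
        "username": "alice@example.test", "password": "mail-sample",
        "totp": None, "uris": [{"uri": "https://mail.example.test"}]}},
    {"name": "Wifi note", "notes": "constructed secure note, no login"},
]})

def _hosts(item):
    """Hostnames referenced by a login item (none for notes, cards, etc.)."""
    for entry in (item.get("login") or {}).get("uris") or []:
        host = urlparse(entry.get("uri", "")).hostname
        if host:
            yield host.lower()

def find_login(export_text, host):
    """(username, password) of the first item whose URI matches host, a
    subdomain of it, or a parent domain of it; None if the backup lacks it."""
    host = host.lower()
    for item in json.loads(export_text)["items"]:
        for h in _hosts(item):
            if host == h or host.endswith("." + h) or h.endswith("." + host):
                return item["login"].get("username"), item["login"].get("password")
    return None

def audit(export_text, expected_hosts):
    """Summarise what the backup does and does not contain, including the
    TOTP seeds that CSV-style exports often drop and any critical sites
    (expected_hosts, a list you maintain) that are missing entirely."""
    items = json.loads(export_text)["items"]
    logins = [i for i in items if i.get("login")]
    return {
        "items": len(items),
        "logins": len(logins),
        "logins_with_totp": sum(1 for i in logins if i["login"].get("totp")),
        "logins_without_password": [i["name"] for i in logins
                                    if not i["login"].get("password")],
        "missing_expected_hosts": [h for h in expected_hosts
                                   if find_login(export_text, h) is None],
    }
```

Run it against the plaintext you get back from decrypting the backup, not against the live vault, since the point of the drill is to prove the stored copy is usable.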
Thanks for the reminder! I use Dashlane, and was thinking of it as my backup, not as something I need to be backing up. Time to get on that.
This actually was my biggest hesitation around rolling my own Bitwarden (technically Vaultwarden) instance. Not so much the security side of things, but the fact that I’m running it on a single server without the multi-data-center redundancy of the commercial systems. Figuring it out pushed me to really think through an automated offsite backup system, and even then, I don’t think I’d have done it if the Bitwarden clients didn’t all cache local copies of the database (that’s horribly inconvenient, but in an absolute catastrophic loss, I could get the important credentials out one-by-one).