[Update: I now have a proposal for how to solve this: Paradux]
First we picked a good password, which we reused for many sites all over the web. Some of those sites were broken into, so the bad guys got their hands on our passwords and promptly impersonated us all over the web. Reusing passwords was clearly a bad idea.
So we created different passwords for different sites. Which we forgot, because there were so many.
So we started using a password manager, with one master password, which we could remember! But then, the 2018 California wildfires raced at and right across us, and all of our devices. We escaped with nothing more than the T-shirts we were wearing, and we lost all of our credentials at the same time as we lost our laptops and cell phones. There simply wasn’t time to collect them all.
Well, it hasn’t happened to me yet, but I’m sure it could happen to me. And if it’s not a wildfire, it might just be a regular fire, a burglary, a robbery or what have you.
Of course we could put the passwords into a password manager in the cloud, but that poses its own problems: it is more attackable than something local, and we might never know when it was attacked; it possibly costs money (which means the passwords might disappear if not paid promptly), and it requires trusting a third party. (If you were a crook with a few million to invest, what investment could be better than buying or running an on-line password management company?)
And there are more failure scenarios. Let’s try to enumerate them:
- I forget my master password (old age, amnesia, or just me being me)
- I forget the location of my password manager (same)
- the data of my password manager is deleted (hardware failure, theft, fire, disabled account)
- I’m incapacitated (coma, and somebody needs to pay the bills on my behalf)
- I was hit by the bus (death, and somebody needs to get at some of my data)
… and attack scenarios:
- Somebody managed to get access to the data managed by my password manager
- Somebody used a recovery process (e.g. for when I’m incapacitated) for a purpose that I did not authorize.
There is also the matter of non-electronic credentials. It should be possible to at least recover copies of birth certificates, passports and the like after a major catastrophe.
Let me harp one more time on the California wildfires. They swept so quickly, and so strongly, across entire towns, engulfing everything, including local banks. Including safety deposit boxes at local banks. While I have not heard what happened to them in the recent fires, personally I would expect major damage to the contents of safety deposit boxes as well. So simply making copies of everything and trusting your local bank seems to be a bad idea.
We need an approach that solves all of this, and as far as I know, there is no such thing. Chances are, a single approach can be defined that works for most of us, perhaps with variations for the more or less paranoid. That should be something we can figure out? Ideas?