Using a password manager is smart security. That’s nothing new. However, the best password managers keep your credentials locked behind a single “master” password that only you know. But what happens if you lose that master password?
Pictures: IsaArt (Shutterstock), jakeliefer, Wajahat Mahmood
If you lose or forget your master password, getting in usually isn’t as simple as just clicking a “forgot password” button, like you would for any other account on the web. In most cases, you have to jump through a few hoops — or you can’t get it at all. In this post, we’ll look at some of the popular password managers out there and what you can do to avoid getting into this sticky situation.
Popular Password Managers and Their Master Password Policies
When you start using a password manager, it will likely warn you that it’s important to remember your master password. If there’s any password you should be sure to remember, it’s your master password. After all, that’s the whole point: It’s easier to remember (or secure) one good, strong password and let it generate the rest for you.
Depending on the password manager you choose, losing your master password can be easily remedied, or a nightmare to recover from. Here are some of the most popular, and how they handle lost master passwords.
LastPass
LastPass has a whole guide dedicated to account recovery if you’ve lost your master password. In short, if you’ve really forgotten or lost your password, you can activate a One Time Password (OTP) to access your vault. It will work once (you’ll have to reset your password afterward), and you’ll need access to the email account you use for your LastPass account.
If the issue is that you’ve recently changed your master password and can’t get in, you can revert your vault to a previous state. You’ll be able to get in using your old password, but any changes you’ve made since the old version are lost. Of course, all of this assumes you lost your master password, but you DO remember (or can access) the email account associated with LastPass, which may be a catch-22.
If that doesn’t work, or you no longer have access to that email address, you’re sadly out of luck — and out of your account. You can delete your vault and start over, but your passwords will be lost and you’ll need to start over from scratch.
Dashlane
Dashlane is a little more restrictive than LastPass, which is both a good and bad thing. In short, no one at Dashlane can access or grant access to your account. That means if you lose your master password, your vault is locked forever, even if it’s synced across devices or saved in the cloud.
If you use Dashlane’s mobile apps and you have a device PIN set up (and you have the app set to only ask for your password when your phone restarts) you may be able to access your passwords long enough to write them down elsewhere. You can’t change your master password from the mobile apps. Beyond that, your only option is to create a new account or reset your existing one (so you can reuse the same email address.) Doing that deletes all of the data in your account, though, so you’re starting from scratch.
This may seem draconian, but for a password manager, it’s actually a good thing. While it may be inconvenient, it also means there’s no way someone can socially engineer their way into your account.
KeePass
KeePass lets you secure your vault with a master password, a “key file” or both. Since your password vault is always stored on your computer, you never have to worry about a third party getting their hands on it. You can sync it across devices using Dropbox or Google Drive, but you still need your password or key file to open it.
Here’s the catch, though: Since KeePass is free, open-source, and not really supported by a central team, if you lose your master password or your key file, you’re out of luck. There’s no backdoor, no password reset feature, nothing. If you’re locked out is because you changed your password and you have backups of your old vault, you can restore from backups and use the old password. There’s more information on this here.
Now, you might consider trying to crack your KeePass database. It’s probably a bad idea. KeePass has built-in protection against brute force and cracking attempts, but there are tutorials that try to show you how to do it anyway. However, if your master password or key was strong (and it should be), most experts agree that there’s no secret method that works, and it’s really not worth the time and effort. It’s an option, but we don’t recommend it.
1Password
1Password’s approach to your password vault is much like Dashlane’s. They don’t have access to your vault, or its encryption key, so there’s no way for them to reset your password or grant you access to your data. They explain why here, and offer a few tips that might help here, but they boil down to the same ones as earlier: If you can restore from a backup where you know the password, do that, but any changes between then and now are lost.
If you’re logged in to 1Password on another device, you may be able to access your passwords and save them, but once you’re asked to log in again, you’ll be locked out. Similarly, 1Password doesn’t support two-factor authentication for your account, so there’s nothing to lose there (but also no added protection). Either way, the result is the same — lost your master password? You’re out of luck.
Roboform
Roboform has been in the business of password management for a long time, but if you forget your master password, you’re just as out of luck as any other service. They explain in greater detail here, but the bottom line is this: If you’re logged out of Roboform and you’ve forgotten your master password, you can reset it, but you’ll delete all of your data in the process. If you have Roboform set up to always remember your master password, though, you’ll never be in this situation (unless something happens to log you out, like a software update or a reinstall.) Roboform will let you password protect some things but not others once, but if you’re logged out and can’t log back in, you have to start from scratch.
How to Keep This From Happening to You
If you’ve noticed a theme, it’s that you’re pretty much screwed if you lose your password. Most password managers require you to either back up to when you knew the password, or start over. The best way to get into your password vault later is to prepare now. Here are a couple of things you can do, before it’s too late:
- Write Down or Export Your Backup Codes/One-Time Passwords: Many password managers support backup codes and other one-time passwords that can be used in an emergency. Usually they’re presented to you once, like when you set up an account, or when you generate them on-demand. They will work as a method to change your password or get back into your account, but you have to write them down or keep them safe somewhere outside of your password vault. The process is similar to what happens if you lose your phone and you have two-factor authentication set up. If you export those codes and keep them somewhere safe now, you’ll be able to access your data later.
- Write Your Master Password Down and Store It Somewhere Safe: We normally don’t recommend writing a password down at all, since your master password is the key to all of your passwords. Don’t keep it somewhere obvious, of course, but sometimes there’s value in jotting down your password somewhere safe, just in case you forget it or something else crazy happens to it. You could even encrypt it in a file somewhere, but then you’ll need the encryption key, and then you’re headed down the rabbit hole of encrypting the things you need to decrypt the encrypted stuff. You could even write it on a slip of paper and put it in a fireproof safe, just in case something crazy happens and you forget what it is, but remember it’s there.
- Make Use of Emergency Contacts: If your favourite password manager supports password sharing or emergency contacts, make sure you have an emergency contact set up. Dashlane, for example, supports emergency contacts who can access your vault if you’re unable to. The feature is generally intended for things like medical emergencies, but it works just as well for forgotten passwords. They won’t be able to reset your password and get you back in, but they will have access to your accounts — which is more than you’ll have. With their help, you can write down, export or reset your other passwords.
- Export Your Passwords Now, While You Have Access: It’s important to choose services that give you “data freedom”, or the ability to easily export your data and take it with you if they ever shut down, or if you want to try something new. Make sure your password manager gives you that option. Even if they don’t, they should have some export ability, even if it just dumps a plain-text CSV of account user IDs and passwords on your desktop. If it does, export your data, and then save that file somewhere safe. There are obvious downsides here — any updates or password changes you make mean you’ll have to dump a new file, and if the file is unencrypted, you’ll probably want to put it somewhere secure, like a USB drive you can stash somewhere safe, or someplace encrypted through another method (which then introduces another password to the mix.) Still, having a dump of your passwords that’s a few days old when you’re locked out of your vault is better than having nothing at all.
- Back Up Your Data: In the same vein as backing up your password vault somewhere safe, make sure you back up your data in general. It’s just good practice to have solid backups, but most password managers store your encrypted data locally. If you restore an old version of the app and its files, you can get in using an old password (you’ll have an older version of your vault, but again, it’s better than nothing.) This will only help you out if the issue is that you’ve changed your master password and you can’t get in using it or the new one, but restoring an old version is a common tip from customer support for all of the popular password managers.
Of course, the best time to prepare for losing your master password is before you lose it. It goes without saying that you should try not to forget or misplace your master password, even if you choose to back it up specifically somewhere safe. If you do, most of these methods will get you up and running in some state if something happens.
Either way, it’s important to remember that password managers aren’t like your email account or your internet banking account — they won’t just send you an email with a link to reset your password, after which everything is fine. Most assume that if you’re prudent enough to secure all of your passwords, you’re prudent enough to make sure you have continued access to your vault.
Comments
7 responses to “What To Do If You Lose The Master Password To Your Password Manager”
I’m confused about password managers and why security folks think they’re a good idea.
Our IT insists that we not keep a physical copy of our I-shit-you-not several dozen systems due to its vulnerability (which is confusing… vulnerable to who, exactly? Other people in the same office? The cleaners? Hackers aren’t getting into my locked desk drawer, I’ll tell you that. There’s a whole bunch of physical and social security systems that have to fail before that happens).
And yet they’ll recommend a digital password manager, which CAN be hacked? Or worse, lost? A close friend of mine uses one for everything and lost her access to it… nearly lost everything. It was only a miracle of me keeping a record of a glitched ‘hidden’ email address that was able to help her restore things with the provider.
I’m sure there’s some very clever people can provide a very reasonable answer, but to me, “Put all your eggs in one basket, they’ll be safer that way!” sounds incredibly counter-intuitive.
Well it comes down to the strength of the crypto. If you use a really strong crypto with a really strong master password then in theory you could publish your password vault on the web (not recommending that you do) and be safe. If there’s a backdoor then all is lost and the only way to be 100% sure there isn’t a backdoor is to use open source crypto software.
Of course it doesn’t help you if you lose your master password. There probably comes a point where losing that could be just as costly as resetting all your passwords after someone broke into your office.
Oops, double.
If a password manager offers a means to reset your master password then it is inherently insecure and you shouldn’t be using it.
Storing the password vault only on the local computer doesn’t necessarily make it safer either. It comes down to the crypto being used. I’d be even more worried about storing a backup of plain text passwords, especially with malware and stuff.
Why no mention of Mac keychain? It’s been around for so long (since Mac OS 8.6 but its roots were older still and has been in Mac OS X since the first release) that it quite possibly predates all the password managers in this article. It’s used by so many people as the default/built in password manager on Mac OS X that at least a precursory mention to compare it with other password managers would have been good.
This should be the opening sentence of the article.
Similar issue, however I have tried getting my Apple ID password reset, however I no longer have my Recovery Key.
The “geniuses” this term is loosely at Apple when I asked them with official government identification (drivers license, medicare, etc.) said the date of birth in there system is different to their records.
What do I do now?
I use LastPass and like it (although it seems not to work quite as well as it used to). I’m a bit disturbed to read that you can reset the master password with a one time password and your email account. That means that the LastPass account is effectively only secure as my email account. Surely that can’t be right can it as the whole point is to provide security?