17 comments on “How Should I Keep Recovery Codes Secure?”

  1. I do both methods. I keep the digital files primarily for my own use. The printed copies of my recovery codes and instructions for their use are kept with my will and other documents for when I go 404.

  2. Just a few minutes before reading or even seeing this article, I went into Facebook settings and got my recovery codes after having set up two-factor authentication the prior evening. I copied and pasted the codes into the Facebook entry in my password program (KeePass). I then immediately backed up my password database to my cloud backup.

    I hadn’t even known about recovery codes until this morning, when I was in Facebook settings looking for something else.

  3. I use all 3 encryption methods mentioned in the article. For single files, I use encrypted .zip files. There are many programs that manage .zip files, so you can decrypt them on any computer. I use Cryptomator for all my sensitive files on my computer because I can work with those files on my computer as if they were not encrypted. A disadvantage of that is that unless I have Cryptomator installed on a computer, those files are inaccessible, so I don’t see that as the best way to encrypt a recovery code. I use VeraCrypt for collections of files and for system encryption on my older computers that don’t support BitLocker.

  4. As much as I like Password Managers (my current favorite is Dashlane), they come and go, raise prices above what I want to pay, etc. So, I still keep my password protected Excel file that I started over 30 years ago. Now over 900 entries I have everything in there, logins, passwords, recovery codes, which credit card is on the account so when I get a new number or expiration date, I can sort Excel to find all the accounts with that card so I can update them quickly. A few years ago, I moved all my files to OneDrive, so I keep that password protected spreadsheet in my OneDrive Personal Vault for another layer of protection. From time to time, I create a backup copy of that file and store it locally and in my safe deposit box at the bank.

    Password protect a spreadsheet:

    OneDrive Personal Vault:

  5. I add each recovery code to the online account entry I have for that specific account in my Bitwarden vault. Click EDIT for any account set up in Bitwarden and you’ll see a NOTES field where you can add any text. Paste it there. Now it’s in the cloud, secured, encrypted, and accessible 24/7 from any computer/anywhere. I also save them in a .txt file in a Cryptomator vault, but as was stated before, if you don’t have Cryptomator on the computer you use to retrieve it you can’t get to it.

  6. I keep my recovery codes in my password manager. There is a ‘Notes’ section where I copy/paste the code with an indicator of what it is. Since my vault password is very long, and the encryption on my vault is strong, I feel very secure in keeping this information there. As an added measure, I export the entire contents of my vault annually, then encrypt it in a password protected zip file on my primary computer, replacing the previous year’s copy. I also store a copy of the password to that zip file in my password vault and in my OneDrive vault so it’s being stored in two places. This may seem like a bit of over-kill, but I’d rather be safe than sorry.

    Ernie (Oldster)

    • Definitely not overkill. Overkill and security are an oxymoron. There’s never too much security. Password managers are a great place to store recovery keys. That’s one of the things they are designed for. If they can protect your passwords, they can protect sensitive data.

  7. Some recovery codes are unique, and can be used any number of times. That’s how the encrypted mail provider Tutanota does it.

    Its recovery code can be used instead of the password, or instead of your 2FA secret if you have lost either. You only have a single recovery code at any given time, but you can swap it for another one whenever you like.

    This ability can be put to work if you have been hacked. Suppose a hacker gained entry, and locked you out by changing the password. If he did not think of changing the recovery code, you can regain access with it, then change the password to lock the hacker out, then change the recovery code to be 100 % safe.

    Naturally, if a hacker was able to get in in the first place, it means you have rotten security habits (poor or reused password), so you shouldn’t count on the recovery code as an anti-hacker tool.

    But it’s nice to know it’s possible in theory.

    • “it means you have rotten security habits” – not always. If the password were exposed through some other means (rotten security at the provider, for example), it wouldn’t be your doing.

  8. I recently had trouble logging in to an account I had for about five years. Since 2FA was established for this account, I felt safe. However, my phone number for 2FA was changed abruptly and I lost access to my account. I had backup codes but I was not able to locate them and therefore had to start all over again with a new version of my permanently lost account.
    So I set up 2FA again and downloaded new backup codes. The new codes are printed and encrypted on a separate drive in case of computer system failure. I believe that it is not safe to have backup codes stored on computer systems because of possible corrupted backups that will not restore the system to operational status. About two months ago, my system failed and the backups were unable to reset my system. No usable backups, no recovery codes – a hard lesson to learn.
    I have Dropbox and OneDrive. However, I am a bit skeptical about putting valuable information on online platforms because hackers always seem to find a way of getting around security strategies of online storage providers. I welcome commentary on the subject under discussion.

    • If you encrypt those sensitive files with a long (16 or more characters) they should be safe in the cloud. As a backup, you can keep a copy in OneDrive and Dropbox. Zip encryption using 7Zip is as good as any encryption method.

    • “hackers always seem to find a way” -> this is a misnomer. Yes, hackers do gain access to accounts, but if you do security properly, the chances of them getting your specific account are low.

      As Mark pointed out encryption is the key. In addition to the tools he mentioned I’d recommend looking at Cryptomator as well.

  9. The only Recovery Code I have is for Google data (a total of 10 codes and they consist of just 8 numbers each). And it’s for Google personal data such as contacts, messages, calendar, etc. I have never been introduced to such codes from any other website. What would be the other typical websites that offer this? I apologize if I missed something.

