The technique is simple.
The problem is that the technique is time-consuming and ponderous.
Let's review that technique, and what you can do to avoid this situation in the future.
Losing your passwords
I'm a strong believer in using password vaults like LastPass, primarily because they enable greater security.
Using a password vault, you can easily use longer, more secure passwords, and easily use different passwords for every site. These two actions together increase your overall online security tremendously.
If there's a downside to using a password vault, it's that, used properly, you don't know your own passwords. This is a good thing, since strong passwords are, essentially, unknowable. But it's also a bad thing, in that should you lose access to your password vault, you lose access to all the information stored therein.
In the case of LastPass specifically, if you forget your LastPass master password, there is no recovery. LastPass can't tell you your password because they don't know your password. LastPass knows if you type in the right password, but it doesn't know what it is. As a result, if you forget it, they can't recover it for you.
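As an added illustration (not part of the original article, and not LastPass's actual scheme), this sketch shows how a service can confirm a master password without ever storing it, and why a forgotten password leaves nothing to recover. The function names, labels and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def derive(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password, then split it into two independent values."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS
    )
    # Sent to the service at sign-up and at every login.
    verifier = hmac.new(stretched, b"login-verifier", hashlib.sha256).digest()
    # Used only on the user's device to encrypt and decrypt the vault.
    vault_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    return verifier, vault_key


def enroll(master_password: str) -> dict:
    """What the service keeps: a random salt and the verifier, nothing else."""
    salt = os.urandom(16)
    verifier, _vault_key = derive(master_password, salt)
    return {"salt": salt, "verifier": verifier}


def check_login(record: dict, attempt: str) -> bool:
    """The service can tell right from wrong without knowing the password."""
    verifier, _vault_key = derive(attempt, record["salt"])
    return hmac.compare_digest(verifier, record["verifier"])


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    record = enroll("constructed example passphrase")
    print("right password accepted:",
          check_login(record, "constructed example passphrase"))
    print("wrong password accepted:",
          check_login(record, "a forgotten guess"))
    # A wrong guess also yields a different vault key, so the encrypted
    # vault stays unreadable to the user and to the service alike.
    _, right_key = derive("constructed example passphrase", record["salt"])
    _, wrong_key = derive("a forgotten guess", record["salt"])
    print("vault keys match:", right_key == wrong_key)
```

The stored record holds only the salt and the verifier, so there is nothing in it from which the service could read the password back to you.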
There's really only one recourse
Each account.
One at a time.
It's painful. It's ponderous. But it'll work.
It'll just take some time.
Before you start
Before you start, however, I'd recommend you set up a new account with your password vault so that as you reset all those passwords, you can:
- make them long and strong
- use a different password on each site
- let the password vault remember it for you
There's no requirement that you do it all immediately.
As you go about your day and attempt to log in to an account for which you haven't reset a password, do so. Over time, you'll rebuild the database of passwords stored in your password vault.
Prevention
It's easy to say, "Don't forget your vault password" and leave it at that. But I realize that's oversimplistic. It also doesn't account for other things that can go wrong.
So, instead, fall back on my other most common recommendation: back up.
Specifically, back up the contents of your password vault. Ideally, back it up in an unencrypted form which you then save in some different, yet secure, way. For example, I regularly back up my LastPass vault, unencrypted, and save it in a different, secure location. Should I ever lose access to my LastPass account, I'll always have that backup from which to start over.
Bottom line:
- Reset your passwords, one at a time.
- Remember those new passwords using a password vault.
- Back up the contents of your password vault regularly.
That way, you'll never be in this position again.
That method isn't always successful. It won't work if you've lost access to your recovery email accounts for those lost passwords, as you said in:
https://askleo.com/a-one-step-way-to-lose-your-account-forever/
Back up your vault now and often.
Leo –
Hi. I'm not using LastPass (yet), so my apologies if these are stupid questions.
1) You mention early in the article that "if there's a downside to using a password vault it's that, used properly, you don't know your own passwords." Is this because LastPass doesn't allow us to know or just that we don't need to know the passwords? I'm guessing it's the latter case as you do tell us later in the article to back up the contents of our password vault, which I assume means something like print out a list of your passwords.
2) You also mention in the article that "Using a password vault, you can (a) easily use longer, more secure passwords, and (b) easily use different passwords for every site. These two actions together increase your overall online security tremendously." If I am already doing "a" and "b" without using LastPass (or some other password managers), will using LastPass anyway give me some additional benefits? For example, does the way LastPass inserts the password on the website make it more secure than if I manually type the password in? Does LastPass make it harder for keyloggers or some other malware to steal my password?
Thanks for your help.
1) You don't need to. I can see my passwords, if I want, but because it enables my use of long complex passwords – like, say, 9cZBYrpvdYZ4Pn3uyr5q – I have no need, nor ability, to "know" or remember it.
2) No, vaults don't improve the actual login technology, and they do not bypass malware. If you already have long (20 characters?) and strong (random characters?) without a vault or other tool, good on ya. :-)
LastPass may not protect against malware or keyloggers but it can protect you against accidentally clicking on a phishing link because it won't fill in the login information unless it detects it's on the correct site. Additionally, if you don't know the password, you won't be able to attempt to log in manually.
I read your article on recovering passwords. It did not however address my issue. Last time I left my computer, it was doing updates. When I returned, it was asking for my login password. I do not remember that password. Is there any help for me?
If, this is your personal computer or laptop. . .Just ask to "re-set" your password. Microsoft is very good at doing this. One other tip, always keep your initial password for starting your computer these days, on a piece of paper or my preference an index card. I am the one who "fixes" my Hubby's computer and I frequently forget his initial password, thank goodness for my index card. I don't have to fix his computer often and it is easy to forget.
Now, if this computer is a work computer, you need to be very cautious and preferably use as simple of a password as possible, since, you do not want anyone to get into your files and claim to be you. I don't mean 1234567 or password either, but something easy to remember, but would be hard for someone else to know. In a work environment, you will need to call the IT Team to get your password reset, at least that is what I have had to do, when I was working. In a small business office, you will need to talk with the Office's Administrator.
Just an example: Th1s i5 m3 pa$$w0rD. . .And you can only use this, IF, your company allows capital and small letters, symbols, spaces and numbers. I learned how to sort of create my own passwords from an AT&T Support Tech, late one night about 12 years ago. What the example password is saying is, "This is me password" by using all of the combination of the keyboard keys, you can create a simple, yet good password.
To me, there is no problem when using LastPass or RoboForm or DashLane and so on, in losing all of your passwords. I have had to reformat, start from scratch my computer several times and have used both LastPass and RoboForm. Yes, when you have to start from "scratch", it is not easy to get all of your passwords back. Losing all of your passwords happens when you are using a Browser Password settings. . .Not when you are using LastPass or RoboForm or DashLane or any of the other password managers.
Why, isn't there a problem? It simply, the good password managers are stored on a cloud these days. I am not sure which is worse. . .Losing all of your passwords without a password manager or having a breach in a cloud that stores the password managers passwords??? Six of one and a half a dozen of another.
I thank the heavenly stars that I did have a password manager when I had to reformat my computer or replace my hard drive. Even if you were using the paid version of the good password managers and the subscription has expired. . .You can always use the FREE version of your chosen password manager. This is what I have done and I must say, I am one thankful lady, too!!! So, have hope IF, you are using a good password manager, like I have in the past, as well as today. I refuse to be without either LastPass or RoboForm.
The problem is if you lose your master password to LastPass or Roboform … then you lose everything they might contain.
Even a lengthy complex password can be written on paper and stored in a physical file.
You can also export the passwords (and fields to be filled) to text files. From the LastPass menu, More Options/Advanced/Export will save passwords and form data.
When you make a new password or change one, write it down in your address book reserved for passwords. Then you have a local permanent document of all your important passwords. Keep the book in a secure location if necessary.
I use a "method" rather than software to create and remember passwords.
In its simplest form:
1. Create a 6 or more letter word or phrase that you'll always remember: Got!Cha
2. Create a 6 or more digit number or numeral/punctuation that you'll always remember: 200100!
3. When you have to CREATE a new password for a website, note the 2nd 3rd 4th 5th character of its name: (askleo would be: skle)
4. Place your results for item 1 first, then item 2, then item 3:
My PW for Leo's website will be: Got!Chaskle200100!
You'll always have the "Method" in your head, so you won't (typically) lose it.
An article about this is here: http://silvermarc.com/password-please/
Not sure what "address book" you're referring to, John…..but by "writing it down…and keeping it in a secure location"….haven't you just defeated the entire purpose of having a password manager?
(My first comment above was for John Andrews)
Also, SilverMarc, that's similar to a technique my wife uses, but a) it doesn't allow you to take advantage of any of the "autologin" features of, say, LastPass, where even if you and your significant other both have account on the same site (eBay, for example) your password manager will "present you" with multiple login options (depending on the site, YOU might have two or three sign-ons of your own, one for business, personal, anonymous, etc.)
And b) what do you do when it's time to "change" your password, for security purposes. That's a lot of messing around if you've got 100 or 200 login ID's and passwords to "methodize"! Just my 2 cents.
In my opinion, people over-estimate the strength of this method. Crackers are aware of these techniques – if your password is hacked on any one site, it isn't really any better than "using the same password everywhere" – your "method" will likely be obvious, or at least trivial to deduce.
So, Leo, I'm inclined for the most part to give kudos to LastPass for simplifying my life over the last 8 or 10 years.
HOWEVER…..
1. Their MOBILE version of their vault system has never worked that well (at least not on Android, the most popular mobile OS on the planet……and,
2. They just DOUBLED their cost for using the mobile system. That's right a nasty 100% price increase.
Is there a less expensive competitor that also addresses the mobile market?
Michael,
LastPass is free on desktop and mobile. That's how I use it – free. You can pay for premium to get a few extra features, but free gets you the basics. See https://helpdesk.lastpass.com/lastpass-now-free-on-all-devices/
You might also look into KeePass – it is free and open-source. I have not actually used their mobile app, but I know that there is one, and I am extremely pleased with their desktop app (I use the portable version).
What's the deal with 2 factor authentication passwords with thunderbird? (yes I know they're called something else but it escapes me now) Since the last microsoft update, I have to input my email passwords every single time I call up thunderbird. I am about ready to leave the thunderbird app open every time I put the computer to sleep or do away with 2 factor authentication. They are stored in the thunderbird app but the app doesn't find them in there anymore and the menu bar is grayed out at that point. I have to access the lastpass vault and copy and paste those two factor passwords stored in yahoo and hotmail accounts in the comments section. Or I can just go to the internet and sign in with the regular password/text message. Either way it's an inconvenience and that's not how thunderbird is supposed to work is it?
I have also been using the win10 mail app (and that problem is not there) but it saves the emails to a different location on my computer and that is a big problem. That's just my rant for the day.
Personally, while vaults are useful for non-essential login/passwords I prefer the less hackable way of simply a pocket note book where I have the really important login/passwords down in it, I keep one copy in my safe deposit box, the other I keep in a locked place in home.
That way I have passwords I consider essential in a non-pc form
login and passwords for say online games, websites I browse that require such etc I can put in a vault…
Depending on a vault which itself is pass worded means if have a HDD crash requiring a new HDD, etc
or something happens to your PC and you have the situation of having to recover every site id vault is ko-ed
it can be a problem for essential ones.. I'm one of those I guess who prefers a non-pc form of backing up such
Certain login/passwords I will not save to pc nor even a vault…that's where a non-pc recording is better.
And where then should have a backup elsewhere like I have in my safe box
Like Karena, I have been very satisfied with Keepass. It's slightly less convenient than Roboform or LastPass but it has several advantages that compensate for the slightly slower performance in auto-filling name and password. First, it's open source – when I researched other password vault providers, I was uneasy about possible connections with Big Brothers here and abroad. Also, it's completely free. Kept in your Dropbox, you have easy access to the vault on all your computers. Finally, it too allows export of material in a variety of different formats and it prints content in a nice format that can help you find duplicates or whatever if you have a large editing job to do.
Also, people should not overlook the potentials of the humble encrypted ZIP file for storing backup copies of exported passwords. Stored on a flash drive in a safe location away from home or even online, the ZIP file provides excellent protection against catastrophic loss.
Lastly, Keepass allows you to use a keyfile to encrypt the vault. The same is true of TrueCrypt and Veracrypt. In the real world, a keyfile provides far more protection than a password, since an intruder, even one who knows the password, cannot open the vault without access to the keyfile. If you are careful about camouflaging the identity of the file – for example, having a jpg buried among 1000's of jpgs on your computer or storing it on a removable drive – the vault will not be vulnerable even if you use only a two or three letter password or no password at all.
So everyone: Use a good password manager, but be sure to follow the advice given above and BACKUP THE DATA!
You can also use steganography to hide the key inside an image, music or video file. Overkill for most, but for the truly paranoid . . .
I use Password Safe for my passwords, it is free except for a donation if you want. Every site seems to need a password so I must have 100 password or more.
One day a couple of months ago I went brain dead and could not remember the password to Password Safe!
It took me half a day to finally remember the password.
Now I have the password for Password Safe written down, not the whole thing but enough to figure out what the password is.
There was once a cartoon "Frank and Ernest" where a group was sitting around a fire and in the background was a city in ruin. The caption "It all started when one day everyone forgot their passwords".
I'm going to be a bit of a devil's advocate here … one needs to weigh up the cost of having very strong (or even hidden) passwords against the convenience of having simple, easy to use ones. Ask yourself what would be the consequences of someone guessing or cracking your password? Would it matter? Why would someone bother to crack the password of an old pensioner? The only thing I don't use autofill for is banking and other money sites.
I tutor an iPad class at my U3A … most are scared to use online banking or online shopping because they think it's not safe. Where did they get that idea from?
Actually I think people seriously underestimate the possibility of being hacked (with a poor password), and the eventual disruption and hassle it could cause. By that I mean, yes, even an old pensioner is a valuable target, and yes it would matter a great deal. They could use your account to impersonate you, fool your friends, steal your identity and more. PLEASE don't think it won't happen to you.
Online banking and shopping are safe – safer I'd argue than offline – but it's only so with reasonable precautions, and one of those is taking appropriate steps like strong passwords to keep yourself safe.
(I lost all my passwords.) Daughter moved in with me & decided writing passwords down was a waste of time. So she got rid of that for me. What's wrong with 39 yr old kids?
another problem I received a text saying "F*** You". I texted back. The gentleman said "someone keeps asking for money numerous times a day" from MY PHONE NUMBER! so what do i do about that?
To recover your passwords, the one-by-one recovery method as described in this article is the only way, as long as you know the password to your recovery email account.
As for someone using your phone number being used to scam people for money, unfortunately, there's really nothing you can do about that except report it to the police and your cell service provider, and the chances of them being able to do anything about it are slim. A hacker can "spoof" a calling number without having to hack your account. It's similar to email address spoofing.
Someone's Sending from My Email Address! How Do I Stop Them?!
"From" Spoofing: How Spammers Send Email that Looks Like It Came from You
Has a Hacker Really Hacked My Email Account?
Substitute phone account for email account and phone number for email address in these articles and pretty much everything applies.