The technique is simple.
The problem is that the technique is time-consuming and ponderous.
Let’s review that technique, and what you can do to avoid this situation in the future.
Become a Patron of Ask Leo! and go ad-free!
Losing your passwords
I’m a strong believer in using password vaults like LastPass, primarily because they enable greater security.
Using a password vault, you can easily use longer, more secure passwords, and easily use different passwords for every site. These two actions together increase your overall online security tremendously.
If there’s a downside to using a password vault it’s that, used properly, you don’t know your own passwords. This is a good thing, since strong passwords are, essentially, unknowable. But it’s also a bad thing, in that should you lose access to your password vault, you lose access to all the information stored therein.
In the case of LastPass specifically, if you forget your LastPass master password, there is no recovery.1 LastPass can’t tell you your password because they don’t know your password. LastPass knows if you type in the right password, but it doesn’t know what it is. As a result, if you forget it, they can’t recover it for you.
There’s really only one recourse
Each account.
One at a time.
It’s painful. It’s ponderous. But it’ll work.
It’ll just take some time.
Before you start
Before you start, however, I’d recommend you set up a new account with your password vault so that as you reset all those passwords, you can:
- make them long and strong
- use a different password on each site
- let the password vault remember it for you
There’s no requirement that you do it all immediately.
As you go about your day and attempt to log in to an account for which you haven’t reset a password, do so. Over time, you’ll rebuild the database of passwords stored in your password vault.
Prevention
It’s easy to say, “Don’t forget your vault password” and leave it at that. But I realize that’s oversimplistic. It also doesn’t account for other things that can go wrong.
So, instead, fall back on my other most common recommendation: back up.
Specifically, back up the contents of your password vault. Ideally, back it up in an unencrypted form which you then save in some different, yet secure, way. For example, I regularly back up my LastPass vault, unencrypted, and save it in a different, secure location. Should I ever lose access to my LastPass account, I’ll always have that backup from which to start over.
Bottom line:
- Reset your passwords, one at a time.
- Remember those new passwords using a password vault.
- Back up the contents of your password vault regularly.
That way, you’ll never be in this position again.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,
Podcast audio
Download (right-click, Save-As) (Duration: 4:11 — 2.0MB)
Subscribe: Apple Podcasts | Android | RSS
That method isn’t always successful. It won’t work if you’ve lost access to your recovery email accounts for those lost passwords, as you said in:
https://askleo.com/a-one-step-way-to-lose-your-account-forever/
Back up your vault now and often.
Leo –
Hi. I’m not using LastPass (yet), so my apologies if these are stupid questions.
1) You mention early in the article that “if there’s a downside to using a password vault it’s that, used properly, you don’t know your own passwords.” Is this because LastPass doesn’t allow us to know or just that we don’t need to know the passwords? I’m guessing it’s the latter case as you do tell us later in the article to back up the contents of our password vault, which I assume means something like print out a list of your passwords.
2) You also mention in the article that “Using a password vault, you can (a) easily use longer, more secure passwords, and (b) easily use different passwords for every site. These two actions together increase your overall online security tremendously.” If I am already doing “a” and “b” without using LastPass (or some other password managers), will using LastPass anyway give me some additional benefits? For example, does the way LastPass inserts the password on the website make it more secure than if I manually type the password in? Does LastPass make it harder for keyloggers or some other malware to steal my password?
Thanks for your help.
1) You don’t need to. I can see my passwords, if I want, but because it enables my use of long complex passwords — like, say, 9cZBYrpvdYZ4Pn3uyr5q — I have no need, nor ability, to “know” or remember it.
2) No, vaults don’t improve the actual login technology, and they do not bypass malware. If you already have long (20 characters?) and strong (random characters?) without a vault or other tool, good on ya. 🙂
LastPass may not protect against malware or keyloggers but it can protect you against accidentally clicking on a phishing link because it won’t fill in the login information unless it detects it’s on the correct site. Additionally, if you don’t know the password, you won’t be able to log in manually.
I read your article on recovering passwords. It did not however address my issue. Last time I left my computer, it was doing updates. When I returned, it was asking for my login password. I do not remember that password. Is there any help for me?
If, this is your personal computer or laptop. . .Juar ask to “re-set” your password. Microsoft is very good at doing this. One other tip, always keep your initial password for starting your computer these days, on a piece of paper or my preference an index card. I am the one who ‘fixes’ my Hubby’s computer and I frequently forget his initial password, thank goodness for my index card. I don’t have to fix his computer often and it is easy to forget.
Now, if this computer is a work computer, you need to be very cautious and preferably use as simple of a password as possible, since, you do not want anyone to get into your files and claim to be you. I don’t mean 1234567 or password either, but something easy to remember, but would be hard for someone else to know. In a work environment, you will need to call the IT Team to get your password reset, at least that is what I have had to do, when I was working. In a small business office, you will need to talk with the Office’s Administrator.
Just an example: Th1s i5 m3 pa$$w0rD. . .And you can only use this, IF, your company allows capitial and small letters, symbols, spaces and numbers. I learned how to sort of create my own passwords from an AT&T Support Tech, late one night about 12 years ago. What the example password is saying is, “This is me password” by using all of the combination of the keyboard keys, you can create a simple, yet good password.
To me, there is no problem when using LastPass or RoboForm or DashLane and so on, in losing all of your passwords. I have had to reformat, start from scratch my computer several times and have used both LastPass and RoboForm. Yes, when you have to start from “scratch”, it is not easy to get all of your passwords back. Losing all of your passwords happens when you are using a Browser Password settings. . .Not when you are using LastPass or RoboForm or DashLane or any of the other password managers.
Why, isn’t there a problem? It simply, the good password managers are stored on a cloud these days. I am not sure which is worse. . .Losing all of your passwords without a password manager or having a breach in a cloud that stores the password managers passwords??? Six of one and a half a dozen of another.
I thank the heavenly stars that I did have a password manager when I had to reformat my computer or replace my hard drive. Even if you were using the paid version of the good password managers and the subscription has expired. . .You can always use the FREE version of your chosen password manager. This is what I have done and I must say, I am one thankful lady, too!!! So, have hope IF, you are using a good password manager, like I have in the past, as well as today. I refuse to be without either LastPass or RoboForm.
The problem is if you lose your master password to LastPass or Roboform … then you lose everything they might contain.
Even a lengthy complex password can be written on paper and stored in a physical file.
You can also export the passwords (and fields to be filled) to text files. From the LastPass menu, More Options/Advanced/Export will save passwords and form data.
When you make a new password or change one, write it down in your address book reserved for passwords. Then you have a local permanent document of all your important passwords. Keep the book in a secure location if necessary.
I use a “method” rather than software to create and remember passwords.
In its simplest form:
1. Create a 6 or more letter word or phrase that you’ll always remember: Got!Cha
2. Create a 6 or more digit number or numeral/punctuation that you’ll always remember: 200100!
3. When you have to CREATE a new password for a website, note the 2nd 3rd 4th 5th character of its name: (askleo would be: skle)
4. Place your results for item 1 first, then item 2, then item 3:
My PW for Leo’s website will be: Got!Chaskle200100!
You’ll always have the “Method” in your head, so you won’t (typically) lose it.
An article about this is here: http://silvermarc.com/password-please/
Not sure what “address book” you’re referring to, John…..but by “writing it down…and keeping it in a secure location”….haven’t you just defeated the entire purpose of having a password manager?
(My first comment above was for John Andrews)
Also, SilverMarc, that’s similar to a technique my wife uses, but a) it doesn’t allow you to take advantage of any of the “autologin” features of, say, LastPass, where even if you and your significant other both have account on the same site (eBay, for example) your password manager will “present you” with multiple login options (depending on the site, YOU might have two or three sign-ons of your own, one for business, personal, anonymous, etc.)
And b) what do you do when it’s time to “change” your password, for security purposes. That’s a lot of messing around if you’ve got 100 or 200 login ID’s and passwords to “methodize”! Just my 2 cents.
In my opinion, people over-estimate the strength of this method. Crackers are aware of these techniques – if your password is hacked on any one site, it isn’t really any better than “using the same password everywhere” – your “method” will likely be obvious, or at least trivial to deduce.
So, Leo, I’m inclined for the most part to give kudos to LastPass for simplifying my life over the last 8 or 10 years.
HOWEVER…..
1. Their MOBILE version of their vault system has never worked that well (at least not on Android, the most popular mobile OS on the planet……and,
2. They just DOUBLED their cost for using the mobile system. That’s right a nasty 100% price increase.
Is there a less expensive competitor that also addresses the mobile market?
Michael,
LastPass is free on desktop and mobile. That’s how I use it — free. You can pay for premium to get a few extra features, but free gets you the basics. See https://helpdesk.lastpass.com/lastpass-now-free-on-all-devices/
You might also look into KeePass – it is free and open-source. I have not actually used their mobile app, but I know that there is one, and I am extremely pleased with their desktop app (I use the portable version).
What’s the deal with 2 factor authentication passwords with thunderbird? (yes I know they’re called something else but it escapes me now) Since the last microsoft update, I have to input my email passwords every single time I call up thunderbird. I am about ready to leave the thunderbird app open every time I put the computer to sleep or do away with 2 factor authentication. They are stored in the thunderbird app but the app doesn’t find them in there anymore and the menu bar is grayed out at that point. I have to access the lastpass vault and copy and paste those two factor passwords stored in yahoo and hotmail accounts in the comments section. Or I can just go to the internet and sign in with the regular password/text message. Either way it’s an inconvenience and that’s not how thunderbird is supposed to work is it?
I have also been using the win10 mail app(and that problem is not there) but it saves the emails to a different location on my computer and that is a big problem. That’s just my rant for the day.
Personally, while vaults are useful for non-essential login/passwords I prefer the less hackable way of simply a pocket note book where I have the really important login/passwords down in it, I keep one copy in my safe deposit box, the other I keep in a locked place in home.
That way I have passwords I consider essential in a non-pc form
login and passwords for say online games, websites I browse that require such etc I can put in a vault…
Depending on a vault which itself is pass worded means if have a HDD crash requiring a new HDD, etc
or something happens to your PC and you have the situation of having to recover every site id vault is ko-ed
it can be a problem for essential ones.. I’m one of those I guess who prefers a non-pc form of backing up such
Certain login/passwords I will not save to pc nor even a vault…thats where a non-pc recording is better.
And where then should have a backup elsewhere like I have in my safe box
Like Karena, I have been very satisfied with Keepass. It’s slightly less convenient than Roboform or LastPass but it has several advantages that compensate for the slightly slower performance in auto-filling name and password. First, it’s open source – when I researched other password vault providers, I was uneasy about possible connections with Big Brothers here and abroad. Also, it’s completely free. Kept in your Dropbox, you have easy access to the vault on all your computers. Finally, it too allows export of material in a variety of different formats and it prints content in a nice format that can help you find duplicates or whatever if you have a large editing job to do.
Also, people should not overlook the potentials of the humble encrypted ZIP file for storing backup copies of exported passwords. Stored on a flash drive in a safe location away from home or even online, the ZIP file provides excellent protection against catastrophic loss.
Lastly, Keepass allows you to use a keyfile to encrypt the vault. The same is true of TrueCrypt and Veracrypt. In the real world, a keyfile provides far more protection than a password, since an intruder, even one who knows the password, cannot open the vault without access to the keyfile. If you are careful about camouflaging the identity of the file – for example, having a jpg buried among 1000’s of jpgs on your computer or storing it on a removable drive – the vault will not be vulnerable even if you use only a two or three letter password or no password at all.
So everyone: Use a good password manager, but be sure to follow the advice given above and BACKUP THE DATA!
You can also use steganography to hide the key inside an image, music or video file. Overkill for most, but for the truly paranoid . . .
I use Password Safe for my passwords, it is free except for a donation if you want. Every site seems to need a password so I must have 100 password or more.
One day a couple of monts ago I went brain dead and could not remember the password to Password Safe!
It took me half a day to finally remember the password.
Now I have the password for Password Safe written down, not the whole thing but enough to figure out what the password is.
There was once a cartoon “Frank and Ernest” where a group was sitting around a fire and in the background was a city in ruin. The caption “It all started when one day everyone forgot their passwords”.
I’m going to be a bit of a devil’s advocate here … one needs to weigh up the cost of having very strong (or even hidden) passwords against the convenience of having simple, easy to use ones. Ask youself what would be the consequences of someone guessing or cracking your password? Would it matter? Why would someone bother to crack the password of an old pensioner? The only thing I dont use autofill for is banking and other money sites.
I tutor an iPad class at my U3A … most are scared to use online banking or online shopping because they think it’s not safe. Where did they get thst idea from?
Actually I think people seriously underestimate the possibility of being hacked (with a poor password), and the eventual disruption and hassle it could cause. By that I mean, yes, even an old pensioner is a valuable target, and yes it would matter a great deal. They could use your account to impersonate you, fool your friends, steal your identity and more. PLEASE don’t think it won’t happen to you.
Online banking and shopping are safe — safer I’d argue than offline — but it’s only so with reasonable precautions, and one of those is taking appropriate steps like strong passwords to keep yourself safe.