It's not the end of the world. At worst, it's an annoyance.
What then, indeed.
Make sure your master password is something you can remember. It might even be worth writing it down and then putting that into a safe or other extremely secure location.
But what if you didn't and you forget? Or what if something else prevents you from accessing the contents of your password vault?
It's not the big deal you might think it is.
Losing access to your password vault
Remember, you can always perform password resets / account recovery on every account for which you have no password. While a bit of work, it means you can regain access to your accounts even if you lose your password vault entirely. A little bit of preparation in the form of a dedicated recovery account, emergency access, or backups can make the process even easier.
The fear vs. the reality
The fear is that you'll lose access to all your accounts because you'll have lost all your passwords.
Technically true, but only for a short time.
The reality is you'll just need to do a password recovery -- "I forgot my password" -- for all the accounts for which you've lost your passwords. It's an annoyance, certainly, and perhaps a big one if you have many accounts.
But it's also something easily dealt with.
You'd set up a new password vault with a new master password (which you'll remember this time, right?), and as you reset the passwords on the accounts you access, you'll start saving them to the new vault.
Chicken and egg
If you're signed out of all your accounts when this happens, there is one interesting complication.
Let's say you want to recover your email account password. That process may send a password reset to your alternate email account. But you don't have the password for that, either! In fact, any email-based password recovery is doomed to fail initially. Once you get your alternate email account password reset, of course, you can carry on.
There are two ways to prepare for this:
- Make sure your alternate email account includes a non-email form of verification. A text/SMS message would do quite nicely in this scenario.
- Have that alternate email account's password written down and stored somewhere extremely secure (like where you might have stored the written copy of your password vault password).
In reality, we're typically still signed into our account somewhere, and that's often enough to bootstrap the recovery process.
An odd recovery method
Some password vaults have a feature called "Emergency Access" or similar. The intent is that if you are unable to access your account due to health reasons or even having passed away, then a pre-designated someone else can access the account.
You don't need to die to use this feature. This qualifies as an emergency, after all.
If you can't access your account for any reason, ask your trusted contact to do so. Depending on the vault and the choices you made when you enabled this feature, there may be a delay of a couple of days. Once they have access, they can then export the contents of your vault and get it to you some other secure way. You can then presumably import it into a replacement vault.[1]
Of course, there's another safety net
I recommend you back up the contents of your password vault periodically. Most can export the contents of your vault in some other format, such as a .csv file that you store securely elsewhere.
That backup covers this scenario as well. If you can't sign in to your vault, you can create a new one and restore its contents from your latest backup.
Do this
It's easy to say "Don't forget your master password", but -- stuff happens. Instead, prepare.
- Back up your vault regularly.
- Designate an emergency contact.
- Consider keeping your alternate email account's password in an additional, separate place.
Most importantly, do not let the fear of losing your master password prevent you from using a password vault. It's still your most secure option by far.
Footnotes & References
1: This is also an argument for making an entry for your password vault's master password in the password vault itself. You could open your backup and look up your master password, avoiding this entire restoration process.
Hi, Leo,
I appreciate your commonsense approach to technical issues.
In this article you suggested an odd recovery method: Some password vaults have a feature called “Emergency Access” or similar. If you can’t access your account, ask your trusted contact to do so.
Couldn’t I eliminate the middleman by setting MYSELF up in advance as a trusted contact (with a different email address, of course)? I imagine there’s a reason why this wouldn’t work, or you would have suggested it. I just don’t know what that reason is.
Yes, it should work. But that middleman might be useful for other reasons … like an actual emergency.
That’s why I use two password managers side by side. If one fails I have an alternate. I use Bitwarden and Enpass.