The Security Lockout Dilemma

Hi folks,

This is a bit of an open discussion where I welcome options and comments from anyone and everyone!

I have a nagging concern that I will get caught out by a catch-22 situation. As unlikely as it is, it's still a possibility, but I'm worried that my iPhone, iPad and Mac could all get stolen, at which point I'm totally locked out of my online life, for good.

I have two factor authentication (2FA) enabled for Dropbox where my 1Password data is stored, and herein lies the issue. I WANT to have 2FA enabled wherever possible, but having it enabled on Dropbox (or iCloud if that's your bag - I have the non-App Store version of the Mac app so this is no longer an option for me) causes me this issue.

Essentially Dropbox is my "weak point" by virtue of my enabling top level security for it. I could turn off 2FA and try to keep a password for it that I remember and then commit to regularly changing it, but I'd rather not - I like having my 50 character nonsense passwords created by 1P.

What's the solution? I know all the 2FA services give you emergency backdoor codes to get into your account should you need them, but don't they also rely on you knowing the account password too? I don't know my Dropbox password, and don't want to. Even if they don't I don't really want to be having to find a safe place for scraps of paper for emergency one time passwords (OTPs).

To prove this to myself I just went through the process of assuming no access and failed at the first hurdle. Dropbox's password reset tool sends an email. I would never have access to my email!

Help! I'm panicking!! ;-)
  • Sorry, but some passwords you must remember:

    1) 1P Master Password. Pretty obvious. You must enter this regularly.
    2) Dropbox. To recover access to your vault.
    3) Your primary email account. As you've discovered, if all else fails then you need to be able to do password resets.

    I suppose that you could drop #2 and just password reset the Dropbox account if you need access without 1Password.

    Personally, I just use a decent length diceware password for these. You could continue to use a long random password, but you'd have to write it down and store it somewhere safe, although that doesn't help you recover access if you're out on the road.

  • I have an emergency go-bag with a little cheatsheet for breaking back into Dropbox without any of my equipment. When you turn on 2FA for Dropbox, you are issued a secret key. I wrote this key very neatly on a Post-it note in the bag.

  • Megan

    Team Member

    Hi @smallcheese

    As @RichardPayne says, there are some situations where you might need to remember slightly more than just one password. His suggestion of Diceware passwords is a great way to make those passwords easy to remember. I've used Diceware to create my AppleID passwords as well, since Apple has a nasty habit of asking for them in pop-ups, which makes navigating to 1Password to copy and paste awkward.

    You can learn more about Diceware in this blog post by our security guru: Towards Better Master Passwords.

    Hi @Superfandominatrix

    What a great idea! :)
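RichardPayne and Megan both recommend Diceware for the handful of passwords you have to hold in your head. The following is an added illustration of how Diceware selection works and how to reason about the strength of the result; it is not code from this forum, from 1Password, or from the Diceware project. It uses a constructed 36-word list indexed by two dice so that it runs stand-alone; a real Diceware list has 6**5 = 7776 words indexed by five dice, and the selection and entropy arithmetic are the same.

```python
import math
import secrets

# Constructed miniature wordlist: 36 entries, one per outcome of two dice
# (6**2 = 36). A real Diceware list has 7776 entries keyed by five dice.
WORDLIST = [
    "apple", "bread", "candle", "delta", "eagle", "forest",
    "garden", "harbor", "island", "jacket", "kettle", "lemon",
    "marble", "needle", "orange", "pepper", "quartz", "river",
    "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zipper", "anchor", "basket", "cobalt", "dragon",
    "ember", "falcon", "glacier", "hammer", "ivory", "jungle",
]


def dice_for_wordlist(size):
    """Number of dice needed to index a list; the size must be a power of 6."""
    n_dice = round(math.log(size, 6))
    if 6 ** n_dice != size:
        raise ValueError("Diceware wordlist size must be a power of 6")
    return n_dice


def roll_dice(n_dice, rng=secrets.randbelow):
    """Roll n_dice fair dice (values 1..6) using a CSPRNG; rng is injectable for tests."""
    return [rng(6) + 1 for _ in range(n_dice)]


def dice_index(rolls):
    """Read the dice rolls as a base-6 number to get a 0-based wordlist index.

    [1, 1, 1, 1, 1] -> 0 and [6, 6, 6, 6, 6] -> 7775 on a real list.
    """
    index = 0
    for roll in rolls:
        if not 1 <= roll <= 6:
            raise ValueError("dice rolls must be in 1..6")
        index = index * 6 + (roll - 1)
    return index


def passphrase(n_words, wordlist=WORDLIST, rng=secrets.randbelow):
    """Build an n-word Diceware passphrase; every word is chosen uniformly."""
    n_dice = dice_for_wordlist(len(wordlist))
    words = [wordlist[dice_index(roll_dice(n_dice, rng))] for _ in range(n_words)]
    return " ".join(words)


def entropy_bits(n_words, list_size):
    """Entropy of an n-word passphrase drawn uniformly from list_size words.

    The strength comes from the uniform selection, not from keeping the
    wordlist secret, so it is n_words * log2(list_size) regardless of which
    words come up.
    """
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    phrase = passphrase(4)
    print(phrase)
    print(f"{entropy_bits(4, len(WORDLIST)):.1f} bits from the toy list")
    print(f"{entropy_bits(6, 7776):.1f} bits for six words from a real 7776-word list")
```

Two points worth taking from the arithmetic: the toy list gives only about 5.2 bits per word, so it is for demonstration only, while six words from a full list give roughly 77 bits, which is comparable to a 12-character random password and far easier to remember. The strength rests entirely on the dice (or `secrets`) picking words uniformly; picking "memorable" words by hand discards most of that entropy.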

  • prime
    edited January 2015

    I have 2 step verification on my Dropbox and use an authenticator app to get into it. I have my cell number as the backup and the recovery code hidden in my house for an emergency. So unless my house gets broken into, I'm not worried one bit at all.

    I don't see how this is an issue at all also. Your phone gets stolen, they are stealing your phone, not your phone number. You'll go to the cell phone place, get a new phone, and have the same phone number. And in the end, access to Dropbox.

    This is why I use Dropbox for syncing. I have all Apple products, but Apple is the only one who can use iCloud. If something happens to my phone, or I change to Windows, I can still access 1Password using Dropbox. It's a great backup tool.

  • @prime That recovery code is only good if you can't use 2 step verification, so if you don't know your password for Dropbox then you'd still need access to your email to reset it, for which you'd need to have access to 1Password for the email account password, and then you're back in the loop.

    Thanks for the feedback folks. I'll have a think about creating a password for my email and/or Dropbox which I can remember. In the meantime, I'm living on the edge!
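The loop described in the reply above (recovery code only stands in for the second factor, the Dropbox password lives in the vault, the email password lives in the vault, the vault lives in Dropbox) is a circular dependency, and it is easy to miss one link when reasoning about it by hand. The following is an added example, not code from the forum or from 1Password, that models the original poster's setup as a small dependency graph and computes what is still reachable once the devices are gone. The account names and the access paths are constructed from the thread; adapt them to your own accounts.

```python
# Each key is something you might need (an account, a secret or an object).
# Its value lists the alternative ways to obtain it; each alternative is a set
# of things you must ALL already hold. Constructed from the thread's scenario.
ACCESS_PATHS = {
    "1password_vault": [{"vault_file", "master_password"}],
    "vault_file": [{"device"}, {"dropbox"}],
    # Dropbox: log in with password + second factor, or reset the password by email.
    "dropbox": [{"dropbox_password", "dropbox_2fa"}, {"email"}],
    # Second factor: authenticator on the device, the recovery code, or the SMS backup.
    "dropbox_2fa": [{"device"}, {"dropbox_recovery_code"}, {"phone_number"}],
    "dropbox_password": [{"1password_vault"}],   # random, stored only in the vault
    "email": [{"email_password"}],
    "email_password": [{"1password_vault"}],     # random, stored only in the vault
}


def reachable(paths, held):
    """Compute the fixed point of everything obtainable from what is held.

    An item becomes available as soon as any one of its alternatives is fully
    satisfied; repeat until nothing new appears. Cycles resolve naturally: an
    item that depends only on itself through the loop is never added.
    """
    have = set(held)
    changed = True
    while changed:
        changed = False
        for item, alternatives in paths.items():
            if item not in have and any(needs <= have for needs in alternatives):
                have.add(item)
                changed = True
    return have


def locked_out(paths, held):
    """Sorted list of items you can no longer get to, given what you hold."""
    return sorted(set(paths) - reachable(paths, held))


def minimal_fix(paths, held, target, candidates):
    """Which single memorised secret from candidates would restore access to target?"""
    return sorted(c for c in candidates if target in reachable(paths, set(held) | {c}))


if __name__ == "__main__":
    # Scenario from the original post: phone, tablet and laptop all stolen.
    stolen = {"master_password", "dropbox_recovery_code", "phone_number"}
    print("locked out of:", locked_out(ACCESS_PATHS, stolen))
    print("one memorised secret that breaks the loop:",
          minimal_fix(ACCESS_PATHS, stolen, "1password_vault",
                      ["dropbox_password", "email_password"]))
```

Run as-is, the first scenario shows that holding the master password, the recovery code and the phone number is still a total lockout: every path back to the vault passes through a secret that is only in the vault. Adding either the Dropbox password or the email password to the set of things you can recall (which is exactly what the thread converges on) breaks the cycle, and the `minimal_fix` helper shows that either one alone is sufficient here.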

  • Megan

    Team Member

    Hi @smallcheese,

    Wow, there's certainly a lot of fiddly bits that you need to consider when attempting to protect against a lost device - whenever these discussions pop up in the forums, I learn a lot. :) It's great to hear that you're thinking seriously about your security and looking for ways to ensure that you are never locked out of your digital life. I'll let our document team know about this conversation - I think it would be great to have a knowledgebase article that covers a situation like this.

    ref: DOCS-265

  • prime
    edited January 2015

    @smallcheese for something like that, maybe have the password for Dropbox and the recovery key written down and hidden in your house. The only way anyone would get it is to break into your house. Do not carry it around with you, ever.

    An idea too is to just write both passwords down, hide them, and don't put what they're for or the user name either. This way if someone breaks into your house and finds them, they just see a bunch of characters and it could be for anything. It could be to get into the garage for all we know. Not sure how anyone feels about this, but I think it would work. Even keeping that info in a safety deposit box in a bank is safe too.

    But I see it: if someone breaks into your house, you have other issues lol.
