A key floating in thin air in front of a keyhole.

How to back up your password manager

Password managers aren’t infallible. They suffer service outages like every other service. Yet, password managers ask their customers to trust them completely. They’re a single point of failure and are difficult to back up.

A password manager is good for your security hygiene and you should definitely use one. They help us avoid reusing the same password all over the place and ease the mental burden of having to remember all those passwords.

You quickly grow completely dependent on your password manager, however. It’s an incredibly sticky product that guards everything from high-value assets and access to our bank to that one account you made to comment on a comic on that weird site.

LastPass markets itself as “the last password you need to remember.” That promise leaves a huge unanswered question: What do you do when you suddenly don’t have access to your password manager and you don’t remember any of your passwords?

How would you get access to your email and critical work-related services if your password manager disappeared overnight? Or what if you simply forget the password to your password manager (the “master password”)?

Backups are a possible solution to this problem. If you have a backup of your password manager then you have a backup plan in case of a problem with your password manager. When was the last time you backed up your password vault, though?

Many password managers, the good ones anyway, store their customers’ passwords on their servers in an encrypted format. The best password manager services store them so securely that not even they can access your passwords if you forget your master password.

Almost all password manager services let you export an unencrypted data-dump containing all your passwords. This option is often hidden deep down in a settings screen somewhere in your password manager. This is the file that lets you migrate between two password managers without having to copy over your passwords one at a time.

You could periodically download a copy of all your passwords and store them in a managed storage service like DropBox, Apple iCloud, or Microsoft OneDrive. It would be a boring task and you wouldn’t remember to do it after a month or two. You’d also take on additional risk as anyone who’d gain access to your files (including employees at the storage service provider) would have a copy of all your authentication data.

The various password managers could offer to sync encrypted backups to a cloud service as a feature. However, I understand why none of the leading providers currently offer this service. It could make their customers more aware that their blind trust in their provider’s infallibility might be misplaced.

It’s risky even to download this file and store it on your computer. You can mitigate this by re-encrypting the file. However, then you’d need to remember an additional password or somehow securely store an encryption key-pair. These are paradoxically tasks you’d normally trust your password manager to handle.

You could periodically print a hard-copy of the exported password dump. However, not many still own a printer nor have a secure way to store such sensitive papers. You don’t want to print it through a printer controlled by anyone else, such as your employer, as printers can retain copies of what they’ve printed for some time.

Pro-users can cobble together a secure and automated back up solution using various command-line tools. Many password managers offer advanced users command-line access to their password vaults.

However, these methods may be unavailable if you use two-factor authentication or other additional security mechanisms. It also adds significant complexity and requires ongoing monitoring and maintenance. I don’t recommend that anyone attempt this.

Unfortunately, there are no easy solutions for securely backing up your password manager. You most definitively should have a backup, however!

The only solution is to use two different password managers. This method has some drawbacks, however. You obviously introduce more complexity as you must make sure to keep the items in your two password managers in sync. If you add or change a password to one then you must make sure to mirror the change in the other.

You also double the risk of having your password vault be compromised if you use two password managers. Any critical security flaw or intrusion into either of your password managers could expose the contents of your vault.

Using two password managers is less convenient than trusting one password manager. It’s relatively easy compared to the other methods I’ve discussed in this article. You can even use this method with a smartphone without the need for a computer.