What to Do If You Have Lost the Master Password for Your Password Manager
Using a password manager is smart security. Nothing new there. However, the best password managers protect your credentials with one "master" password that only you know. But what happens if you lose this master password?
If you lose or forget your master password, getting back in is usually not as easy as clicking the "forgot password" button as you would for any other account on the Internet. Most of the time, you need to jump through a few hoops; otherwise you won't be able to get back in. In this post, we'll take a look at some of the popular password managers and what you can do to avoid getting into such an unfortunate situation.
Popular password managers and their master password policies
When you start using a password manager, it will most likely warn you that it is important to remember your master password. If there is any password that you absolutely must remember, it is your master password. After all, that's the whole point: it's easier to remember (or protect) one strong and secure password and let the password manager generate the rest for you.
Depending on the password manager you choose, the loss of a master password can be easily corrected, or recovering from it can become a nightmare. Here are some of the most popular ones and how they handle lost master passwords.
LastPass
LastPass has an entire guide dedicated to recovering your account if you've lost your master password. In short, if you truly forgot or lost your password, you can activate a one-time password (OTP) to access your vault. It works only once (you'll have to reset your password afterwards), you need to use a computer you previously used with LastPass, for security reasons (thanks Snow Dog for pointing this out!), and you need access to the email account you use for your LastPass account.
If the problem is that you recently changed your master password and are unable to log in, you can revert your vault to its previous state. You will be able to log in using your old password, but any changes you made after the old version will be lost. Of course, all of this requires access to the email account associated with LastPass; if you have lost your master password and also do not remember (or cannot access) that email account, you could be in a catch-22.
If that doesn't work, or you no longer have access to that email address, you're unfortunately out of luck, and you will lose your account. You can delete your vault and start over, but your passwords will be lost and you will have to rebuild everything.
Dashlane
Dashlane is a little more limited than LastPass, which is both good and bad. In short, no one at Dashlane can access or grant access to your account. This means that if you lose your master password, your vault will be locked forever, even if it's synced across devices or saved to the cloud.
If you are using the Dashlane mobile apps and have a device PIN configured (and have the app configured to ask for the password only when you restart your phone), you may have access to your passwords long enough to write them down elsewhere. You cannot change your master password from the mobile apps. Other than that, your only option is to create a new account or reset your existing one (so you can reuse the same email address). However, this deletes all data in your account, so you start from scratch.
This may sound harsh, but for a password manager, it's really a good thing. While this can be inconvenient, it also means that no one can use social engineering to break into your account.
KeePass
KeePass lets you protect your vault with a master password, a “key file”, or both. Since your password vault is always stored on your computer, you never have to worry about a third party getting their hands on it. You can sync it between devices using Dropbox or Google Drive, but you still need your password or key file to open it.
But here's the catch: since KeePass is free, open source, and not really maintained by a central team, if you lose your master password or key file, you're out of luck. No backdoor, no password reset feature, nothing. If you are locked out because you changed your password and you have backups of your old vault, you can restore the data from the backups and use the old password. Read more about it here.
Now, you could try to crack your own KeePass database. This is probably a bad idea. KeePass has built-in protection against brute force and hacking attempts, but there are tutorials out there that try to show you how to do it anyway. However, if your master password or key was strong (and it should be), most experts agree that there is no secret method that works, and it is not really worth the time and effort. This is an option, but we do not recommend it.
1Password
1Password's approach to password storage is very similar to Dashlane's. They don't have access to your vault or its encryption key, so they don't have the ability to reset your password or give you access to your data. They explain why here and offer some tips that might help here, but they boil down to the same as before: if you can restore from a backup where you know the password, do so, but any changes between then and now will be lost.
If you're signed in to 1Password on a different device, you can access and save your passwords, but as soon as you're asked to sign in again, you'll be locked out. Likewise, 1Password doesn't support two-factor authentication for your account, so there's nothing to lose here (but no additional protection either). In any case, the result is the same: lost the master password? You're out of luck.
Roboform
Roboform has been in password management for a long time, but if you forget your master password, you're out of luck just as with any other service. They explain in more detail here, but the point is this: if you log out of Roboform and forget your master password, you can reset it, but in the process you will delete all your data. If you've configured Roboform to remember your master password at all times, you will never get into this situation (unless something causes you to log out, such as a software update or reinstallation). Roboform will allow you to password protect some things but not others, but once you are logged out and cannot log back in, you will have to start from scratch.
How to prevent this from happening to you
If you've noticed the theme here, you're pretty much screwed if you lose your master password. Most password managers require you to either restore from a backup taken when you knew the password or start over. The best way to get into the password vault later is to prepare now. Here are a few things you can do before it's too late:
- Write down or export your backup codes / one-time passwords: Many password managers support backup codes and other one-time passwords that can be used in an emergency. They are usually presented to you once, for example when you set up an account or when you create them upon request. They will work as a way to change your password or get back into your account, but you must write them down or store them in a safe place outside of your password vault. The process is similar to what happens if you lose your phone and have two-factor authentication set up. If you export these codes and store them in a safe place now, you can access your data later.
- Write down your master password and keep it somewhere safe: We generally do not recommend writing down your password at all, as your master password is the key to all of your passwords. Of course, don't keep it somewhere obvious, but sometimes it makes sense to write down your password in a safe place in case you forget it or something else crazy happens to it. You can even encrypt it in a file somewhere, but then you need the encryption key, and then you go down the rabbit hole of encrypting the things you need to decrypt the encrypted stuff. You can even write it down on a piece of paper and put it in a fireproof safe in case something crazy happens and you forget what it is, but remember it's there.
- Use emergency contacts: If your favorite password manager supports password sharing or emergency contacts, make sure you have an emergency contact set up. Dashlane, for example, supports emergency contacts who can access your vault if you can't. This feature is usually meant for things like medical emergencies, but it also works for forgotten passwords. They won't be able to reset your password and get you back in, but they'll have access to your accounts, which is more than you have. With their help, you can record, export or reset other passwords.
- Export your passwords right now while you have access: It is important to choose services that give you "data freedom", the ability to easily export your data and take it with you if the service ever goes under or if you want to try something new. Make sure your password manager provides you with this option. Even if they don't make it easy, they should be able to export, even if that just dumps a plain-text CSV file of usernames and passwords on the desktop. If so, export your data and then save this file in a safe place. There are obvious drawbacks here: any updates or password changes mean you have to export a new file, and if the file is not encrypted, you probably want to put it somewhere safe, like a USB stick that you can hide somewhere secure, or somewhere encrypted with another method (which then injects another password into the mix). However, having a dump of passwords that is a few days old when you are locked out of your vault is better than having nothing at all.
- Back up your data: Just like backing up your password vault to a safe place, make sure you back up your data in general. It is good practice to have reliable backups, but most password managers store your encrypted data locally. If you restore an older version of the application and its files, you can log in using the old password (you will have an older version of your vault, but again, this is better than nothing). This will only help you if the problem is that you changed your master password and cannot use the new one, but restoring an old version is common advice from support for all popular password managers.
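One way to follow the export and backup items above without leaving a plain-text CSV lying around, as an added example that is not from the original article. It assumes OpenSSL 1.1.1 or later and coreutils' `sha256sum`; the function names and file layout are hypothetical.

```shell
#!/bin/sh
# Added example: encrypt a password-manager CSV export before storing it on a
# USB stick or backup drive. Function and file names are assumptions.
umask 077   # everything created below is readable by the owner only

# encrypt_export <export.csv> <passphrase-file>
# Produces <export.csv>.enc and <export.csv>.enc.sha256, proves the backup
# decrypts to the same bytes, and only then deletes the plaintext export.
encrypt_export() {
    local src="$1" passfile="$2" enc="$1.enc" want got
    want=$(sha256sum < "$src" | cut -d' ' -f1)
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$src" -out "$enc" -pass "file:$passfile" || return 1
    # Round trip through a pipe so the plaintext is not written a second time.
    got=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$enc" -pass "file:$passfile" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ] || { rm -f "$enc"; return 1; }
    # "openssl enc" has no built-in integrity check, so record a digest of the
    # ciphertext to detect a corrupted copy before relying on it.
    sha256sum < "$enc" | cut -d' ' -f1 > "$enc.sha256"
    rm -f "$src"   # plain delete; on SSDs, prefer exporting to an encrypted volume
}

# restore_export <export.csv.enc> <passphrase-file> <output.csv>
# Refuses a corrupted backup; a wrong passphrase normally fails with a
# padding error, and any partial output is removed.
restore_export() {
    local enc="$1" passfile="$2" out="$3"
    [ "$(sha256sum < "$enc" | cut -d' ' -f1)" = "$(cat "$enc.sha256")" ] || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$enc" -out "$out" -pass "file:$passfile" 2>/dev/null && return 0
    rm -f "$out"
    return 1
}
```

The passphrase file is only there so the functions run unattended; the backup passphrase must itself be stored outside the vault, which is the extra password the export item mentions.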
Of course, it's best to prepare for losing your master password before you lose it. It goes without saying that you should try not to forget or lose your master password, even if you choose to back it up somewhere safe. If you do lose it, most of these methods will get you back up and running in some form.
Either way, it's important to remember that password managers are not like your email or online banking account: they won't just send you an email with a link to reset your password, after which everything will be fine. Most assume that if you are careful enough to protect all of your passwords, you are careful enough to ensure that you always have access to your vault.