Great write-up, I remember going through this chain of thought myself a few years back and the conclusion I ended at was: you need at minimum one password that you never forget. If you try to create a recovery mechanism, like using a physical safe like OP suggested, then now all your security efforts just shift towards securing that safe instead. Not to mention in some countries the cops can break open your safe but they can’t force you to give up your password (aside from using rubber-hose cryptoanalysis).
The good news is, you only need to remember one master password. At least with the system I’ve been using (feedback welcome). I organize everything into a hierarchy of trust rings. At the root, ring 0, is a single device secured with the master password, and it stores the passwords needed for things in ring 1. Then the devices in ring 1 store passwords and credentials for ring 2, etc. If I ever forget a password I can always go up a ring to find it. Here’s a rough idea of my rings:
Ring 0
I use a Pixel phone with GrapheneOS, and a very strong master password. It is permanently in airplane mode so that it is effectively air-gapped. GrapheneOS also supposed a “duress” password, a fake password which can be used to surreptitiously wipe the device if somebody tries to force you to unlock the device. Thus, it is the most secure device I have. It’s also a phone so that it’s portable enough to carry while traveling. The only thing on it is a KeePass database (which uses the same password as the device itself, for simplicity). This KeePass database contains the disk encryption passwords, login passwords, and BIOS/UEFI passwords for my ring 1 devices
Ring 1
Ring 1 devices are still relatively secure but they are connected to the internet so not as secure as ring 0. I only have 4 things in ring 1: my everyday password manager, my main PC, my phone (also GrapheneOS), and my backup NAS. My everyday password manager contains passwords for things in ring 2.
Ring 2
Ring 2 is for things that I consider untrusted and insecure. This includes online accounts, which are ultimately out of my control. Or devices that run untrusted operating systems, like from Microsoft or Apple.
Ring 3?
Sometimes on my ring 2 devices I make throwaway accounts and store the passwords on the device itself, so I guess you could call these throwaway accounts ring 3. But generally everything I own is in ring 0, ring 1, and ring 2.
So there you have it, everything secured with a single password, and I consider it secure enough for most threat models. No need to for physical safes or hiding 2fa keys. It’s a little expensive since you have a pixel phone just for storing passwords, but I think it’s worth it. It’s also a little inconvenient to have to read passwords off the screen and then manually type them in, but I found that I usually remember the passwords for my ring 1 devices so I rarely need to use my ring 0 device.
Some tips:
for ring 0, you don’t need a separate device if you use Qubes OS. Just use the built-in password vault in Qubes, which I consider as secure as an air-gapped device
to prevent an attacker from disabling airplane mode on my ring 0 Pixel phone, I couldn’t find a way to disable the Android quick settings from the lockscreen, so instead I just removed all airplane/wifi/cellular/bluetooth related toggles from the quick settings
for the master password, I recommend using a passphrase. The GrapheneOS community recommends 6 random diceware words (KeePass can generate these for you completely offline), but at least for my master passphrase I prefer to create my own phrase, to make it more memorable. However since humans are unreliable sources of randomness, I make my passphrase 8 words or longer to compensate
make sure to have a backup of your ring 0 device contents. I store a backup of my pixel phone’s KeePass database on a usb drive. No need for any extra security there, the KeePass database is already encrypted with the master password
if you find yourself rarely needing your ring 0 device, you might want to schedule a monthly routine to unlock it just so you don’t forget your master password
if you use a Pixel phone as your ring 0 device like I do, you will want to replace it every few years. Cops have Celebrite machines that can crack any phone except newer Pixel phones.
Great write-up, I remember going through this chain of thought myself a few years back and the conclusion I ended at was: you need at minimum one password that you never forget. If you try to create a recovery mechanism, like using a physical safe like OP suggested, then now all your security efforts just shift towards securing that safe instead. Not to mention in some countries the cops can break open your safe but they can’t force you to give up your password (aside from using rubber-hose cryptoanalysis).
The good news is, you only need to remember one master password. At least with the system I’ve been using (feedback welcome). I organize everything into a hierarchy of trust rings. At the root,
ring 0, is a single device secured with the master password, and it stores the passwords needed for things inring 1. Then the devices inring 1store passwords and credentials forring 2, etc. If I ever forget a password I can always go up a ring to find it. Here’s a rough idea of my rings:Ring 0
I use a Pixel phone with GrapheneOS, and a very strong master password. It is permanently in airplane mode so that it is effectively air-gapped. GrapheneOS also supposed a “duress” password, a fake password which can be used to surreptitiously wipe the device if somebody tries to force you to unlock the device. Thus, it is the most secure device I have. It’s also a phone so that it’s portable enough to carry while traveling. The only thing on it is a KeePass database (which uses the same password as the device itself, for simplicity). This KeePass database contains the disk encryption passwords, login passwords, and BIOS/UEFI passwords for my
ring 1devicesRing 1
Ring 1devices are still relatively secure but they are connected to the internet so not as secure asring 0. I only have 4 things inring 1: my everyday password manager, my main PC, my phone (also GrapheneOS), and my backup NAS. My everyday password manager contains passwords for things inring 2.Ring 2
Ring 2is for things that I consider untrusted and insecure. This includes online accounts, which are ultimately out of my control. Or devices that run untrusted operating systems, like from Microsoft or Apple.Ring 3?
Sometimes on my
ring 2devices I make throwaway accounts and store the passwords on the device itself, so I guess you could call these throwaway accountsring 3. But generally everything I own is inring 0,ring 1, andring 2.So there you have it, everything secured with a single password, and I consider it secure enough for most threat models. No need to for physical safes or hiding 2fa keys. It’s a little expensive since you have a pixel phone just for storing passwords, but I think it’s worth it. It’s also a little inconvenient to have to read passwords off the screen and then manually type them in, but I found that I usually remember the passwords for my
ring 1devices so I rarely need to use myring 0device.Some tips:
ring 0, you don’t need a separate device if you use Qubes OS. Just use the built-in password vault in Qubes, which I consider as secure as an air-gapped devicering 0Pixel phone, I couldn’t find a way to disable the Android quick settings from the lockscreen, so instead I just removed all airplane/wifi/cellular/bluetooth related toggles from the quick settingsring 0device contents. I store a backup of my pixel phone’s KeePass database on a usb drive. No need for any extra security there, the KeePass database is already encrypted with the master passwordring 0device, you might want to schedule a monthly routine to unlock it just so you don’t forget your master passwordring 0device like I do, you will want to replace it every few years. Cops have Celebrite machines that can crack any phone except newer Pixel phones.