Web of Trust

May 04, 2016

I’ve been using the excellent KeePass password manager for many years. It helps me keep track of hundreds of passwords with various sites and services. It syncs securely through Dropbox so I can manage my accounts from all connected devices. It’s a great tool that I would (and do) recommend to everybody.

Today though, I had a striking realization: I have no way back in. If all of my devices were to be lost, destroyed, or stolen, I would lose access to everything.

Consider the web of trust. I can’t download my KeePass database without access to my Dropbox. I can’t reset my Dropbox password without access to my email. Each service relies on authentication from another service, yet there’s no way back in should I lose access to all of them at once. That’s dangerous.
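The dependency chain described above is easy to check mechanically once you write it down. The following is an added example, not code from the original post: it models each account as a node whose recovery requires access to the accounts it depends on, then reports circular dependencies and which accounts are unrecoverable from a given set of memorized credentials. The account names and dependencies are constructed for illustration.

```python
# Added example: audit a "web of trust" of account-recovery dependencies.
# Each key is an account; its value is the set of accounts you must already
# control to recover it (reset its password, fetch its data, etc.).
# Constructed sample mirroring the post: the KeePass database lives in
# Dropbox, Dropbox resets via email, and the email password is only in KeePass.
RECOVERY_DEPS = {
    "keepass_db": {"dropbox"},
    "dropbox": {"email"},
    "email": {"keepass_db"},
    "bank": {"email"},
}


def find_cycles(deps):
    """Return each circular recovery chain as a list ending where it started.

    A cycle means every account in it depends (transitively) on itself, so
    losing all of them together leaves no way back in.
    """
    WHITE, GRAY, BLACK = 0, 1, 2          # unvisited / on current path / done
    color = {}
    path, cycles = [], []

    def visit(node):
        color[node] = GRAY
        path.append(node)
        for dep in deps.get(node, ()):
            state = color.setdefault(dep, WHITE)
            if state == GRAY:             # back edge: dep is on the current path
                cycles.append(path[path.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep)
        path.pop()
        color[node] = BLACK

    for account in list(deps):
        if color.setdefault(account, WHITE) == WHITE:
            visit(account)
    return cycles


def recoverable_accounts(deps, memorized):
    """Accounts you can get back into starting only from memorized credentials.

    An account is recoverable if it is memorized, or if every account it
    depends on is recoverable. Iterate to a fixed point.
    """
    reachable = set(memorized)
    changed = True
    while changed:
        changed = False
        for account, needs in deps.items():
            if account not in reachable and needs and needs <= reachable:
                reachable.add(account)
                changed = True
    return reachable


def locked_out(deps, memorized):
    """Accounts that would be lost for good if every device disappeared."""
    return set(deps) - recoverable_accounts(deps, memorized)


if __name__ == "__main__":
    for cycle in find_cycles(RECOVERY_DEPS):
        print("circular recovery chain:", " -> ".join(cycle))
    print("nothing memorized, locked out of:", sorted(locked_out(RECOVERY_DEPS, set())))
    print("email memorized, locked out of:", sorted(locked_out(RECOVERY_DEPS, {"email"})))
```

With nothing memorized, every account in the sample is unrecoverable because the three core accounts form a cycle; adding the email credential to the memorized set breaks the cycle and makes all four recoverable. The same check works on any real inventory of accounts, including ones with several dependencies (for example an account whose reset requires both email and a second factor), since recovery of a node requires all of its dependencies.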

Thinking about it, the safest entry point is probably email. You can reset almost any account through your email, and if something goes wrong it’s much easier to contact support.

So starting today, I’ll have two credentials memorized: my KeePass master password and my email password. For other KeePass users out there, I’d suggest thinking about your web of trust too. It’s the kind of problem you don’t realize you have until it’s too late.