Storing Safe: 2FA Recovery Code

I would like to know about your “hacks” for storing your 2FA recovery code for Bitwarden. Since Bitwarden stores all our private data, like passwords, credit cards, etc., everybody should enable two-factor authentication (2FA). But again, it might happen that you are not able to reach your 2FA device, so that you have to use your recovery code in order to access your Bitwarden account. That’s why it is also required to note down your 2FA recovery code. How do you keep your 2FA recovery code safely stored? Do you write it on a piece of paper and stick it in a wardrobe, or bury it, or whatever? I want to hear your tips & tricks on this topic.

I store it in an encrypted file in a sync service (pCloud).

Pros:

  • I don’t worry about losing it since it’s stored in the cloud and replicated many times.
  • I’m the only one to be able to decrypt it as long as AES 256 remains safe.

Cons:

  • I have to trust pCloud’s privacy policy for them to not make a copy of my file for their own use and try to bruteforce it offline.

I don’t think of any other cons, but feel free to criticize my method 🙂

You could always go with the “on an encrypted flash drive in a safety deposit box” method.

The best solution I ever heard was to use KeePass to store the login info for Bitwarden along with the recovery code. It also doesn’t hurt to keep all the info you need for your emails along with their 2FA codes in the KeePass file, because that is about all you need to recover any accounts if something were to happen to Bitwarden.

Just make sure the password you use to lock the KeePass file is long (20+ characters) and something you’ll remember.

Store the KeePass file on a flash drive along with the installer for KeePass so you have version control. Keep one flash drive in your home and another not in your home in case of fire or other natural disasters. Every year set a reminder to plug in the flash drive to keep it alive and to make sure it hasn’t gone bad.

You could even store the KeePass file in a password manager of someone you trust and rest assured they can’t view it without your password. If you’re feeling froggy you could even export all of Bitwarden to CSV and import that into KeePass.

I would recommend you avoid storing the backup on a cloud server that you don’t own. Not because it’s not “safe”, as many would assume, but because you run into the chicken-and-egg problem. If the password to the cloud server is in your password manager and you don’t have access to your password manager, then you’re doubly screwed.

I love seeing different ideas on this subject! However, I am really surprised that all the methods described so far involve digital storage, that is, you keep your 2FA recovery codes in the form of bits and bytes on an electronic medium, whether encrypted on cloud storage or encrypted on a USB drive.

The method of putting your 2FA recovery code on an encrypted flash drive, or encrypting the 2FA recovery file and uploading it to the cloud, forces you to memorize another long passphrase for the encrypted flash drive or the cloud storage itself. Many users already have around 20-character passphrases for their Bitwarden vaults, so adding one more passphrase, I would argue, would put more strain on your memory.

I seem to sympathize with the idea of writing your 2FA recovery code on a piece of paper and storing it in a safe place in the house. It can be between the pages of an old notebook, or in a drawer that is out of sight, with no indication on the paper itself signalling that it is a recovery code for your Bitwarden vault. However, this method also has its risks: you might lose the piece of paper that you’ve put your recovery codes on, or someone might throw it away, or you might not always be able to reach it (since it is at “home”), etc.

I also agree with this point of view. You are storing all your login data in a Bitwarden vault. But then, you store the 2FA recovery codes for your Bitwarden vault, in encrypted form, in the cloud. So, where are the passphrases for the cloud account and your 2FA recovery code file stored? In the Bitwarden vault? Chicken-and-egg problem.

Could simply store the info on paper and be done with it. The only thing I would suggest is to store a backup copy not in your home, in case of fire or other natural disasters.

Print → Laminate → Safety deposit box

I keep mine written on a piece of paper in a fire-proof safe.

I tend to do that with my master password in a wallet (with some sort of anti-theft feature).

I’ve been using the same master password for some time now, and I’ve been wondering what I’ll do to memorize fast and keep it safe. (Believe me, I’ve been asking this for a long time. xkcd password generator was the best that worked for me so far.)

My handwriting is horrible, which makes it almost incomprehensible. That’s why I prefer to type all the time.

I keep mine stored in a GPG-encrypted file stored on 3 computers, at least one of which is in a remote location.

I print out multiple copies of the recovery code and scatter them amongst my personal property. Wallet, bag etc.

My handwriting is horrible, which makes it almost incomprehensible. That’s why I prefer to type all the time.

I identify with this comment on a spiritual level.

How do you store ALL your recovery codes?

Currently I print them all on a sheet of paper. I use a Google Doc with a special procedure that allows me to print each new code on the same sheet without storing them in the Google Doc (not even in the history of changes).

I’m sometimes thinking about how to store them online as well. I don’t like the idea of storing everything in the same place. So I’m thinking about having multiple password manager accounts, using different services (like Bitwarden), and splitting the recovery codes across these accounts.
For example, with 3 accounts and a 12-word code: words 1, 4, 7, 10 in another Bitwarden account, 2, 5, 8, 11 in 1Password and 3, 6, 9, 12 in LastPass. (This is a basic example; we can imagine different ways to split the code.)

We can also add fake words to make them all look like it’s the full recovery code.

Is this a bit overkill? 😂

Can also store your BW recovery code in a plain text file on a Proton Drive or MEGA account. In the extremely unlikely scenario that someone manages to read the text file, they won’t know what the code is for, let alone which account it is for. I like Proton Drive and MEGA best for their zero-knowledge encryption models. Sync.com is zero-knowledge as well if you disable the password recovery option.

I use a combination of written records, local digital copies, and cloud accounts. With cloud accounts, you still have to write out your credentials on paper, which becomes your weakest link, but data reliability on the cloud is superior versus local USB drives.

You just have to be vigilant about keeping the cloud account active if it is a free version. With MEGA, your account can be disabled/deleted if there is no activity for just 3 months. However, MEGA has an especially generous free option, and I like the browser extension they support and keep updated. It has some theoretical security advantages versus using the website since you interact with local code. They also support and keep updated a desktop application, including for Linux.

Pascal, yes, completely unnecessary busy work that is just complicating your life.

Come to think of it. If you have to write down your cloud credentials, it makes very little sense to use a cloud account to store your BW recovery code. Just write it down with your other emergency credentials.

If you split the recovery codes in different places as an online backup, it’s probably not too complicated as long as you can deal with the inconvenience. If it’s your only way to keep the codes, then in some situations, you may not be able to figure out how to put them together quickly enough. Security sometimes doesn’t go well with accessibility.

It depends a bit on for what purpose you are storing the information. If it is not for your own use then accessibility is not the primary issue, which largely removes the main advantage of a cloud option. USBs are not really archival media so you need more than one. Distributing copies in more places is more reliable but offers more points of loss, and unless another password is remembered (as noted above) then risk is much higher. Separating components to distribute can be safer and clumsier.

One option I have not seen proposed above, just a thought, is encipherment of text on paper. Something like a running key cipher is not difficult to implement. It is not meant to be wholly secure, just a protection against burglary because it will be good enough to stall even better than average thieves for the few hours necessary for you to discover the break-in and change your master password.

This idea amused me enough that I created two pass phrases using the standard diceware list. While I am sure most people have better things to do, I doubt the following would be broken within 2-3 hours by a thief rather than a knowledgeable, well-equipped user, yet they are not difficult to do.

The first is XEWVXI RZRIHXZ WNFWCK LGTA 0617
and the second is DLHOJQPXNEWHVUCJHCMFMMVCYXDQDJS 0205
the difference being the second encodes spaces where the first does not. The two random phrases used different pages of the same well-known book I have on my shelf. Encoding and decoding can be done entirely manually. You do need to remember which book. In this case I have not embedded coded page references, they are there if you can see them. Other rules were / clues are: not case sensitive, punctuation ignored, no spaces in the enciphering text.

I might consider using an improvement on the method as I keep no paper emergency sheet. It is a manually operable “stalling” backup for oneself, not a secure encryption. I’ll disclose the above in a day or so if uncracked. It should be crackable.

Although relevant to the topic, my post of the 18th was to some extent triggered by people in other threads asking for padlocks on their padlocks, reinforcing the already strong rather than surveying their realistic exposures. The general question should be to identify the use and access need for the information (as others have identified above), consider practical rather than merely theoretical threats, then an appropriate response which might not prove to be merely “more security”.

Here, I considered that one needs a backup of essential information not otherwise recoverable, that it should be in a reliable form, accessible with reasonable ease, and not readily leaked or observed. To “a sheet of paper hidden in a book” I added “simple cipher, probably in your purse or wallet” because the threat is principally personal theft, something one can readily observe, the obvious and effective response is to change your password, so the need is not “they shall not pass!” but simply “stall the enemy while you act”.

In practical terms a simple running cipher for a few words offers a good time-to-break yet is manageable by a person; an autokey cipher is even simpler yet still buys quite some time. Remember, the opponent has not even identified which of many ciphers you have used, and a personal thief is hardly likely to be equipped with a computer, cryptographic knowledge and tools.

I am pretty confident that somewhere on the planet at least one Bitwarden Community reader looked at the cipher above, where I even left clues, and thought “No, why try?”. Do you expect more knowledgeable thieves? If and when it is broken, it will be too late for the thief.

Consider use and access needs for the information, consider practical rather than merely theoretical threats, then model appropriate responses which may include or permit conclusive action by you.

Nearly forgot to mention, the second (harder) Diceware pass phrase above is “outback unreached hate unskilled”, code text from page 57 of a 1910 edition of Darwin’s “Origin of Species”
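As an added example (not the poster's own tableau, book or procedure), here are the two paper-friendly ciphers mentioned above, a running-key cipher keyed by a page of text and an autokey cipher keyed by a short primer, on the two alphabets the posts describe: 26 letters, or 27 symbols with a visible "_" standing in for the space. The numbering A=0..Z=25 (and "_"=26), the rule that punctuation is ignored and case is not significant, and the sample key text are assumptions, so this will not decode the ciphertexts quoted in the thread; the embedded page references are likewise not reproduced.

```python
"""Running-key and autokey ciphers on a 26- or 27-symbol alphabet.

Added example, not the thread poster's scheme. Symbol numbering, the "_" used
for space, and the sample key text are assumptions. Both ciphers are
pencil-and-paper tools meant only to stall a thief, not real encryption.
"""
import string

ALPHA26 = string.ascii_uppercase
ALPHA27 = string.ascii_uppercase + "_"  # "_" is written for a space so it survives copying


def normalise(text: str, alphabet: str) -> str:
    """Uppercase, ignore punctuation; word gaps become '_' only on the 27-symbol alphabet."""
    text = text.upper()
    if "_" in alphabet:
        text = "_".join(text.split())
    return "".join(ch for ch in text if ch in alphabet)


def _shift(ch: str, key_ch: str, alphabet: str, sign: int) -> str:
    """Tabula recta step: add (sign=+1) or subtract (sign=-1) the key symbol."""
    n = len(alphabet)
    return alphabet[(alphabet.index(ch) + sign * alphabet.index(key_ch)) % n]


def running_key_encrypt(plaintext: str, key_text: str, alphabet: str = ALPHA26) -> str:
    """Key stream is the text of a book page, read from an agreed position."""
    p, k = normalise(plaintext, alphabet), normalise(key_text, alphabet)
    if len(k) < len(p):
        raise ValueError("key text (the book page) is shorter than the plaintext")
    return "".join(_shift(pc, kc, alphabet, +1) for pc, kc in zip(p, k))


def running_key_decrypt(ciphertext: str, key_text: str, alphabet: str = ALPHA26) -> str:
    k = normalise(key_text, alphabet)
    if len(k) < len(ciphertext):
        raise ValueError("key text (the book page) is shorter than the ciphertext")
    return "".join(_shift(cc, kc, alphabet, -1) for cc, kc in zip(ciphertext, k))


def autokey_encrypt(plaintext: str, primer: str, alphabet: str = ALPHA26) -> str:
    """Key stream is the primer followed by the plaintext itself: nothing to carry but one word."""
    p = normalise(plaintext, alphabet)
    k = normalise(primer, alphabet) + p
    if not k:
        raise ValueError("primer must contain at least one alphabet symbol")
    return "".join(_shift(pc, kc, alphabet, +1) for pc, kc in zip(p, k))


def autokey_decrypt(ciphertext: str, primer: str, alphabet: str = ALPHA26) -> str:
    k = list(normalise(primer, alphabet))
    if not k:
        raise ValueError("primer must contain at least one alphabet symbol")
    out = []
    for i, cc in enumerate(ciphertext):
        pc = _shift(cc, k[i], alphabet, -1)
        out.append(pc)
        k.append(pc)  # each recovered symbol extends the key stream
    return "".join(out)


if __name__ == "__main__":
    # Constructed stand-in for a book page; a real key would be a page the owner can find again.
    page = ("When we look to the individuals of the same variety or sub-variety of our "
            "older cultivated plants and animals, one of the first points which strikes us")
    phrase = "outback unreached hate unskilled"  # the Diceware phrase disclosed in the thread
    ct = running_key_encrypt(phrase, page, ALPHA27)
    print(ct)
    print(running_key_decrypt(ct, page, ALPHA27).replace("_", " "))
    print(autokey_decrypt(autokey_encrypt(phrase, "Darwin"), "Darwin"))
```

On the 26-letter alphabet word boundaries are lost and must be guessed on decryption, which is why the second variant exists; the cost is that the "_" symbol shows the thief where the gaps are. The autokey variant needs no book, but a wrong first symbol of the primer corrupts every symbol after it, so the primer should be a word you cannot misremember.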