The one thing I always do with a password manager

I’ve set up multiple password managers, as part of my testing and reviews for PCWorld. And every time, I always take a moment right after creating an account to do one very, very important thing: saving all the codes I need for account recovery.
This involves two steps:
- Setting up a recovery key
- Downloading backup keys for two-factor authentication
These small pieces of info will save your bacon if you ever forget the password for your account, or you lose your two-factor authentication method. Or both.
By the way, this idea still applies if you use Google, Apple, or Microsoft’s built-in password management! You’ll be saving recovery info and backup codes for those accounts.
What’s a recovery key?
A recovery key lets you access your password manager account if you’ve forgotten your master password. Typically, it’s a long random string of letters and digits that the service generates for you. You’ll enter it during the account recovery process (usually started when you choose the Forgot password option at login). Because a good password manager never sees your master password, this key is often the only way back in, so treat it as carefully as you would the password itself.
What’s a backup code?
Backup codes let you access your account if your usual two-factor authentication method is unavailable. For example, you normally use a mobile app that generates one-time codes, but you lost your phone. You usually get a set of these when first setting up 2FA. You’ll enter just one of the codes after successfully entering your password at login, and each code works only once, so cross it off after you use it.
How do I find this information?
It depends on your password manager. Most make them available through account settings.
For the recovery key, you usually first have to turn the feature on. Afterward, you can download or copy the key.
For backup codes, most password managers only show them when you first set up 2FA. If you didn’t record them, or you need a new set, you will likely have to disable 2FA and then set it up again (or use a regenerate option in settings) to get fresh codes. A new set generally invalidates the old one, so destroy any earlier copies to avoid confusion later.
What’s the best way to store this information?
For safety, I use more than one method, so that losing a single copy isn’t fatal. If your home is secure (that is, you’re sure that people won’t rifle through your things), you can print or write down the codes and tuck them away.
Otherwise, you can create an encrypted file or folder (either on your PC or in the cloud), then store the codes in there. Alternatively, you can use a local password manager like KeePass and keep the info in an encrypted KeePass database. For these options, you’ll have to remember the passwords to decrypt the files! And don’t keep your password manager’s own recovery key inside that same password manager’s vault; if you’re locked out, you’d be locked away from the one thing that lets you back in.
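To make the "encrypted file" option concrete, here is an added example (not from the article) that protects a codes file with a passphrase using the OpenSSL command-line tool, then decrypts it to prove the round trip works. It assumes the `openssl` binary is installed; the file names, the passphrase and the codes in the heredoc are all constructed for illustration and are not real recovery data.

```shell
#!/bin/sh
# Added example: keep recovery codes in a passphrase-encrypted file with the
# openssl CLI (assumed to be installed). Codes, file names and the passphrase
# below are constructed sample data.
set -eu

# Encrypt file $1 into $2. The passphrase is read from the RECOVERY_PASS
# environment variable (-pass env:...) so it is not written into shell history
# or visible in the process list the way `-pass pass:secret` would be.
# PBKDF2 with a high iteration count slows down guessing if the encrypted
# file is ever copied from your PC or cloud storage.
encrypt_codes() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -pass env:RECOVERY_PASS -in "$1" -out "$2"
}

# Decrypt file $1 to stdout. Must be run with the same RECOVERY_PASS.
decrypt_codes() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass env:RECOVERY_PASS -in "$1"
}

# Demo: write a constructed codes file, encrypt it, delete the plaintext,
# then decrypt and confirm the contents came back.
demo() {
    work=$(mktemp -d)
    cat > "$work/codes.txt" <<'EOF'
# constructed sample data, not real codes
password manager recovery key: A3K7-QM2P-9XZT-WD4H-LR8C
2FA backup codes (each works once):
  1) 48213977
  2) 90315248
EOF
    RECOVERY_PASS='correct horse battery staple'   # example only; pick your own
    export RECOVERY_PASS
    encrypt_codes "$work/codes.txt" "$work/codes.txt.enc"
    # Remove the plaintext. Note that on SSDs a plain delete does not
    # reliably wipe the data, so create the file on the encrypted drive
    # or volume you intend to keep it on rather than copying it around.
    rm -f "$work/codes.txt"
    decrypt_codes "$work/codes.txt.enc" > "$work/roundtrip.txt"
    grep -c 'recovery key' "$work/roundtrip.txt"   # prints 1 when decryption worked
    rm -rf "$work"
}

demo
```

The decryption step is the part worth rehearsing: once a year, decrypt the file from memory to confirm you still know the passphrase and that the backup copy hasn’t been lost or corrupted. A recovery file you can’t open is no better than none.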
What else is smart to do?
Make sure you know the password to your email account! Nearly every Forgot password reset is delivered by email, so if you lose access to your password manager, you can still at least get back into your other accounts one at a time, if necessary.
My preference is to have it memorized and not stored in your password manager—especially if you’re storing passwords in the cloud. (Just as a precaution, in case your password vault ever becomes compromised.) But even if you do save it in your password manager, have it in your brain, too.
Also, I recommend storing backup 2FA codes for other accounts (i.e., not your password manager) the same way you’d store your password manager’s recovery key and backup 2FA codes. Either written down and tucked away in a safe spot in your house, or in an encrypted file/folder. That way you’ve got an escape hatch for those accounts too, should catastrophe hit.