Ask Slashdot: How To Securely Share Passwords?

THE_WELL_HUNG_OYSTER writes "My tech-savvy father died suddenly and unexpectedly. He did everything online: bill-pay, banking, eBay sales (and other auction sites), PayPal, investing, etc. When he died, he still had online auctions up for sale, items I had no idea how to fulfill when sold. He still had unprocessed auction refunds, people claiming they returned items and are waiting for a refund. Fortunately, he left Gmail open and logged in when he died, so I was able to configure his account to forward to mine for any future emails he received. He even had his health insurance automatically debited from his checking account (who needs health insurance when they're dead?) I had no way to log into these systems to cancel pending transactions. I called every institution; some were willing to help while others required me to fax/mail death certificates and proof of executorship (which I didn't have yet). Meanwhile, auctions were selling for items I had no idea how to fulfill; debits from his checking account were occurring even though they were irrelevant; etc. You get the idea. How can I share my login credentials with my siblings so they don't have to go through this when I'm gone? I change my passwords every month and never use the same password on more than one site. I don't want my siblings to be able to impersonate me unless I'm dead, so publishing a monthly list to them won't help and would be insecure."

Dont worry about it

You'll be dead.

Re:Dont worry about it

[hedwards]

Yes, but there's plenty of files that I personally want protected against prying eyes while I'm alive, which I wouldn't mind relatives seeing after I've passed. It is private information, but once I'm dead, I do kind of like the idea of people getting to see the areas of my life which were too private for me to be comfortable sharing in life.

The challenge is finding a way of disclosing those passwords without the possibility of a subpoena getting at them. I think pretty much the only way is to involve an attorney so that you can have attorney client privileges and then have the attorney disclose those after you're dead.

I don't believe that wills are protected in that way typically, you probably could send it to yourself via the post office, but I'm unsure as to whether subpoenas could force you to open them. Sending them internationally certainly would allow for them to be opened by ICE.

Re:Dont worry about it

[peragrin]

It is easy store a copy of passwords on an ecrypted drive. In your will leave the password . It can't be touched until you die. Update the password with the will. Nothing can legally be touched with your accounts until your estate has been settled. So with the will is perfect.

Re:Dont worry about it

[betterunixthanunix]

It can't legally be touched until you die

FTFY. If you have secrets that might be worth using extralegal methods of obtaining, hiding it in a will may not be sufficient. Laws can only go so far in protecting people; sometimes you need to protect yourself.

Re:Dont worry about it

[Mister+Whirly]

Get a safety deposit box in a bank - it can be opened upon your death by anyone you designate. Include instructions of where everything is stored, and the passwords, or master password to a password manager, in the box.

KeePass

[click2005]

I use KeePass with the Firefox plugin.

Re:KeePass

[txoof]

KeePass is GREAT. I've talked my mom and wife into using it. My mom simply put the master password in her safe-deposit box and left instructions in her will to allow us access to it. My wife and I simply shared our strong master passwords with each other and stuck them into our respective KeePass DBs.

It is a bit of a hassle keeping everything up-to-date, but it is well worth the hassle you leave for your loved ones to try and sort out potentially dozens of passwords after you're gone. Just think about how hard it is sometimes to prove that you own an account that you've forgotten the password for. Now multiply that by the fact that you're dead and your loved ones have to prove that you intended for them to get into your accounts.

Do your family a favor and make it easy for them to find all your passwords in the event that you kick it sudenly.

Secret Sharing

[betterunixthanunix]

http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing

Give shares to relatives and trusted friends.

Keys to the kingdom

[RollingThunder]

I don't think it'll be too hard.

If you keep your passwords securely in a master storage system (IE: KeePass or the like), and keep the master password for that in a physical location that your siblings will be able to get access to in the event of your demise, then they can use that to get access to all the accounts you held.

Think along the lines of those "snap cards" that were in 1980's cold war movies. The sibs have to break it open to get the master password paper, so you know it continues to be secure. There could even be instructions on the paper along with the password.

Re:Keys to the kingdom

[ColdWetDog]

You may be able to access it but you are likely not able to legally access it.

The passwords are necessary, but not sufficient.

Short answer, seek appropriate legal advice. Laws change from place to place and time to time. Your specific requirements may not be generalizable. It might cost you a couple of hundred dollars and might save you thousands.

duh?

Write them down.
Leave the sheet of paper in your desk drawer, locked if you're paranoid.
Done.

Re:duh?

[davester666]

The CIA has a tiny little camera in there, so that's just not safe.

Re:duh?

[kesuki]

it's funny -- once you've been paranoid how things like that stop being funny.

i've seen people rip apart their rooms claiming there are cameras recording them.

i've been lucky i have only once have had auditory hallucination, though sometimes i vocalize things. the government pays for my drugs and my living costs, which is a good thing. the drugs have mellowed me out a lot. not having to worry about becoming homeless is also nice. but i had to change gears. the government might support me forever, but for that to happen there needs to be a government willing to support me. there was a time when they wouldn't medicate people like me, and i know some who stop taking medications. it just isn't pretty i fall apart when i stop taking the drugs my mind runs out of control it is a lot like black swan especially where she thinks she killed someone only to find out she attacked herself.

LastPass

[Wonko+the+Sane]

Using some kind of password manager, either a third-party service or a local application, would make that kind problem easier to solve.

Lastpass and safebox

[blindbat]

I keep my passwords in Lastpass (any similar program will do) and then keep the master password in my safe deposit box at the bank.

I also keep a list of all important accounts and sites (banking, etc.) so that whoever it may concern will be able to know where to find what is important.

My wife knows this, and she would then be able to access all relevant accounts, as well as know which accounts are important.

Well, the solution is obvious

[AdamJS]

Make it a part of your will. Store your passwords in a physical deposit box and have your relatives be given the key upon your death.

Re:Well, the solution is obvious

[poofmeisterp]

That's a good idea except for the fact that the execution of the will takes more than a few minutes to execute. Sometimes days, sometimes weeks. The post office and/or banks don't hand over the key fast and easy.

Best option is to have it held by a law office as a durable power of attorney. You get death certificate, law office hands you the holdings granted to you in the will.

Of course I don't understand the context of the poster's question; ending/paying auctions and satisfying debt isn't something that's gonna be easier with saved passwords. *shrug* /sidenote

We had similar problems

We had a similar issue when my father passed away. We quickly realized that we could easily pretend to be him, just tell people his SSN and other personal information, and we were able to handle nearly every circumstance. It was an eye opening experience just how easy it is to pretend to be someone else. This was about 7 years ago so things may be different. I assume that you can still get away with it more often than not.

What we did was get his personal information, spread it out on the table, and then call up the institution. When they asked a question it was a simple matter of looking up the information as necessary.

Re:We had similar problems

[dead_user]

My bank refuses to talk to me about my wife's account. Even with her sitting next to me telling them it is OK. Now when they ask for Jennifer, I say I'm her, in by best husky voice, provide the last 4 of the SSN, and magically I have full access to her account. I mean come on... I'm a 40 year old guy with an unmistakably male voice. How can they possible accept that I'm Jennifer? They don't give a shit about fraud. They just want to be able to tick their little boxes.

Re:We had similar problems

[DrgnDancer]

My parents still own my *great grandfather's* timeshare condo in his name. When he died my grandmother just took it over as "him" because it seemed easier than going through he whole rigmarole of death certificates, etc. When she died my parents were honestly a little afraid to rock the boat given that the man would be about 100 by now, so they didn't change it either. Someday I expect to pass my children a timeshare on an 110 year old condo theoretically owned by a 160 year old man.

Secure password storage and an attorney

[Jake73]

Place your passwords into a secure repository (like KeePass) and keep it updated. Give the password to the repository and other containers (I keep my KeePass in a TrueCrypt container) to someone you trust to execute when you die. An attorney. A trusted friend. Etc.

If required, make the password a two-part thing and give each part to different people.

Options

[Alter_3d]

Check this Wikipedia article
It contains a list of services you can use to "inherit" your personal info when you die.

Lawyer

[Stormthirst]

Have a standing arrangement with your lawyer - send him a letter every month with instructions that the letter is only to be opened in the event of your death and to destroy the previous month's letter. The letter of course contains all the passwords and a list of people the list of passwords is to be given to. He'll probably charge you a monthly fee for the service.

If that's too expensive, I'm sure a PO Box is cheaper, and leave the key with your spouse/siblings.

Dan Brown It

[broginator]

Set up a series of convoluted and ambiguous riddles and puzzles to lead your survivors on a wild adventure to recover your secret code.

My father died a few years ago - Morningstar

[93,000]

My mom wanted to get into their Morningstar account and didn't have the password. I called and explained the situation -- basically that her husband was deceased and she needed the password, and I said I'd call on her behalf. What steps do I need to take to get it? The rest of the conversation:

Operator: "What's the username he has the account under?"
Me: "Uh, billsmith2222 is the username."
Operator: "OK, let's see... looks like the password is Sarajane. The 'S' is uppercase."
Me: -- Stunned silence --- "Thanks?"

I was glad it went so quick, as I had expected to have to send a death cert and jump through god knows what other hoops, but it freaked me out how casually they gave it to me. I mean, I didn't do anything to verify that I was even any relation to the account. All I had was the username. Obviously someone was new, disgruntled, or just plain stupid, but it worked in my favor for once.

Re:My father died a few years ago - Morningstar

[Zmobie]

Another disturbing part is the fact that the passwords they have are obviously not hashed...

Dead Man's Switch

[CapnStank]

I've posted this previously but I keep thinking it deserves merit:

Dead Man's Switch

Its a project that emails you periodically. If you don't respond it fires off a pre-defined message to a set of individuals you've chosen. Full disclaimer here, I have nothing to do with the project and I have not yet tested it myself but it doesn't seem like a difficult system to set up.... cron job + mail server + port listening app.

passmywill.com

[SaxtusGR]

There is a site that will do just that: http://passmywill.com/

There is a service for that

[Riceballsan]

Lifehacker recently had an article on a service called "death switch" http://www.deathswitch.com/ Basically it e-mails you asking if you are still alive, if you don't respond back, after 3 e-mails, it sends out the assigned message to who you specified. It does cost $20 a year

Not your Will

[alexander_686]

Don't leave it in your will.

First, the Will will not be read for a while - sometime weeks - after the death. So if you want something with a quick turn around time (like e-Bay) then don't.

Second, a Will is a public document - which maans anybody can get ahold of it. Another issue.

In most cases leaving instructions with your trusted lawyer should be sufficent - unless you are truely paranoid. (and considering this is /. ....)

Re:Not your Will

[peragrin]

Will are only public after you are dead.

You missed the point that if you die your accounts are frozen as part of your estate. Joint accounts however remain un changed.

No one is to touch your ebay account even with auctions pending until after the will has been read. That is part of estate law.

Re:Think low tech

[kesuki]

not secure enough. manually invent(steal) an un cracked encryption, like the cia building cypher. to learn how to do cyphers there are plenty that work out there that can't easily be decrypted without the key(map) to the cypher. then split the key to the cypher to 5 pieces with instructions to collect and decypher in your will etc. this way you can safely generate (in paper) the new passwords every month which get sent to a 6th party that doesn't have access to the disassembled key. i suggest you learn how to do the cypher without a paper trail other than the reassembly papers. in this way it takes access to 6 physical layers of protection which should keep your passwords safe on your end, now don't be doing this for criminal activity because passwords are stored in a shadow file anyways and is often the first target of would be blackhat crackers. on my own hardware i have retrieved passwords from the shadow file just to know it is possible. (i really changed the shadow file with the password of my account to the root account,)

Password to encrypted file

[DaveGod]

Condolences for your loss.

Unfortunately many companies do not have good procedures in place to handle the death of a customer, adding frustration to an already unhappy time. However, it is the good ones who do require the death certificate.

You need to be executor in order to settle his affairs. These companies asking for death certificates aren't just doing it for their own security purposes. They are legally required to act only on instruction from your father or someone he has expressly authorised them to recognise as an agent (an executor is a form of agent that everyone is obliged to recognise).

There are many reasons for this. There are related frauds committed against people still alive, and frauds against the deceased. Families squabble a lot over these and related matters so the institutions rightfully want to ensure they deal with the appointed person. Even with the best of intentions, the deceased may have wanted someone specific to settle their affairs and the particular person might not be it.

As regards you personally, record passwords in an encrypted file, Keypass or whatever, and leave your lawyer with instructions and a sealed envelope containing the password to your encrypted file. Alternately use a safety deposit box, the bank is usually the first place anyone goes with the death certificates and they will advise of the box - however they charge an annual fee.

More importantly, arrange your will and set who will be executor while you're at your lawyer.

Re:Think low tech

[green1]

My thought is somewhat related, I haven't implemented this yet, but it is on my "to-do list".

My main plan is to put instructions in an envelope that is sealed near my will. Making sure that familly/friends know where it is. The instructions would direct the person to send a specific code/password to a specific email address on my hosted server. (could also be a private web form or some such) Once recieved the server would send me an email notifying me of the request, and giving me 4 days to cancel it. If I do not reply within 4 days (adjust to suit whatever length of time you think is the longest you could possibly go without finding a net connection while still being alive and well), it would automatically send the information to the original requestor.

This has the advantages of the sealed envelope where I can detect tampering, but where the information is still easily accessible to those who require it (without them really needing to remember how it all works), but with the added advantage that if I am still alive I can stop the process before any sensitive information is released (in case the original envelope is stolen/otherwise compromised). For added security you could add a list of IPs/email addresses who are authorized to trigger the system (of course that becomes one more thing that you have to remember to keep up to date) and if you are concerned about the security of the server being used, the file being sent back can be encrypted with the decryption information in the original envelope.

Setting up the scheme is relatively simple/straight forward the harder part is keeping all the data it needs to send back updated so that it is useful once recieved.

And for those who say "you won't care, you're dead", you're right in that I won't care then, but I do care now what I am going to put my loved ones through, so I'd rather make things as easy for them as I can, they'll be dealling with enough when I die that I don't want to make things any more difficult than they have to be.