Slashdot Mirror
Ask Slashdot: How To Securely Share Passwords?
THE_WELL_HUNG_OYSTER writes "My tech-savvy father died suddenly and unexpectedly. He did everything online: bill-pay, banking, eBay sales (and other auction sites), PayPal, investing, etc. When he died, he still had online auctions up for sale, items I had no idea how to fulfill when sold. He still had unprocessed auction refunds, people claiming they returned items and are waiting for a refund. Fortunately, he left Gmail open and logged in when he died, so I was able to configure his account to forward to mine for any future emails he received. He even had his health insurance automatically debited from his checking account (who needs health insurance when they're dead?) I had no way to log into these systems to cancel pending transactions. I called every institution; some were willing to help while others required me to fax/mail death certificates and proof of executorship (which I didn't have yet). Meanwhile, auctions were selling for items I had no idea how to fulfill; debits from his checking account were occurring even though they were irrelevant; etc. You get the idea. How can I share my login credentials with my siblings so they don't have to go through this when I'm gone? I change my passwords every month and never use the same password on more than one site. I don't want my siblings to be able to impersonate me unless I'm dead, so publishing a monthly list to them won't help and would be insecure."
You'll be dead.
http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing
Give shares to relatives and trusted friends.
Palm trees and 8
Write them down.
Leave the sheet of paper in your desk drawer, locked if you're paranoid.
Done.
We had a similar issue when my father passed away. We quickly realized that we could easily pretend to be him, just tell people his SSN and other personal information, and we were able to handle nearly every circumstance. It was an eye opening experience just how easy it is to pretend to be someone else. This was about 7 years ago so things may be different. I assume that you can still get away with it more often than not.
What we did was get his personal information, spread it out on the table, and then call up the institution. When they asked a question it was a simple matter of looking up the information as necessary.
Place your passwords into a secure repository (like KeePass) and keep it updated. Give the password to the repository and other containers (I keep my KeePass in a TrueCrypt container) to someone you trust to execute when you die. An attorney. A trusted friend. Etc.
If required, make the password a two-part thing and give each part to different people.
Check this Wikipedia article
It contains a list of services you can use to "inherit" your personal info when you die.
Have a standing arrangement with your lawyer - send him a letter every month with instructions that the letter is only to be opened in the event of your death and to destroy the previous month's letter. The letter of course contains all the passwords and a list of people the list of passwords is to be given to. He'll probably charge you a monthly fee for the service.
If that's too expensive, I'm sure a PO Box is cheaper, and leave the key with your spouse/siblings.
My mom wanted to get into their Morningstar account and didn't have the password. I called and explained the situation -- basically that her husband was deceased and she needed the password, and I said I'd call on her behalf. What steps do I need to take to get it? The rest of the conversation:
Operator: "What's the username he has the account under?"
Me: "Uh, billsmith2222 is the username."
Operator: "OK, let's see... looks like the password is Sarajane. The 'S' is uppercase."
Me: -- Stunned silence --- "Thanks?"
I was glad it went so quick, as I had expected to have to send a death cert and jump through god knows what other hoops, but it freaked me out how casually they gave it to me. I mean, I didn't do anything to verify that I was even any relation to the account. All I had was the username. Obviously someone was new, disgruntled, or just plain stupid, but it worked in my favor for once.
Sweet informative mod.
I've posted this previously but I keep thinking it deserves merit:
Dead Man's Switch
Its a project that emails you periodically. If you don't respond it fires off a pre-defined message to a set of individuals you've chosen. Full disclaimer here, I have nothing to do with the project and I have not yet tested it myself but it doesn't seem like a difficult system to set up.... cron job + mail server + port listening app.
You may be able to access it but you are likely not able to legally access it.
The passwords are necessary, but not sufficient.
Short answer, seek appropriate legal advice. Laws change from place to place and time to time. Your specific requirements may not be generalizable. It might cost you a couple of hundred dollars and might save you thousands.
Faster! Faster! Faster would be better!
KeePass is GREAT. I've talked my mom and wife into using it. My mom simply put the master password in her safe-deposit box and left instructions in her will to allow us access to it. My wife and I simply shared our strong master passwords with each other and stuck them into our respective KeePass DBs.
It is a bit of a hassle keeping everything up-to-date, but it is well worth the hassle you leave for your loved ones to try and sort out potentially dozens of passwords after you're gone. Just think about how hard it is sometimes to prove that you own an account that you've forgotten the password for. Now multiply that by the fact that you're dead and your loved ones have to prove that you intended for them to get into your accounts.
Do your family a favor and make it easy for them to find all your passwords in the event that you kick it sudenly.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
Lifehacker recently had an article on a service called "death switch" http://www.deathswitch.com/ Basically it e-mails you asking if you are still alive, if you don't respond back, after 3 e-mails, it sends out the assigned message to who you specified. It does cost $20 a year
Condolences for your loss.
Unfortunately many companies do not have good procedures in place to handle the death of a customer, adding frustration to an already unhappy time. However, it is the good ones who do require the death certificate.
You need to be executor in order to settle his affairs. These companies asking for death certificates aren't just doing it for their own security purposes. They are legally required to act only on instruction from your father or someone he has expressly authorised them to recognise as an agent (an executor is a form of agent that everyone is obliged to recognise).
There are many reasons for this. There are related frauds committed against people still alive, and frauds against the deceased. Families squabble a lot over these and related matters so the institutions rightfully want to ensure they deal with the appointed person. Even with the best of intentions, the deceased may have wanted someone specific to settle their affairs and the particular person might not be it.
As regards you personally, record passwords in an encrypted file, Keypass or whatever, and leave your lawyer with instructions and a sealed envelope containing the password to your encrypted file. Alternately use a safety deposit box, the bank is usually the first place anyone goes with the death certificates and they will advise of the box - however they charge an annual fee.
More importantly, arrange your will and set who will be executor while you're at your lawyer.
Will are only public after you are dead.
You missed the point that if you die your accounts are frozen as part of your estate. Joint accounts however remain un changed.
No one is to touch your ebay account even with auctions pending until after the will has been read. That is part of estate law.
i thought once I was found, but it was only a dream.
My thought is somewhat related, I haven't implemented this yet, but it is on my "to-do list".
My main plan is to put instructions in an envelope that is sealed near my will. Making sure that familly/friends know where it is. The instructions would direct the person to send a specific code/password to a specific email address on my hosted server. (could also be a private web form or some such) Once recieved the server would send me an email notifying me of the request, and giving me 4 days to cancel it. If I do not reply within 4 days (adjust to suit whatever length of time you think is the longest you could possibly go without finding a net connection while still being alive and well), it would automatically send the information to the original requestor.
This has the advantages of the sealed envelope where I can detect tampering, but where the information is still easily accessible to those who require it (without them really needing to remember how it all works), but with the added advantage that if I am still alive I can stop the process before any sensitive information is released (in case the original envelope is stolen/otherwise compromised). For added security you could add a list of IPs/email addresses who are authorized to trigger the system (of course that becomes one more thing that you have to remember to keep up to date) and if you are concerned about the security of the server being used, the file being sent back can be encrypted with the decryption information in the original envelope.
Setting up the scheme is relatively simple/straight forward the harder part is keeping all the data it needs to send back updated so that it is useful once recieved.
And for those who say "you won't care, you're dead", you're right in that I won't care then, but I do care now what I am going to put my loved ones through, so I'd rather make things as easy for them as I can, they'll be dealling with enough when I die that I don't want to make things any more difficult than they have to be.