Ask HN: Should I put our passwords in our wills?

23 points by ahmednuaman ↗ HN
I'm just thinking about if we died all our documents, financial records, etc... are on our machines and cloud services, but where's a good place to stick our passwords just in case something happened to us and our families needed to access the information?

Eg: http://www.bbc.co.uk/news/technology-26448158

14 comments

[ 2.8 ms ] story [ 46.8 ms ] thread
Safe Deposit box with emergency unlock codes for 1password or Last Pass maybe? That should be pretty straight-forward.

You would need to make clear that they would need your phone as well for MFA codes, so if you have a phone password (you should) make sure to put that in the deposit box or notes section of 1password/LastPass.

Requiring your phone would be problematic, since there are many ways you can die in which your phone could be lost or destroyed: fire, car crash, plane crash, drowning, a violent robbery, etc.
1password has the ability to generate one-time passwords for MFA. It shows up as a type of field in each entry.
I am using the emergency contacts feature in lastpass, this contact can ask for access, lastpass will contact and allow it if you don't respond in a configurable amount of time (i.e 24h, 1 week, etc). I have 2 emergency contacts, one with a long period and my wife with a shorter one. I also use secure notes to include information about important things that only I might be aware.
So does that mean they store your passwords in some other way as opposed to only storing those encrypted with your master password? I’ve only used 1pass, so maybe it’s different, but that seems sketchy that they can just access your data without your master password to decrypt things. Or is this recovery system all handled locally on a machine you own?
https://helpdesk.lastpass.com/emergency-access/

From the documention:

LastPass uses public-private key cryptography with RSA-2048 to allow users to share the key to their vault with trusted parties, without ever passing that information in an unencrypted format to LastPass. When Emergency Access is activated, each user has a pair of cryptographic keys – a public key to allow others to encrypt data for the user, and a private key that allows the user to decrypt the data that others have encrypted for them.

The key used to encrypt and decrypt your vault data is encrypted with the Emergency Access contact’s public key, and can be decrypted only with their corresponding private key. When setting up Emergency Access, you are using the recipient’s public key, encrypting your vault key with that public key, and then LastPass stores that RSA-2048 encrypted data until it’s released after the waiting period you specify. Only the recipient can decrypt the data, so no one else can decrypt it without access to the private key of the recipient you’re sharing it with, which is encrypted with their master password key. This process is completely automated, with no action required by the end user, and ensures that the data is inaccessible by LastPass or outside parties.

Awesome! Thanks for the info.
There was a newspaper column a decade ago urging people to write a "Read This If I am Dead" document describing how to actually find and do all the large and small things that you want done when the contents of your brain are gone. Thinking carefully about that, writing, revising and simplifying it to the point that someone will be able to actually do that when I am gone is probably the best thing I ever did. Google used to be able to find the contents of that column, but it appears gone now. There is a book now "Read This When I am Dead" by Presley and Howard on likely the same subject.
Humberto Cruz, "A family records organizer", in the Boston Globe, 2007 ---- https://archive.is/SjTWI

"In essence, "Read This If I Am Dead" is a living, loving, and constantly evolving little book I write for my family. You can do the same..."

I’m not sure about passwords. But I have left clearly explained how my family should use my private keys for my Bitcoin and Ethereum cold wallets.
"Do not hastily throw any hard drives away."
It would be better if you put a password hint on your will that only your beneficiaries could figure out; do not directly give the password.