I thought this was going to be interesting but it’s a markdown file of information your partner should already have.
The lesson from this markdown file is that if your partner can’t figure this stuff out on their own you need to sort it out yesterday. I doubt that the information being open source or being in markdown format is going to help out your partner whatsoever.
This is valuable in the sense that it accomplishes like 80% of what you need to think about when establishing a doc like this, and the open source nature of it is novel because you can crowd-source updates more effectively than via a comment section.
There's an increasing number of single people and lone-livers.
> if your partner can’t figure this stuff out on their own you need to sort it out yesterday.
I don't know how common it is, but I know there are some couples who just don't think of this kind of stuff, at all, until it's too late.
Mostly I've heard of it through a sudden death - the other person now has to figure out what and how all the things are paid for and handled.
I know of another where one partner got ownership of a small business after a divorce, but had no idea how to handle personal or business taxes/paperwork/etc. Had never done much more than sign their name under tax records, or whatever - and suddenly had to figure out all of that on their own.
That's a little unfair. When you lose someone, a very many things have to happen almost immediately. It can be quite overwhelming. Especially given the stress and trauma of just losing a loved one. Having everything "you should already have" in one place makes a lot of sense. And there's nothing to say that this has to remain only in MD format. A printed copy in the safe would be helpful.
Of course, using your logic, getting is sorted "yesterday" could mean sitting down and having your loved one understand how to access all this data using MD. Even better would be to have them build the data up with you.
The big problem with this that I don't have a good answer to... we've been told to use a password manager and have it secured with a long passphrase... and now we write down the username/passphrase on a piece of paper or somewhere else easily accessible - how to adequately secure that?
Maybe encrypt the passphrase under an m of n scheme and distribute to family & friends that you can trust to not collaborate unless you are truly incapacitated?
I've been (lightly) thinking about this with regard to digital identity.
One of the few use cases that I find very compelling with regard to blockchain/web3 tech is as a means of ID/auth much in the same way that many sites now offer options to log in with FB/Google/etc.
One big obstacle (I imagine, I haven't really looked into this that far) is that of the password reset. Some non-trivial amount of people will forget the passwords to their identity tool, and in this scenario there's no central power with the capability to reset it for them.
The simplest option is to designate trusted friends who you could delegate authority to in order to perform some multi-sig reset, but then there's the issue of a FriendCoup. If you strike it big and turn on or ignore your friends, there's nothing stopping them from getting together and performing a takeover. Even if there are individual objectors, because it's blockchain, everything's public, and these are identity wallet contraptions, everyone knows who the hold out is and can lean on them or find some way to get their password, etc.
Even outside of a FriendCoup scenario, a FedCoup scenario where the government just leans on your buddies to grant them control is pretty plausible.
So I guess the question is, what sort of strategy for this is FriendCoup/FedCoup resistant but still grants the necessary amount of delegated power?
Not entirely relevant to the above, as doing this pen and paper for a password manager is a little harder for outsiders to game given that the holders aren't public, but still a question I've been batting around. Curious about anyone's thoughts/ideas or any existing work in this space.
Edit: After thinking about this for an extra minute, if it's not time sensitive a deadman switch could probably do it. If your friends perform the multi-sig and you haven't logged in in X days, then and only then will the reset occur, so you can void an attempt. That said, falls down on the FedCoup scenario since you'd presumably have restricted access to the internet.
I think blockchain keys could work for identity, but you need another layer for authentication. Perhaps a smart contract could be used to generate and authenticate one time access codes?
I think that blockchain is not the solution here. The fundamental problem is trust: do you or do you not trust n other parties with the information required to take over your digital life, no amount of fancy crypto engineering will get around that.
No amount if crypto will stand up to a Russian mobster with a crowbar and some creativity, like the xkcd https://xkcd.com/538/.
What you need is to develop a threat model and then select an appropriate solution that matches your threat model. If the threat is the KGB might torture me and my buddies, then kill switches are appropriate. Otherwise it’s no solution.
Perfect security doesn’t exist, it’s all about tradeoffs.
That has failure modes, though, especially death on one of the N (might seem unlikely but I just had to help a friend unfuck a family member's finances after he died in a car accident next to the one trusted associate who had all his logins saved in an account locked behind 2FA secured by his iPhone which he didn't leave the unlock code to with anyone). I know there are other schemes where you only need M of N to turn the key, but really...
Leave. Your. Passwords. With. An. Attorney. And also your phone unlock code. A reputable attorney (preferably attached to a big firm) won't lose your stuff, and if they die or go out of practice they will have procedures in place to make sure you are set. This is not a situation where you want some clever DIY scheme that might fail and leave your loved ones scrambling to sort your finances when they are already devastated and mourning.
Better use three attorneys on at least two continents, one of them in the other hemisphere. Otherwise a single medium-size asteroid could easily wipe out all your backups and what then.
Actually LastPass has a solution to this they call Emergency Access. You set up loved ones, heirs, colleagues etc with their own LastPass account, and at any time they can challenge your account. After a given (variable) waiting period, if you do not cancel their challenge, the credentials in your account revert to their account. The credentials are inherited. In the case of your own cheat sheet (I have something similar), you can save the actual cheat sheet as an attachment to a Note saved in LastPass. Every now and then we test it, and it works great.
Leave it in escrow with a lawyer, along with a copy of your will.
If you are super cautious, leave an encrypted copy (or half the passwords etc) with one lawyer/escrow, and have a separate lawyer/escrow hold the decryption key/other half of the passwords etc. Along with easy instructions on how to decrypt!
End of the day, if I die at an old age, my heirs will also be old and possibly not into computers/tech. I prefer a simple approach that requires minimum skill/effort on their part aside from presenting the relevant death certificate/paperwork to the lawyer.
We don't have to outlive you! If the service shuts down while you're alive, we'll send you an email well in advance so you can switch services. That said, the service has been running successfully since 2007.
In the spirit of the OP, and finding an enduring solution... something like the deadmans switch should be implemented in a de facto utility like browser password recovery but extended with a weighted audience tied to the time elapsed. Why not have that same function that keeps up with your authentications notify X audience in Y time - 30 minutes even or 30 years with an emphasis on how perpetual. Reasonably I say we all got a good hundred years to plan for.
What about keeping the passphrase in a safe deposit box in a bank? In the best case, you have a trusted person with whom you can share access to the box. Otherwise your executor or a court could gain access, but at least the info wouldn't disappear.
I’ve got one of these in 1Password that is shared with my wife. It’s a great idea.
When my mom passed away 18 years ago, we looked high and low for every paper and file to help my dad start to become competent with the household finances. It was a big challenge at an already challenging time.
One weird problem I learned of is that you shouldn't store your will in your safety deposit box, because it will be tied up in legal wrangling when it is needed the most.
I think this was more to inspire a rough contents and format, rather than actually proposing GitHub is a good place to store this stuff - print it out and stick it in a safe.
The important thing is that it be easily accessible...printed for example. No, you don't want all your passwords on a piece of paper. But pointers to where the passwords are, how someone can get emergency access to them, as well as locations of other accounts, documents, etc. is what's important.
Somethings like the above. I've added more info such as 2FA etc in a separate sheet and saved all QR Codes for all the 2FA in my Authenticator apps, and printed them and kept two copies of it in two different locations known to family members. Updates are added as additional sheets to the binder as new codes are added and as a practice, one full dump around a 6 months to 8 months is also added.
do you actually need to share bank passwords, or is just the account # enough? then wifey can contact them and tell them im dead. i think i put her as beneficiary on everything
If you're not married or a domestic partner you might want to talk to a lawyer. You don't know what your partner or friend might not be allowed access to depending on your local laws or the business's requirements. But power of attorney will remain with.... your attorney.
A friend of a relative had their house burglarized over a weekend. The burglars took their time and took apart everything, cutting all pictures out of their frames, etc. If a written password existed, they would have found it.
The "give it to an attorney" plan would also worry me, unless I knew exactly who/what/when/where/why/how access was controlled and GUARANTEED (after all, an attorney's system could break down as easily as any other).
You could probably use Shamir Secret Sharing so you'd need to have k out of n parts to recover the information. Downside is that this complicates what is supposed to be simple.
edit: I see other commenters shared this idea too.
Also true. Slightly weird instruction though :D "Here are 5 keys for 5 people, if something happens to me you'll need any 3 of those keys, then the neighbor kid will be able to help you get the password".
My parents had a break-in as well but they collect all kinds of paper notes and irrelevant stuff, magazines etc. Their documents are organized according to some eldritch principle - it's all there but you'll need some time to find it. The burglars gave up and only took a camera.
Ideally this should be stored at a safety deposit box in that case. There are certainly risks with having this information all in one place like you said.
Unfortunately safe deposit boxes aren't available everywhere - newly built banks often don't have them, and some banks that have them no longer accept new customers. --They're expensive to build and maintain, and they're seen as being in a somewhat grey area with regards to KYC laws.
Having a safe at home is an option, but it needs to be mounted properly to prevent a burglar from being able to simply carry it out and try and access later.
At the end of the day, your best bet is to keep instructions on accessing your data (minus the actual code that is needed) somewhere it can easily be found by your family, and make sure that one or more family members have copies of the code but don't know the full details of where to use it without those instructions.
> The burglars took their time and took apart everything, cutting all pictures out of their frames, etc. If a written password existed, they would have found it.
That seems astonishingly thorough, as if it must have been targeted? The burglaries I've heard of locally just grab the most reachable items, especially car keys.
> GUARANTEED
The thing with giving it to an attorney is you would have an contract, and I would expect them to explain very clearly what liability they would have in the event of this kind of mistake. I would also expect them to be good at keeping paper secrets in boxes, that's a very traditional practice.
Just give the attorney a sealed printed list of 10,000 numbered passwords. Someone with the passwords won't know what they are for. Even if they can guess that one of them is for your email account and they know your email account, they'll have to try thousands of passwords before they find the right one.
In your house, and maybe with trusted friends, keep the instructions sheet with logins and a reference to the relevant password number. "To access my email account, username is foo@gmail.com and use password #5122 from the password list".
You could also use a simple one-time-pad here to split the password. Generate two alphabetic passwords, one for your attorney and one for a trusted friend. Actual password is these mixed with alphabetic rotation character-by-character (anyone ought to be able to figure out how to do this given a short guide).
Simple, and provably useless to an adversary unless they have both passwords (aside from knowing password length/format with one).
Cutting paintings from frames allow them to be rolled up and be easily transported (much less obtrusive or easy to spot compared to a picture in a frame). They can then be fenced like other merchandise.
I am lucky to have offspring and friends who know how to drive a keystore so my version of this starts with: "ask one of <x> to unlock the device, or if need be use the backup keystore in technology <z> and here is the passphrase"
And then the rest is the set of URLs which point to the various things, having a key/URL in the keystore, which own the DNS, the VM, the mailboxes, the bank accounts, you-name-it
the keystore also has QR codes to restore the 2FA. It has the unlock for the devices which are live on the 2FA codes, but can recover most of them. The exception is a single bank token which seems to use the secure region on my phone to bootstrap its one-time state, and so you have to re-initialize through the bank.
Since the only account of merit is a joint account, either I'm survived by the person who has access anyway, or we're both gone and legally the account is frozen.
What it also says is "FOR GOODNESS SAKE DO NOT TELL <FAANG> I AM GONE" because they will lock things up: Better to gain access, learn what you need torrid or not, and then let them do it.
I'm banking on the emergency access feature [1] of Bitwarden (available in self-hosted version too [2]).
The "how it works" section has more information [3] but it essentially boils down to trusted individuals requesting access - which can be manually approved by account holder or they are automatically granted access after a pre-defined wait time.
Bitwarden (paid version) also claims this - "If your premium features are cancelled or lapses due to failed payment method, your trusted emergency contacts will still be able to request and obtain access to your Vault. You will, however, not be able to add new or edit existing trusted emergency contacts."
This means that the time delay could be theoretically bypassed by someone other than you (as time delay access is not a cryptographic construction), which means that someone else has access today (likely Bitwarden the company), which means the end-to-end encryption has been circumvented to enable this feature, which means they could be issued a search warrant to yield all of your passwords to law enforcement immediately, prior to your being convicted of a crime.
Self host with Vaultwarden and do not use this feature.
I would assume that only the "trusted individual(s)" - a spouse or whatever - has the "private key" of the vault, so only that person can access it (not Bitwarden, and nothing can be circumvented.)
Can't it be handled e.g by the spouse having "half" the key, bitwarden the other "half", which they only gives out after the timeout. Ok, bitwarden and your "trusted one" can collude to open it before, but they must both be in on it.
If you have a house, which has windows, your locks do not provide security against someone smashing open the window. Key cutting schemes are a bit like this - no key offers security, only one of several access routes.
Having multiple access routes may be desirable and simultaneously a concern - a fireman smashing through your window to save your life is desirable, a burglar slitting your throat after smashing through your window is not.
Encryption is more like a lockbox or a safe room - having a burglar compromise your safe room is undesirable, and going into one during a fire is also undesirable. But you do want to use one in the event of a burglary.
A key cutting scheme may be useful in the case of mutli tenancy, but it is not a reasonable dead man switch - if your data needs to be re-encrypted either the keys themselves must be related (calling into question the security of the keys), or the encrypting party must multi encrypt the data, meaning whomever does the encrypting has full access to all the key data.
If e.g. you are yourself encrypting the data, you must multi encrypt - it would be faster just to share the key yourself, as you already have all the keys. If the third party is encrypting, this means they have side channeled your data such that they can decrypt at any point.
Again, even in the case there are e.g. two mathematically related keys, you cannot then enforce a timeout without first referencing and thus controlling the original key. You MUST distribute your keys yourself to your 3rd parties, or your data cannot be secure.
You could instead construct a key by appending two securely-long passphrases together (which will then go through a KDF in any good encryption software). Give each passphrase half to one person. Recombining them is as simple as typing both of them into the passphrase input in the decryption software.
You can cut a key in half without literally cutting it in half. Like: generate random 256bit number, xor with the key, and hand the random number to one party, and the xor'd value to the other party.
The link to the feature provided here explains how it works. Your Bitwarden client has a master key that opens your vault. This is your own private key. Bitwarden the server doesn't have a copy of it. If you choose to designate a trusted successor in the case of your incapacitation, you send a request to that person. If they accept the request, Bitwarden the client will generate a public/private key pair for them. They keep the private key in their client. Bitwarden the server gets a copy of their public key and sends it to you. Now your Bitwarden client encrypts your private key with their public key and Bitwarden the server gets a copy of that. In the event of your incapacitation, they send a request to get a copy of that encrypted key. After the timeout period, Bitwarden the server will send your encrypted master key to them. Then their copy of Bitwarden the client, which has their private key, can decrypt it, and now they have a copy of your private key as well.
At no point does Bitwarden the server have a copy of anyone's private key. And no splitting of keys is necessary. This is just the normal way asymmetric encryption works.
This, of course, all breaks down if you don't trust Bitwarden the company, since they provide you the client. As far as I understand, US law enforcement doesn't have the legal ability to force a company to modify their own software to make it malicious (as opposed to doing something much simpler like forcing them to turn on IP logging on a VPN server). But if your threat model includes the possibility of US covert intelligence services MITM-ing Bitwarden the company and sending you their own malicious client, then yeah, keep your secrets in a physical vault guarded by people willing to die in a shootout with the FBI before betraying you. Make sure they'll answer to your successor if you die.
Ok then, so one search warrant to Bitwarden to get the encrypted key and your encrypted passwords, and another to the authorized party to get their private key.
It still comprises a break in the end-to-end crypto, and can still bypass the time delay and decrypt your passwords today without your involvement.
This is the paradox. You want trusted parties to have access, only when you are unable to access it yourself, in cases such as your death, or Alzheimer.
But you _don't_ want trusted parties to be able to access this in case you are incapable due to being arrested, or choosing to simply elope.
But the wait time process only bypasses the manual approval step, not the private key step right? So you would still need a private key to initiate the time delay
I used KeePass with google drive sync before, so cant speak to LastPass.
What got me interested is that Bitwarden is open-source and empowers you to self-host, which for me goes a long way for establishing trust. It has a modern interface through desktop, browser extensions and CLI. You can choose to cloud-host your vault on bitwarden servers, for convenience, with a very generous free tier. Which is what i've been doing for years now, no complaints really.
I can't speak for everyone, but I made the switch after there was some drama with LastPass not reporting security problems in a timely manner a while back (https://news.ycombinator.com/item?id=29737973)
I had used LastPass for a few years, and begrudgingly started paying when they went the "desktop or mobile only" option for free accounts - I need both for complicated reasons. The switch made me pretty bitter with them over the whole thing. It was like I was tricked into trusting them to deliver one thing, then they started to charge me for the "privilege", with no tangible improvement to the service they were providing.
Personally, I've had nothing but great things to say about Bitwarden since moving over. The import from one to the other was pretty painless.
I still have to interact with LastPass for certain job-related things, and the difference is really very noticeable. Much easier to generate usernames and passwords in the web extensions on BW. Things are laid out a bit more logically, in my opinion. It also feels like BW signs in/loads significantly faster in the browser extension (I might just be imagining things). It just feels less cumbersome than LP is.
The only negative I can think of is that LP is a bit prettier to look at.
Where? And how to stop your spouse from spying on you? I suppose notification of "Login from new device" would be a tell. But that would also be a shitty situation if you end up in a fight.
The Bitwarden access request seems cool since it has a "quarantine period" where the owner gets notified of the access request and can deny it, if still alive (against a malicious spouse request).
If you're sure you never face the "malicious spouse" scenario, then sure, but how many marriages end up in divorce again?
Perhaps, but I still wouldn't want anyone prying into my private stuff (while I'm alive).
Also, tracking back, what I'd need to store somewhere (hence I asked "Where?" originally) is:
- password to password manager
- password to encrypted laptop
- password to email account (not stored in password manager)
- frequently used PIN codes (mobile screen lock and various apps)
I could store the PIN codes in the password manager to make things a bit easier, but I'd still be storing the two passwords somewhere that can unlock my online identity, plus the laptop password that unlocks some really private stuff. None of these would be acceptable to me to get into the hands of a nefarious spouse, whether or not I could sue for it later.
As to "Where?"... an alternative to the Bitwarden feature could be to store these passwords using some sort of 3/5 multi-sig encryption with friends and family members where they'd have to collude in order to get a hold of my stuff. But I wouldn't want to give them access either, my spouse only. But then again, what if we both die in a plane crash?
Perhaps there's no optimal solution. Maybe the good ol' lawyer would work. Give a lawyer the passwords, along with contacts to hand over the information in an order of precedence, like spouse->brother->mother->friend. If something happens, give first person alive in the list the information in X weeks.
Essentially you grant another BitWarden user as an emergency access user. They can request access, and you have 7 days to decline access. After 7 days it grants them access to your vault.
To add another layer: It could also youself who might need such an 'cheat sheet': My dad suffers from an previously undiagnosed heart problem which escalated pretty badly last year, with a multi month long stay in hospital, coma etc.. He is now back and well, but time in a coma can do bad fuckery to your brain, in part to ones memory... He simply lost some significant parts and now he is pretty good occupied untangling the 'insane security fuckup' (his words) he had constructed around his passwords, bank accounts and investment schemes...
So... keep it simple and be NOT the 'Family patriarch silver back' who is the only one who has full knowledge ;-)
Wow I had not thought about losing my own memory. This is my first step in untangling that mess that I have made whole also reducing dependencies on myself.
A similar situation can arise under duress. On the contrary to what people claim online, in dangerous places you want to cooperate with criminals, not get in between them and your stuff.
Under that type of stress it's very easy to forget passwords which might make criminals believe you're not cooperating. Having some things writen down (probably not all?) has come in handy for me personally.
yeah, long story short, I was unfortunately kidnapped in Caracas 13 years ago. Thankfully everything turned out "fine", a ransom was paid and I was released.
But, in the middle of the ordeal and panic I had to give them access to my car which had a security code to be able to turn the engine on. My family had prepared for this (the reality of the city at the time) so we had the code writen down somewhere in the car. I just gave them the piece of paper to avoid errors or hesitation as I was quite nervous, I didn't want ANY mistakes :/
I think the best place for most of that information is a keepass file stored in an E2E-encrypted cloud (the non-sensitive stuff should be known to more than one person in the household anyway - but if you're single it can be a good idea to leave a printed sheet with contacts for all the electricity,... suppliers somewhere in your flat). The main question is how do you keep the master password both safe and accessible in emergencies?
I see some people here suggested Samir Secret sharing which sounds like a great idea. But how do you make that practical for non-technical relatives?
My dad unexpectedly passed away recently, and there were a lot of problems because we didn't even know his phone unlock PIN (to be fair, he did told us several time, just that none of us bothered to remember). But one of the main problems is that tons of research fund is tied up in my dad account, so it's basically frozen until we can execute his will.
My mom manage my dad tax return so at least we think we know where all his money and debts are.
This event prompted most of my dad co-worker to create something like this cheat-sheet.
I would be surprised if you were legally allowed to go and modify assets before the will is executed.
I know when my partner died that I was not supposed to log in to her accounts and just transfer shit around; banks instead have very well defined processes for working out who is the legally correct person to do that and then empowering them to do so.
Remember, banks and other big companies deal with this all the time. They necessarily must have robust processes for doing it with the existing societal/legal systems of establishing who is the ‘right person’.
It's perfectly legal to do that in my country as long as no benefactors is unhappy. In fact, we are encouraged (by the bank) to do that as the execution of will is painfully slow (at least 6 months).
This is one of the reasons it's good (where possible) to have co-ownership of things like checking accounts. Though my mother is primary owner of her bank account, my sister and I can write checks, move money around as needed without waiting for any permission. My wife had the same arrangement with her father before he died, and it was a life-saver (so to speak).
As far as assets in the estate, the job of the executor is to preserve, as far as possible, the value of the assets at the time of death until they can be disbursed. That means, for example, don't take any intentional action to increase the value of the assets after the date of death, such as moving checking accounts higher yielding to certificates of deposit, etc.
I feel for this kind of stuff, you want to have a local, air gapped computer, maybe a Raspberry that has an encrypted drive. A little computer that is just going to work X years down the line.
Edit: Or alternatively, keep a printed document and copies of all of that in a bank vault. Document lockers cost less than 100EUR per year.
The problem with bank safes is that the moment you die, it's going to be frozen and will only be opened when you have probate. That's why it's not recommended to keep your will in a bank safe.
I think it is super important that you give this information to lawyer who makes your will and no one else. Especially not your spouse. Why? Statistically, 30% of spouses cheat and get deeply enamored in affairs where anything can happen. It's one of the most fascinating facets of human relationship. Most people think it will never happen to them but it is extraordinarily random with no rhyme or reason. There are people who donated their kidney to their spouse and even that didn't prevent affairs. So, when it comes to spouses, you are always tossing a biased coin, every day. In Western world, the chanced that you will be eventually end up divorced is 50%. The smartest and most desirable people, everyone from von Neumann to Brad Pitt, have ended up in affairs and divorces.
The cheating and divorce rate probability density function is much more dense for men in the dimensions of physical appearance and economic stability when they are both average or low.
I have planned something like this when I was mentally down years ago. Basically a dead man switch, where it would send an email to my family if I did not extend it every 3 months. Yeah, I might forget, but I am a neat and good with memory and it didn't happen trigger.
I turned it off after about a year, after I got better and finally see it as meaningless.
Even now, I always think: After all, nothing would matter if I am gone. Why bother with all of that?
For the sake of people you care about. Speaking from recent experience. Loved ones have an easier time grieving if they don't have to tackle banks/government/vendor issues as well. I feel it incumbent on me to maintain my affairs in such a manner that they are less of an issue for people I love, should I unexpectedly kick the bucket.
I am glad that you are doing better. The purpose for this is to reduce stress on my loved ones. Including in something that I might recover from like a coma or potential degradation of cognitive skills.
For me the problem with password managers, etc. is that it assumes that there will be a somehow tech savvy partner or relative left behind with all the knowledge of how to open it.
I prefer a method that can work in case me and my partner pass at the same time (e.g. accident). A paper will work for my partner, parents, siblings or an attorney in case of emergency.
Whenever I think of this problem I figure it would be best to have a key that you split into N parts and give it to N people you trust. That way if you're gone they come together and unlock it. More secure because if any of them is individually compromised, your information is still safe.
That also means higher risk of failure, doesn't it? If just one of the N people isn't able to attend for whatever reason, your stuff is gone for good. If I give the key to my spouse, they can just use it. If I give it to 5 people, chance, one of those is unreachable when I'm gone, is 5 times as high.
That's why there should be another parameter: you should split the key into N parts so that any M <= N can open the lock. You can increase M adding people you don't trust 100%, say to 8, but leave N at your comfortable level, 5. Even if those 3 conspire, they would still be 2 people short of being able to break the lock.
You can do 12:5, give 5 parts to your spouse and spread the remaining 7 among your relatives and friends. There will still be a single point of failure, though, if somebody steals all 5 parts from him/her. You can decide to decrease allocation to only 4 parts so that your spouse would need to cooperate with any of the other trusted parties.
The point is there is enough room for designing a scheme that is both secure and reliable.
Eh, if I have a document somewhere that explains how to access all of my personal accounts and finances, it's a not-very-well-known target for a very targeted attack with limited payoff.
If I'm running a service that manages these documents for thousands, millions of people I know have a well known target appealing to a wide array of actors with nearly unlimited payoff.
On a more serious note though, on a social level, I think «if I'm gone» is much better phrasing than «when I'm gone» if the intention is to be prepared for unforeseen tragic events. Unless one is facing a terminal illness or is past a certain age, using when is too melodramatic, especially when the target audience are close loved ones. It doesn't only imply the inevitability of being gone some day, but also implies the certainty that ones current loved ones will have to face it and must know what to do.
I imagine that the author hopes to live to a ripe old age and probably outlive his "somewhat complex" home setup. In that regard, the if makes more sense, as it is nowhere near certain that anyone will have to deal with his home setup when he is gone.
Thanks. I actually tried to put a lot of thought into the naming of this. For me, "When I'm gone" sounded too much like I was contemplating suicide. Also, I do hope that we will eventually outgrow the mess of passwords and usernames that the web is built on now.
193 comments
[ 4.8 ms ] story [ 230 ms ] threadThe lesson from this markdown file is that if your partner can’t figure this stuff out on their own you need to sort it out yesterday. I doubt that the information being open source or being in markdown format is going to help out your partner whatsoever.
There's an increasing number of single people and lone-livers.
> if your partner can’t figure this stuff out on their own you need to sort it out yesterday.
I don't know how common it is, but I know there are some couples who just don't think of this kind of stuff, at all, until it's too late.
Mostly I've heard of it through a sudden death - the other person now has to figure out what and how all the things are paid for and handled.
I know of another where one partner got ownership of a small business after a divorce, but had no idea how to handle personal or business taxes/paperwork/etc. Had never done much more than sign their name under tax records, or whatever - and suddenly had to figure out all of that on their own.
Of course, using your logic, getting is sorted "yesterday" could mean sitting down and having your loved one understand how to access all this data using MD. Even better would be to have them build the data up with you.
Maybe encrypt the passphrase under an m of n scheme and distribute to family & friends that you can trust to not collaborate unless you are truly incapacitated?
Give a chunk of your password to N friends who you trust, with instructions to recombine it.
One of the few use cases that I find very compelling with regard to blockchain/web3 tech is as a means of ID/auth much in the same way that many sites now offer options to log in with FB/Google/etc.
One big obstacle (I imagine, I haven't really looked into this that far) is that of the password reset. Some non-trivial amount of people will forget the passwords to their identity tool, and in this scenario there's no central power with the capability to reset it for them.
The simplest option is to designate trusted friends who you could delegate authority to in order to perform some multi-sig reset, but then there's the issue of a FriendCoup. If you strike it big and turn on or ignore your friends, there's nothing stopping them from getting together and performing a takeover. Even if there are individual objectors, because it's blockchain, everything's public, and these are identity wallet contraptions, everyone knows who the hold out is and can lean on them or find some way to get their password, etc.
Even outside of a FriendCoup scenario, a FedCoup scenario where the government just leans on your buddies to grant them control is pretty plausible.
So I guess the question is, what sort of strategy for this is FriendCoup/FedCoup resistant but still grants the necessary amount of delegated power?
Not entirely relevant to the above, as doing this pen and paper for a password manager is a little harder for outsiders to game given that the holders aren't public, but still a question I've been batting around. Curious about anyone's thoughts/ideas or any existing work in this space.
Edit: After thinking about this for an extra minute, if it's not time sensitive a deadman switch could probably do it. If your friends perform the multi-sig and you haven't logged in in X days, then and only then will the reset occur, so you can void an attempt. That said, falls down on the FedCoup scenario since you'd presumably have restricted access to the internet.
No amount if crypto will stand up to a Russian mobster with a crowbar and some creativity, like the xkcd https://xkcd.com/538/.
What you need is to develop a threat model and then select an appropriate solution that matches your threat model. If the threat is the KGB might torture me and my buddies, then kill switches are appropriate. Otherwise it’s no solution.
Perfect security doesn’t exist, it’s all about tradeoffs.
Leave. Your. Passwords. With. An. Attorney. And also your phone unlock code. A reputable attorney (preferably attached to a big firm) won't lose your stuff, and if they die or go out of practice they will have procedures in place to make sure you are set. This is not a situation where you want some clever DIY scheme that might fail and leave your loved ones scrambling to sort your finances when they are already devastated and mourning.
That's what OP suggests (Shamir's Secret Sharing).
It is geared for a BIP-39 seed phrase, but those also make excellent master passphrases for almost any other application.
If you are super cautious, leave an encrypted copy (or half the passwords etc) with one lawyer/escrow, and have a separate lawyer/escrow hold the decryption key/other half of the passwords etc. Along with easy instructions on how to decrypt!
End of the day, if I die at an old age, my heirs will also be old and possibly not into computers/tech. I prefer a simple approach that requires minimum skill/effort on their part aside from presenting the relevant death certificate/paperwork to the lawyer.
https://www.deadmansswitch.net/help/
How can I be sure you'll outlive me?
We don't have to outlive you! If the service shuts down while you're alive, we'll send you an email well in advance so you can switch services. That said, the service has been running successfully since 2007.
https://myaccount.google.com/inactive
When my mom passed away 18 years ago, we looked high and low for every paper and file to help my dad start to become competent with the household finances. It was a big challenge at an already challenging time.
keepass database with passwords and secrets, paswword protected archive of 2FA qr codes, on usb drives, in two locations.
Master key and phone pin in the safe at the bank
https://lifehacker.com/organize-your-familys-essential-infor...
and what my family should know incase if something happen to me.
https://ussvicb.org/documents/What%20My%20Family%20Should%20...
Somethings like the above. I've added more info such as 2FA etc in a separate sheet and saved all QR Codes for all the 2FA in my Authenticator apps, and printed them and kept two copies of it in two different locations known to family members. Updates are added as additional sheets to the binder as new codes are added and as a practice, one full dump around a 6 months to 8 months is also added.
You never know what emergency might come in.
I'm always surprised to see the amount of external trash/bloat scripts loaded by some websites. Thank god for uBlock Origin 'Medium Mode'...
[/offtopic]
I would add: Do you have any private investments? Convertible notes or stocks?
Should have a login for AngelList or whatever platform if it’s through one.
Then other assets like bank account, brokerage account, deeds to house and car.
And I agree this is stuff that — if possible — should be shared and discussed in real time.
The "give it to an attorney" plan would also worry me, unless I knew exactly who/what/when/where/why/how access was controlled and GUARANTEED (after all, an attorney's system could break down as easily as any other).
edit: I see other commenters shared this idea too.
Having a safe at home is an option, but it needs to be mounted properly to prevent a burglar from being able to simply carry it out and try and access later.
At the end of the day, your best bet is to keep instructions on accessing your data (minus the actual code that is needed) somewhere it can easily be found by your family, and make sure that one or more family members have copies of the code but don't know the full details of where to use it without those instructions.
That seems astonishingly thorough, as if it must have been targeted? The burglaries I've heard of locally just grab the most reachable items, especially car keys.
> GUARANTEED
The thing with giving it to an attorney is you would have an contract, and I would expect them to explain very clearly what liability they would have in the event of this kind of mistake. I would also expect them to be good at keeping paper secrets in boxes, that's a very traditional practice.
In your house, and maybe with trusted friends, keep the instructions sheet with logins and a reference to the relevant password number. "To access my email account, username is foo@gmail.com and use password #5122 from the password list".
Simple, and provably useless to an adversary unless they have both passwords (aside from knowing password length/format with one).
And then the rest is the set of URLs which point to the various things, having a key/URL in the keystore, which own the DNS, the VM, the mailboxes, the bank accounts, you-name-it
the keystore also has QR codes to restore the 2FA. It has the unlock for the devices which are live on the 2FA codes, but can recover most of them. The exception is a single bank token which seems to use the secure region on my phone to bootstrap its one-time state, and so you have to re-initialize through the bank.
Since the only account of merit is a joint account, either I'm survived by the person who has access anyway, or we're both gone and legally the account is frozen.
What it also says is "FOR GOODNESS SAKE DO NOT TELL <FAANG> I AM GONE" because they will lock things up: Better to gain access, learn what you need torrid or not, and then let them do it.
The "how it works" section has more information [3] but it essentially boils down to trusted individuals requesting access - which can be manually approved by account holder or they are automatically granted access after a pre-defined wait time.
Bitwarden (paid version) also claims this - "If your premium features are cancelled or lapses due to failed payment method, your trusted emergency contacts will still be able to request and obtain access to your Vault. You will, however, not be able to add new or edit existing trusted emergency contacts."
[1] - https://bitwarden.com/help/emergency-access/ [2] - https://github.com/dani-garcia/vaultwarden/wiki/ [3] - https://bitwarden.com/help/emergency-access/#how-it-works
Self host with Vaultwarden and do not use this feature.
I would assume that only the "trusted individual(s)" - a spouse or whatever - has the "private key" of the vault, so only that person can access it (not Bitwarden, and nothing can be circumvented.)
If you have a house, which has windows, your locks do not provide security against someone smashing open the window. Key cutting schemes are a bit like this - no key offers security, only one of several access routes.
Having multiple access routes may be desirable and simultaneously a concern - a fireman smashing through your window to save your life is desirable, a burglar slitting your throat after smashing through your window is not.
Encryption is more like a lockbox or a safe room - having a burglar compromise your safe room is undesirable, and going into one during a fire is also undesirable. But you do want to use one in the event of a burglary.
A key cutting scheme may be useful in the case of mutli tenancy, but it is not a reasonable dead man switch - if your data needs to be re-encrypted either the keys themselves must be related (calling into question the security of the keys), or the encrypting party must multi encrypt the data, meaning whomever does the encrypting has full access to all the key data.
If e.g. you are yourself encrypting the data, you must multi encrypt - it would be faster just to share the key yourself, as you already have all the keys. If the third party is encrypting, this means they have side channeled your data such that they can decrypt at any point.
Again, even in the case there are e.g. two mathematically related keys, you cannot then enforce a timeout without first referencing and thus controlling the original key. You MUST distribute your keys yourself to your 3rd parties, or your data cannot be secure.
No. Cutting a key in half doesn't halve its security, but it reduces it exponentially.
256 bits = 2^256 possibilities for bruteforcing
255 bits = 2^255 possibilities for bruteforcing, or half
128 bits = 2^128 possibilities, or 1/(2^128) the security
2. Half of K is a random 256 bit X
3. Other half is (K xor X), still 256 bit
Having half of key is still 256 bit bruteforcing.
256 bits = 2^256 possibilities for bruteforcing
255 bits = 2^255 possibilities for bruteforcing, or half the security of 256 bits
128 bits = 2^128 possibilities, or 1/(2^128) the security
But you can have encryption schemes requiring N-of-M private keys to decrypt.
At no point does Bitwarden the server have a copy of anyone's private key. And no splitting of keys is necessary. This is just the normal way asymmetric encryption works.
This, of course, all breaks down if you don't trust Bitwarden the company, since they provide you the client. As far as I understand, US law enforcement doesn't have the legal ability to force a company to modify their own software to make it malicious (as opposed to doing something much simpler like forcing them to turn on IP logging on a VPN server). But if your threat model includes the possibility of US covert intelligence services MITM-ing Bitwarden the company and sending you their own malicious client, then yeah, keep your secrets in a physical vault guarded by people willing to die in a shootout with the FBI before betraying you. Make sure they'll answer to your successor if you die.
It still comprises a break in the end-to-end crypto, and can still bypass the time delay and decrypt your passwords today without your involvement.
But you _don't_ want trusted parties to be able to access this in case you are incapable due to being arrested, or choosing to simply elope.
What got me interested is that Bitwarden is open-source and empowers you to self-host, which for me goes a long way for establishing trust. It has a modern interface through desktop, browser extensions and CLI. You can choose to cloud-host your vault on bitwarden servers, for convenience, with a very generous free tier. Which is what i've been doing for years now, no complaints really.
I had used LastPass for a few years, and begrudgingly started paying when they went the "desktop or mobile only" option for free accounts - I need both for complicated reasons. The switch made me pretty bitter with them over the whole thing. It was like I was tricked into trusting them to deliver one thing, then they started to charge me for the "privilege", with no tangible improvement to the service they were providing.
After I saw the thread and started to read up a bit on their past issues (https://en.wikipedia.org/wiki/LastPass#Security_issues), I was motivated enough to make the switch.
Personally, I've had nothing but great things to say about Bitwarden since moving over. The import from one to the other was pretty painless.
I still have to interact with LastPass for certain job-related things, and the difference is really very noticeable. Much easier to generate usernames and passwords in the web extensions on BW. Things are laid out a bit more logically, in my opinion. It also feels like BW signs in/loads significantly faster in the browser extension (I might just be imagining things). It just feels less cumbersome than LP is.
The only negative I can think of is that LP is a bit prettier to look at.
The Bitwarden access request seems cool since it has a "quarantine period" where the owner gets notified of the access request and can deny it, if still alive (against a malicious spouse request).
If you're sure you never face the "malicious spouse" scenario, then sure, but how many marriages end up in divorce again?
I dunno about you, but I kind of got married to them because I trust them.
Also, tracking back, what I'd need to store somewhere (hence I asked "Where?" originally) is:
- password to password manager
- password to encrypted laptop
- password to email account (not stored in password manager)
- frequently used PIN codes (mobile screen lock and various apps)
I could store the PIN codes in the password manager to make things a bit easier, but I'd still be storing the two passwords somewhere that can unlock my online identity, plus the laptop password that unlocks some really private stuff. None of these would be acceptable to me to get into the hands of a nefarious spouse, whether or not I could sue for it later.
As to "Where?"... an alternative to the Bitwarden feature could be to store these passwords using some sort of 3/5 multi-sig encryption with friends and family members where they'd have to collude in order to get a hold of my stuff. But I wouldn't want to give them access either, my spouse only. But then again, what if we both die in a plane crash?
Perhaps there's no optimal solution. Maybe the good ol' lawyer would work. Give a lawyer the passwords, along with contacts to hand over the information in an order of precedence, like spouse->brother->mother->friend. If something happens, give first person alive in the list the information in X weeks.
https://bitwarden.com/help/emergency-access/
Essentially you grant another BitWarden user as an emergency access user. They can request access, and you have 7 days to decline access. After 7 days it grants them access to your vault.
https://bitwarden.com/help/about-organizations/
Which are perfect for sharing access to logins like utilities or insurance.
So... keep it simple and be NOT the 'Family patriarch silver back' who is the only one who has full knowledge ;-)
Under that type of stress it's very easy to forget passwords which might make criminals believe you're not cooperating. Having some things writen down (probably not all?) has come in handy for me personally.
But besides this, yeah, this may also be a valid case for some simple recovery strategy.
But, in the middle of the ordeal and panic I had to give them access to my car which had a security code to be able to turn the engine on. My family had prepared for this (the reality of the city at the time) so we had the code writen down somewhere in the car. I just gave them the piece of paper to avoid errors or hesitation as I was quite nervous, I didn't want ANY mistakes :/
I see some people here suggested Samir Secret sharing which sounds like a great idea. But how do you make that practical for non-technical relatives?
My dad unexpectedly passed away recently, and there were a lot of problems because we didn't even know his phone unlock PIN (to be fair, he did told us several time, just that none of us bothered to remember). But one of the main problems is that tons of research fund is tied up in my dad account, so it's basically frozen until we can execute his will.
My mom manage my dad tax return so at least we think we know where all his money and debts are.
This event prompted most of my dad co-worker to create something like this cheat-sheet.
I know when my partner died that I was not supposed to log in to her accounts and just transfer shit around; banks instead have very well defined processes for working out who is the legally correct person to do that and then empowering them to do so.
Remember, banks and other big companies deal with this all the time. They necessarily must have robust processes for doing it with the existing societal/legal systems of establishing who is the ‘right person’.
As far as assets in the estate, the job of the executor is to preserve, as far as possible, the value of the assets at the time of death until they can be disbursed. That means, for example, don't take any intentional action to increase the value of the assets after the date of death, such as moving checking accounts higher yielding to certificates of deposit, etc.
Edit: Or alternatively, keep a printed document and copies of all of that in a bank vault. Document lockers cost less than 100EUR per year.
1. Update it every year or so, and 2. Everytime you update it you print a copy version and distribute that as needed.
Even now, I always think: After all, nothing would matter if I am gone. Why bother with all of that?
To you, perhaps; but I would guess most everyone else would disagree.
> Why bother with all of that?
It's not for you.
Consider that relationships among your heirs and assigns are not always good, and death and money have a way of making things worse.
I prefer a method that can work in case me and my partner pass at the same time (e.g. accident). A paper will work for my partner, parents, siblings or an attorney in case of emergency.
If I'm running a service that manages these documents for thousands, millions of people I know have a well known target appealing to a wide array of actors with nearly unlimited payoff.
On a more serious note though, on a social level, I think «if I'm gone» is much better phrasing than «when I'm gone» if the intention is to be prepared for unforeseen tragic events. Unless one is facing a terminal illness or is past a certain age, using when is too melodramatic, especially when the target audience are close loved ones. It doesn't only imply the inevitability of being gone some day, but also implies the certainty that ones current loved ones will have to face it and must know what to do.
I imagine that the author hopes to live to a ripe old age and probably outlive his "somewhat complex" home setup. In that regard, the if makes more sense, as it is nowhere near certain that anyone will have to deal with his home setup when he is gone.