Ask HN: Have you set up a procedure to disclose your passwords in case of death?
After coming back from my home country where the insecurity is a big part of the daily life (armed robbery, kidnapping, murder), I started thinking of what would happen if something happened to me and how would I be able to ease the burden on my love ones to manage my digital assets (cancel subscriptions, keep my digital libraries, etc). So I ask: do you have a procedure in place to grant or transfer access in case of death?
My first idea would be using a password manager for everything, list every device used for 2SA and confine within my will a master password.
260 comments
[ 3.7 ms ] story [ 305 ms ] thread- Setup keypassx with all key accounts/passwords
- Setup 2FA on a phone app such as Google Authenticator. Then make a backup on another phone (you can copy Authenticator app data on another phone easily). Bonus: setup Authy app on a desktop as well.
- Record a video of you showing anything critical
- Write down any details that only you know.
-Put all this in a simple HTML/Markdown page and save on an encrypted disk and/or S3. For backup, save a copy on a flash drive.
- Keep the encryption key and flash drive in a physical locker that only is accessible to your spouse (if any) or anyone else whom you want to. If you are using a physical 2FA device such as Yubikey, then keep a copy in this locker as well.
- Make a Will which explains who/how can access all this if you die suddenly.
The big advantage of a password manager that is consumer friendly (Like 1Password) is that you can store everything in there (documents, passport, notes) and it will be accessible to whoever needs access to it. Not some obscure command line knowledge necessary.
It is also a lot easier than having hundreds of papers / letters in your house. Even if it's not about the security aspect, having everything in one place is a big advantage.
That's not true, there's a "Download" button that downloads the raw file. Just tested that on the latest Beta of v8 on macOS.
My passwords and encryption are to enforce that policy digitally.
So in case of my death or my partners death, we can recover each others passwords.
[^1]: https://support.1password.com/recovery/
Not sure the security mechanics involved that allow for it, but it seemed like a very neat product for this very thing (and I've added requesting access to the death checklist I gave to my wife), since it means I'm not having to provide my password to anyone (or even get it out of my head and enclose it somewhere physical), but my wife can still get access to it in the event of my death (or my being incapacitated for a sufficiently long period of time that she needs it).
When my kids get older they'll move to the top of the access list for the envelope with the location of the secret place and ownership of said place.
And each one of them has the password for one of the two encryption layers ?
This way it won't get lost.
I didn't factor in the technical ability of my relatives. I guess I should.
Not just technical ability, but state of mind etc. Anything needed quickly (not everyone will have such) should be straightforwardly accessible by someone who is both distracted and busy.
Then I found it time consuming and began to just dump home folders and SD cards onto SATA HDDs for back ups
And now I haven't even done back ups since I began to work.
Tagging some USB stuff would be the most straightforward for them, I guess. A bit like a "play me if I don't come back" VHS as seen in movies.
And I would include the letters to unsubscribe to everything, and GDPR requests to delete my data as mentioned by the creator of the thread in
>So I ask: do you have a procedure in place to grant or transfer access in case of death?
Still, there's probably more we could do, and a number of bases left uncovered. For example, we each have a number of monthly subscriptions that are auto-drafted but won't need to continue after death. We should identify those and have cancellation plans.
Plus we both have lots of crap, and possibly some important in various online/cloud storage services. Even with password access, it would be hard for survivors to know what to look at and why.
And then there are the accounts with two-factor auth. What if one of us goes with our phone? Oy!
Any other important password can be reset from those things and discovery of accounts can be done via email and credit card statements.
My odds of dying in the next year are remote enough that I don't feel the need to get the process perfectly laid out when it probably change in the >40+ years I expect to live.
> Give someone you trust access to your vault. When your trusted contact requests Emergency Access, you can decline their request within the specified waiting period. Otherwise, your vault is added to their LastPass account.
requires premium or self-hosting. But it doesn't expire if you stop paying.
I thought LastPass only kept encrypted user data that only the master password can decrypt. Would this process mean they keep an accessible copy?
I suppose the process could be to encrypt my master password with a public key generated by the spouse account (with the private key stored in their encrypted bundle), that LastPass servers can store and provide on delayed request?
However it works, I think LastPass should have a technical section that describes the mechanism in more detail
They also have a technical whitepaper describing a lot of their cryptography including shared folders and recover codes. I found the current version[2] which disables ctrl-f for some reason, and an older version[3] which allows ctrl-f.
[1] https://support.lastpass.com/help/how-is-emergency-access-se...
[2] https://support.lastpass.com/download/lastpass-technical-whi...
[3] https://assets.cdngetgo.com/da/ce/d211c1074dea84e06cad6f2c8b...
You have a key, which encrypts a shared key.
Your spouse has a key, which encrypts the same shared key.
Vault is encrypted with the shared key.
Access is controlled separately. But upon successful share, their existing key can decrypt the shared key which decrypts the vault.
Why would anyone access my Discord account, or my kawaii and punk music playlists on Deezer. This quality content goes with me into the grave.
OK content is unencrypted on my computer, anyway
https://bitwarden.com/help/emergency-access/
My son is the one human who matters the most to me -- there's a letter in there for him, too. I add to it periodically.
This works for now, with our current array of tech. My company offers a free sponsored account with one of those companies that offers after-death account and paperwork services. I intend to look into it, but don’t want anything tied to employment or to a company that’s not as likely to survive as it is for 20 years.
Also, I should mention, all my passwords are in 1Password. That’s a known password too.
For example, depending on how your bank account is setup, it may be legal for your wife to take money from it while you are alive but become illegal after death until probate is complete. The reality is nobody cares because 90% of the time the surviving spouse gets everything anyway, but it's there.
Check your local laws.
Same goes for next of kin’s access to my accounts. Uncharted territory, but those are assets, and I don’t think people should be able to peruse assets of a defunct.
It’d only come up in an adversarial inheritance scenario so make sure you have a bulletproof will.
Sure, my wife could access my accounts, but she'll be lost - which are important? which can be ignored? What do you do once you have access?
Where are all the bank accounts, credit cards, loans, and how are they setup w/autopayments & withdrawls?
Ditto for insurance policies, your random toys and tech stuff. E.g. what should be done with your random websites/URLs - let them expire, archive them, ?
And my social accounts too...
It's not good enough to just go over it together one night, you need clear documentation that can be quickly referenced and followed during a time of immense stress and grief. And then keep those docs updated!
All relationships are different. :)
I don't know all of ours. I know our shared bank account, and that's about it (well, we have a shared password manager, so I could probably figure it out). It doesn't seem useful to have the knowledge, and when she dies, the least of my worries is a missed payment or two.
> how much are on them
I doubt most people on HN carry credit card debt.
(My passphrases will cause a nuclear war if read in open court, fuck around and find out, consent matters.)
I had most of this done already, but about a year ago a friend of mine -- very healthy! younger than me! -- literally dropped dead. It was a bolt from the blue, for sure, and the trouble that followed for his widow was a wake-up call.
For some reason, he and his wife weren't on a "family" plan with Apple, which meant, from Apple's POV, they were just two customers, and lawyer letters and whatnot would be required to get her access to even his pictures on the phone.
Apple NOW has a feature that allows you to nominate a "digital legacy contact" for your Apple data. If you're on iOS, I RECOMMEND IN THE STRONGEST POSSIBLE TERMS THAT YOU CONFIGURE THIS IMMEDIATELY.
https://support.apple.com/en-us/HT208510
As for the rest of my digital life, everything is in a password manager, and my wife understands that the master password for said vault is in the safe.
In general; you don't. If the gov. wants to make you do something, you're going to have to do it. In many western countries, that's only a vague threat, an many others it's a lot more real.
Theoretically, you could have two components to the password: something long and random that is written down, and something easily remembered and personal. A special moment, a place, an anniversary only the two of you would know, etc.
If one has something going on such that state-level actors might want nefarious / adversarial access, well, one should be taking MUCH MORE SERIOUS STEPS about personal digital security.
Your "regular everyday normal mfer" (as the song apparently incessantly looped on Instagram goes) has no such enemies. My personal digital opsec is designed to keep me and mine safe from likely threats, and the threats I face are pretty banal -- brute force attacks, mostly. I am 100% unconcerned about governmental intrusion into my safe to gain access to, e.g., my online banking passwords.
It's not paranoia. That would imply they aren't out to get you. They are. Leave the government out of it for a second. If someone's phone is stolen it's very likely their entire identity, a majority of their secrets, documents like medical ID cards, credit cards, etc have been compromised. This is akin to "getting a warrant to a safe" (which in reality is just court-ordered theft) and it will completely destroy a person. In the context of the discussion if you were able to break into a dead person's phone you could very likely build a complete picture of their life. Perhaps one they weren't interested in you knowing about.
I'd prefer to avoid those situations. First, by not making myself a target, and second by protecting any and all data I have the best I can. I rarely think about it but I know if my phone is stolen, my computers are taken, or I get caught up in a fishing expedition the threat surface is extremely limited (provided the information isn't beaten out of me).
It’s simultaneously true that for your model they’re being naive and for theirs you’re being paranoid. That’s fine.
It was indeed from Jon Lajoie, but not the song you link. It looks like he did a followup track called "Everyday Normal Guy 2" which includes exactly the loop you hear (with "motherfucker" and not "guy" in the refrain) everywhere on social media right now.
https://www.youtube.com/watch?v=GmG4X9PGOXs
As the question is about granting access to accounts after death, it seems an odd worry. The government is also likely to get access to your data from your Google, Facebook, etc. If you have a server in the cloud, they can probably go to your hosting provider to get physical access.
So unless you have data in secret offshore servers in countries that won't cooperate with the US government, then a safe is not your weakest link.
Storing secret to password manager that can be easily accessed by government and state actors negates all the trouble that password managers went through ensuring no one besides you can access it. I believe every good password manager encrypts data in a manner so that the provider itself can't decrypt it if government tries to get access to it.
Government already has access to banking and phone records, most online accounts and data from Apple, MS and Google.
/s
I’m sure others have much better ideas…
A credit report will identify any open credit accounts and those creditors can also be instructed to provide payoff information and close the accounts.
The main thing you will need to handle the death are lots of certified copies of the death certificate. One per account, generally, and copies/digital scans are not accepted.
In the US, for most traditional assets, sure, but not necessarily elsewhere. If you have accounts your spouse/partner/next of kin doesn't know about, then you should list them somewhere and include that list in your end-of-life paperwork.
The main area to record would be asset accounts, valuables held in safe deposit boxes, files, or secret locations holding things like cash, stamps, coins, treasury certificates, partnership agreements, titles, deeds, etc.
When my mother died multiple places *asked for* certified copies, I simply told them she's dead, there will never be another authorized charge, nothing is currently owed so no payments will be made, do what you will with the account.
many creator have had unpublished manuscripts specifically taken care of in a way to preserve their brand legacy
I've also left a thumb drive with a Bitwarden export and printed paper in a safe place for my family, describing how to access everything important.
I trust my family not to abuse that, but if I was less trusting I'd look at Samir's Secret Sharing to ensure family members had to collaborate to retrieve my sensitive info. Or leave the data with a lawyer.
I made sure to pass on my 2FA secrets too.
Besides that, I have a tag called `after-he-dies` with some secure notes in it, including a note that tags every account at a bank or investment account where we have money, so that she won't risk losing 20k or something because she doesn't know where every money account is or whatever.
That tag also includes a note with instructions for how to make sure that the accounts that automated bills pull out of don't run out of money.
I haven't used it (yet) though it's been on my radar for a while