Kelly Shortridge

#cybersecurity zealots often shame humans for writing down their passwords, but as someone who just had to excavate the digital remains of a loved one who died suddenly:

*please* write down your credentials somewhere a trusted human can find them, especially your phone passcode and any primary passwords (like for email accounts, password manager, etc.)

the humans who care about you will need that access for many reasons; a "badass" threat model will only add helplessness to their grief

99 comments
DonatellaInCali

@shortridge

If possible leave them with your lawyer

Kelly Shortridge

@Donatella that, at a minimum, yes. safety deposit boxes can also work.

but I still believe the most compassionate thing is to make them accessible elsewhere, like in one's home. when there's an unforeseen crisis, not everyone may know who the lawyer is and may need immediate access into accounts (eg for bloodwork results from other providers, to cancel appointments and other financial burdens, etc.)

DonatellaInCali

@shortridge

great ideas. Joanie has all my logins but I can't keep track of hers at all lol

Kelly Shortridge

if you want to still be sneaky, hide your critical passwords (and backup MFA codes!) behind a photo frame or in a random book or whatever, but *tell* whomever you trust most where that place is, or at least write it down in the place they're most likely to look if you pass unexpectedly.

ask the same of your loved ones, too.

no one deserves the pain of navigating customer support trees and the other kafkaesque hells of accessing accounts when they're already submerged in grief. loving is leet.

Wendy Nather

@shortridge And it can’t wait until you’re dead. You can become temporarily or permanently disabled and need a delegate to handle things for you.

youtu.be/lU8_S0V_zOQ

Kelly Shortridge

@wendynather precisely. we live in a stochastic reality and must prepare for that, even if it creates some existential dread in the meantime.

that's why I don't recommend just putting it in your will, too; put it somewhere in your residence.

(and like, if someone is breaking in for the purpose of accessing your devices, they can just wait until you're home and break your kneecaps anyway if you haven't written it down. for the vast majority of ppl, it's such a silly threat model)

Kelly Shortridge

@sassdawe @wendynather this does look really useful, thank you for sharing it.

listing out subscriptions is useful for anyone, too. another thing I had to do was scrutinize credit card statements over the past ~12-14 months to enumerate services and subscriptions.

thankfully, this person purchased a lot of subscriptions through the App Store, which made it much easier to cancel.

most of the others had creds stored in their iOS Password Manager, so it was easier than it might have been.

Brett Haines

@shortridge @wendynather I did this for my wife about a year ago and it's a really nice peace of mind thing. In our case it's a laminated page with a few of the most important login creds, plus the login to a password manager for all the rest. It's kept in a lock box with other important docs, hidden in the house.

It's actually come in handy a couple times without any tragedies happening!

Tony Meredith

@shortridge
Yes, it's important practical stuff.
I learnt a lesson from my brother's terminal illness. Our laptop now has a "death" folder, including both subscription details and how the heating system works. Passwords are shared between the two of us; and the family executors know where to look.
@wendynather
@bretthaines

Kelly Shortridge

another key takeaway for me from excavating the digital remains of a loved one who died suddenly:

usable security or bust. in my case, the iOS Password Manager saved the day because it stored their creds by default as they used their devices.

...but they found the 2FA app so confusing that they offloaded it and never saved the password to it.

SMS 2FA may be more insecure, but it confused them less and meant my access to their phone = access to 2FA. Security isn't the only thing that matters.

Laukidh :ablobcool:

@shortridge now that iPhone keychain can also act as a 2FA device I bet that’ll get easier. Not easy.

Dan Neuman

@shortridge Ugh. My tax account uses SMS 2FA. Will have to tell my spouse to hang onto my phone for a while until everything is sorted. She has the password to my password manager. But soon Apple will require touch or Face ID to change some security settings. Can't wait to see how this shakes out.

Kelly Shortridge

@dan613 there was a very real moment when I told the deceased person's spouse that we might have to wait on cremating them to use their thumbprint.

thankfully, we guessed their device passcode correctly (it wasn't written down anywhere).

it's uncomfortable to think about this "use case" when designing or implementing, but sudden incapacitation can happen to anyone so imo should be taken more seriously.

Dan Neuman

@cy @shortridge Not on an iPhone anymore. (It only has Face ID and only 1 face)

Chris

@dan613 @shortridge pretty sure you can have 2 faces, something "alternate appearance", can't check right now.

Dan Neuman

@cy @shortridge Yes, for wearing glasses or a mask. Not sure if there has to be some overlap in the faces or if they can be completely different.

Chris

@dan613 @shortridge anyway, since face/touch is only a convenience option for the phone password, just write up that password and put it somewhere safe next to the others :)

Kevin P. Fleming

@shortridge Went through this a year ago and had similar experiences. If I hadn't been a very knowledgeable tech person I would not have been able to get it done, and that's a bad situation for all those who are not.

mastodon.km6g.us/@kevin/109334

rrb

@shortridge NIST dropped the verbot on writing down passwords. Writing down is a good idea. A better idea is to use a password manager, which would also document all the accounts you have. The password manager also generates high entropy passwords.

You can give your loved one an up-to-date copy. Have it password protected, but then there is only one password to have on paper.

I use Keepass

Chris

@shortridge I would prefer webauthn/passkey with yubikey. You'll need a backup token anyway, so just tell your person how to use it. (actually get them yubikeys for their own accounts, too)

Kelly Shortridge

@cy you are vastly overestimating the usability of yubikeys for non technical people, especially the elderly.

many elderly people no longer even have fingerprints, too

Chris

@shortridge it is "plug into USB, press button when prompted", how is this more complicated than typing a code from an SMS? And you don't need a fingerprint for it

silvio

@cy @shortridge

This is so far from the truth for non-tech savvy people.

For me it's ok if my mum builds passwords from the first letters of long sentences, like I explained to her 10 years ago. She can cope with that. I won't explain new ways of managing pwds to her every 2 years, because that only makes her insecure and then she just takes insecure pwds

the cake is offline

@cy @shortridge bro, I have worked in tech for 30 years and Yubikeys are still largely unusable to me. Because in order to use them you need to A) know where they are, B) have a device with the right port and software, C) have everything configured, and D) have *physical access* to the relevant port, while also seeing the relevant screen.

As a disabled person with severe ADHD, chronic pain, and other health problems, coordinating all those variables for every login is fucking impossible.

Tyler Griffin

@shortridge Also, if you're a geek, setting up a mini "corporation" with a password manager that allows takeovers is also an option. FWIW, the Bitwarden approach seems quite elegant (although thankfully I've never had to use it in a real situation). Definitely not a good approach for a non-techy person, though.

Kelly Shortridge

@tyler the non-techy vs. techy approach is so important.

because if you're a techy person and have an unexpected health crisis or pass, the non-techy people who care about you will struggle to navigate everything, compounding their sense of helplessness.

and, in my case, I deeply regret setting up an important account for them (photo storage) with app 2FA vs. SMS 2FA. It clearly confused them, so they offloaded the app and it means I still don't have access yet (but working on it).

Tyler Griffin

@shortridge This is such a great point. My "if I die" document for my wife has like three full pages just about tech stuff. It's almost a parallel will, which seems ridiculous but given the centrality of tech to our world. . . .

I struggle with the 2FA stuff. For an average person without a crypto wallet or something, SMS is probably just fine and seems more durable. That said, I recently read this horror story (arstechnica.com/tech-policy/20) where the SMS failed.

For immediate family, I've settled on OTPs stored in Vaultwarden, which I know reduces security a bit (since the secret is stored in multiple places), but it's still pretty secure, and more importantly, it's backed up. For non-immediate family, though, I'm with you: SMS is safer.

Earthshine

@tyler @shortridge this is great until the non techy person you leave behind can't figure out how to use or maintain the bitwarden server.

Kevin Mirsky :donor:

@shortridge Yes! And if you're SUPER SUPER paranoid about someone stumbling across the keys, break it up like the Dragon Balls or Coke secret recipe. Give part of the password or some of them to one person, others to another. Just make sure to let them know WHO to work with.

Definitely more risky for your loved ones, so consider that, but at least choose this over not doing it at all.
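
Kevin's "break it up among several people" idea has a formal version: Shamir secret sharing, where any k of n shares reconstruct the secret and fewer than k reveal nothing about it. The block below is an added example, not code from this thread or from any product mentioned in it; the master password is a constructed sample and the choice of a single 521-bit prime field (secrets up to 64 bytes, longer ones would need chunking) is an assumption.

```python
"""Shamir secret sharing over GF(p) for a password-manager master password.

Added example (not from the thread). A random polynomial of degree k-1 is
chosen whose constant term is the secret; each trusted person gets one
point on it. Any k points recover the constant term by Lagrange
interpolation; k-1 or fewer points are consistent with every possible
secret, so a single lost or stolen share leaks nothing.
"""
import secrets

# 2**521 - 1 is the Mersenne prime M521 (assumed field size for this example);
# a secret of up to 64 bytes fits in one field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares such that any k of them recover it.

    Returns a list of (x, y) pairs: x is the share index 1..n and y the
    polynomial value at x. Coefficients come from a CSPRNG.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if len(secret) > 64:
        raise ValueError("secret too long for a single field element")
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Reconstruct the secret from k distinct (x, y) shares.

    Lagrange interpolation at x = 0 gives the constant term. With fewer
    than k shares the result is an unrelated field element, never a
    partial secret.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME          # (0 - xj)
            den = (den * (xi - xj)) % PRIME
        # Modular inverse by Fermat's little theorem, valid because PRIME is prime.
        lagrange = num * pow(den, PRIME - 2, PRIME) % PRIME
        total = (total + yi * lagrange) % PRIME
    # 66 bytes hold any value below 2**521; the high bytes are zero for a real secret.
    return total.to_bytes(66, "big")[-secret_len:]


if __name__ == "__main__":
    # Constructed sample: one master password, three shares, two needed.
    master = b"correct-horse-battery-staple-2024"
    shares = split_secret(master, k=2, n=3)
    print("share for spouse :", shares[0])
    print("share for sibling:", shares[1])
    print("share for lawyer :", shares[2])
    assert recover_secret(shares[:2], len(master)) == master
```

Each recipient should also be told the threshold and who holds the other shares, which is the "let them know WHO to work with" part above.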

Anthony Dardis

@shortridge yes, *tell*. In our case, the person didn't, so whatever was on those machines is gone forever.

Rich Felker

@shortridge The right options really depend on your life circumstances, threat model, who you'll be leaving behind, etc. But regardless everyone should think about this and make a plan that works for their circumstances.

MaineC

@dalias @shortridge that is the one thing where GitHub is ahead compared to many services: there you can leave a 'who should inherit my account should I die' contact behind.

Robert

@shortridge I have a digital assets section in the wills I do for my clients just for this reason.

Tim Ward ⭐🇪🇺🔶 #FBPE

@shortridge It's bad enough getting financial institutions to take any notice of a power of attorney when the person involved is still alive.

Qbitzerre

@shortridge especially critical to include seed phrases in this info for your loved ones.

Earthshine

@shortridge also have a will. Put it on your will. They might forget. Put it in the document

Kevin Beaumont

@shortridge you should also do this in case you have a stroke (pretty common), too

zerbp

@shortridge
I regularly print out my password manager and seal the password in a labeled envelope

Avoid the Hack!

@shortridge first, sorry for your loss.

I’m one of those cybersecurity zealots (?) and this is a use case where I can agree. I think the real trick is putting it in a spot where it's accessible but otherwise safely tucked away.

As morbid as this might sound, everyone should have an “in case of death” folder/safe/lockbox/thing. Even before cybersecurity or smartphones or the internet were things, I’ve heard stories of so many households falling into disarray without one…

Kelly Shortridge

@avoidthehack it's true, an "in case of death / emergencies" file or box is so useful. and usually it's not that difficult to obscure it within a residence.

no one wants to think about their demise or incapacitation, but it's worth preparing the basics our trusted humans might need in that situation... and organizing it in a way that assumes those humans will not be thinking clearly, either.

Avoid the Hack!

@shortridge I agree. I’ve got what my family calls a digital Fort Knox so I should probably get on organizing my own in case (well, when) I bite the dust.

In any case, I hope you’re doing at least ok.

Callisto

@avoidthehack @shortridge Obv it's NOT morbid, and maybe a step toward reframing our inevitable mortality is to call it "UPON death," not "in case of," as though death were something that might or might not happen to us.

Avoid the Hack!

@callisto you’re not wrong. It’s wildly uncomfortable to think about your own mortality… even though it’s inevitable.

hal8999

@shortridge There are some aids to succession or being locked out. Some credit card accounts and utilities will now accept payment without a logon. This can get someone out of a bind quickly, until you can sort out proper credentials.

Also LastPass (...cue the other zealots who decry anything commercial) has an emergency access path that triggers based on waiting time. You can make this short, like 48 hours. Or longer, like 30 days.

Personally, I don't see a problem with writing down passwords. I see a problem when they are displayed, posted in an uncontrolled place, or left in a drawer without any monitoring.

But, I also leave my medicines in the medicine cabinet. So, there's a grey area between most secure and accessible. Everyone lives in the grey.

Thanks for sharing.

Sander Meijer

@shortridge I have seen in my immediate surroundings what a pain that is. Have configured Emergency Access in Bitwarden, so my wife (after 1 day) or my sister (after 7 days) can get access to my full vault in case something happens to me. Not a fun topic to discuss, but peace of mind now. Can only recommend.

St Paul Zamboni Confiscator

@shortridge As someone who hosts a bunch of stuff for my family, I have a document on what they need to know if something terrible happens to me. Armed with that, one of our geek friends should be able to help them recover everything.

Joseph Riparian 🏳️‍⚧️

@shortridge My condolences for the loss of your friend. I am sorry.

cliffle

@shortridge I'm really sorry for your loss and that you're having to do this.

Dennis Faucher :donor: :mastodon:

@shortridge Print mine monthly and place in the fire safe for my wife

Peter Butler

@shortridge I cannot second this advice strongly enough

Write down all your passwords (or at least all the important ones like mail, banking, etc.) and store them in a fireproof container with your will, passport, and other important legal documents

You might not be around to be thanked, but someone will be extremely appreciative

Jan Bosch

@shortridge I had a similar experience. Locked out of accounts after a sudden death.

Jan Bosch

@shortridge would add to consider a living will. "Should X befall me...."

Tim Bray

@shortridge Wise. ⬆️ Have done so. Opened a word-processor document, typed them in, printed it out, killed the doc without saving, put it in sealed envelope, gave to spouse. (That way spouse won't have to struggle with my appalling chicken-scratching.) Don't forget your phone PIN so people can do 2FA as necessary.

Pusher Of Pixels

@timbray @shortridge an example to explain this is logging into a TV streaming service without the primary acct holder's phone. Not easy at all.

Gord Lau

@timbray @shortridge Perhaps along with some basic instructions about how things are linked together, especially for non-technical. For those of us that use our own domains for email (or maintain it for others), the list of infrastructure is longer.

Lord Kusuriya ​:tower:​

@timbray @shortridge Yeah I have something similar, I have credentials and info on how to use my password managers, a backup yubikey, and an informational document printed out that contains how to get into the various bits of my home services infrastructure laminated in a fireproof lockbox in a fireproof safe.
My phone is a weak spot though, the only two people that know the pin are my wife and myself. I may need to put some thought into that.
But like you have a will you should have a digital legacy plan. Someone will have to deal with your shit after you die, and if you're like me all of that shit is in digital lock boxes. Like unless my kids have degrees in forensic accounting they likely won't be able to piece my finances back together without access.

:flan_reaper: - On Hiatus

@kusuriya

Convert SSH keys to QR codes. Printed, and then mailed to trusted individuals to be used to get into everything when I pass.

I should probably take more time to document what they are to be used for, but at least there is a way to get in to everything if that need arises.

@timbray @shortridge

Lord Kusuriya ​:tower:​

@lordbowlich Yeah that's part of why I treat some of my password manager vaults like the most secret of secrets.
between 1Password and KeeAgent for KeePass all my SSH keys are stored in a password vault with MFA.
that's why my password manager doc is so critical in my digital legacy plan.

@timbray @shortridge

m_eiman

@timbray @shortridge I’ve put my 1Password password into my wife’s 1Password

Jason Martens

@timbray @shortridge For Apple people, you can add a legacy contact, no need to share password files. support.apple.com/en-us/102631

Pusher Of Pixels

@shortridge and like data backups, do a test run once in a while. I use a password manager, and I need to remind my non tech spouse to practice with it so they can access things without being even more overwhelmed should catastrophe strike

ballpointcarrot

@shortridge

I have an "in case of emergency" thumb drive with access to the core keys that are needed to access anything else driven through my password management, as well as instructions on how to make use of it.

#cybersecurity

Mark Gardner

@shortridge @timbray I asked my parents to keep a hardbound notebook labeled “PASSWORDS” in a desk drawer containing a few master #passwords that are either direct or serve to unlock a #PasswordManager. I tell them that those should rarely change; otherwise, the book gets filled with sometimes-scribbled-out, sometimes-not entries, and only they know which is correct.

#infosec #cybersecurity

kidskylark

@shortridge Thank you so much for this. Seeing this is such a balm as someone who is currently also enduring this process.

WagesOf

@shortridge any online thing of value should have its access information saved on paper or a usb stick in the same place you put your birth cert, social card and the title to your car/house.

Fire safe, safety deposit box/etc.

Eric Beavers

@shortridge @Meyerweb My wife knows how to access my stuff. Maybe I should expand the circle to a trusted (grown and mature) child.

Bynkii (they/them)

@shortridge did that a while back, and I update it. Literally called “John done got hisself daid”

schrotthaufen

@shortridge I lost my yubikey once. I was the legit owner of the accounts I needed to regain access to, and it was a freaking annoying weeks long back and forth with customer service. I can only imagine how stressful it must be while grieving. On that note: I’m sorry for your loss.

Space Hobo Actual

@shortridge Somewhere we lost the distinction between "writing the password on a post-it on a monitor in a shared office" and "writing the password in a logbook kept in a safe place", and that's tragic.

OddOpinions5

@shortridge

[ US only ]
As someone who had to help his aged parents in their last few years

If possible, become a "joint owner" of all bank accounts
not sure, but joint owner with right of survivorship may be better than joint tenant in common; the former means the money passes to you without need for will or probate

You may need 5 years (!!) of all financial documents - make sure you can get them !!

Make sure that IRS is sending you documents; it is hard to get the Power of Atty filled out

Larry Garfield

@shortridge Another advantage of a password manager: You only need to leave behind one password for them, which unlocks the rest.

Steven Vore 🎩

@shortridge so much this, folks. I went through this when my (all-digital, no bills or statements via the postal service) father passed… and his phone was stolen which made all the 2FA even harder.

Megan B.

@shortridge When my Dad was dying, he gave me the master password to his password manager. I was able to log in and download the information as a plain text file.
It was /so helpful/ that I write (and update) my master password on a card that lives with my will.

DELETED

@shortridge
You are absolutely correct.
Too much sensitive personal information is now only accessible online, especially if, like me, one is handicapped and cannot get to the bank, lawyer, medical professional easily.
👍

Andreas Fischinger

@shortridge hopefully I don’t need it any time soon, but on iOS there is the Legacy contact feature which would give my survivors access to my iOS Data… support.apple.com/en-us/102631

Clive Thompson

@shortridge

Yep, I used to be one of the people who snootily mocked those paper "password journal" books

Then I realized how sensible and practical a local paper home record of one's passwords is

I have one myself

Rachel Rawlings

@clive @shortridge Yep, a small index card with your main desktop/laptop login credentials and the way to log into the password safe thereon is a great thing to keep in a fireproof box for your spouse or children.

Clive Thompson

@LinuxAndYarn @shortridge

100%

requires no api to access

and can't be easily hacked/stolen by someone outside the house

Erik Ableson

@shortridge And it gets even more complicated if you use hardware based keys and it’s lost or destroyed (thinking car accident).

So we have a safety deposit box with the keys to the 1Password account and a backup Yubikey. Plus some instructions on where to find the documentation of the IT infrastructure and online services so that someone versed in these things can help wind stuff down.

Desert Plains

@shortridge

I often think about that. What if something happens to me and people that will take care of things that I left, will only have more trouble? I wonder... Thanks for sharing this 🙏

Marco Ivaldi

@shortridge sorry for your loss. I’ve been there recently and you’re 100% right

Steve Bellovin

@shortridge @briankrebs Yes, with a caveat. I've often endorsed writing down important passwords. (My spouse has a copy of mine; I know where theirs are stored.) But—and for some people, this is significant—if you live with someone untrustworthy, including an intimate (and possibly abusive) partner, it could be a very dangerous thing to do.

Daniel

@shortridge Sorry for your loss and there being even more things to deal with on top! 😔

Lou Plummer :prami:

@shortridge I'm sorry you had to do that. #Apple and #Google have procedures in place to make provisions for this beforehand. My wife and I have done it.

Andrew Benedict-Nelson

@shortridge thank you for raising this issue. I had to deal with this when I became my father’s caregiver through dementia. By this time he was divorced and socially isolated, and even with a ton of his information, there were all sorts of things I couldn’t make heads or tails of.

Chris Real

@shortridge

The only people who need to exercise super-security are journalists who work in conflict zones.

The rest of us are not going to have identity thieves ransacking our homes. They'll do it on the web, from people who sign up for 'special offers' on youtube.

Sarah W

@shortridge
Yes, I can relate to this. When my mum died recently it was a lot easier to sort things out because she'd written down her passwords.

Kensan

@shortridge Sorry to hear you have to deal with this on top of grieving the loss of a loved one 😞 Hope you can take time to start processing at some point. Take care!

Denise G

@shortridge
After my son died unexpectedly at 21 years of age, I found myself unable to access some things of his, which, in some cases I’ve left alone, allowing him his privacy. Some passwords I was able to track down, but others I could not.

sss

@shortridge i think making security less secure just in case is a bad idea which works against the basic idea of security; all or nothing, to put it simply.

i am an evil selfish ass, and all my secrets will die with me, i am completely ok with it, and data intended for others should not be locked in the first place.