Kelly Shortridge

if you want to still be sneaky, hide your critical passwords (and backup MFA codes!) behind a photo frame or in a random book or whatever, but *tell* whomever you trust most where that place is, or at least write it down in the place they're most likely to look if you pass unexpectedly.

ask the same of your loved ones, too.

no one deserves the pain of navigating customer support trees and the other kafkaesque hells of accessing accounts when they're already submerged in grief. loving is leet.

36 comments
Wendy Nather

@shortridge And it can’t wait until you’re dead. You can become temporarily or permanently disabled and need a delegate to handle things for you.

youtu.be/lU8_S0V_zOQ

Kelly Shortridge

@wendynather precisely. we live in a stochastic reality and must prepare for that, even if it creates some existential dread in the meantime.

that's why I don't recommend just putting it in your will, too; put it somewhere in your residence.

(and like, if someone is breaking in for the purpose of accessing your devices, they can just wait until you're home and break your kneecaps anyway if you haven't written it down. for the vast majority of ppl, it's such a silly threat model)

Kelly Shortridge

@sassdawe @wendynather this does look really useful, thank you for sharing it.

listing out subscriptions is useful for anyone, too. another thing I had to do was scrutinize credit card statements over the past ~12-14 months to enumerate services and subscriptions.

thankfully, this person purchased a lot of subscriptions through the App Store, which made it much easier to cancel.

most of the others had creds stored in their iOS Password Manager, so it was easier than it might have been.

Brett Haines

@shortridge @wendynather I did this for my wife about a year ago and it's a really nice peace of mind thing. In our case it's a laminated page with a few of the most important login creds, plus the login to a password manager for all the rest. It's kept in a lock box with other important docs, hidden in the house.

It's actually come in handy a couple times without any tragedies happening!

Tony Meredith

@shortridge
Yes, it's important practical stuff.
I learnt a lesson from my brother's terminal illness. Our laptop now has a "death" folder, including both subscription details and how the heating system works. Passwords are shared between the two of us; and the family executors know where to look.
@wendynather
@bretthaines

Kelly Shortridge

another key takeaway for me from excavating the digital remains of a loved one who died suddenly:

usable security or bust. in my case, the iOS Password Manager saved the day because it stored their creds by default as they used their devices.

...but they found the 2FA app so confusing that they offloaded it and never saved the password to it.

SMS 2FA may be more insecure, but it confused them less and meant my access to their phone = access to 2FA. Security isn't the only thing that matters.

Laukidh :ablobcool:

@shortridge now that iPhone keychain can also act as a 2FA device I bet that’ll get easier. Not easy.

Dan Neuman

@shortridge Ugh. My tax account uses SMS 2FA. Will have to tell my spouse to hang onto my phone for a while until everything is sorted. She has the password to my password manager. But soon Apple will require touch or Face ID to change some security settings. Can't wait to see how this shakes out.

Kelly Shortridge

@dan613 there was a very real moment when I told the deceased person's spouse that we might have to wait on cremating them to use their thumbprint.

thankfully, we guessed their device passcode correctly (it wasn't written down anywhere).

it's uncomfortable to think about this "use case" when designing or implementing, but sudden incapacitation can happen to anyone so imo should be taken more seriously.

Dan Neuman

@cy @shortridge Not on an iPhone anymore. (It only has Face ID and only 1 face)

Chris

@dan613 @shortridge pretty sure you can have 2 faces, something "alternate appearance", can't check right now.

Dan Neuman

@cy @shortridge Yes, for wearing glasses or a mask. Not sure if there has to be some overlap in the faces or if they can be completely different.

Chris

@dan613 @shortridge anyway, since face/touch is only a convenience option for the phone password, just write up that password and put it somewhere safe next to the others :)

Kevin P. Fleming

@shortridge Went through this a year ago and had similar experiences. If I hadn't been a very knowledgeable tech person I would not have been able to get it done, and that's a bad situation for all those who are not.

mastodon.km6g.us/@kevin/109334

rrb

@shortridge NIST dropped the verbot on writing down passwords. Writing down is a good idea. A better idea is to use a password manager, which would also document all the accounts you have. The password manager also generates high entropy passwords.

You can give your loved one an up-to-date copy. Have it password protected, but then there is only one password to have on paper.

I use Keepass

Chris

@shortridge I would prefer webauthn/passkey with yubikey. You'll need a backup token anyway, so just tell your person how to use it. (actually get them yubikeys for their own accounts, too)

Kelly Shortridge

@cy you are vastly overestimating the usability of yubikeys for non technical people, especially the elderly.

many elderly people no longer even have fingerprints, too

Chris

@shortridge it is "plug into USB, press button when prompted", how is this more complicated than typing a code from an SMS? And you don't need fingerprint for it

silvio

@cy @shortridge

This is so far from the truth for non-tech savvy people.

For me it's ok if my mum builds passwords from the first letters of long sentences like I explained to her 10 years ago, she can cope with that, I won't explain new ways of managing pwds to her every 2 years because that only makes her insecure and then she just takes insecure pwds

the cake is offline

@cy @shortridge bro, I have worked in tech for 30 years and Yubikeys are still largely unusable to me. Because in order to use them you need to A) know where they are, B) have a device with the right port and software, C) have everything configured, and D) have *physical access* to the relevant port, while also seeing the relevant screen.

As a disabled person with severe ADHD, chronic pain, and other health problems, coordinating all those variables for every logging is fucking impossible.

Chris

@cakeisnotalie @shortridge
i understand your concern. haven't thought from that angle, thanks for sharing.. however i do think your points get worse for other MFA types, no? maybe backup keys would be sufficient next to the password. or backup webauthn private key in the backup password manager..

still unusable for non-techies. MAYBE one should include a techie-friend into the last-resort recovery plan for your non-techie person

Tyler Griffin

@shortridge Also, if you're a geek, setting up a mini "corporation" with a password manager that allows takeovers is also an option. FWIW, the Bitwarden approach seems quite elegant (although thankfully I've never had to use it in a real situation). Definitely not a good approach for a non-techy person, though.

Kelly Shortridge

@tyler the non-techy vs. techy approach is so important.

because if you're a techy person and have an unexpected health crisis or pass, the non-techy people who care about you will struggle to navigate everything, compounding their sense of helplessness.

and, in my case, I deeply regret setting up an important account for them (photo storage) with app 2FA vs. SMS 2FA. It clearly confused them, so they offloaded the app and it means I still don't have access yet (but working on it).

Tyler Griffin

@shortridge This is such a great point. My "if I die" document for my wife has like three full pages just about tech stuff. It's almost a parallel will, which seems ridiculous but given the centrality of tech to our world. . . .

I struggle with the 2FA stuff. For an average person without a crypto wallet or something, SMS is probably just fine and seems more durable. That said, I recently read this horror story (arstechnica.com/tech-policy/20) where the SMS failed.

For immediate family, I've settled on OTPs stored in Vaultwarden, which I know reduces security a bit (since the secret is stored in multiple places), but it's still pretty secure, and more importantly, it's backed up. For non-immediate family, though, I'm with you: SMS is safer.

Earthshine

@tyler @shortridge this is great until the non techy person you leave behind can't figure out how to use or maintain the bitwarden server.

Kevin Mirsky :donor:

@shortridge Yes! And if you're SUPER SUPER paranoid about someone stumbling across the keys, break it up like the Dragon Balls or Coke secret recipe. Give part of the password or some of them to one person, others to another. Just make sure to let them know WHO to work with.

Definitely more risky for your loved ones, so consider that, but at least choose this over not doing at all.

Anthony Dardis

@shortridge yes, *tell*. In our case, the person didn't, so whatever was on those machines is gone forever.

Rich Felker

@shortridge The right options really depend on your life circumstances, threat model, who you'll be leaving behind, etc. But regardless everyone should think about this and make a plan that works for their circumstances.

MaineC

@dalias @shortridge that is the one thing where GitHub is ahead compared to many services: there you can leave a 'who should inherit my account should I die' contact behind.

Robert

@shortridge I have a digital assets section in the wills I do for my clients just for this reason.

Tim Ward ⭐🇪🇺🔶 #FBPE

@shortridge It's bad enough getting financial institutions to take any notice of a power of attorney when the person involved is still alive.


@shortridge especially critical to include seed phrases in this info for your loved ones.

Earthshine

@shortridge also have a will. Put it on your will. They might forget. Put it in the document

Old One Eye

@shortridge My family has a list of four words, a symbol, and a number. At home I have a small booklet with all my passwords written as (for example) 4ws# indicating all 4 words, followed by the symbol, followed by the number.

If I update my passwords, I write down the new 4 words, new symbol, new number, give it to family (I think my Dad keeps it in a fireproof safe deposit box hidden somewhere in his house), and don't have to update anything in my own password keeping booklet.
