Ask HN: Have you set up a procedure to disclose your passwords in case of death?
340 points by bsjaux628 on Oct 31, 2022 | 253 comments
After coming back from my home country where the insecurity is a big part of the daily life (armed robbery, kidnapping, murder), I started thinking of what would happen if something happened to me and how would I be able to ease the burden on my loved ones to manage my digital assets (cancel subscriptions, keep my digital libraries, etc). So I ask: do you have a procedure in place to grant or transfer access in case of death?

My first idea would be using a password manager for everything, list every device used for 2SA and confine within my will a master password.




No.

Things that really matter (banks, etc.) have well-established next-of-kin processes. You can cause problems if you subvert them, as there are processes to go through to prove who might have claim to the estate and if necessary divide it between multiple parties. Similarly, subscriptions will just bounce once you inform the banks of the death and they freeze further transactions as part of said process. In my experience, your next of kin don't want to be dealing with cancelling a bunch of subscriptions when they're already planning your funeral, informing loved ones, etc. - there's already heaps of shit you have to consider and it's a very stressful, emotional time.

Giving over passwords implies that you expect someone to log in and do something with them, so it's not really important for them to have it for these reasons.

Secondly, I doubt any of my next of kin care about e.g. my Steam library or my Reddit account. As I've gotten older, I've realised that people don't really want to inherit the overwhelming majority of your stuff (they have their own stuff). If you think someone really does want something in particular, you can have that conversation with them specifically, but that's going to be very few and far between.


In the early COVID days, a friend got really sick and then in a coma for 4 weeks, followed by a few weeks where he couldn't talk.

His wife, who also helped with running his business (small shop, 4 employees), tried to get access to the business bank account in order to pay the bills. Cloud services would expire, services shut down, they would lose a lot of clients.

She couldn't pay the bills, because while she was his next of kin, that only works if he dies.

So anyway, having procedures for death is one thing, but don't forget scenarios like being in a coma for a few weeks, or being kidnapped, etc.


This is a hard realization that not many people internalize. Incapacitation can actually be more painful for your loved ones and business associates than your death. Death has a lot of ritual / legal steps in society, but incapacitation requires you to prepare for the scenario. Having some step-by-steps and legal work done will make everyone's life simpler.


This is exactly the sort of nightmare scenario that (in the US, anyway) a durable power of attorney document is supposed to help with!


Except everything these days is moving to SaaS webservices, most of which are moving too fast and breaking too many things to bother with a process for delegated access with or without power-of-attorney (or with having any customer support process at all). This will sort itself out in the coming decades, but for now, you have to manage this on your own.


this was a big issue for me with crypto exchanges last decade. they could not understand the concept of anything besides a single-user personal account. KYC can only be tied to one account.

have a trust? LLC? non-profit? corporation? anything? whoosh, right over their heads

now? the exchanges all have this, pretty easy to onboard a whole hedge fund onto them now. but the crypto tax services, single-user personal account incapable of understanding other tax circumstances. there are ways (like exporting data to more robust software), just wish it was easier already.

but don't get me started on the on-chain stuff...


Not to mention simple 99/1% split co-ownership of an actual corporation, so legal power to act on behalf of the business without the ability to takeover full ownership pre-death.


This comment needs to be pinned. We've had a similar situation where the person in coma took a bunch of loans in secret. We don't know why. We couldn't access any information. The bank doesn't reveal any of the process. We don't know if there is hidden property that we can inherit. We don't know if it was gambling, or charity, or if he was paying for someone's addiction. The whole family had to pool money to save the widow. He died a few weeks later and we have no idea where all the money went 'till this day.


Did this person happen to ever talk about cryptocurrency?


I don't know, why?


Surely you can see where I was going with this?

A lot of people leveraged into cryptocurrencies the past few years. So if money seems to have disappeared, it could be something to look into if this person had ever talked about it. If he/she did, I'd be looking for handwritten twelve word phrases, using the grep/find commands to search electronic records, etc...

Probably not in your case, but just a thought.


Another scenario is recovering from a stroke and realizing you don’t know your master password(s) anymore.


The tricky thing is that if no one from family knows you have $$$ in Bank Foo, this money can just lie there unclaimed forever (until taken by the government after N years).

Even if theoretically those institutions should proactively search for deceased owners' heirs in some jurisdictions, I wouldn't trust this to happen.

At least listing all banks, stocks accounts & insurances you have might be really useful. Just set a yearly reminder to self in calendar to send such an email to your closest family member.


A colleague of mine has some inheritance in a European country; he's been taking trips out there every few years to try and get hold of it; every time he does, the new guy who runs the place needs _some other_ document, some dozens of _other_ documents later, still no money.

This is in part because said country's process requires a document that literally doesn't exist for the home country of either party in this inheritance; they won't give him the money, and they won't take the money, so it just sits there indefinitely.


Sounds like somebody maybe wants a bribe and he's not picking up on that.


Why do you not name the country?


The story is pretty unusual, I don't want to dox anyone by giving specifics.


I made a document of important details like this. Where my various accounts are, what they are etc.


> Even if theoretically those institutions should proactively search for deceased owners' heirs in some jurisdictions, I wouldn't trust this to happen.

It happens all the time.

https://www.cbsnews.com/chicago/news/the-countrys-largest-re...

It took them years to find distant relatives; none knew about the guy or his money. Why didn't the state workers just do nothing and keep the money? Because they actually do their job, that's why.


So make a list. You don't need to disclose the passwords, just make a list.

Also, just keep your mail. Everything important in your life will send you mail.


Not really. There is a legal process for returning/forwarding unclaimed property.

www.Unclaimed.org


There is more than one country in the world I believe, and details and laws differ in each country.


Hey! Fair point but don't be snarky.


In case of my death, I want to make it as easy as possible for my wife to carry on. Having access to our accounts (which I mostly manage) so she can do whatever she needs is a lot more important than the well-established processes you mentioned. Those processes would have gone to her anyway.

If we both die, then our extended family will have to work through the legal system but our will + a lawyer should help out a lot.

Edit: To answer the original question - I documented how my wife could do this before going on a week long motorcycle ride in 2019 :).


OK but those are passwords she should have now, not only when you die.


She does have (access to) them now but she'll likely only ever use or need to use them after I die. It's a lot easier for her to ask me a question than figure out how to log in and find it herself.


This might be a naïve young person take, but consider that we're in very early days of 'people with passwords dying', really. Nobody has grown up with digital assets and died of 'old age'.

I don't want to overstate the value of random digital assets, like you say your Steam library or Reddit account likely has far more (even exclusively) value to you, but many things that do have sentimental value, or might for some, are ever increasingly digital where they historically obviously weren't.

Even just correspondence that might make it easier to sort things out is now predominantly email. (And to my point above, more recently born people more likely to have opted in to 'paperless'.)


And those places, do, in fact have processes regarding deceased and/or power of attorney. [0] This is not something that has sprung up out of nowhere. People die, everyday, which means that these companies have to deal with that fallout, today, not at some strange point out in the distant future.

[0] https://support.google.com/accounts/troubleshooter/6357590?h...


My point is it's happened to a minuscule number of people compared to the (roughly) steady state we'll eventually reach when it's not just the relatively 'techie' older generations & newer ones dying 'before their time'. 'People', as opposed to the companies that you say deal with the fallout everyday, will be a lot more aware of the scenarios and problems it might cause, and what they can or cannot do to ease it.


I don't think Google's preparedness in this area is representative of the average company's preparedness.


Not at all, I do think that in the next decades there will be a push to regulate the transfers of digital assets as inheritance; hell it might force companies to stop with the bs of selling you a license but wording it always as if you owned the product


If you want a simple example of that, think Google Photos. Lots of sentimental value there.

(Google has "Inactive Account Manager" you can set up to hand off / delete data if you don't log in for a long time.)


> Things that really matter (banks, etc.) have well-established next-of-kin processes.

I would say that the exception might be for local/non-cloud things - for instance your phone, laptop, NAS, etc.

If you are the controller/admin of data that might be good for others to have (family photos/videos/etc) - then setting up some process for handing passwords over for that to Next of Kin would be good.

As for services, utilities, etc - having literally just been through this in the past few weeks, it's incredibly frustrating that so many businesses don't have well established and functional processes for dealing with accounts owned by the deceased.

The executor reached out to the services that needed to be terminated with sale of the house, and without fail they all screwed up in some dumb way. Most of them keep insisting on only being able to talk to the deceased person, even when you're the executor of the estate. (And they don't understand that, either).

We ended up having to send registered tracked letters to their formal mailing addresses for several because of how insistent they were on sticking to their "only the account holder can make changes" script. Despite them having copies of the death certificate, extracts from the will, etc.


You should share shared content with them now, not after you die.


They may already have access to it, or some subset of it. You might not share all of it for various reasons, including not wanting to just dump years of photos on them that they have no interest in.

That access might go away though and they might need information about how certain bits of that information are stored, and what they need to do in order to preserve it.


My brother recently passed away unexpectedly and I can say with certainty that the well established processes are not smooth, and in fact I’d say that it’s a 50/50 shot that even when you follow each step to a “T” - have all of the paperwork and talk with everyone you can reach - you’ll receive no help at all. After weeks you’ll simply be told the accounts can’t be made available to you and there is nothing you can do. Trying to navigate these processes while also managing your grief increases the level of difficulty by a magnitude. Apart from that, an unexpected death leaves a hole that your loved ones will try to fill with anything you have left behind; it’s impossible to anticipate what they will want to keep of yours when you’re gone. All I can say is that if you ever have the thought that it would be helpful to write a few things down in case the worst were to happen, do it. It’s hard to fully explain how much easier it will make the grieving process.


>Things that really matter (banks, etc.) have well-established next-of-kin processes.

Banks have next-of-kin processes because they're required to, most companies are not.

With banks, it can take weeks or months to access an account after someone has died. Even when they let you freeze an account, what if that account was also paying for your family’s life insurance or health insurance?

This would be easy if you can just share passwords, but it is illegal to access someone’s bank account or email account after they die without having all the legal docs and following the company’s process. Even if you do everything right, some companies may never give you access. When a girl died of mysterious circumstances, Facebook refused to help her family determine whether her death was suicide or murder: https://www.cnet.com/tech/tech-industry/facebook-fights-for-...

If I ever die of mysterious circumstances…


Some things became a pain in the butt after my mom passed away and her accounts were frozen (like they bounced her income tax payment, and her electricity bill, and hijacking some other utilities was a pain). But we decided not to mess too much with the legal process anyway, because we didn’t feel like we knew enough to intervene (and we did not inherit for months, so we legally had limited standing).


> I doubt any of my next of kin care about e.g. my Steam library

Okay but can I get it then?

On a serious note, I doubt it is something inheritable. I haven't read the terms of use but I am 100% sure you cannot inherit a Steam account, the same way you're not authorized to buy one.

I'm sure it goes the same with 99% of the online services that you may be subscribed to.


There's no need to "inherit" a steam account. If you have the credentials to log in, you can update the payment methods with new ones and just continue to use the account. Everything, including save files that are stored on their servers for supported games, will continue to simply work as long as steam exists. People actually can and do swap accounts and sell credentials all the time. There are third party sites that are made selling steam accounts for money

So far, I've been too young to actually set anything up but with all these things stored in my 1Password and other storage accounts, I need some way to legally hand down credentials to my next of kin


My pet peeve here is that they should be forced to change the "buy" button to a "rent" button or something.

All of this digital assetry we're "buying" isn't actually ours, and that's one of the greatest annoyances of the "digital future" for me.

That said, I couldn't give a shit, nor, I suspect could my wife and kids, whether my Steam library and Google Movies (or whatever) stick around after I expire.


I have 663 Steam games, you bet your sweet bippy that’s going in the will


You will own nothing and be happy.


I believe Steam explicitly states that accounts are non-transferable.


How do they check if people are still alive or not?


Why would they need to, if it's not transferable?


You can just give them your hard drive, why bother with the account?


Subscriptions might not fail--what if they are tied to an account that's retained?


I have.

I had most of this done already, but about a year ago a friend of mine -- very healthy! younger than me! -- literally dropped dead. It was a bolt from the blue, for sure, and the trouble that followed for his widow was a wake-up call.

For some reason, he and his wife weren't on a "family" plan with Apple, which meant, from Apple's POV, they were just two customers, and lawyer letters and whatnot would be required to get her access to even his pictures on the phone.

Apple NOW has a feature that allows you to nominate a "digital legacy contact" for your Apple data. If you're on iOS, I RECOMMEND IN THE STRONGEST POSSIBLE TERMS THAT YOU CONFIGURE THIS IMMEDIATELY.

https://support.apple.com/en-us/HT208510

As for the rest of my digital life, everything is in a password manager, and my wife understands that the master password for said vault is in the safe.


Google has Inactive Account Manager, which is a dead man's switch for your account. Everyone should set that up too. https://support.google.com/accounts/answer/3036546?hl=en


Anecdote: I'm the account manager for most family members. One day my sister was angry with me, removed me as the account manager, and some months later locked herself out of her account after having trashed her phone and forgot her password.


She sounds like a rational actor.


I like that they have this, it means if I ever go missing unexpectedly that there'll be someone who can access my last known location, and access to social media comms to understand why.


I just tried to set that up and got a page that says it’s not available for my account.


You must already be deceased to use this service.


Probably not available for business & education accounts. Maybe not available in all countries?


Same here. In fact, I took it one step further and drafted a document that outlines all the important business contacts I have that she would need to contact in case of my death. To liquidate assets, and/or help with keeping the businesses I have running. Online services, hosting providers, etc.


Man, that's probably the smart way to go.. I just told my wife to take my half-assedly secured computer to one of my tech friends to break into it


That's a good idea.


I've done the same with taking the password manager approach and putting the master password in the safe. I've also placed a "death envelope" in there that outlines who would need to be notified from my employer and other important contacts. We also have "safe opening" class every so often.


This doesn't give the contact access to your keychain. Only messages, files, photos, etc. In order for them to inherit things like cloud passwords you'll need to set that up yourself somehow.


Will your paper in the safe survive in the case of a house fire that kills you?


If it's a fire-rated safe, probably. Good point about paper, though, electronic media likely wouldn't survive. I'm going to update my records--the main stuff goes in a cloud account, but paper in the safe with the credentials.


Now that I read it again, the comment was about storing the master password in a safe, in which case, you could stamp it into a metal plate or some other solid that has a high enough melting point. Steel seems like a good choice of melting temperature, with titanium even better. Or try tungsten, for a much higher melting point.


My neighborhood burned up a couple years ago, and safes were fairly worthless, fire-rated or not. Papers were ash, precious metals were all melted. Many safes had shattered, or were so degraded they could be broken with a kick. Just a warning... I'm sure some safes can withstand intense housefires, but it seems like most claiming so, can't.


How do you protect against government accessing your safe, getting your master password and accessing all your digital files. If I am not mistaken, Fifth Amendment protects one from incriminating themselves by giving up their own password, but in your case they just need to confiscate and open your safe.


I don't.

If one has something going on such that state-level actors might want nefarious / adversarial access, well, one should be taking MUCH MORE SERIOUS STEPS about personal digital security.

Your "regular everyday normal mfer" (as the song apparently incessantly looped on Instagram goes) has no such enemies. My personal digital opsec is designed to keep me and mine safe from likely threats, and the threats I face are pretty banal -- brute force attacks, mostly. I am 100% unconcerned about governmental intrusion into my safe to gain access to, e.g., my online banking passwords.


You do realize state actors include the IRS, the FBI on a fishing expedition for a crime that occurred near your house, being framed for a crime because you look similar, false DNA matches, etc, right? All of these things are non-zero, and significantly above non-zero that everyone and their grandmother should consider it. Unfortunately, pandora's box opened with Snowden. We are all targets. The only difference is what degree of a target you've made yourself. If you work in tech, you're already high on a priority target list somewhere.


By the time the FBI gets a warrant and takes my safe with all my secrets, it's too late. Maybe I'm naive but I don't have time to live my life with your degree of paranoia. Good luck to you in your endeavours to avoid anyone knowing anything about your life.


It's not about preventing people from knowing anything about my life. It's about control and threat surface. You can do these things without thinking after a little practice. I would like to present the version of myself I want the public to know about and have full control over that. Incursions into my privacy violate that idea.

It's not paranoia. That would imply they aren't out to get you. They are. Leave the government out of it for a second. If someone's phone is stolen it's very likely their entire identity, a majority of their secrets, documents like medical ID cards, credit cards, etc have been compromised. This is akin to "getting a warrant to a safe" (which in reality is just court-ordered theft) and it will completely destroy a person. In the context of the discussion if you were able to break into a dead person's phone you could very likely build a complete picture of their life. Perhaps one they weren't interested in you knowing about.

I'd prefer to avoid those situations. First, by not making myself a target, and second by protecting any and all data I have the best I can. I rarely think about it but I know if my phone is stolen, my computers are taken, or I get caught up in a fishing expedition the threat surface is extremely limited (provided the information isn't beaten out of me).


You have chosen to have a different risk tolerance than the person you’re replying to. They explained their threat model, you disagree. That doesn’t make you right or them wrong.

It’s simultaneously true that for your model they’re being naive and for theirs you’re being paranoid. That’s fine.


Well said, good sir!


Oh, for fuck's sake.


I'm pretty sure that song is a blatant ripoff of "Regular Everyday Normal Guy" which predates it by about a decade. https://www.youtube.com/watch?v=5PsnxDQvQpw


I googled the lyric when posted because I only have it from the contextless world of Instagram reels, and I have a fetish for accuracy.

It was indeed from Jon Lajoie, but not the song you link. It looks like he did a followup track called "Everyday Normal Guy 2" which includes exactly the loop you hear (with "motherfucker" and not "guy" in the refrain) everywhere on social media right now.

https://www.youtube.com/watch?v=GmG4X9PGOXs


TIL, thanks! Takes me back


If they get a warrant from a court, they can open the safe.

As the question is about granting access to accounts after death, it seems an odd worry. The government is also likely to get access to your data from your Google, Facebook, etc. If you have a server in the cloud, they can probably go to your hosting provider to get physical access.

So unless you have data in secret offshore servers in countries that won't cooperate with the US government, then a safe is not your weakest link.


My question was about having the secret to your password manager in a safe, which I think is still on-point with the topic for "Have you set up a procedure to disclose your passwords in case of death?".

Storing secret to password manager that can be easily accessed by government and state actors negates all the trouble that password managers went through ensuring no one besides you can access it. I believe every good password manager encrypts data in a manner so that the provider itself can't decrypt it if government tries to get access to it.


I think for 99%+ of people that’s not much of a concern, but if it is for you, what’d be wrong with burying it under a rock in the yard, or any of the 100+ sneaky ways one could secret an envelope somewhere for safe keeping (there is a slip of paper in the copy of Moby Dick at Bob’s house in the library, and if it’s not there, there is backup one at uncle Jim’s in the NE ceiling tile of the ground floor guest bathroom).

I’m sure others have much better ideas…


I think your statement about it not being a concern for 99% of people is true at any given snapshot of time, but not true across the lifetime of those 99% of people. Case in point: Harvard student gets denied entry because of his friends' social media posts which were discovered upon searching his phone [https://techcrunch.com/2019/09/02/denied-entry-united-states...]. If you were to ask him, he would say he is part of 99% and has nothing to hide or be concerned about, and is probably true for most of his life, besides that period where his friend posted something on whatsapp and his phone was searched.


> How do you protect against government

In general; you don't. If the gov. wants to make you do something, you're going to have to do it. In many western countries, that's only a vague threat, in many others it's a lot more real.

Theoretically, you could have two components to the password: something long and random that is written down, and something easily remembered and personal. A special moment, a place, an anniversary only the two of you would know, etc.


What benefit does the long random part provide?


It prevents it being guessed. The memorable part protects against someone finding the written down/recorded random portion and using it since they don't have the remembered part, but the remembered part on its own is somewhat vulnerable to guess work.


Bruteforce protection.


I prefer to think of the NSA as my cloud backup provider of last resort, paid for by my (overly abundant) tax dollars and responsive to a FOIA request ;)

/s


If the feds want your data and are willing to confiscate your safe to get it, they can probably get your data without confiscating your safe.


Don’t keep anything behind that password that the government doesn’t already have access to!

Government already has access to banking and phone records, most online accounts and data from Apple, MS and Google.



Wow this was quite possibly the most helpful Hacker News comment to date.


I have the appropriate tarsnap key printed out and stored in a physical location known to my loved ones.

They're not particularly keen on the idea of having to type in two pages of private key but as I point out, it's both (a) a good opportunity to learn about OCR and (b) not my problem.


OCR doesn't help when you have to find the wrong character in two pages of random stuff. QR codes are your friend.


That's why the Tarsnap key file format includes a checksum on each line, so tarsnap can tell you which line to look for the OCR (or typing) error on.

When I was writing this code I wasn't sure if it would ever matter but figured "hey, why not..." -- but I've probably had a dozen emails since then from users thanking me for including those.


Oh nice, I didn't realize it was a custom format.


It's base64, but with added checksums, yeah. There's very little that I use off-the-shelf in Tarsnap -- generally speaking I take existing standards and then make tweaks as needed to optimize for Tarsnap's use case. (Sometimes, as with scrypt, I decide that existing standards simply aren't any good and develop my own from the ground up.)
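The idea discussed in this sub-thread (a printed base64 key where each line carries its own checksum, so a typing or OCR error can be pinned to one line), sketched as an added example. This is not Tarsnap's code and does not reproduce its key file format; the line layout, checksum length, and `END` trailer are assumptions made for illustration.

```python
import base64
import binascii
import hashlib

BYTES_PER_LINE = 36  # multiple of 3, so base64 padding only appears on the last line
CHECK_LEN = 6        # hex digits of truncated SHA-256 kept per line (assumed size)


def line_check(number: int, payload: str) -> str:
    # Bind the checksum to the line number so swapped or repeated lines fail too.
    data = f"{number}:{payload}".encode("ascii")
    return hashlib.sha256(data).hexdigest()[:CHECK_LEN]


def encode_key(key: bytes) -> list:
    """Turn key bytes into printable lines: '<nnn> <base64> <check>' plus a trailer."""
    lines = []
    for number, offset in enumerate(range(0, len(key), BYTES_PER_LINE), start=1):
        chunk = key[offset:offset + BYTES_PER_LINE]
        payload = base64.b64encode(chunk).decode("ascii")
        lines.append(f"{number:03d} {payload} {line_check(number, payload)}")
    # Trailer: line count and a whole-key digest. Per-line checksums cannot
    # notice that the last page of the printout was never typed in.
    lines.append(f"END {len(lines):03d} {hashlib.sha256(key).hexdigest()[:16]}")
    return lines


def decode_key(lines):
    """Return (key, problems). key is None when anything needs re-checking."""
    if not lines or not lines[-1].startswith("END "):
        return None, ["trailer missing: the end of the printout was not entered"]
    trailer = lines[-1].split()
    body = lines[:-1]
    problems = []
    chunks = []
    for position, raw in enumerate(body, start=1):
        fields = raw.split()
        if len(fields) != 3:
            problems.append(f"line {position}: expected 3 fields, got {len(fields)}")
            continue
        number, payload, check = fields
        if number != f"{position:03d}":
            problems.append(f"line {position}: numbered {number}, line skipped or out of order")
            continue
        if line_check(position, payload) != check.lower():
            problems.append(f"line {position}: checksum mismatch, re-check this line")
            continue
        try:
            chunks.append(base64.b64decode(payload, validate=True))
        except (binascii.Error, ValueError):
            problems.append(f"line {position}: not valid base64")
    if len(trailer) != 3 or trailer[1] != f"{len(body):03d}":
        problems.append("line count does not match trailer: a line was dropped or added")
    if problems:
        return None, problems
    key = b"".join(chunks)
    if hashlib.sha256(key).hexdigest()[:16] != trailer[2].lower():
        return None, ["whole-key digest mismatch"]
    return key, []


def constructed_key(length: int = 100) -> bytes:
    # Constructed sample key material (deterministic, not a real key).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"constructed-sample-%d" % counter).digest()
        counter += 1
    return out[:length]


def corrupt_first_char(line: str) -> str:
    # Simulate a single OCR or typing error in the payload field of one line.
    number, payload, check = line.split()
    swapped = ("B" if payload[0] == "A" else "A") + payload[1:]
    return f"{number} {swapped} {check}"


if __name__ == "__main__":
    printed = encode_key(constructed_key())
    print("\n".join(printed))
    retyped = list(printed)
    retyped[1] = corrupt_first_char(retyped[1])
    print(decode_key(retyped)[1])
```
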


I came to say the same. I’ve had long encryptions keys printed out as QR codes and it works surprisingly well. You can still have the text of the key, but the QR code makes it a much easier process.

Especially in a situation where you won’t be around to help troubleshoot.


And whoever does help has the keys to the kingdom


We’re talking about keys and accounts where the credentials (print outs) are stored securely. In my case, it was a safe deposit box.

You’d have to expect that whomever is helping to manage that kind of transition is trustworthy. Or at least that the people left behind trust them.


You can literally copy and paste text out of an image on iOS these days. Your next of kin will be fine.


I'd be worried any secrets that had been printed would be persisted on the internal printer storage, eg. https://www.bitraser.com/article/innocuous-printer-can-leak-...


Then go "Office Space" on it - Damn it feels good to be a gangsta!


That made me think of MC Frontalot's "Secrets From the Future" https://www.youtube.com/watch?v=FUPstXCqyus

"by 2025 a children's Speak-and-Spell could crack it"


Two pages is overkill for symmetric encryption.


The most important asset I have is my bank account. In case of death, wife can take over (the only thing needed from wife is to prove she's my wife... so pretty much her ID card and marriage papers). That's it. Subscriptions? GitHub account with private side projects? Digital libraries? HN account? Email? All of that is not that important. If my wife has access to my bank account she can either transfer all of it to hers and effectively cancelling all my subscriptions or reject individual subscriptions manually.


I agree, but also make sure your life insurance is setup properly along with retirement/brokerage/crypto accounts.

I would also suggest things like your primary Google and/or Apple account to make sure she ends up with access to photo libraries and the like.

After that, most things are less important.


A note on photos: If you use Google Photos you can have photos with a specific person automatically added to a shared album. So my wife can always see every photo I take of her or our daughter. I just did it for day to day convenience but it'll also come in handy if I pass since she'll have all the most important photos already.

Though after seeing this thread I went ahead and just gave her access to my photos once I go inactive using this service: https://support.google.com/accounts/answer/3036546?hl=en


Yep, 95% of anyone's needs in this regard can be taken care of by a spouse or relative, possibly with the aid of a death certificate. I highly doubt anyone would be interested in taking over most of my digital files.


What if you have children? In Turkey the bank account can be taken over only by legal inheritors, and all of them should be present together physically at the same time in the bank with a document, most of the time obtained from notary, called inheritance document (plus a document that shows that there is no debt). Inheritors in a normal family are spouse and children. The inheritance ratios for children and spouse are different. Spouse gets most of the inheritance.


There is the situation where you and your spouse both die in an accident. Depending on whether you have kids you might want a Plan B as well.


Having a will is the correct Plan B.

It needs to be Plan A, as well. But a shortcut to get access to your accounts without having to go through a will and lawyer will be appreciated by your wife if only you die.


Yes, I have set this up to give my wife access after 14 days: https://www.lastpass.com/features/emergency-access The long delay is simply for security purposes so there's not instant access for someone who hacks _her_ accounts.

> Give someone you trust access to your vault. When your trusted contact requests Emergency Access, you can decline their request within the specified waiting period. Otherwise, your vault is added to their LastPass account.


Are there any technical details of how this works on the backend?

I thought LastPass only kept encrypted user data that only the master password can decrypt. Would this process mean they keep an accessible copy?

I suppose the process could be to encrypt my master password with a public key generated by the spouse account (with the private key stored in their encrypted bundle), that LastPass servers can store and provide on delayed request?


I would imagine it involves something like encrypting your master password (or more likely some other encryption key that won't change) with their master password as if it were anything else they had stored in their account. The difference is that it's blocked by the time delay.


I think something like that might be how it's done. I don't think they could use the master password directly (at least I hope not, wouldn't that mean transmission of a master password from the client?), though I suppose they might have a mechanism of generating a consistent key pair just from the master password.

However it works, I think LastPass should have a technical section that describes the mechanism in more detail


LastPass describes how it works at [1].

They also have a technical whitepaper describing a lot of their cryptography including shared folders and recover codes. I found the current version[2] which disables ctrl-f for some reason, and an older version[3] which allows ctrl-f.

[1] https://support.lastpass.com/help/how-is-emergency-access-se...

[2] https://support.lastpass.com/download/lastpass-technical-whi...

[3] https://assets.cdngetgo.com/da/ce/d211c1074dea84e06cad6f2c8b...


I believe, when you set this up, they re-encrypt your data with the other user's keys so it's never accessible by Lastpass.


I think the problem with that would be the copy would go stale fairly quickly, right? I suppose the process could make it so the data set is encrypted with all associated keys every time it's uploaded from the client


Shared key.

You have a key, which encrypts a shared key.

Your spouse has a key, which encrypts the same shared key.

Vault is encrypted with the shared key.

Access is controlled separately. But upon successful share, their existing key can decrypt the shared key which decrypts the vault.
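An added illustration of the wrapped shared-key scheme sketched in the comments above, combined with the 14-day waiting period mentioned earlier; it is not LastPass's code or its documented design. It needs the third-party `cryptography` package, and the `Server` class, the function names and the sample entries are constructed for this example.

```python
import hashlib
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def seal(key, plaintext):
    """AES-256-GCM with a fresh random nonce prepended to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def unseal(key, blob):
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)


def password_key(password, salt):
    # Derived on the client from the master password; never sent to the server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class Server:
    """What the service holds: ciphertext, wrapped keys and the access gate."""

    def __init__(self, wait_seconds):
        self.wait = wait_seconds
        self.vault = None                 # entries sealed under the shared key
        self.wrapped_for_owner = None     # shared key sealed under owner's key
        self.wrapped_for_contact = None   # shared key sealed to contact's public key
        self.requested_at = None

    def request_access(self, now):
        self.requested_at = now           # a real service would notify the owner here

    def decline(self):
        self.requested_at = None

    def release_to_contact(self, now):
        if self.requested_at is None or now - self.requested_at < self.wait:
            raise PermissionError("request declined or waiting period not over")
        return self.wrapped_for_contact, self.vault


def owner_setup(server, master_password, contact_public_key, entries):
    salt = os.urandom(16)
    shared_key = os.urandom(32)
    server.vault = seal(shared_key, entries)
    server.wrapped_for_owner = salt + seal(password_key(master_password, salt), shared_key)
    server.wrapped_for_contact = contact_public_key.encrypt(shared_key, OAEP)


def owner_update(server, master_password, entries):
    blob = server.wrapped_for_owner
    shared_key = unseal(password_key(master_password, blob[:16]), blob[16:])
    # Only the vault is re-sealed; both wrapped copies of the key stay valid,
    # so the contact's copy does not go stale when entries change.
    server.vault = seal(shared_key, entries)


def contact_open(contact_private_key, wrapped_key, vault):
    return unseal(contact_private_key.decrypt(wrapped_key, OAEP), vault)


def demo():
    day = 86400
    contact_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    server = Server(wait_seconds=14 * day)
    owner_setup(server, "constructed owner passphrase",
                contact_key.public_key(), b"bank login: v1")
    owner_update(server, "constructed owner passphrase", b"bank login: v2")

    results = {}
    server.request_access(now=0)
    try:
        server.release_to_contact(now=13 * day)
    except PermissionError:
        results["early"] = "refused"
    server.decline()                      # owner is alive and says no
    try:
        server.release_to_contact(now=15 * day)
    except PermissionError:
        results["declined"] = "refused"
    server.request_access(now=20 * day)   # second request goes unanswered
    wrapped_key, vault = server.release_to_contact(now=34 * day)
    results["opened"] = contact_open(contact_key, wrapped_key, vault)
    return results


if __name__ == "__main__":
    print(demo())
```

The waiting period here is enforced only by the server's policy, not by cryptography: the contact's wrapped key exists from the day sharing is set up.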


The real last pass!


Bitwarden has this feature too.


Where?


https://bitwarden.com/help/emergency-access/

requires premium or self-hosting. But it doesn't expire if you stop paying.


Bitwarden has an emergency contact feature if you have a premium membership. My wife and our lawyer have emergency access. They can request it anytime. If I approve they have access right away or if I reject it is denied. If I cannot or do not take action access is granted after five days. It's well thought out and a nice feature for $10/year https://bitwarden.com/help/emergency-access/


One thing to consider, is that even if you have 2FA keys and full access to an account and can do things with it, you may be illegally doing such after the account-holder's death.

For example, depending on how your bank account is set up, it may be legal for your wife to take money from it while you are alive but become illegal after death until probate is complete. The reality is nobody cares because 90% of the time the surviving spouse gets everything anyway, but it's there.

Check your local laws.


This. I have set up automatic wire so my employees receive one or two months automatically, but the truth is, it’s probably illegal for them to receive that money.

Same goes for next of kin’s access to my accounts. Uncharted territory, but those are assets, and I don’t think people should be able to peruse assets of a defunct.


If you care you could discuss it with a business/estate lawyer and set up some sort of a trust - but the complications may be not worth it.

It’d only come up in an adversarial inheritance scenario so make sure you have a bulletproof will.


More importantly, do you have instructions and descriptions of everything?

Sure, my wife could access my accounts, but she'll be lost - which are important? which can be ignored? What do you do once you have access?

Where are all the bank accounts, credit cards, loans, and how are they set up w/autopayments & withdrawals?

Ditto for insurance policies, your random toys and tech stuff. E.g. what should be done with your random websites/URLs - let them expire, archive them, ?

And my social accounts too...

It's not good enough to just go over it together one night, you need clear documentation that can be quickly referenced and followed during a time of immense stress and grief. And then keep those docs updated!


It seems a little weird that your wife is so removed from the financial side of your setup. Does she really not know where your credit accounts are and how much are on them?


Not the OP, but for my prior relationship my ex wanted to be divested of that knowledge. I tried early on to keep them abreast of what was going on, but they were "not a numbers person," and whenever I tried to explain our complicated financial structures and how assets were liquidated and passed through various accounts to accomplish large projects their eyes glazed over. So, they trusted me to keep us solvent, and I made just about any request of theirs happen (which sometimes required a lot of juggling).

All relationships are different. :)


My partner is the same. I have a document that says "here is the name of our accountant. I recommend you do X for now".


Yup, my wife doesn't want to deal with such things. Total assets, yes, but the details of managing them are entirely my job. She doesn't want to deal with it and I don't want her to have online access because she would be way too easy to phish.


> where your credit accounts are

I don't know all of ours. I know our shared bank account, and that's about it (well, we have a shared password manager, so I could probably figure it out). It doesn't seem useful to have the knowledge, and when she dies, the least of my worries is a missed payment or two.

> how much are on them

I doubt most people on HN carry credit card debt.


It's not really necessary (though it might be helpful). For important accounts (financial, mostly) there will be a policy and process for granting access to the estate upon presentation of acceptable proof of death.

A credit report will identify any open credit accounts and those creditors can also be instructed to provide payoff information and close the accounts.

The main thing you will need to handle the death are lots of certified copies of the death certificate. One per account, generally, and copies/digital scans are not accepted.


Who cares about the debt? Trust me. The debtors will find your estate and if they don’t, you're dead anyway.

The main area to record would be asset accounts, valuables held in safe deposit boxes, files, or secret locations holding things like cash, stamps, coins, treasury certificates, partnership agreements, titles, deeds, etc.


Well, if the estate has any assets, the creditors legally have a claim. Just makes things smoother and quicker to identify all of them up front.


You don't need certified death certificates for creditors and the like, only for assets you want to claim.

When my mother died multiple places *asked for* certified copies, I simply told them she's dead, there will never be another authorized charge, nothing is currently owed so no payments will be made, do what you will with the account.


> A credit report will identify any open credit accounts

In the US, for most traditional assets, sure, but not necessarily elsewhere. If you have accounts your spouse/partner/next of kin doesn't know about, then you should list them somewhere and include that list in your end-of-life paperwork.


Yes. I have set up a minimal server that performs two daily checks of the modification date of an empty text file. If the last modification date is behind by a week, my loved ones get an email announcing another mail that will be sent a week later. This email includes descriptions to my KeePass containers and where to access them. In addition to a goodbye message for my close ones.

The one week buffer has saved my butt a couple of times already. And the callback is really simple. I created a Tasker task that touches the file in the morning once I unlocked my phone. So there is really not much work involved.
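An added sketch of the two-stage check described in the comment above, not the commenter's actual script: a stale heartbeat file first triggers a notice, and the real message goes out a week later unless the file is touched again in between. The file names, the state file and the `send` callback are assumptions of this example; delivering the mail is left to the caller.

```python
"""Two-stage dead man's switch check, intended to run from cron twice a day."""
import json
import os
import tempfile
import time
from pathlib import Path

DAY = 24 * 3600
SILENCE_BEFORE_NOTICE = 7 * DAY   # how stale the heartbeat may get before the notice
NOTICE_BEFORE_RELEASE = 7 * DAY   # grace period between the notice and the real mail


def load_state(state_path):
    try:
        return json.loads(Path(state_path).read_text())
    except FileNotFoundError:
        return {"notice_sent_at": None, "released": False}


def save_state(state_path, state):
    # Write then rename, so a crash mid-write cannot leave a truncated state file.
    tmp = Path(f"{state_path}.tmp")
    tmp.write_text(json.dumps(state))
    os.replace(tmp, state_path)


def check(heartbeat_path, state_path, send, now=None):
    """Run one check; `send(kind)` must deliver the 'notice' or 'release' mail.

    Returns 'ok', 'notice', 'waiting', 'release' or 'done'.
    """
    now = time.time() if now is None else now
    state = load_state(state_path)
    if state["released"]:
        return "done"                     # the final message is never sent twice

    try:
        last_seen = os.stat(heartbeat_path).st_mtime
    except FileNotFoundError:
        # A missing file means a broken setup, not a missing owner: stop loudly.
        raise RuntimeError(f"heartbeat file missing: {heartbeat_path}") from None

    if now - last_seen < SILENCE_BEFORE_NOTICE:
        if state["notice_sent_at"] is not None:
            state["notice_sent_at"] = None    # owner is back: cancel the countdown
            save_state(state_path, state)
        return "ok"

    if state["notice_sent_at"] is None:
        send("notice")
        state["notice_sent_at"] = now
        save_state(state_path, state)
        return "notice"

    if now - state["notice_sent_at"] < NOTICE_BEFORE_RELEASE:
        return "waiting"

    send("release")
    state["released"] = True
    save_state(state_path, state)
    return "release"


def simulate():
    """Constructed timeline: silence, a late check-in, then silence for good."""
    t0 = 1_700_000_000                    # arbitrary constructed start time
    outcomes, sent = [], []
    with tempfile.TemporaryDirectory() as d:
        heartbeat, state = Path(d, "alive"), Path(d, "state.json")
        heartbeat.touch()
        os.utime(heartbeat, (t0, t0))     # last check-in at day 0
        for day in (1, 6, 7, 10, 13):
            outcomes.append(check(heartbeat, state, sent.append, now=t0 + day * DAY))
        back = t0 + 13.5 * DAY            # owner touches the file again in time
        os.utime(heartbeat, (back, back))
        for day in (14, 20.5, 27.5, 28):
            outcomes.append(check(heartbeat, state, sent.append, now=t0 + day * DAY))
    return outcomes, sent


if __name__ == "__main__":
    print(simulate())
```

The state file is what makes the second stage safe to run from cron: without it every run after the first week would resend the notice, and a check-in during the grace period could not cancel the release.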


You put yourself in a situation where you can't even stay away from your computer for one week before your relatives get a weirdly alarming email?


I think your system is brilliant. I definitely want to implement something like this. Thanks for sharing. Is there anything that would motivate you to write a more detailed blog post? (asking for a friend ;D /s)


And you're sure you won't wind up in the hospital for a week in a wreck that smashed your phone?


I've thought about this a lot. In my old smart house I had a couple of dead man mechanisms that would trigger escalating alerts and finally an outcome. The highest order of which was to alert someone that my dog needed help because I was incapacitated or at worst dead. The house could take care of my dog on its own for at least a week, so I had built in some buffer time.

I then read about how Feynman's notes were, somewhat recklessly, given to his estate and then auctioned off. I found the thought of that very violating, especially how certain people react to his own personal dilemmas and thoughts.

Now my will makes pretty clear what will be released, how it will be released, and to whom. It also includes penalties should those things not be followed and gives people the option to take them, with the consequences, or not at all.

All that to say, I would never hand over the keys to my own kingdom. It dies when I die, unless our society somehow transforms between now and then.


I've set up Bitwarden granting time-delayed emergency access to a couple of family members.

I've also left a thumb drive with a Bitwarden export and printed paper in a safe place for my family, describing how to access everything important.

I trust my family not to abuse that, but if I was less trusting I'd look at Shamir's Secret Sharing to ensure family members had to collaborate to retrieve my sensitive info. Or leave the data with a lawyer.

I made sure to pass on my 2FA secrets too.


There is a massive wave of estate issues rising as a result of digital assets, in fact, The Society for Trusts and Estate Planners released a white paper on the implications here: https://preprd.com/STEP-Digital-Assets

This is what my company solves - While our B2C offering is still limited to a waitlist, I am more than happy to recommend a provider in most countries to anyone who wants a vault.

Dylan @ https://bepreparedapp.com


I have spent a lot of time thinking about this after handling an estate for a loved one and then salvaging a business after suddenly losing a business partner. These were extremely difficult situations to navigate because neither of them had a plan. I cannot emphasize this enough: make a plan or risk losing it all.

Digital assets are significantly more complex than traditional assets, and the estate planning industry is still trying to figure out what to do with them because the legal landscape has made this very difficult for consumers like me and you. Many of you mentioned 1Password, LastPass, Bitwarden or info in a sealed envelope. Pw managers are great for organizing your digital assets, but beware... they are not enough for this. If your spouse accesses your pw manager after you pass away, and logs into your email, your spouse may have violated 2 US federal laws, a state law and your email provider's TOS. Who cares if people access their deceased spouse's accounts? If you find yourself in this position, be cautious and call a lawyer before you do anything. Companies take your privacy very very seriously, and they have not hesitated to enforce their rights and do what they think is right.

Most states have adopted a form of RUFADAA (Revised Uniform Fiduciary Access to Digital Assets Act) that governs who can access digital assets, but each state might be a little different. Google, Facebook, Apple, and Github have released online tools to set up a legacy contact or inactive account manager -- I agree with @ubermonkey that if you use services provided by these companies, you absolutely should start by using their tools. However, you should also recognize that these tools are LIMITED and are NOT intended to grant full access. Does anyone know if any other companies have provided tools like this? For other digital assets, you should consult an estate planning lawyer in your state (many of the laws are state-specific) and make sure they have expertise planning and managing digital assets.

Disclaimer: there's a group of us working on solutions that operate within the legal requirements so that our heirs/executors aren't left worse off, and we're always interested in new ideas! Also, none of this is legal advice :)


Absolutely not. Everything dies with me.


I'm only afraid that if I go quickly, I won't be able to destroy everything I've written and drawn. If I want people to know something of me, I'll present it to them. I'm not looking to be mined for content after death and recontextualized.

My passwords and encryption are to enforce that policy digitally.


My son has biometric access to my phone. From there, he can do everything. It works for me.

My son is the one human who matters the most to me -- there's a letter in there for him, too. I add to it periodically.


At least on an iPhone, biometric access won’t work if the phone has been powered off, such as due to the battery running out.


On my Samsung, it is probably the same on iPhone, I always need to enter my pin/password to be able to unlock it after a restart. After that 99% works with Biometric access but some things still need the pin/password.


Ahh yes, he knows the code too. But that’s a good point for others.


What if the phone is destroyed or lost or stolen?


We have multiple iOS devices in our family plan, including multiple iPads.

This works for now, with our current array of tech. My company offers a free sponsored account with one of those companies that offers after-death account and paperwork services. I intend to look into it, but don’t want anything tied to employment or to a company that’s not as likely to survive as it is for 20 years.

Also, I should mention, all my passwords are in 1Password. That’s a known password too.


As others have said, lock code is safer. iPhones sometimes will demand the code instead of biometrics from time to time. Also, any app protected with biometrics can be unlocked with the code, so the code is the safer bet.


I use Dark Crystal (https://darkcrystal.pw/) to distribute my secrets within my social network (scuttlebutt and email mostly). It utilizes Shamir's Secret sharing.


How do you use it? The website does not have any link to a ui?


Like many others here, I also have a 1Password account shared with my wife so she has access to all of our accounts.

Besides that, I have a tag called `after-he-dies` with some secure notes in it, including a note that tags every account at a bank or investment account where we have money, so that she won't risk losing 20k or something because she doesn't know where every money account is or whatever.

That tag also includes a note with instructions for how to make sure that the accounts that automated bills pull out of don't run out of money.


The self-hostable Bitwarden server also has this functionality.

https://bitwarden.com/help/emergency-access/


Related:

* Cheat sheet for if I'm gone – https://news.ycombinator.com/item?id=31748553

* What to Do Before You Die: A Tech Checklist – https://archive.is/dy81b


Lastpass has this as a built in feature for at least their family plan. You can set another account to be an emergency access account. The owner of that account can initiate a request for access to your passwords. You'll get an email informing you of the request, and you have a configurable amount of time to reject it. Failure to do so will lead to them getting access to your vault.

Not sure the security mechanics involved that allow for it, but it seemed like a very neat product for this very thing (and I've added requesting access to the death checklist I gave to my wife), since it means I'm not having to provide my password to anyone (or even get it out of my head and enclose it somewhere physical), but my wife can still get access to it in the event of my death (or my being incapacitated for a sufficiently long period of time that she needs it).


Not really. I'm honestly kind of surprised at the preparation some people have put into the expectation they might die soon. All of our accounts are joint and I'm not hiding any assets. I have pretty sizable life insurance policies that will make her a millionaire overnight. If a porn subscription refuses to cancel when she shows a death certificate, I'm guessing she can find a way to cope. I know she can cancel my debit card all the subscriptions charge because I accidentally canceled hers just last week. I don't think I have anything I would call a digital library. Not really much of a data hoarder. I don't rewatch movies much and haven't taken photos regularly since 2002 or so, and most of those I never bothered to develop, though I actually still have the film in a shoebox in the closet if she wants to try.


I created https://www.deadmansswitch.net a while ago for this purpose, though I wouldn't use any third party app for passwords. "The password is printed and hidden in X" is a good message, though.


Yes. Password manager with all essential entries shared between spouses. Plus a written document describing how to get into the password manager should we both go. We shared the location of the document with key people.

Still, there's probably more we could do, and a number of bases left uncovered. For example, we each have a number of monthly subscriptions that are auto-drafted but won't need to continue after death. We should identify those and have cancellation plans.

Plus we both have lots of crap, and possibly some important in various online/cloud storage services. Even with password access, it would be hard for survivors to know what to look at and why.

And then there are the accounts with two-factor auth. What if one of us goes with our phone? Oy!


No. Nothing that I have protected by a password is of any use or interest to anyone but me. When I die, the things that have actual value will migrate wherever they're going to via the normal legal processes. Anything else will die with me.


I rely on a combination of 1Password and some offline SSDs. Key passwords/passphrases are in our shared safe. Nothing is perfect. While in theory, in the US at least, your executor should be able to gain access to whatever is necessary, in my personal experience as a two-time executor companies and organizations are rarely prepared to deal with estate issues. It's a lot easier to tell my spouse "all of the passwords are here".

Previous related discussion: https://news.ycombinator.com/item?id=31027766#31031202


I did that recently as a backup measure, 1Password comes with a good "emergency kit" that you can print out and store in a safe place. It has instructions on how to access the vault and the password in plain text.

The big advantage of a password manager that is consumer friendly (Like 1Password) is that you can store everything in there (documents, passport, notes) and it will be accessible to whoever needs access to it. Not some obscure command line knowledge necessary.

It is also a lot easier than having hundreds of papers / letters in your house. Even if it's not about the security aspect, having everything in one place is a big advantage.


I also use 1PW and agree it is a good choice. I would be cautious with saving too much information and files (documents, keyfiles etc) in it. With their latest update to v8 they removed the ability to print as PDF or save an attachment, so you will have a very hard time getting it out. Only way seems to be screenshot (too bad if the text is longer than a screen) or sharing via mail (you get the draft and from there copy the attachment). Am not sure if they try to hold your data hostage (VC "capture value" play) or greatly overshot on security.


> With their latest update to v8 they removed the ability to print as PDF or save an attachment

That's not true, there's a "Download" button that downloads the raw file. Just tested that on the latest Beta of v8 on macOS.


I asked their support and they acknowledged the removal of PDF-printing. Regarding attachment: I didn't mean an attached file but the ability to e.g. save a secure note as an attachment. My fault for using bad English. Your remark that you can save an attachment via download button is correct.


My wife and I use 1Password. We know each other's master passwords.

In 1Password we have a note that lists all of our key info: bank account numbers, etc. I have a scheduled task that reminds me to review the note at least once a year.

When we went on vacation this summer I came up with a temporary mechanism to give our daughters our master passwords in case anything happened to us. The mechanism was set up so that they'd both have to participate to recover the secret. It was also set up to self-destruct in 30 days.

That was the temporary mechanism. The permanent mechanism will use secret sharing (https://en.wikipedia.org/wiki/Secret_sharing). There are many implementations available; I want to self-host one so that we aren't relying on anyone else. (There's no server component; a static site would be good enough.)

We plan to use an "any 2 of 4" setup; any 2 of 4 trusted people could, working together, recover our master passwords.


My master password is written down in a sealed envelope, which has been placed in a secret place that my wife knows (but always forgets). My lawyer has a sealed envelope with the location of the secret place, and my will has instructions to give that envelope to my wife (in case she forgets the secret place, which is often). The will also says who gets ownership of the secret place and the envelope in the case we both die together.

When my kids get older they'll move to the top of the access list for the envelope with the location of the secret place and ownership of said place.


Gonna suck if you die in a house fire that also burns up that sealed envelope, though.


The envelope is not in the house. :) That would be silly.


Why don't you encrypt your password twice, give the resulting file or string to both of them, replicated twice or more ?

And each one of them has the password for one of the two encryption layers ?

This way it won't get lost.


My family isn't that technically savvy and would probably require help with the decryption, but I'd be dead.


There’s probably a way to low-tech it by printing half of each password glyph (with a suitably ambiguous design) on transparent slides that you need to overlay with each other to be able to read the password.


oh, that's a good point, indeed.

I didn't factor in the technical ability of my relatives. I guess I should.


> I guess I should.

Not just technical ability, but state of mind etc. Anything needed quickly (not everyone will have such) should be straightforwardly accessible by someone who is both distracted and busy.


I used to sort my data into organised archives on USB HDDs, until I went to college.

Then I found it time consuming and began to just dump home folders and SD cards onto SATA HDDs for back ups

And now I haven't even done back ups since I began to work.

Tagging some USB stuff would be the most straightforward for them, I guess. A bit like a "play me if I don't come back" VHS as seen in movies.

And I would include the letters to unsubscribe to everything, and GDPR requests to delete my data as mentioned by the creator of the thread in

>So I ask: do you have a procedure in place to grant or transfer access in case of death?


Yes, my wife will have access to my LastPass account and a backup of all my 2FA codes. I have emergency access set up with LastPass [1], and Inactive Account Manager [2] for my Gmail account. I would recommend Cryptosteel for backing up important passwords and secret keys: https://cryptosteel.com

I'm a solo founder, so I've also set up some contingency plans for my company. However, I really need to work on a "family manual" that has all the details about our finances, bills, rental agreements, and other personal details. I handle a lot of things that I haven't really documented anywhere (just lots of files that are semi-organized in Dropbox and Google Drive.)

The most important thing is to have disability and life insurance. PSA from @patio11: https://threadreaderapp.com/thread/988094196274769920.html

This should be considered mandatory if you have any dependents.

[1] https://www.lastpass.com/features/emergency-access

[2] https://support.google.com/accounts/answer/3036546?hl=en


I've set up a Legacy Contact with my Apple ID, since that provides access to all of my data, with a close friend in the event of my death. It was fairly easy to set everything up and I just had to provide their email address and send them a document produced after the setup was complete.

It's definitely given me peace of mind, as I wouldn't want them to be in a situation where my entire digital life was lost to them. They would also then be able to close all of my accounts and notify others of my passing.


Consider looking into Shamir’s Secret Sharing Scheme.

I am toying with starting an online service/company where users would elect a backup group where M of N people in the group can unlock the secrets. Use case would be secrets, passwords, Trusts, Instructions.

This issue confronted me when we put our living trust docs in our safe but didn’t have a good way for our executor to get into the safe.

Would any of you use this service? Secure s3/Dropbox with SSSS access. Secure online safety deposit box with multiparty encryption.


In the US (no idea about other countries):

Put everything you own in the name of a living trust. You can still control the assets, or take them back out of the trust if you want.

Then your will names the living trust as the beneficiary. Your executor thus has access to all of it and you don't have to tell him/her about every single thing in advance.

But IANAL. I've probably left out a lot of details. See an estate lawyer.


Good for the stuff with legal identities like bank accounts and property. Useless for digital stuff.


You never know until you ask a lawyer. They're not as dumb as you think (and no, I'm not one).


Yes.

I use https://www.passwordstore.org/. It's hosted in a git repo. My significant other has access to the repo, a private key copy on an encrypted USB drive (plus backup) and its password in their own password manager. It helps that we both know how to use these tools (otherwise, I'd try to keep my important passwords in sync with my significant other's password manager).

Detailed instructions are stored in the unencrypted part of the USB drive which holds the private key. Plus backup. We revisit it on a yearly basis.

I partially rely on the well established procedures offered by banks etc., but don't believe they'll do it in a timely manner and without much friction. There are many cases where I'm the main account holder for the whole family (often enforced by the institution or good deals). Having access to my email & phone removes a lot of friction from the whole process.


I created https://pingmy.life specifically to email my wife if I don't check in after a set period of time. It'll send her a PDF I put together with details on how to access the important life bits. I'm hoping it doesn't get triggered anytime soon.


> It'll send her a PDF I put together with details on how to access the important life bits.

Does any of this need to be secret from her now?

I just have a Google Doc called Our Finances and Other Important Things which list various accounts and stuff. It's shared with her.


Looks like it is down, not great for such a vital service!


It got hugged!


No.

Any password to a bank, or credit card, or whatever dies with me. It's for their own safety. Lest lawyers in some future time come collect a bill that my dead self forgot to pay for.

Everything important is either written into a will, or has a well-established next of kin process associated with it. All other things die with me.


There's a service named Everplans that walks you through passwords, important documents, making an end of life plan, other stuff. They released a whole book on it that I haven't finished yet.

You set up contacts in the app and the contacts confirm they want to be involved. They receive a special link (or some other access method, I can't remember) and when you die, your contacts can say "(person) died, give me access to their information."

A confirmation is sent to the person that set up the account, they have a pre-determined amount of time to block the request. If the request is ignored the data is released to either some or all contacts. It's pretty slick but I would be terrified to start a business like that, with something like this you can't just let the business go under if things aren't going well.


I built Legapass exactly for this purpose. We keep all your credentials safe, encrypted and stored offline in a vault, like a bank vault.

If something happens to you? Our process guarantees the transfer of the content to your heirs, nominated or not. Everything is totally confidential and a bailiff is involved in each restitution case. You can use it for free, but a fee will be asked to access the data. Or you can pay annually: you get more features and if something happens to you, your heirs will not have to pay anything. We are a European-based company but we can work with clients all around the world. Just try it on https://Legapass.com


Wife and I use Bitwarden. My master password is in hers and hers is stored in mine. I once toyed with the idea of building a "dead man's switch"-type service that requires clicking a confirmation button of some sort at a regular interval and which would then send any info you want in the form of emails and/or a physical courier. I looked around and saw a few available so I dropped it. But I haven't subscribed to such a service myself.


I have printed keys at work. For my personal stuff no I don't.

My father's friend had a stroke. He was left alive but not able to use more than a few words. It was a huge problem trying to make arrangements for him. If we'd had even his phone password months could have been saved.


More important is what you want done with it all, or at least what it all means.

My wife knows my password already (this is sensible redundancy). But she doesn't know what I use or do, or who I might like her to tell etc.

So by all means leave your password, but also leave a digital "will".


It's one of those things that I'm thinking about every once in a while but never get round to doing, also because it's not clear to me what the optimal solution would be. A relative has set it up with LastPass: there are a few email addresses that can issue an access request that has to be actively denied within a week or so before it is granted. Seems reasonable to me, except that I don't use LastPass.

But I think the more important thing than that would be to keep a file outlining what the things to look for are. You should also add in contact info for landlords, employers, attorneys, important contracts,... those sort of things. And to set up a testament.


Here is what I am thinking:

- Set up KeePassX with all key accounts/passwords

- Set up 2FA on a phone app such as Google Authenticator. Then make a backup on another phone (you can copy Authenticator app data on another phone easily). Bonus: set up Authy app on a desktop as well.

- Record a video of you showing anything critical

- Write down any details that only you know.

- Put all this in a simple HTML/Markdown page and save on an encrypted disk and/or S3. For backup, save a copy on a flash drive.

- Keep the encryption key and flash drive in a physical locker that only is accessible to your spouse (if any) or anyone else whom you want to. If you are using a physical 2FA device such as Yubikey, then keep a copy in this locker as well.

- Make a Will which explains who/how can access all this if you die suddenly.


Seems a little overkill? 2FA isn't even really necessary if you have a password manager. Write down the master passwords on some paper, put it with the rest of your documents in a fire safe. Access to someone's email account is the biggest thing you need anyway since everything can be reset through it.


Or just use a password manager as usual but distribute your password with Shamir split between several trustworthy parties, one of whom would be a solicitor or someone like that (along with your will).


No. I don't want them to see unfinished projects.


“If you’re not ashamed when you launch, you’ve launched too late.”


The project may not be a business idea, or professional work, good enough is not always applicable even if it is professional it could be a book, a composition or painting.

Many creators have had unpublished manuscripts specifically taken care of in a way to preserve their brand legacy.


Yes. A password manager and a written document in my successors' hands with the passphrases for it and the home laptop with crypted disk. Plus Google account handover logic with dead man's switch, and list of domain and virtual host providers.


My husband and I share a 1Password library. We initially toyed with the idea of having a separate "shared" library but deciding what we did and didn't want to share seemed like a lot of effort so now we just share everything.


Shared library? Simply barbaric!

Read the other comments and learn how to set up 10-out-of-17 secret sharing across your relatives and friends, how to have at least 3 secret spots to stash encrypted passwords, and how to configure online services to alert those relatives and friends when you are dead.


Lots of great info on access and account stuff here. I'd like to also add that I'm putting together a short "biography" to hand to my children in case I die young. I'd like them to know more about how I grew up, my parents, grandparents, and people around me that influenced and cared for me. Maybe some light lessons-learned, but not too preachy I hope.

I spent a lot of time with my mother in her final few years, heard lots of stories and details of her life (and even my own early life) that I hadn't known yet.

I hope I can give the same to my children if something happens.


All my passwords and access tokens are on a pair of encrypted flash drives in my gun safe. My family knows the drive password but not the safe combination. When I die they'll have to cut the hinges off with an angle grinder.


LastPass has this functionality. You designate a person who can request access and a timeframe and once they request it notifies you everywhere and if you don’t respond in the timeframe it grants them access.


I just have the computer and email passwords and my phone PIN stored in a safe place. I have a few critical MFA codes stored as well in case my phone suffers the same fate I do.

Any other important password can be reset from those things and discovery of accounts can be done via email and credit card statements.

My odds of dying in the next year are remote enough that I don't feel the need to get the process perfectly laid out when it will probably change in the >40+ years I expect to live.


I didn't do anything with digital things yet, although I've created a doc (literally just an email) with "where to look for my money just in case":

- insurances

- bank accounts

- stocks

with names of institutions, emails etc.

This is especially tricky since I live abroad in a country whose language no one else from my family speaks; so I included some links to a list of dual-language lawyers who could potentially help handling the cases; plus contact points to a few close friends who could be of help too.


I have a pretty simple system in place. One family member knows the password to my computer, one trusted friend knows the password to my password manager.

Neither of them know what their passwords go to, but they know about each other, so I figure with some coordination they’ll figure out how to unlock both.

My password manager has, obviously, all of my passwords but also has some letters to family and friends and some instructions on what I want done with my body.


I’ve got a document shared with my wife that explains all of the various technology in the house, and various access methods. Additionally, I explain our domain names, our password manager, anything I have been able to think of.

We have a password manager together, and share each other's master passwords, as well as shared credentials.

I probably need to add some messages to post to various accounts, just to save her the trouble.


I contributed to a really nice project on GitHub, called https://weexpire.org/.

Basically, you create encrypted notes that are readable by the people you shared the link with only if you do not respond to an automatic email. Simple, yet efficient.


Not yet, but it is on my todo list. There are multiple projects/companies/groups that I am the bus factor of 1 for any of the technical parts (hosting, code repository, etc). This is a real concern to ensure they continue on without me, and hit me hard one night when I had to be rescued from a flood.

I am a paying customer of Bitwarden, so that's the easiest path for me, but I like complicated things.

My plan is to use Shamir's Secret Sharing. Specifically I was thinking of using Klaus Post's Reed-Solomon (golang) which is a port of Backblaze's JavaReedSolomon. One could perform an All-or-nothing Transformation first depending on the security level needed.

The primary advantage of this compared to Emergency Access with Bitwarden is that it isn't reliant on a single person surviving me. I would give my wife the emergency access, but if we became incapacitated at the same time (almost happened in the flood), then other trusted people can come together to assemble the keys to unlock the data.

Additionally I can give different people different weights. Perhaps my wife and my mom have enough keys by themselves to unlock, or maybe just a couple or a few keys short. Whereas my trusted friends have enough keys that would require X amount of them to agree to unlock my vault, and people that have an incentive to kill me have the least amount of keys :)

I would likely just store my password to my Bitwarden account, my email account, and my note-taking application. That way I don't need to update it except when I need to change the password. Which is also how I could revoke someone from holding a key, change my password and re-run RS and redistribute keys. Realistically if you gain access to my Bitwarden then you have the keys to the other places, but not necessarily the ability to pass a 2 Factor Authentication, so I could include recovery codes for 2FA.

There is no reason I couldn't have multiple vaults for different things with different levels of keys needed to open, so for a non-profit I work with it only takes a few key people to come together to unlock but only gets them access to stuff relevant for that organization.

If someone loses a key, or it gets corrupted, it just takes more people to agree to use their key to gain access.

In addition to death, something could happen to cause me to forget my master password, but otherwise I'm still capable of doing things. So it is also a backup for myself.
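
The weighted k-of-n scheme this comment describes (also what the "shamir split" and "10-out-of-17" comments above refer to), as an added example that is not part of any comment. It uses textbook Shamir secret sharing over a prime field rather than the Reed-Solomon library named above; the holder names, weights, threshold of 5 and passphrase are all constructed.

```python
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the encoded secret

def split(secret: bytes, threshold: int, n_shares: int):
    """Points (x, y) on a random polynomial of degree threshold-1 whose
    constant term encodes the secret."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if len(secret) > 64:
        raise ValueError("secret too long for this field; share a key instead")
    s = int.from_bytes(b"\x01" + secret, "big")  # 0x01 prefix keeps leading zero bytes
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        return y
    return [(x, f(x)) for x in range(1, n_shares + 1)]

def combine(shares) -> bytes:
    """Lagrange interpolation at x = 0. Below the threshold this yields unrelated
    bytes, not an error, so the caller confirms by trying to unlock the vault."""
    pts = dict(shares)  # a share submitted twice counts once
    total = 0
    for xi, yi in pts.items():
        num = den = 1
        for xj in pts:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes((total.bit_length() + 7) // 8, "big")[1:]

def distribute(secret: bytes, threshold: int, weights: dict):
    """Weighting: a holder with weight w simply receives w distinct shares."""
    shares = split(secret, threshold, sum(weights.values()))
    held, i = {}, 0
    for name, w in weights.items():
        held[name], i = shares[i:i + w], i + w
    return held

# Constructed scenario: any 5 shares unlock; names, weights and secret are made up.
SECRET = b"constructed-vault-passphrase"
HELD = distribute(SECRET, 5, {"spouse": 3, "parent": 3, "solicitor": 2,
                              "friend_a": 1, "friend_b": 1, "friend_c": 1})

def pooled(*names, lost=0):
    """Pool the named holders' shares, minus `lost` misplaced ones, and combine."""
    pool = [s for n in names for s in HELD[n]]
    return combine(pool[lost:])

if __name__ == "__main__":
    print(pooled("spouse", "parent") == SECRET)                  # 6 shares pooled
    print(pooled("friend_a", "friend_b", "friend_c") == SECRET)  # 3 shares pooled
```

Revoking a holder means changing the underlying password and running `distribute` again, since old shares stay valid for the old secret.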


I have all the documents and photos shared in iCloud already that I want shared. I am fine with everything else being irretrievable.

Anything I am proud of has been shared in a shared iCloud Drive. Any important documents (life insurance), etc has been shared in an iCloud Drive. Any photos I want shared are already in shared albums. Financial accounts already have a beneficiary.



Yes.

I have a document called “in case of emergency” that lays out where everything is—important contact information, bank accounts, files, backups—and it includes a section for sensitive information such as the master password for my password manager. I keep a copy with the passwords filled in at a secure off-site location that my wife has access to.


I’m using 1Password Family with my partner which provides the functionality for defined users to recover all passwords for the other user. [^1]

So in case of my death or my partner's death, we can recover each other's passwords.

[^1]: https://support.1password.com/recovery/


As long as they can get into the email, they can eventually get into everything else. If there are second factors in the way, I have backup codes printed out and stored in a safe location that they will be able to access. And this only matters if the official facilities, e.g.: Apple Legacy Contact, don't pan out.


My dog has likely seen me type in my password at some point, but otherwise, no one else gets access even after death.


I think the same

Why would anyone access my Discord account, or my kawaii and punk music playlists on Deezer? This quality content goes with me into the grave.

OK content is unencrypted on my computer, anyway


Yes. Trusted relative has a letter with info how to find the master pw in case both of us die or become incapacitated. It is physically on paper they need to find, stored in our residence and in a bank sd box (in case of fire), so they won't be tempted ahead of time. Set it up years ago.


I use syncthing to sync a keepass database between my wife's laptop and my own. We also have off site backups which she can access. If we're both dead then it doesn't matter we've no dependants. Where possible our financial accounts are all joint.


http://deadmansswitch.net

Pings you on Telegram every few days to see if you are alive. If you don’t respond, it will send out email to whoever you have it configured for.


Yes. I run a small website and a friend of mine has agreed to take it over if I die. I've shared the passwords of the services that the website is hosted on with them via a package manager.

I do not have anything similar for my bank accounts or personal subscriptions.


I regularly print my whole keepass database and I keep it in a safe fireproof place. And my family know the location. It is also a failsafe for me if my house burns down with all my digital copies in it. I do have off site backup, but you never know.


For anyone interested in this sort of thing check out Sarcophagus: https://sarcophagus.io/


I have. I have a password manager containing everything, with the password to that enclosed in my end of life paperwork with the lawyer/in the bank vault. My will spells out who is to do what with that information.


Nope, I'll be dead so I'm not interested in creating an ongoing security hole for myself to worry about while I'm still alive.

Important things like banks already have next-of-kin covered, insurance is sorted out etc.


I have made an encrypted USB disk with a manual, then handed my parents a part of my key and another part is in my house where only they would find it. Also a name of a friend that could help them with it etc.


Hi, last month I discovered Legapass, a French startup that solves this problem. I use Legapass to secure the transmission of my digital assets and even more my cryptocurrencies.


Seems like an envelope in your joint safe deposit box or with your lawyer with your phone+computer password and master password for your password manager is all you need?


I'm surprised at how many people here don't already have their spouses on a shared password manager. I'm not saying it's bad, just surprising.


Some of us have non-tech spouses.


We need an on blockchain escrow service with smart contracts.


There's already https://sarcophagus.io/

I haven't used it (yet) though it's been on my radar for a while


it's the only way to be sure


No. And I'm not going to.

For encryption to work in practice, certain things, like master passwords can NEVER leave your head. I'm not going to print out my private keys and master passwords and put them in a safe, because in the unlikely scenario a state actor would raid my safe, it's a free-for-all on everything.

The only thing I should probably sort out is give my wife access to Cloudflare DNS and Microsoft 365 Admin panel (we both have emails under the same custom domain, hosted at Outlook)

However I also have several other domains, and she'd have no business accessing or doing anything with those.


i have.

basically i created a separate KeePass database and put all things i want to disclose there (like bank passwords, mobile unlock pattern etc.). what's nice about keepass is that you can store media files like images besides passwords.

this database is in Google Drive and shared with my relative. the password to the database is printed on paper and stored in the envelope - and my relative knows where to search for this envelope in case something happens.


No, I want all my accounts to be forever lost when I die!


Yes. Printed on paper in a sealed envelope. My wife knows where it is. Every 5 or 6 years I update it.


Yes, I've done this with Bitwarden which has the option to grant full access after a grace period.


I just use the same password everywhere, only a matter of time before it is publicly available.


Yes.

SO has a paper sheet with all important ones and the algo which changes them (depending upon date).


What about crypto seed phrase? Best I can come up with is safe deposit box and will.


I use a password manager. I regularly remind my wife what the passphrase is


Thank god I have regular bank/broker accounts and no crypto.


Printed list in safe deposit box.


Written down on paper in a safe


no if i die im dead and everything goes down with me :D


Password1234

Please use it, only if I don't post in a year.


No.


I am gonna drop my will in the little library thingy with a copy of sun tzu later, for now I wanna let kids enjoy the holiday without having to wander around some stoner.

(My passphrases will cause a nuclear war if read in open court, fuck around and find out, consent matters.)



