Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.
A Bad Solution
Let’s start with the simplest solution: using the same password everywhere. Great, all you need to do is put this on a Post-it note, stuff it in an envelope, and let someone know where to find it. Unfortunately, using a single password for many services is a terrible idea. Password breaches happen, and if you’re using a single password across the internet, they can be disastrous.
Password breaches are usually the result of an attacker finding a vulnerability that allows reading password data from an application’s database. Odds are high that your information has been leaked in one of these breaches. You can check if your email is on a list of known breaches with Have I Been Pwned. Don’t feel bad if you’ve been pwned, my email shows up on six different breaches, and this service only indexes publicly known breaches!
Depending on the competency of the company that was breached, your password may have been stolen in a few different formats. In the worst case, the passwords were stored as-is (i.e., cleartext), and the breach contains your actual password. Nowadays, storing passwords in cleartext is never considered acceptable. A hash of the password is stored instead. Attackers need to use a tool like hashcat to try to recover the passwords via brute force hash cracking. This is slow for complex passwords, but is always getting faster as GPUs improve.
So we really need to use different passwords everywhere, or our Tumblr account from 2013 could give access to our bank account. Given the large number of services we use and our inability to remember passwords, we’re going to need to use a password manager.
You Want a Password Manager
A password manager is any tool that lets you securely store a large number of passwords. These will let you randomly generate a long, secure passphrase that you’d never want to remember. This lets use unique passwords for each service, and passwords that are sufficiently complex that they would be tough to crack.
We will also need to think about emergency access to these tools. How will someone be granted access to your password manager, and how can we protect that process? The goal is to create a backdoor to all your accounts, then ensure it is reasonably well protected.
There are a lot of password managers out there, and this isn’t intended to be a comparison of them. In fact, security experts disagree about what tools are best. To generalize, these tools fall into two categories: hosted and self-managed.
Hosted Password Managers
These are Software-as-a-Service (SaaS) tools that handle storing your passwords and provide access across devices. Most will have desktop, mobile, and web extension clients. Firefox and Chrome both have built in password managers that also fall into this camp. Other popular products include LastPass, 1Password, and Dashlane.
These tools tend to be the easiest to use, since all the data is managed for you. Downsides include subscription fees and the need to trust a third-party with your password data. While most management services are designed so that only you can decrypt the password database, you still need to trust the software they provide. In general, browser extensions for these services are considered less secure. For more on this, see Tavis Ormandy’s article on password managers.
When it comes to emergency access, many of these tools provide features to help. LassPass and Dashlane both allow for “emergency contacts” who can be request access to your account. If you don’t decline access within a time period, access is granted. 1Password uses a low-tech solution, providing a printable Emergency Kit document which contains everything needed to access your account.
Self-Managed Password Managers
The other password management option is to manage your own data using local software. KeePass (and KeePassXC) and pass are two popular open-source options. With these tools, it’s up to you keep your password database safe and synced between devices. It’s also up to you to figure out emergency access.
If you’re going to use these tools, it’s probably worth thinking about the person who will be getting access in an emergency. Will they be able to identify what software is required, install it, get access to the database file, and decrypt it? While the pass tool provides some interesting options via gpg, such as using a a hardware token for decryption, this additional complexity may make emergency access harder.
If using a self-managed solution, you’ll want to build your own version Emergency Kit for access. This should include everything needed to view the password data and instructions on accessing the encrypted password database.
Trust and Storage
It goes without saying that you’ll need to trust whomever you’re providing with emergency access. Some hosted services provide features to minimize this trust by requiring a timeout before access is granted. For services that allow an emergency contact, this means trusting you designated contacts. For solutions that require storage of an Emergency Kit, this means ensuring only trusted parties have physical access.
Another concern is knowing that emergency access has been used. If an attacker gains access to your password manager without your knowledge, they can potentially maintain access indefinitely. Hosted services will provide notifications about new logins from unknown devices. For self-managed services, this is up to you. Tamper evident envelopes and boxes are an option, but these are never perfect.
Don’t Forget 2FA
You have two-factor authentication (2FA) enabled on your accounts, right? If not, go turn it on, we’ll wait here. If so, have you ever lost access to your authentication codes?
Some services will allow resetting 2FA via email. This isn’t great from a security prospective, but means that losing your 2FA codes is a minor inconvenience. Other services make this process much more difficult. For example, losing all access to 2FA for Google requires going through a manual support process that can take days. It’s worth thinking about how someone would get access to your 2FA backup codes, at least for critical accounts.
No Perfect Solution
Providing emergency access will always make your password management less secure, and that’s okay. In this case, we’re compromising security for a specific, important reason. There’s no perfect solution here, but the goal is to balance security and usability. This delicate balance is unfortunately unavoidable when designing secure systems.