The Postmortem Password Problem

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

A Bad Solution

Let’s start with the simplest solution: using the same password everywhere.  Great, all you need to do is put this on a Post-it note, stuff it in an envelope, and let someone know where to find it. Unfortunately, using a single password for many services is a terrible idea. Password breaches happen, and if you’re using a single password across the internet, they can be disastrous.

Password breaches are usually the result of an attacker finding a vulnerability that allows reading password data from an application’s database. Odds are high that your information has been leaked in one of these breaches. You can check if your email is on a list of known breaches with Have I Been Pwned. Don’t feel bad if you’ve been pwned, my email shows up on six different breaches, and this service only indexes publicly known breaches!

Depending on the competency of the company that was breached, your password may have been stolen in a few different formats. In the worst case, the passwords were stored as-is (i.e., cleartext), and the breach contains your actual password. Nowadays, storing passwords in cleartext is never considered acceptable. A hash of the password is stored instead. Attackers need to use a tool like hashcat to try to recover the passwords via brute force hash cracking. This is slow for complex passwords, but is always getting faster as GPUs improve.

So we really need to use different passwords everywhere, or our Tumblr account from 2013 could give access to our bank account. Given the large number of services we use and our inability to remember passwords, we’re going to need to use a password manager.

You Want a Password Manager

A password manager is any tool that lets you securely store a large number of passwords. These will let you randomly generate a long, secure passphrase that you’d never want to remember. This lets use unique passwords for each service, and passwords that are sufficiently complex that they would be tough to crack.

We will also need to think about emergency access to these tools. How will someone be granted access to your password manager, and how can we protect that process? The goal is to create a backdoor to all your accounts, then ensure it is reasonably well protected.

There are a lot of password managers out there, and this isn’t intended to be a comparison of them. In fact, security experts disagree about what tools are best. To generalize, these tools fall into two categories: hosted and self-managed.

Hosted Password Managers

Dashlane hosted password safe
The interface Dashlane uses for storing and accessing your passwords

These are Software-as-a-Service (SaaS) tools that handle storing your passwords and provide access across devices. Most will have desktop, mobile, and web extension clients. Firefox and Chrome both have built in password managers that also fall into this camp. Other popular products include LastPass, 1Password, and Dashlane.

These tools tend to be the easiest to use, since all the data is managed for you. Downsides include subscription fees and the need to trust a third-party with your password data. While most management services are designed so that only you can decrypt the password database, you still need to trust the software they provide. In general, browser extensions for these services are considered less secure. For more on this, see Tavis Ormandy’s article on password managers.

When it comes to emergency access, many of these tools provide features to help. LassPass and Dashlane both allow for “emergency contacts” who can be request access to your account. If you don’t decline access within a time period, access is granted. 1Password uses a low-tech solution, providing a printable Emergency Kit document which contains everything needed to access your account.

Self-Managed Password Managers

KeepassX self-hosted-password manager
KeepassX interface

The other password management option is to manage your own data using local software. KeePass (and KeePassXC) and pass are two popular open-source options. With these tools, it’s up to you keep your password database safe and synced between devices. It’s also up to you to figure out emergency access.

If you’re going to use these tools, it’s probably worth thinking about the person who will be getting access in an emergency. Will they be able to identify what software is required, install it, get access to the database file, and decrypt it? While the pass tool provides some interesting options via gpg, such as using a a hardware token for decryption, this additional complexity may make emergency access harder.

If using a self-managed solution, you’ll want to build your own version Emergency Kit for access. This should include everything needed to view the password data and instructions on accessing the encrypted password database.

Trust and Storage

It goes without saying that you’ll need to trust whomever you’re providing with emergency access. Some hosted services provide features to minimize this trust by requiring a timeout before access is granted. For services that allow an emergency contact, this means trusting you designated contacts. For solutions that require storage of an Emergency Kit, this means ensuring only trusted parties have physical access.

LastPass email notification
Hosted services like LastPass include notification emails for logins and when settings are changed.

Another concern is knowing that emergency access has been used. If an attacker gains access to your password manager without your knowledge, they can potentially maintain access indefinitely. Hosted services will provide notifications about new logins from unknown devices. For self-managed services, this is up to you. Tamper evident envelopes and boxes are an option, but these are never perfect.

Don’t Forget 2FA

You have two-factor authentication (2FA) enabled on your accounts, right? If not, go turn it on, we’ll wait here. If so, have you ever lost access to your authentication codes?

Some services will allow resetting 2FA via email. This isn’t great from a security prospective, but means that losing your 2FA codes is a minor inconvenience. Other services make this process much more difficult. For example, losing all access to 2FA for Google requires going through a manual support process that can take days. It’s worth thinking about how someone would get access to your 2FA backup codes, at least for critical accounts.

No Perfect Solution

Providing emergency access will always make your password management less secure, and that’s okay. In this case, we’re compromising security for a specific, important reason. There’s no perfect solution here, but the goal is to balance security and usability. This delicate balance is unfortunately unavoidable when designing secure systems.

82 thoughts on “The Postmortem Password Problem

  1. Not a problem here, I simply do not exist. Other than a near empty Linkedin there is nothing about me. I am literally just pseudonyms on the net. And I don’t see a reason to let anyone log into my stuff and delete the near nothingness surrounding my identity. I don’t see a reason to become the actor of my physical reality on the net. As long as I am well adjusted, friendly and decent to my fellow human beings even in the face of anonymity.

    1. Great as long as you can manage it, but things relating to your finances etc are increasing moving online anyway, and generally need to be tied to the ‘real’ legal identity at some point. And its those sort of details your loved ones dealing with your death might actually have some need of…

      1. Screw that for a game of soldiers, as a computer professional I know how insecure this lot is (as well as myself LOL) so I have no online bank accounts, it’s all done through dead wood via snail mail.

  2. Well on google you have the backup codes, so you (or someone) can access your account and retrieve all the info or change the account auth. Mine were printed and stored in safe years ago…

  3. This is why I keep updated passwords in my document fire safe on a piece of old school storage…. paper sheet notebook. Successors have access through living trust and posession of safe key.

  4. I think that this article neglected an option that is equally important to consider: writing important passwords down, offline, in a a safe place. Keep a password book, put it in a safe place where your spouse / family knows where it is. I don’t do this for everything, but I do it for the really important items (email, bank accounts, credit cards, etc.).

    Password managers are great tools, but they can also become a single point of failure. If they do get breached or somehow subverted, then some / all of the accounts you manage could be exposed. LastPass, Dashlane, and others are still software and will inevitably have bugs and vulnerabilities.

    Don’t get me wrong, I use a password manager for the long list of less important accounts where the severity of exposure is low. I write down all of the more important ones.

    Michael Horowitz has a good study on this topic in his blog. https://www.michaelhorowitz.com/BestPasswordAdvice.php

    1. A single book is also a single point of failure.
      If you go that route, using a personal bank vault is a good start, and having a vault at home with an other copy gives it another point of failure.
      Loosing your spouse, house and bank access in a fire/flood/whatever is a rather horrible set of events.

  5. Google Account let you set up a “Inactive Account Manager”, so someone else can access you account after a set period of inactivity (for example 6 months, 1 year or 2). Seems like the perfect balance between reward/risks, as you do not need to send password or access just as a way to have a backup plan.

  6. A potential solution for this that I’ve thought about on and off is the concept of “secret sharing”. Wikipedia has a page on it — the idea is that you cryptographically divide something into a bunch of pieces, with a minimum number of some-but-not-all of the pieces being sufficient to reconstruct the original information. If the original information is, say, just a master encryption key, then each of the pieces could conceivably be base32 encoded and printed on physical cards (laminated paper, laser etched metal, or whatever) along with a link to the secret-piece-recombination software (and enough information on the algorithm for a technically competent person to reconstruct it should the link rot away). Then, you distribute these cards to your circle of trusted (but not quite 100% trusted) people. There’s no single point of failure — one friend could have their card lost/stolen or go rogue without compromising your security. It’d take a quorum of some minimum number of your trusted contacts to all get together and decide that you were really dead or whatever to be able to recover the key (or an elaborate scheme where an attacker progressively tracks down all your contacts and tortures them to collect your horcruxes).

    Some additional nuance is also possible: You could create a large number of “shards” and then distribute them proportionally — a spouse, say, could be trusted with enough shards to only need one other person to agree, while a less-close friend only gets a single shard. There’s also methods of distributing additional shards to effectively invalidate the old ones if someone falls out of your trust (since you can’t really revoke printed information that can be copied).

  7. There is a good approach for emergency access that’s not mentioned and somewhat solves the TBD issues, “Shamir’s Secret Sharing”.

    I’ve only personally seen it used with Hashicorp’s Vault (enterprise grade credentials/management server) for unsealing the credentials storage. You issue some number of trusted employees a key (shard) each, and configure some threshold of shards that meet an acceptable quorum. It’s even able ot

    The same approach would probably work with password managers – distribute keys to trusted friends/family/lawyer/post-it notes.

    1. Humans have really poor instincts when it comes to trusting other humans, might as well flip coins to decide if someone is trustworthy or not. Just admit, you have not even a glimmer of a clue as to whether your friends and family are trustworthy or not. Would they reveal your secrets for $1000? $100? You don’t know.

  8. Tattoo your master password somewhere only your undertaker will see it. I guess the tattoo artist will have to know it, too. Kill the tattoo artist afterwards. Or pay really well. And get dirt on the artist so if they squeal, it’s a scorched earth policy. Modern problems require modern solutions.

    1. Just use a “permanent” marker to write the passwords on your body, and then refresh as needed.

      You’re supposed to change passwords every so often, at least after breakins, so a tattoo is a bit permanent.

      Or you end up covering your body with passwords, crossed out when it changes.

      Then you get an Illustrated Man sort of situation, “tell me the story of this password”

  9. So I die, my family request Lastpass access which is granted after 3 months of not answering the email. Then said family tries to take care of my financial affairs, but the login requires 2FA which the authenticated device perished with me. They still don’t get in, and have the same problem on their hands. They know my login, but 2FA stops them. I HATE 2FA.

  10. The problem with 2fa is that it gives your phone number to exactly the people you don’t want to have it.

    I have an existing YouTube account that I can’t get into, because google now requires 2fa and I won’t give them my number, precisely because they’ll sell it to the world for use in advertizing.

    And no, trust is not warranted. Note that google went from a motto of “do no evil” to a guideline to eventually removing it altogether… along with a big pile of attempts to change the political landscape. From a human rights perspective, they are demonstrably bad and getting worse every year.

    I personally don’t think 2fa using a phone number is very good anyway, because your phone can be stolen or you can change numbers when you move to a different area code (and similar problems). What *do* you do when your phone is stolen anyway? If you can call up google and convince them of this… then it’s not really secure.

    (And note the head of the CIA a couple of years back had this exact thing happen to him. It was his personal E-mail account and nothing interesting was on it, but he did nothing wrong and someone convinced his provider that his phone was stolen and could they please unlock his account?)

    1. Worth pointing out that phones are not the only 2fa method, and the basic premise of 2FA is sound enough.

      But I agree using your phone, particularly these days when it almost certainly is your web browser and email client too – so holds 100% of the info you need to log in as you unhindered by 2FA using it is really, really, really, (continue till out of breath, gasp and repeat as long as you can be bothered) really stupid! I don’t know why anybody ever thought it was a ‘secure’ idea…

    2. Haha. Yes. Microsoft locked me out of my Skype account like that once. To reactivate it they claimed they need a Phonenumber. I never gave them one before. They also don’t want to delete the account without unlocking it before.
      I don’t want to get this post deleted, so i’m not saying what i’m thinking of those people.

      But what i actually want to say is: 2FA is not only SMS. It can be TOTP as well. For which you do not even have to use a phone. I know it defeats the purpose a little, but I use KeepassXCs TOTP function. This basically stores the second factor next to the password. But at least spying on my password alone wont let you into my stuff.
      And i don’t need my phone.

    3. Get a separate phone for that stuff. Leave it at home. Surely you can get another line for cheap on your plan. They already know where you live so don’t stress about location tracking.

  11. Passwords are both nice and not at the same time.

    I myself find the “forgot my password” link as a very good password, as in, tell the site that you forgot it, have them send a new one time password to your email (preferably encrypted), and then login to the session with that.

    This obviously isn’t “perfect”, and it would be nice if there were a standardized way of doing this that were less cumbersome. Downside is that this creates a huge single point of failure, but your email is already the keys to your kingdom… So I at least have multiple different email addresses for different things. And one is explicitly for regaining access to the others in the “worst case”.

    But authentication methods could see some major improvements, all though. I personally don’t think that any one system is ideal. The most ideal method for one group of people isn’t ideal for a lot of other groups of people, and vice versa. And there is many ways to skin this cat.

    1. Some websites do not require passwords, but send a session key to your email. Yes it won’t work anymore if you lose your email address, so it is a single point of failure. But for unimportant websites you often forget your password and if you do not have it saved you reset it to your email anyway.

      I used to be able to remember all my passwords until many websites forced frequent password changes and have annoying password requirements like maximum(no typo) password length, a special character but not % or & or _, etc.

  12. You’ve missed one of the easiest methods. I use strong passwords on important sites, like my bank, but I use a generic one on sites that have no real information on me, like one-time sites, blogs, Wikipedia, Stackexchange.

    I have 3 emails, one for important logins, one for semi-safe sites, and Gmail for generic sites that require a login.

    Also, I have Firefox store all the passwords, so my family *could* access the important ones after I’m dead. Presuming they would need/want to.

      1. Just have an encrypted disk drive, Linux can encrypt your home partition, Mac also comes with AES 256, windows has the bitlocker and probably a bunch of other protections, good luck decrypting that

  13. Paper notebook with site name, login email / name / password / signup date / other account ties

    Let loved ones know where it is in case of accidents. Have two, if you need the Not Safe For $Anyone version… label it “burn me”.

    Truly tho most people can’t seem to deal with passwords at *all*. The average citizen says “i was hacked” and resets their password every time they forget it, which is every time they’re asked for it. So “ideal password managers” are a bit of a niche.

    1. I too use a paper list. For generating passwords we do the Jumble Puzzle in the paper. There are often scrambled words that are pronounceable and silly sounding. I keep these in a list so if I need a password I pick, lets say pass word is scrambled as Dworpass i add special characters and numbers and voila Dworpass*#23 might be a new password. I then erase that from the list so i don’t use it again.

  14. Ultimately it comes down to lawyers and family. One has sizeable economic incentives to handle your trust, the other sizeable personal incentives. This is exactly the same as how you deal with physical assets. People typically trust their grown kids with house keys, and lawyers with their wills. This really isn’t that much different.

    Write a password on a folded piece of paper in a signed and sealed envelope. There are methods of making that tamper-evident. Deposit with lawyer with disbursement instructions upon death or mental incapacitation. You should likely choose the executors of your will for financial accounts. You can keep going in the same fashion for social accounts Maybe multiple envelopes if necessary. Tell your family what’s going on.

    The question remains as to whether those envelopes contain actual account passwords, or simply an abstraction to them (i.e. a password to a password keeper). The abstraction makes it much easier for the user to update passwords whilst alive but introduced the risk that the mechanism breaks during that time. (Executors can’t find the disk, or the online service folds).

  15. It’s simple. Use some hash function (say SHA256) and some secret to create an unigue password for everything. pass_hackaday=SHA256(“hackaday.com$secret”) Then coat thin (0.5mm) aluminium plate with paint. Write an exact algorithm (hash function, sequence, how you treat the service name, etc.) and the secret to the pain in the plate using something sharp. Etch it in the lye (NaOH – sink cleaner), hydrogen will be released from unpainted aluminium. Wash it in water, strip the paint with acetone or whatever is needed for your paint. Put the aluminium plate i between two bigger thick steel plates (10mm thick or more). Weld them together around. Don’t melt the aluminium (have the letters far enough from the seam). Grind the seam nice. Stamp some text around with hammer and some appropriate tool. Weld, screw or concrete the itim into your house. Tell relatives and friends what’s inside and where it is. Check, that at least one of them is knowing about existence of the angle grinder :-).

  16. May i add to that. I use pen and paper. And a simplistic scheme to memorize myself that may confuse most bots but not a sophisticated attack using multiple of my credentials.
    B.t.w. When i’m dead, all my data is yours. GL fighting over it.

  17. I have a hard copy of my important passwords in a file with my will so my family can take care of things in my absence….
    However I set one of my passwords to incorrect so if I forget and type it in wrong it says… “Your password is incorrect” 😁 (stolen) ……It was…1 2 3 4 5….but it was the same as on my luggage…

  18. I went the route of creating a USB drive with a portable Linux install that will bring up KeePass at boot. This drive is stored in a Safe Deposit box alongside copies of my important documents. The password to the KeePass database is trusted to my lawyer, and the key to the box to my spouse. Fortunately both my lawyer and spouse are tech savvy enough to know how to boot from a USB device, although I am considering using an RPi to make it easier to operate.

    In this way, my passwords stay protected and is highly survivable. My home, the bank, the lawyer’s office, and the backup storage facility that the lawyers use would all have to be destroyed either at the same time as my death, or in the few days while my will and associated documents are being processed (I have a fairly detailed list of instructions for dealing with my accounts, assets, etc).

      1. First thing the banks and other financial institutions did was block all online access to my father’s accounts as soon as they got notice of his death. We didn’t notify them, it was an automatic process. Social Security knew almost immediately. It cascaded from there. The bank where his SS was auto-deposited shut off the auto-payments, blocked online access, and notified the DOD (military pension). That resulted in another bank shutting down online access after they notified the brokerage where he kept his IRA’s.

        He had moved his safe deposit box contents to a different bank, and hadn’t gotten around to telling us to go to new bank and get our signature recorded for authorization to access the safe deposit box.

        He got paranoid right before he died and changed the password on his PC. He had a notebook of handwritten passwords in a small safe, but buy the time we located the key, all of the above happened.

        It’s just been one thing after another. Not quite the legacy he wanted to leave.

  19. USB drive with a text file, nothing else. site/login/password.
    Don’t do a lot of stuff online so only a couple of sites.
    Don’t need stuff in the cloud. Told Farcebook where to go when
    they wanted a copy of my government ID because I wasn’t using my real name.
    Told Farcebook they needed me more than I needed them. Been 5 years.
    They tried the “But you won’t be able to access your account” garbage.
    My reply, “So? You ever hear of email/phone/chat?” Haven’t been back.
    Another work site told me they wanted a video conference to prove I was
    who I said I was. Nope. Contacted all my clients directly and now don’t
    need to pay the site’s “job fee”. They lost out on making $$$ from me.
    Me? Didn’t lose a thing. Still have all my clients.
    Even my emails don’t have my real name and everyone and I mean
    everyone I email knows who John Q. Public is. A non-exisistent spam hating
    non-entity. So those spams that say “Dear John”, bye bye.
    Had one site tell me they were worried about and this is a direct quote
    “fraudsters and hackers”. My reply was, so, you’re worried about fraudsters
    and hackers and you want ME to trust YOU with personal information?
    The limitless of human stupidity never ceases to amaze me.
    My information is completely safe….with me and me alone.
    Once I’m dead, I’m not going to care.

  20. I’ve got a foot in each camp basically…

    My workplace uses LastPass for credential storage… prior to adopting that, they had “the Internet folder”: a ring-bound physical folder in the server room that basically served as the physical record of all their credentials. It doubled as a museum too, as there were pages there for every service they signed up to, including their very first Internet connection with the University of Queensland — that document also had ads for desktop PCs of the day (seems funny to see 4-figure price tags beside 486s today).

    LastPass supports the original Yubikey I received with my linux.conf.au 2011 admission; after carrying it with me for nearly 10 years, I finally had a use for it! My workplace has since adopted the Yubikey 5 and bought everybody one, so I am now using that for a “work” OpenPGP key (git code signing, SSH), and Yubico Authenticator used for services that need TOTP.

    For my personal stuff, I was using a system of passwords shared among “classes” of website, with certain sites getting dedicated passwords. The common ones were memorised, but the lesser used ones got stored as OpenPGP-encrypted files (private key stored on the local disk with a passphrase). Password generation was done by the command: `dd if=/dev/urandom bs=3 count=4 | base64`, with the numbers for `bs` and `count` sometimes tweaked depending on password length needed. Synchronisation between machines was done using `git` over `ssh` to local bare repositories on each machine.

    That approach happens to be how `pass` does it, last night I actually migrated my password store over to `pass`, with the cryptography key stored on a Yubikey 5C for now. Maybe later when shipping from Germany to Australia reduces from $extortionate (>€50 shipping for a €40 token is a bit much!) I might replace that with a Nitrokey 3, but this gets me by for now.

  21. I have unique passwords for online money stuff, and each email, and for the google account for my phone. I do use a set of other passwords for no-risk online stuff so I can easily go through them if I don’t remember which one is for a specific forum etc.

    I have made sure that family members know the money stuff passwords and an email password so in the event of my death they can access the money stuff and with the email password anything else they can use the forgot password thing to change the password to whatever they want. Not that anything other than money stuff and email is important for them to access after I die.

  22. Nobody has any physical vault anymore at home ?
    As long as you haven’t been robbed in the few weeks after your death. It still a pretty good and simple solution and plan a repudiation/revocation procedure in case of robbing.
    You could also put part of information on one of your family member’s device or linked to his/her account.

    For the online “social” identity, you can put in place a kill-switch solution (on your own or thru a SaaS).

  23. Parents and siblings know a few passwords I used to use. One of those locks my computers, another locks KeePass. Given I’m not too concerned about local attacks (live alone, the feline can’t type too well) I don’t have a complex password for Linux or Windows.

    Keepass generates keys even I don’t know. The few sites were I have legacy logins with dumb passwords are still stored in KeePass.

    Then there is 2FA. Benefit of a family cell phone plan, if my apartment burns down, they can get a cheap phone and attach it to my number. The other 2FA stuff, I have Google authenticator. Both the initial values and the emergency keys are, you guessed it, stored in KeePass databases.

    Probably should put a copy of the key file somewhere that isn’t my living space. The tornadoes this week have shown that if I and my gear were completely erased, there would be some difficulty accessing the “physical safe house” I call home.

  24. What possible reason is there to care what happens to online passwords after I die?

    Online banking will be totally irrelevant (a paper copy of the death cert would be needed, just taken to a branch office), same for any other financial or legal work needed.

    After that – who cares about the forum logins, Facebook, online shopping accounts etc?

    Even the broadband account would just happily roll along for months, plenty of time to just phone up and sort out a transfer of the payments.

    1. Online statements. Access to those would have shown that one of my Dad’s bank accounts was being drained by several online shopping sites before that account was emptied out. Still fighting the bank on that.

      It’s just one more frustrating hassle to deal with while still grieving.

    2. Relatives have logged into forums to make one last post, telling of the death of a relative.

      Someone died ten or fifteen years ago, the relatives decided to keep the page going.

      There might be material that relatives want to keep.

  25. You don’t have to die for this to be useful.

    It felt like I almost died two years ago, and while I had some things on the tablet, I didn’t have everything. It was a bad time, so I wasn’t sure if I remembered some passwords properly, others I really never remembered. It was six months before I got home.o

    I did keep track of passwords, but not in a great form. It would have been so much easier if it was in one place and easy to get.l

    You don’t plan on getting sick, but it happens anyway.

  26. No one mentioned trying the Have I Been Pwned check. I tried it. I have two email accounts. Both of which, according to that website, (which wants to sell its products), say have been Pwned, one with 6, one with 8. Given that I rarely receive even Spam email, and that the Pwned website is selling, should I believe , and/or care, about the 6, and 8 breaches? Thanks.

  27. I enconter, twice, websites allowing you to be password less by sending you a unique link by email to logon on their platform.

    The idea was nice, but if it become popular then your email must be bullet proof otherwise it is like breaching a password manager… you have total control.

    Also I’m still waiting for FIDO2/WebAuth to kick in ;(

Leave a Reply to GravisCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.