#cybersecurity zealots often shame humans for writing down their passwords, but as someone who just had to excavate the digital remains of a loved one who died suddenly:

*please* write down your credentials somewhere a trusted human can find them, especially your phone passcode and any primary passwords (like for email accounts, password manager, etc.)

the humans who care about you will need that access for many reasons; a "badass" threat model will only add helplessness to their grief

if you want to still be sneaky, hide your critical passwords (and backup MFA codes!) behind a photo frame or in a random book or whatever, but *tell* whomever you trust most where that place is, or at least write it down in the place they're most likely to look if you pass unexpectedly.

ask the same of your loved ones, too.

no one deserves the pain of navigating customer support trees and the other kafkaesque hells of accessing accounts when they're already submerged in grief. loving is leet.

another key takeaway for me from excavating the digital remains of a loved one who died suddenly:

usable security or bust. in my case, the iOS Password Manager saved the day because it stored their creds by default as they used their devices.

...but they found the 2FA app so confusing that they offloaded it and never saved the password to it.

SMS 2FA may be more insecure, but it confused them less and meant my access to their phone = access to 2FA. Security isn't the only thing that matters.

@shortridge now that iPhone keychain can also act as a 2FA device I bet that’ll get easier. Not easy.

@shortridge Went through this a year ago and had similar experiences. If I hadn't been a very knowledgeable tech person I would not have been able to get it done, and that's a bad situation for all those who are not.

https://mastodon.km6g.us/@kevin/109334039844564941

Kevin P. Fleming:

Since there are lots of #infosec people here now, I've got a serious question. Recently I had to help handle the affairs of a relative who passed away. This included getting access to email/bank/credit/social accounts. I was able to do this because their phone was relatively easily unlocked as we had been told the passcode. While biometric authentication is far more secure and should be preferred, what does this mean for those who come after and need to make use of the device?


@shortridge NIST dropped the ban on writing down passwords. Writing down is a good idea. A better idea is to use a password manager, which would also document all the accounts you have. The password manager also generates high-entropy passwords.

You can give your loved one an up-to-date copy. Have it password-protected, but then there is only one password to have on paper.

I use Keepass

@rrb @shortridge you probably want to write down the password to access the password manager somewhere though
@shortridge I recently posted here on why I print out all passwords and OTP secrets at least twice a year, put them in sealed envelopes that I store at trusted persons (family, to be precise) and at a place in my house that is known to them. These elaborate digital solutions that rely on me as the sole owner just don't work. And the risk of someone breaking into my house, knowing where to look and use those passwords is ridiculously small. Print it. Store it. Don't worry.
@jwildeboer @shortridge Most digital solutions provide measures to setup a trusted person. I don't see where that claim that they "don't work" comes from or what facts support it.

@ljrk
> Most digital solutions provide measures to setup a trusted person

I've seen proposals for account restoration for pure P2P apps, involving giving a group of trusted people partial keys to the kingdom. They can only use them to access the account if a minimum number of partial keys are assembled (e.g. 5-7).

This kind of design needs to be built into all digital accounts, so there is always a way to access someone's data if they're incapacitated or dead.

@jwildeboer @shortridge

@ljrk
Besides my email provider I can't think of a single digital solution that offers to add a trusted person? My password manager (the thing that would probably be most useful in that situation) certainly does not have that option.

@claudius BitWarden and the Apple Keychain both do, probably others as well – I mostly know these the best :)

Also note that it doesn't require any cloud: If you're not into using synchronizing password managers, you can just do regular off-site backups/exports of your KeePassXC DB to a person you trust.

@ljrk I wish I had a secure way to share the passphrase later, though. Something like a dead man's switch system.
@ljrk I also looked into SSS ( https://en.m.wikipedia.org/wiki/Shamir's_secret_sharing ), but I am looking for something that works for non-nerds, too.
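The threshold scheme the two replies above describe (split a secret among a group so that any k of n holders can reconstruct it, while fewer learn nothing) is Shamir's secret sharing. The following is an added worked example written for this page, not code from anyone in the thread or from any of the products mentioned: a minimal Shamir split/recover over the prime field GF(2^521 - 1) in Python, with a master passphrase as the secret. The passphrase, the 3-of-5 split and the family-member framing are constructed for the example. One practitioner caveat it also demonstrates: plain Shamir has no integrity check, so a wrong or corrupted share silently yields a wrong secret; the small SHA-256 tag embedded here turns that into a loud failure. For anything real, use an audited implementation rather than this teaching code.

```python
# Added example, not from the thread: minimal Shamir's secret sharing
# for a master passphrase, with an integrity tag so bad shares fail loudly.
import hashlib
import secrets

PRIME = 2**521 - 1         # Mersenne prime; all arithmetic is mod PRIME
TAG_LEN = 4                # bytes of SHA-256 prefix stored with the secret
MAX_SECRET_BYTES = 60      # 1 + TAG_LEN + 60 = 65 bytes < 2**513 < PRIME


def _encode(passphrase: bytes) -> int:
    """Pack 0x01 || sha256(pw)[:4] || pw into a field element.
    The leading 0x01 fixes the length (and preserves leading zero bytes);
    the tag lets recover_passphrase() detect wrong or too-few shares."""
    if len(passphrase) > MAX_SECRET_BYTES:
        raise ValueError(f"passphrase longer than {MAX_SECRET_BYTES} bytes")
    tag = hashlib.sha256(passphrase).digest()[:TAG_LEN]
    return int.from_bytes(b"\x01" + tag + passphrase, "big")


def _decode(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if len(raw) < 1 + TAG_LEN or raw[0] != 0x01:
        raise ValueError("wrong or insufficient shares")
    tag, passphrase = raw[1:1 + TAG_LEN], raw[1 + TAG_LEN:]
    if hashlib.sha256(passphrase).digest()[:TAG_LEN] != tag:
        raise ValueError("wrong or insufficient shares")
    return passphrase


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + a2*x^2 + ... at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_passphrase(passphrase: bytes, threshold: int, n_shares: int):
    """Return n_shares (x, y) points; any `threshold` of them reconstruct the secret."""
    if not 1 <= threshold <= n_shares < PRIME:
        raise ValueError("need 1 <= threshold <= n_shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [_encode(passphrase)] + [
        secrets.randbelow(PRIME) for _ in range(threshold - 1)
    ]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_passphrase(shares) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 and unpack the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat: den^(p-2) mod p
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return _decode(total)


if __name__ == "__main__":
    # Constructed sample: one master passphrase, five family members, any three recover.
    master = b"correct horse battery staple"
    shares = split_passphrase(master, threshold=3, n_shares=5)
    for x, y in shares:
        print(f"share {x} (give to holder {x}): {y:x}")
    print("3 shares ->", recover_passphrase(shares[:3]) == master)
    try:
        recover_passphrase(shares[:2])
    except ValueError as err:
        print("2 shares ->", err)
```

Each holder gets one (x, y) pair printed or written down with the threshold and the share index; the holder of a single share learns nothing about the passphrase, which is the property the replies above are after. The same "paper in a safe place" discipline the thread recommends still applies to each share, and the people holding them need to know who the others are.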

@claudius @ljrk Bitwarden has a dead man's switch system, kinda.

You place an access key, encrypted with the trusted person's public key, into escrow with Bitwarden. In the event of your death, that person can request the key from Bitwarden, who ask you to confirm or deny the request. If you fail to respond and refuse the request in the specified time, the previously escrowed access key is sent to the trusted party.

This ensures that Bitwarden can't access the encryption key, and the trusted person also doesn't have it unless they ask and you fail to say no.

@mathew @claudius @ljrk you beat me to it. Here's the link for quick reference:

#Bitwarden Emergency Access
https://bitwarden.com/help/emergency-access/


@claudius As discussed by the others: That's how they work :)

But I'm only competing against "a paper copy" which is insecure as fuck since not only the trusted person can always access it, but also anyone breaking in or the fuckin cops raiding your house.

@shortridge My brother blew off getting signatory access to my safe deposit box. $150 to get the lock drilled out, bucko.
@shortridge Things like this always remind me that availability is part of security. Lots of people, especially "security enthusiasts" (those who care about security but aren't professionally involved with it), often seem to get hung up on the confidentiality and integrity parts and forget about availability. (Until they experience a DDoS attack I guess 🙃)
@shortridge I've been through this as well. It's terrible. Thanks for sharing and spreading this message. Edge case extremists don't understand the real world risk of too much security in these cases.
@shortridge My mom's backup for her gmail was to her house phone, whose number was lost when the bills were not paid during her last few declining years. Very frustrating when she got locked out in her last few months.

@shortridge And it can’t wait until you’re dead. You can become temporarily or permanently disabled and need a delegate to handle things for you.

https://youtu.be/lU8_S0V_zOQ

@wendynather precisely. we live in a stochastic reality and must prepare for that, even if it creates some existential dread in the meantime.

that's why I don't recommend just putting it in your will, too; put it somewhere in your residence.

(and like, if someone is breaking in for the purpose of accessing your devices, they can just wait until you're home and break your kneecaps anyway if you haven't written it down. for the vast majority of ppl, it's such a silly threat model)

@shortridge @wendynather This is a great resource to prepare for the EOL DR

https://github.com/potatoqualitee/eol-dr

GitHub - potatoqualitee/eol-dr: 🕊️ A crowd-sourced guide to help techs help their non-tech spouses / partners / parents / kids when we are at the end-of-life


@sassdawe @wendynather this does look really useful, thank you for sharing it.

listing out subscriptions is useful for anyone, too. another thing I had to do was scrutinize credit card statements over the past ~12-14 months to enumerate services and subscriptions.

thankfully, this person purchased a lot of subscriptions through the App Store, which made it much easier to cancel.

most of the others had creds stored in their iOS Password Manager, so it was easier than it might have been.

@wendynather @shortridge My family has thoroughly discussed EOL documentation. I've a fresh will, my brother has power of attorney, our mother has The Big Blue Folder, etc.
@shortridge yes, *tell*. In our case, the person didn't, so whatever was on those machines is gone forever.
@shortridge The right options really depend on your life circumstances, threat model, who you'll be leaving behind, etc. But regardless everyone should think about this and make a plan that works for their circumstances.
@dalias @shortridge that is the one thing where GitHub is ahead compared to many services: there you can leave a 'who should inherit my account should I die' contact behind.
@mainec @dalias @shortridge I tend to be of the opinion that (1) GitHub offering this feature is a nice idea, and also (2) it is no business whatsoever of site operators to know to whom I bequeath my credentials, rather it is their duty to get out of the way and choose authentication models that make this possible and secure. (Looking hard at you right now, passkeys.)
@shortridge I have a digital assets section in the wills I do for my clients just for this reason.
@shortridge It's bad enough getting financial institutions to take any notice of a power of attorney when the person involved is still alive.
@shortridge especially critical to include seed phrases in this info for your loved ones.
@shortridge also have a will. Put it on your will. They might forget. Put it in the document

@shortridge My family has a list of four words, a symbol, and a number. At home I have a small booklet with all my passwords written as (for example) 4ws# indicating all 4 words, followed by the symbol, followed by the number.

If I update my passwords, I write down the new 4 words, new symbol, new number, give it to family (I think my Dad keeps it in a fireproof safe deposit box hidden somewhere in his house), and don't have to update anything in my own password keeping booklet.

@shortridge
A safe deposit box is a reliable way of saving information:
Bank, branch, account numbers ; copies of contracts, passports, along with any other original tombstone official documents. Leave the box number and key enclosed in your will.
@shortridge
The other thing to do is that your phone contacts should have ICE [In Case of Emergency] before your POA, executor (if separate people,) and the lawyer who has your will.
@shortridge
My husband & I both have password books that are accessible to us. Our children could easily find them. And they know we have them.