… You may not reveal, share or otherwise allow others to use your password or Account except as otherwise specifically authorized by Valve. …
Your Account, including any information pertaining to it (e.g.: contact information, billing information, Account history and Subscriptions, etc.), is strictly personal. You may therefore not sell or charge others for the right to use your Account, or otherwise transfer your Account, nor may you sell, charge others for the right to use, or transfer any Subscriptions other than if and as expressly permitted by this Agreement (including any Subscription Terms or Rules of Use) or as otherwise specifically permitted by Valve.
I agree that I don't think anyone really needs to, but I saw my cousin handle my granddad's affairs when he was sick and having memory issues. It would have been a lot easier for him to log on and pay bills during that time than call up each company and sort it out with customer service. Having said that, what my cousin needed wasn't necessarily passwords, but more account numbers.
Is the problem account access, or too many accounts and no standards for delegation?
It's more too many accounts and my granddad didn't speak English and gave different spellings of his last name sometimes or let the guy on the phone make a guess, so looking him up was hard. And this was a while ago, so I think a lot more workflows have been added to these systems, so they accommodate these scenarios easier.
But having a list of accounts with access would have helped my cousin the most.
My point being that with standards for identification and consolidation of services, the problem simply wouldn't exist.
I've known people who have 100s of accounts. It wouldn't surprise me to find that there are those with 1,000s.
The cognitive overhead of adulting is compounding rapidly.
Oh you're referring more of an access manager. That's probably overkill in our case, but I'm sure it's going to become more of a thing.
Not quite.
It's more an "unasking the question" of digital identity, asking how (and why) we got here, and what alternatives exist.
Usenet can provide strong authentication without either accounts or passwords.
Many sites have no functional need for authentication, for information delivery. The primary drivers are advertising tracking, in some cases subscriptions, and for delivery of user-specific information (DMs, notifications).
How can we eliminate authentication entirely, or put it in the users' hands?
I sort of get what you're saying. There does seem to be a lot more places that require authentication nowadays, but I'm not sure if it's actually more. I mean, it probably is, if someone is signed up for a million social networks, but for bills and such, I'm guessing it's about the same.
Not entirely sure how this could work, but personally I do use my Google login where I can. So more uses of SAML maybe. However it always comes with the downside of having a possible single point of failure.
My thoughts lean toward PKI, physical tokens, standard protocols, and ... well, I'm not sure what else is required, though I'm sure I'm missing something. Some remnant of passwords or biometrics, possibly path or location-based trust, possibly web-of-trust (or repudiation) elements. Possibly some mechanism for key recovery.
Public key encryption does away with shared secrets. User holds private key, remotes have public pairs. Subkey or user-remote key construction might provide for unique per-service keys, a critical element in avoiding global tracking. Key expiry is another element.
A physical, contact or very-near-field (cm or mm range) device (I picture a signet ring, and there are extant similar examples) would minimise both casual snooping or downsides of insertion-based mechanisms (e.g., Yubikey USB fobs). They also enable very frequent re-authentication -- simply touch the target sensor. Most other methods are far higher friction.
Avoiding inadvertent use is a remaining problem. Some user-triggered activation or confirmation might work.
This all requires hardware, protocols, and widespread use.
A critical problem with PKI is that key loss renders all data encrypted to that key unobtainable. There are key quorum mechanisms which might (and I'll emphasise, optionally) be used to rebuild a lost key or token. These would likely have to be tied to legal and procedural requirements, but could be used to minimise catastrophic data loss.
But your twitter followers may want to know you have died? Just one situation out of a million possibilities.
I'd much rather my accounts stay frozen as to what I've said rather than memorialised for sure. Authors don't get their books added to (in forms of introductions etc. sure but not in terms of content) so why should my content be able to be accessed by anyone but me. It seems that the general opinion relating to this is that social media is an extension of self but in reality it's owned by another company which is what makes legacy-building on these sites kinda dangerous if you're serious about leaving an impression at least in the near-future after you're dead.
To perhaps talk about a bit of a buzz, the idea of a blockchain-based social media would (in theory) probably solve this problem but leads to monetisation problems for the big companies now. Someone needs to smash up the corporate web by making these really neat ideas very easy for the least-computer literate.
What about accounts where you have a lot of digital content? For example, I have thousands of Kindle eBooks on my Amazon account, dozens in audible, movies and TV shows too. I'll definitely leave my Amazon account to my children (after it passes through a brother, wife, or friend for some quick sanitization). Likewise Steam accounts, I have a Google account with extra features and interesting content.
I expect someday we'll see controversy over accounts getting deactivated because they're so old their owners must be dead. That'll be interesting.
That's a great point. I never really thought about it but I have a decade old Steam account with 500+ games on it. That's actually worth quite a bit. I wonder what Valve's policy is on death and selling/transfer of Steam accounts.
Steam Subscriber Agreement, section 1, subsection C:
(emphasis added)
Thanks! I guess in reality Valve would have little way of knowing if you didn't make it public knowledge, but they may also make an exception in an outlier case like this.
It's way easier to deal with the "important" stuff if you have login details rather than just a death certificate. Some of my bank accounts don't even have physical branches you can visit.
I've changed mine many times and have adopted the offline solution of KeePass. I have over 100 entries for passwords I would never have remembered. I figure if I'm going to have my passwords stolen it's going to be on my terms and not some online solution.
Just a reminder to back them up occasionally!
Some sites may not be able to perform email resets (or perhaps you have too many emails and won't remember which one to reset to), so having a copy around can't go wrong.
Hopefully no one! All the people that need to know I’m dead will know, online I’ll just disappear
Going on my buddy’s Instagram is one of the last things I have to remember him by. Sometimes I’ll even send a message. I’m glad his accounts have remained untouched. Sigh.
It was super weird seeing activity after he passed. For example, about 3 months after the Venmo request I had to him was cancelled and I got a notification. That was a sobering moment when I looked down and saw that.
Lastpass lets you give people 'emergency access' to your passwords; when they request access, they have to wait a specified amount of time, during which you can refuse the request. Obviously you won't be refusing anything if you're dead.
While this is likely a convenient feature, doesn't it also mean that their passwords can be accessed/decrypted without the user's master password?
For me, this sounds like a big security flaw.
While I don't know how it is implemented, I believe that it is possible to do securely; when a user enables the emergency access, their passwords could be re-encrypted with a second key (this can be performed locally, so would still be secure). This key would then be stored with the other user's account, and the passwords stored alongside the original copy encrypted with the master password. This method doesn't require Lastpass to be able to decrypt the passwords without the master password.
I guess that would be one way to make it work.
Flaw or feature, guess it depends on marketing, but I believe LastPass has the ability to recover, so this is not surprising.
I recently went through all my user accounts & passwords and closed out all the unused accounts. The whole process made me think of this situation and here's what I came up with:
I decided to use KeePassXC and generate as complex passwords as the remote systems and the password manager allowed. I then wrote down my computer encryption password, system user account credentials and the password manager master password on a piece of paper, laminated it and placed it in a safe.
I'm debating doing something like this too. Currently, I have a recovery email and I wrote down its password and told my husband.
It does require some work, especially because all the different service providers have not made closing out their accounts easy. But I like to think it's worth it in the end.
I have some friends online. I wonder what would happen were I to spontaneously die. They'd see all of my accounts go dark and eventually assume I either ditched the online world entirely without notice or died. Would be nice for someone to be able to give notice.
I don't have a strong online presence, so I doubt many would think twice of me if I dropped off, but I've definitely had those thoughts about people I follow or game frequently with. It would definitely be nice to know.
My best man knows the algorithm I use to generate passwords.
Having had a friend die last year, it is important.
But what if he dies before you? Or at the same time, in a freak accident? My wife knows how to access my passwords, but it's certainly something I've thought about. Then again, as someone mentioned above, most of the "important" stuff can be accessed offline, and social media accounts will just fade away as they should.
I think I need to make a note of the algorithm so that it can be found.
What does that accomplish tho? Wouldn’t he need to know the input? Or is that listed as a hint, or is it the username?
Once he has access to my emails he is golden.
The algorithm could use the domain name + user name as inputs. It's security by obscurity without any extra hidden source of information.
This.
I said it to make it clear that it's a bad idea.
The cryptographic hash of Domain name + user name + salt would be secure and predictable once you knew the salt and the hash details.
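An added sketch (not from the thread) contrasting the two schemes discussed in the comments above: an "algorithm only" password built from domain + user name, and a derivation that also mixes in a secret, with the last comment's "salt" modelled here as a secret passphrase. All function names, the PBKDF2 parameters and the sample inputs are assumptions of this example.

```python
import base64
import hashlib

ITERATIONS = 200_000  # PBKDF2 work factor, an assumed value for this example


def obscure_password(domain: str, username: str) -> str:
    """'Algorithm only' scheme: no secret input, plain concatenation.

    Anyone who learns the recipe can compute every password, and
    concatenation is ambiguous: different (domain, username) pairs can
    produce the same input string.
    """
    digest = hashlib.sha256((domain + username).encode()).digest()
    return base64.urlsafe_b64encode(digest).decode()[:20]


def _frame(*fields: str) -> bytes:
    """Length-prefix each field so field boundaries are unambiguous."""
    out = b""
    for field in fields:
        data = field.encode()
        out += len(data).to_bytes(2, "big") + data
    return out


def derive_password(secret: str, domain: str, username: str,
                    counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password from a secret plus public context.

    The secret is the only thing that must stay private; the heir needs the
    secret and this recipe. A slow KDF is used so a leaked site password
    cannot be turned into a cheap guessing oracle for a weak secret.
    `counter` allows rotation after a breach; it must be recorded somewhere.
    """
    context = _frame(domain.strip().lower(), username, str(counter))
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), context,
                              ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw).decode()[:length]


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample secret
    # Ambiguity in the obscurity scheme: both pairs hash "example.comalice".
    print(obscure_password("example.com", "alice")
          == obscure_password("example.co", "malice"))
    # The framed, keyed derivation keeps them apart.
    print(derive_password(secret, "example.com", "alice")
          != derive_password(secret, "example.co", "malice"))
```

The output alphabet is URL-safe base64, so a site with stricter composition rules would still need a per-site note alongside the recipe.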
I don't think it's important; no one needs to close down my Facebook if I unexpectedly kick the bucket (although they certainly can do by contacting the company directly).
That said, I have all my credentials stored in KeePass, for which my brother knows the master password. He'll be able to log on to my machine and access everything if he needs to.
Best case scenario? No one. This is the entire point of passwords. All this online stuff could go away one day, lord knows we've seen countless services rise and fall, so all the important stuff gets written down in a journal, or is in a bank or is at the hospital as a health record.
I'm not suggesting the use of this or any other program, just thought the questions themselves were interesting.
Personally, I don't really need anyone to go through my online accounts, unless my family wants to pull some photos I didn't get around to sharing or something. My personal computer, however, might be something my family needs access to, just for previous years' taxes, bill payments, contracts for various things.
Still, think it's important to give some thought to.
This is why the drive for online forms and payments and contracts is kinda bullshit; at the end of the day, you should have paper copies, multiple copies because paper has lasted far longer than most computers and online services.
I do have paper copies of everything because I'm actually technologically unlucky and sort of paranoid. But, there's definitely an ease to being able to access these things digitally. And if I'm gone, I want to make things as easy for my family as I can.
I'm saving up the money to have them engraved on my tombstone. Or ceremonial urn. Whatever.
Oh fancy having a tombstone...I'll probably be in a shoebox. Even an urn too expensive... :P
Yes it's called the 'Save 'til you die' Plan.
I'd love for some private way to automatically delete all my accounts after I die... Just wipe them clean like I did a GDPR on them...
I kinda like the idea of this, but I also kinda like that idea that a little bit of everyone is there forever. Ultimately, it would be best to have a choice to do this.
It's a bit fucked up that private companies can own a piece of your data after you're gone. I don't think we've had anything like this before in history.
I've actually been thinking about this a lot lately. I have a ton of friends online who are often from other countries and I'd really like them to know if anything ever happened to me. So far, my plan is giving my father a sealed letter that contains my last will (sounds spooky at a young age, but whatever, I had friends die way too young to not think about it) and the password to access my PC + instructions on whom to inform/what to do exactly.
Just need to figure out a way to tell this to my father without having him think I'm suicidal or something.
It's an interesting question, as to whether you want to leave access to your online services to someone else after you die. There's positives and negatives to each side and it's really dependent on what each individual's suite of online services look like.
In my case, it was one less thing that my sister and I had to worry about after our dad passed away. He had the foresight to write down and leave his login information for virtually everything he used online so that we'd be able to access it after he was gone. There's enough things to worry about when dealing with the death of a loved one without having to worry about account administration for utilities, subscriptions services, and a whole bunch of other stuff.