I recently received an email from my close friend, Gabriel. He is deployed to a very dangerous corner of the globe. In it he asked me to handle some of his digital affairs in the event of his death. Of course I agreed, and the conversation started a train of thought: if I died, what would happen to all my electronic files? With no way to access these, everything I have created would be forever lost upon my death. Worse still would be a scenario where, as the result of injury or illness, I could not remember or enter my own password(s). These are my ideas: one workable yet secure solution to the “death and passwords” problem, and one perfect world scenario.
Death and Passwords
If you are like most people it is very likely that, at some point, you will die. You may wish to set up a recovery mechanism for your digital “stuff” now, as it will be somewhat difficult to do so afterward. The system I have devised here is very heavy on security (mostly for my sanity before death) while still providing a workable mechanism for my survivors. The first step in this process is to determine what information other parties need access to. I like to think of this as triage of sorts, with four categories: Must Have, Nice to Have, Don’t Need, Must NOT Have.
Must Have: This category is information that would be essential to the execution of my estate. This would include digital copies of wills, healthcare directives, and perhaps instructions for the disposition of my corpse. Logins for financial accounts (banks, retirement, etc.) would be critical, as would information for accessing health and life insurance accounts.
Nice to Have: Things in this category would include items intended for those who survive me. Things like photographs, personalized correspondence, or other sentimental “stuff”. Not necessary, but things people will (may) treasure. This will require allowing access to my computer’s hard drive, or (better yet from a security standpoint) a hard drive that contains only the items I wish to share.
Don’t Need: No one really needs access to my Amazon account, Netflix account, or any number of trivial accounts. I will leave these out of the death database to avoid confusion and streamline things.
Must Not Have: Hey, we all have something we wouldn’t want the entire world to see. I recommend encrypting any such information separately, and not sharing the password in your death database.
The idea that I plan to implement requires five individuals. A “Hardware”, three “Keyholders”, and a “Radio”. I have attempted to set this up like the “Chicken Crossing Puzzle” in that I don’t want any one person to have access to more than one element. Ideally these people will not have access to each other.
Death and Passwords: In a Perfect World
Hardware: This individual would possess a 4GB IronKey secure flash drive. The drive would contain one file, a password manager database. This file would be behind three discrete layers of encryption: the IronKey’s native crypto, a VeraCrypt volume, and the password manager’s native encryption. He or she would also have contact information for “Radio”. “Hardware” needs to be a person that would know about my death in a timely fashion: spouse, parent, child, best friend – someone close.
Keyholders 1-3: Each keyholder would hold the password to one layer of encryption. Each of these passwords would be long and randomly generated, and stored inside a tamper-evident bag. A short series of codewords would be written on the exterior of the bag.
Radio: The “Radio” would be the fifth person. He or she would hold the contact information for the three keyholders, as well as the codewords written on each bag.
In the event of my death, Hardware would contact Radio. He would provide Radio with compelling evidence of my demise (a death certificate would be ideal). Upon receipt of such evidence Radio would reach out to each of the three Keyholders. Upon receipt of the correct codeword(s), each Keyholder would open the tamper-evident bag and retrieve the password. It would then be relayed to Radio.
When Radio has retrieved all of the passwords, they are forwarded to Hardware. Because each Keyholder only knows a password (NOT what it unlocks), Hardware must attempt each of the three against the IronKey’s encryption. Because the IronKey only allows 10 attempts, each will be carefully transcribed and tested. Hardware has three attempts at each, which should be sufficient. Next, the remaining two passwords will be tested against the VeraCrypt volume. The final password (by process of elimination) will open the password manager.
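The recovery walk in the last two paragraphs, as an added Python simulation that is not part of the original post: three authenticated layers built from the standard library stand in for the IronKey, VeraCrypt and password-manager crypto (assumption: an HMAC-based stream cipher, not the products' real algorithms), and `recover` performs Hardware's elimination procedure with unlabelled passwords under an attempt limit. The passwords and database bytes are constructed for the demo.

```python
import hashlib
import hmac
import os

def _kdf(password: str, salt: bytes) -> bytes:
    # Stdlib PBKDF2-SHA256 stands in for each product's real key derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    # HMAC counter-mode keystream, enough blocks to cover `length` bytes.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, salt + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]

def wrap(plaintext: bytes, password: str) -> bytes:
    # One layer: salt || tag || ciphertext. The tag lets a wrong password be
    # detected (and counted as a failed attempt) instead of yielding junk.
    salt = os.urandom(16)
    key = _kdf(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, salt, len(plaintext))))
    return salt + hmac.new(key, salt + ct, "sha256").digest() + ct

def unwrap(blob: bytes, password: str):
    # Return the inner bytes, or None when the password does not fit this layer.
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = _kdf(password, salt)
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, salt, len(ct))))

def build_vault(database: bytes, ironkey_pw: str, veracrypt_pw: str, manager_pw: str) -> bytes:
    # Password manager innermost, VeraCrypt volume next, IronKey outermost.
    return wrap(wrap(wrap(database, manager_pw), veracrypt_pw), ironkey_pw)

def recover(vault: bytes, unlabelled_passwords, attempt_limit: int = 10):
    # Hardware's procedure: try each unlabelled password against the current
    # layer, retire the one that works, move inward. Returns (db, attempts/layer).
    remaining, attempts_per_layer, blob = list(unlabelled_passwords), [], vault
    for _layer in range(3):
        for used, pw in enumerate(remaining, start=1):
            if used > attempt_limit:
                raise RuntimeError("lockout limit reached for this layer; stop here")
            inner = unwrap(blob, pw)
            if inner is not None:
                remaining.remove(pw)
                blob, attempts_per_layer = inner, attempts_per_layer + [used]
                break
        else:
            raise ValueError("no keyholder password opened this layer")
    return blob, attempts_per_layer
```

With three unlabelled passwords the worst case is 3 + 2 + 1 attempts, so the outermost layer never sees more than three tries and the 10-attempt IronKey lockout is not approached.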
There is good security in this system because no one has the entire picture. “Hardware” does not know who any of the keyholders are. Radio does not know who Hardware is. Each key holder only knows him- or herself. This prevents any individual in the system from social engineering the rest. The person with the most information is Hardware. Hardware both holds the data that is being protected, and the information to set everything else in motion. One strategy for protecting the data from Hardware would be to hire an attorney to act as Radio. This would accomplish a couple things: first, an attorney would be a disinterested third party. He or she could also be legally bound to require an appropriate level of evidence before taking any further action.
Problems? There are numerous other strategies one could put in play to make this a more secure system. However, this is already fairly complex, and there are some inherent problems. If the data you want to make available contains time-sensitive instructions, coordinating efforts between five people that don’t know each other may be a challenge. There is also the possibility that these individuals will lose the password or be otherwise unable to retrieve it when needed. Finally, if any of the passwords are ever changed, it is up to you to update the USB flash drive. This would be easy to forget or postpone. Most of us probably have someone in our lives that we trust with a password or two. This is really just an exercise in “gaming the game” and seeing how secure I can make the system. Now let’s look at a more realistic solution.
Death and Passwords: Real World Solution
Scenario 1: In a perfect world the plan above would work. In the real world, maybe not so much. In the real world I would use a much simplified version of this plan, perhaps something along these lines: hire an attorney and have him or her hold the key to a safe deposit box. The safe deposit box would contain the USB flash drive. My next of kin would have the password, and be required to show the attorney some proof of my death prior to being granted access to the safe deposit box. This would still provide a good security margin against the password being lost, stolen, or captured through social engineering. Anyone who captured the password would still have to go through the attorney to get the flash drive.
Scenario 2: An alternate real-world scenario would involve a person you trust. That person could hold both the flash drive and the password, both to be used upon your death. If you trust them but not fully, both the password and drive could be stored in a tamper-evident bag.
These are just some ideas. I’m sure you have some of your own, and I’d love to hear them. Please comment or email me directly. Thanks!