Ask Slashdot: How To Securely Share Passwords?

THE_WELL_HUNG_OYSTER writes "My tech-savvy father died suddenly and unexpectedly. He did everything online: bill-pay, banking, eBay sales (and other auction sites), PayPal, investing, etc. When he died, he still had online auctions up for sale, items I had no idea how to fulfill when sold. He still had unprocessed auction refunds, people claiming they returned items and are waiting for a refund. Fortunately, he left Gmail open and logged in when he died, so I was able to configure his account to forward to mine for any future emails he received. He even had his health insurance automatically debited from his checking account (who needs health insurance when they're dead?) I had no way to log into these systems to cancel pending transactions. I called every institution; some were willing to help while others required me to fax/mail death certificates and proof of executorship (which I didn't have yet). Meanwhile, auctions were selling for items I had no idea how to fulfill; debits from his checking account were occurring even though they were irrelevant; etc. You get the idea. How can I share my login credentials with my siblings so they don't have to go through this when I'm gone? I change my passwords every month and never use the same password on more than one site. I don't want my siblings to be able to impersonate me unless I'm dead, so publishing a monthly list to them won't help and would be insecure."

Secret Sharing

[betterunixthanunix]

http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing [wikipedia.org]

Give shares to relatives and trusted friends.

Options

[Alter_3d]

Check this Wikipedia article [wikipedia.org]
It contains a list of services you can use to "inherit" your personal info when you die.

Lawyer

[Stormthirst]

Have a standing arrangement with your lawyer - send him a letter every month with instructions that the letter is only to be opened in the event of your death and to destroy the previous month's letter. The letter of course contains all the passwords and a list of people the list of passwords is to be given to. He'll probably charge you a monthly fee for the service.

If that's too expensive, I'm sure a PO Box is cheaper, and leave the key with your spouse/siblings.

There is a service for that

[Riceballsan]

Lifehacker recently had an article on a service called "death switch" http://www.deathswitch.com/ [deathswitch.com] Basically it e-mails you asking if you are still alive, if you don't respond back, after 3 e-mails, it sends out the assigned message to who you specified. It does cost $20 a year

Re:Think low tech

[green1]

My thought is somewhat related, I haven't implemented this yet, but it is on my "to-do list".

My main plan is to put instructions in an envelope that is sealed near my will. Making sure that familly/friends know where it is. The instructions would direct the person to send a specific code/password to a specific email address on my hosted server. (could also be a private web form or some such) Once recieved the server would send me an email notifying me of the request, and giving me 4 days to cancel it. If I do not reply within 4 days (adjust to suit whatever length of time you think is the longest you could possibly go without finding a net connection while still being alive and well), it would automatically send the information to the original requestor.

This has the advantages of the sealed envelope where I can detect tampering, but where the information is still easily accessible to those who require it (without them really needing to remember how it all works), but with the added advantage that if I am still alive I can stop the process before any sensitive information is released (in case the original envelope is stolen/otherwise compromised). For added security you could add a list of IPs/email addresses who are authorized to trigger the system (of course that becomes one more thing that you have to remember to keep up to date) and if you are concerned about the security of the server being used, the file being sent back can be encrypted with the decryption information in the original envelope.

Setting up the scheme is relatively simple/straight forward the harder part is keeping all the data it needs to send back updated so that it is useful once recieved.

And for those who say "you won't care, you're dead", you're right in that I won't care then, but I do care now what I am going to put my loved ones through, so I'd rather make things as easy for them as I can, they'll be dealling with enough when I die that I don't want to make things any more difficult than they have to be.