Sharing my Master Password securely when I "pass away"

Hi,

Not the most "happy" of subjects but something AgileBits support suggested I float with the community to see if they have considered approaches to this.

Having lost my mum last Summer, I came to understand in the following months how many accounts needed to be closed, companies/people notified and online services de-registered for. This involved trawling physical correspondence, in part, but also trying to find out more about her online registrations. Fortunately, I set up her gmail so was able to dig into emails for registrations, visit the sites and trigger "forgot my password" so I could then login and delete/close the accounts.

This has left me considering my own future arrangements for when I pass, especially if that was suddenly. The majority of the information my family would need is held in my 1Password account. I would not want to share my Master Password with anyone (including family members) whilst I am alive, but I want to be comfortable I could do this securely if something did happen to me.

Obviously, AgileBits do not store the password so even if they were asked by the Executor of my will, they wouldn’t be able to provide it.

The AgileBits support team provided the following which I'm posting as is:

"_Ultimately... it depends on how comfortable you are with different levels of security and trust with those around you.

I think it will ultimately involve writing it down physically. Leaving it somewhere digitally just means having to save it somewhere that could be compromised. Or it would have to be encrypted... which then you're back into the same boat of where to keep that key.

So after it's written down... where do you keep it? A sealed envelope in a filing cabinet or locked drawer? Perhaps in a safety deposit box at the bank? These all bring the security back to a physical key. And then you're just left with... who do I trust to know where this key is and what to do with it? And how do I make sure that everyone who knows where the key is wouldn't all be involved in the same kind of accident... essentially erasing the chain that leads to unlocking 1Password. (I'm starting to think about Dan Brown movies like The Da Vinci Code as I'm writing now... hopefully you've seen it so you catch my reference.)

So ultimately, the answer comes down to your feeling of security and who you have to trust around you. Then leaving them enough knowledge that they could get into 1Password, but only after enough headache that you trust they wouldn't do it unless they had to._”

So, my question would be to the community - have others considered this matter, and what solutions have you come up with?

With thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • rudyrudy

    Team Member
    edited December 2017

    @TheRealMrC,

    Safety deposit box copy of the most up to date emergency kit with your password written on it can certainly be a useful thing. I've got my parents setup in a Family account where i'm the recovery agent, but that would only really be useful if i have their computer and direct access to their email accounts to be able to recover the 1Password account.

    An interesting idea might be some form of escrow access within a Family account.

    Rudy

  • Emergency kit is printed out in a shoebox where my wife can find it. No joke.

  • brentybrenty

    Team Member

    @AlwaysSortaCurious: Yeah, depending on the situation, sometimes that's all it takes. :)

    @TheRealMrC: Thanks for taking the time to reach out about this. I'm sorry for your loss. I can only imagine what it's like to have to try to figure all of that out under those circumstances, when I'm sure it's difficult even under much better circumstances.

    The tough thing is that sharing something securely (like a password) means that the recipient needs to have the "keys" to access it, so it's inherently something that needs to be planned for in advance. And of course we often don't fully understand what more we could have done to prepare except in hindsight.

    I don't know who wrote that response you posted, but I really think that's a good overview, even though this is something with more questions than answers. We'd like 1Password to do more in this area in the future as well, so it's really helpful to hear more from you and others on this topic. :blush:

  • Here is my solution.

    My wife and both use the standalone version of 1Password with vaults synced through iCloud between our respective MacOS and iOS devices. In addition we share a “Family Vault” synced through DropBox.

    The “Family Vault” contains a "Secure Note" with the login information for my MacOS and iOS devices and my 1Password Master Password. In this way my wife can access my accounts in an emergency. Whenever I change my login or Master Passwords I update my information in the “Family Vault” so it is always current. My wife shares her information on another "Secure Note".

    I don’t like sharing my Master Password but in an emergency my wife must be able to access it. I like the shared vault solution better than writing down passwords physically. Writing down would be hard to do in my case. My Master Password is a long string of random Chinese characters, which I have no hope of remembering or typing correctly. Therefore my Master Password is stored is a small text file, encrypted with a passphrase I can remember and type. After decrypting I copy and paste the Master Password into 1Password.

    This solution doesn’t address a scenario where my wife and I would be involved in the same accident. But I consider the likelihood of that happening small. On the other hand the likelihood of passing at some point is 100%.

  • There's some complicated solutions here @TheRealMrC which introduce various points of failure so let's keep it simple.

    In most jurisdictions a Last Will and Testament is a confidential document stored by your lawyer/attorney which can only be opened upon receipt of your Death Certificate. Assuming this is true in your country, here's the solution:

    • Staple your secret key to your Will. Then, on the same piece of paper, write the location/s of your master password
    • Write your master password on a piece of paper and store it in 1-2 very secure places, separate from your will

    In the event of your demise your authorised representative would be given the secret key. They'd then locate the master password and that's it.

    By keeping your secret key and password in separate places greatly increases your security and makes it hacker-proof.

    The reason I suggest keeping your master password separate from your Will (such as at home) is in the event you change it - it'd prevent you from needing to go back to your lawyer and asking to open your Will.

    Your secret key looks like this: A3-HTBX87-9VZC73-QFFT6-9EBAV-L66V7-G33HB and this should never need changing.

  • rudyrudy

    Team Member

    @darrenNZ,

    There are events that will trigger a new Secret Key to be generated as well. Such as if you've got a family account and you at some point need to have your account recovered. But you can also manually cause it to be regenerated from your Profile page.

    Rudy

  • Sorry for not replying sooner to all who left a reply on this. Some very interesting discussion and observations.

    I did consider the "Will" approach, but we're using the Which? (UK consumer association) Legal service to write our wills so it's all done online, then we get a print copy, as well as them legally storing - hence, hard to include a note in this.

    I may consider storing with local solicitor, but think my preference is likely a physical version - probably a note in an "emergency kit" but which points to something only my partner will be able to find.

    I also do think would be interesting to see what AgileBits could do in future - though as I understand it, they've removed themselves as a backdoor to the chain quite successfully, so I'm not sure I can think of a solution they could implement which doesn't in itself introduce a backdoor back in. Maybe a good first step would be a knowledge base article on the topic, providing the context of why AgileBits wouldn't be able to provide the MasterPass (even if you had a death certificate and power of attorney), then maybe proposing some different options people could consider.

    Anyhow, thanks all for your replies!

  • brentybrenty

    Team Member

    Sorry for not replying sooner to all who left a reply on this. Some very interesting discussion and observations.

    @TheRealMrC: Sure thing! And happy new year to you! :chuffed:

    I did consider the "Will" approach, but we're using the Which? (UK consumer association) Legal service to write our wills so it's all done online, then we get a print copy, as well as them legally storing - hence, hard to include a note in this.

    Ah, that's a really interesting solution...but I can see the dilemma.

    I may consider storing with local solicitor, but think my preference is likely a physical version - probably a note in an "emergency kit" but which points to something only my partner will be able to find.

    Yeah, that's the tough thing: there is no one-size-fits-all solution; we all have things arranged a bit differently.

    I also do think would be interesting to see what AgileBits could do in future - though as I understand it, they've removed themselves as a backdoor to the chain quite successfully, so I'm not sure I can think of a solution they could implement which doesn't in itself introduce a backdoor back in. Maybe a good first step would be a knowledge base article on the topic, providing the context of why AgileBits wouldn't be able to provide the MasterPass (even if you had a death certificate and power of attorney), then maybe proposing some different options people could consider. Anyhow, thanks all for your replies!

    Hmm. I wouldn't mind writing something like that myself, but I wouldn't know where to begin. It's such a broad topic! But I agree that it's an important one, so hopefully I (or someone smarter) will be able to come up with something solid. Cheers! :)

  • Hi,
    I'm in the process of thinking about this unfortunate event myself.

    I think that a quite simple solution could be provided at least for family account subscribers (and would even be a nice selling point for that :)).
    Currently, the only thing preventing a family organizer to access the data of a family member who passed away is the fact that the recovery email is only sent to the owner of the data.
    (That's even problematic without any death issue, because if the email account is well protected, it would be using a random generated password stored in 1password as well. That's the only thing currently preventing me from using a really strong password on my email account).

    Three solutions I can think of:

    1/ As suggested in another post, in case the owner of the data doesn't click the link in a certain amount of time (that he could set up, or with no delay at all if wanted), another email would be sent to the family organizer who initiated the recovery, who could then do the recovery process on behalf of the data owner.

    2/ Users could designate one or multiple organizers/members who would receive the recovery email, with the same (no-)delay options as in 1/, and do the recovery on behalf. You could even add an option to accept or decline this responsibility as the recipient. And cherry on the top, even a non-1password user could receive the email.
    All things considered, it could simply be a list of email addresses to send the recovery email to.

    3/ Same as 1/, but instead of sending an email to the recovery initiator after the delay, all or some vaults of the data owner would be automatically "attached" in read-only mode to the account of the recovery initiator. Although I'm not sure this option could be technically possible, given all the encryption stuff.

    I'm sure at least options 1 & 2 are technically possible.
    Regarding security, as long as every family member/organizer is able to set things up the way he wants, and give the recovery option only if he wants, I don't see any concern.
    The only safeguard I think would be needed, is that the data owner would need to be informed by email if a recovery is initiated on his account, with the ability to block this recovery, in case it is "fraudulent".

    @brenty @rudy what do you think ?
    To me, this really needs to be addressed ASAP, as we use more and more accounts every day in this digital age, and it can become a real disaster to lose access to these sensitive information. But you know that, that's the reason 1Password even exists ;)

  • LarsLars Junior Member

    Team Member

    Welcome to the forum, @Djeross!

    I'm in the process of thinking about this unfortunate event myself.

    Yeah, I think a lot of us ponder it at some point -- not the most enjoyable topic, is it? But certainly one of the most important, at least potentially, in some cases.

    In fact, you've hit upon one of the features we've got on a wish-list for things that we can really spend some time digging into, and come up with an elegant and more importantly secure way to do. In other words, we need to make sure we're doing it right, in a way that doesn't allow for social engineering or simple treachery to defeat it. We've got a few high-level ideas we're kicking around, but for the moment, nothing to announce in regard to this. I don't get to make the decisions about what gets worked on and what doesn't here (darn it! ;) ), but I'm personally a big proponent of adding this kind of functionality to 1Password accounts -- it's one of those additions that can really bring value to users that doesn't exist right now. I'll pass along your thoughts to the developers, and we thank you for taking the time to think scenarios through in such detail. We appreciate it. :)

  • Thanks @Lars !
    Yep, not the most enjoyable, but so much needed to be sure everything goes smoothly in case of unfortunate event.
    As you said, that would be a true valuable feature.

    I'm glad to hear it's on your to-do list, hope to see something soon.
    Keep up the good work.

  • brentybrenty

    Team Member

    Indeed, we're not sure what form features in this vein might take in the future, but it's an important topic. Thank you for your feedback and suggestions! :)

  • @Lars @brenty Just came back round to my original post on this and caught up on the discussion. Firstly, thanks for all the community participation. Secondly, it's one of those types of dev problems which would be easy to distance yourself from ("it's outside our system boundary", etc) . It's a credit to Agilebits that you're the sort of business that see this as a potentially valuable feature, prepared to do some hard thinking on it, and not dismiss a functional solution in future (even if it is a hard problem). So, cheers!

  • brentybrenty

    Team Member

    Likewise, thanks for your passion. I wish we had a clever solution already, but hopefully we'll be able to come up with something that helps people even more in the future. :)

  • I'm also thinking of how to manage my passwords after I die. I use 1Password for all my userids, passwords and associated stuff and most of these should be given to my kids after I die, but there are some userids and their passwords that I would like to go to the grave with me. How best to do this?
    Maybe: If I create a new vault and put the private stuff in there and then have some way to give access to only my main vault and not the private one, would that work?
    Also, from posts above it looked like the experts at AgileBits were working on a process to handle what to do when a user dies. Any news on how that's going?
    Thanks to AgileBits for a great product!

  • I have the Emergency Kit stored in a bank lock box where my wife has access as well. To access the bank lock box you need to identify yourself with the bank, so having only the key is not enough. You need to be an authorized person to access the lock box and bring the corresponding key. That is safe enough in my opinion and also an actionable way for my wife to get my affairs in order in case I am not dead but maybe in a coma or something similar.

  • Doodler_BenjiDoodler_Benji

    Team Member

    With such a sensitive subject, we are taking our time to make sure it is designed and engineered in a way where, there isn't a better way. We want to make sure when we ship the solution, that the need for it to change, is next to zero. So you can set it up once, forget about it until others need to action it. No one likes to have to deal with the sadness of a loved one, it is a horrendous time and you want things to be as painless and as easy as possible — while being able to rest assured that the sensitive information is only ever going to be in the hands you choose when you cannot hand it over personally yourself. In the meantime, there are quite a few personal choices for how we all choose to manage this data ourselves, ( storing the emergency kit in a safe, leaving data with someone you ultimately trust etc.)

  • What about implementing a similar solution as LastPass, where members can request access, and if it is not declined within a certain period of time, it is granted to the requester. The requester has to be a family member within the same family account.

  • BenBen AWS Team

    Team Member
    edited March 6

    @thimplicity

    I bellieve that would require us storing the decryption keys, which is not something we're willing to do. Not doing so is one of the core tenets of how we protect your data. Otherwise I'm not sure how we could give someone something that we don't have.

    Ultimately this may end up being a problem that 1Password cannot address directly, but we'll keep looking for creative ways to help with this problem. It is something we'll all have to face some day after all.

    Ben

  • @Ben - Thanks for looking into this. I have of course no real idea how things are stored, but maybe there can be a solution, where the respective vault is given a new owner. So that new owner can use his/her credentials. I assume this is probably difficult/impossible, as stuff is encrypted with the first owners credentials. At the same time, one idea could be that as soon as the first owner puts in the second one as the owner, the vault is connected to the credentials of the second one. And by the time access is not declined, the vault is re-encrypted with the new owners credentials.

    This is probably a stupid idea, but maybe it creates new idea with people who know what they are talking about

  • LarsLars Junior Member

    Team Member

    @thimplicity - it's certainly something we can pass along to the dev and security teams. As you suspected, it's considerably more intricate underneath than we go to great lengths to disguise in the UI -- not because we're trying to hide the ugly truth from anyone, but because being able to have and use good security confidently shouldn't require a CS degree or intricate knowledge of Public Key Infrastructure or Diffie-Hellman or...you get the point. I honestly don't know what a good solution to this is going to eventually look like, but until we can roll out something your mom can use (well, not yours specifically ;) ), we're just probably not going to be doing half-measures and we definitely won't, as Ben says, be doing anything that will cause us to retain encryption keys or the secrets with which to derive them. Definitely an area where we want to make sure to get it right, and that means taking into account multiple factors. Thanks for the suggestion! :)

  • greeninggreening Junior Member

    There are encryption techniques that allow a quorum or a subset of trusted people each with their own distinct keys to decrypt something. You can say “any 3 of these 5 people must submit keys to decrypt this item.”

    Agilebits could let you designate N trusted people, with you specifying the minimum number that can request an unlock . Agilebits could have you specify a minimum time delay. Agilebits could email and text you whenever anyone submitted a “trusted friend unlock request.” If you specified a reasonable minimum delay, you could “belay that order,” saying “I’m not dead yet!” as in Monte Python.

    This would totally work for me, because my friends are tech savvy enough to know what to do. However, it could also reasonably work with non-tech-savvy folks by leaving the unlock keys with escrow officers instructed to submit an unlock request survivors only after being presented with a death certificate.

    I do want this service. We’re all going to die. Like most of us, I want to protect my assets while alive, and unlock them after death.

    Agilebits is pretty much the organization that needs to do it.

  • ag_anaag_ana

    Team Member

    Thank you for sharing your idea @greening!

  • BenBen AWS Team

    Team Member

    @greening

    It sounds like you're describing Shamir's Secret Sharing. That is something we think is very interesting with regard to this subject. Our security team is familiar with the concept and plans to discuss the possibility further. I can't make any promises, but that is indeed one of the ideas that has been put forward.

    Ben

  • greeninggreening Junior Member

    Thanks @Ben, yes, Shamir's Secret Sharing is exactly the algorithm. I read Shamir's CACM paper back in undergrad school, and in those ancient days it didn't have that cool name,

  • brentybrenty

    Team Member

    :) :+1:

  • greeninggreening Junior Member

    Is there activity around this? I find myself traveling, with instructions on how to get into an AirBnB on my phone, wondering if I need to carry around my phone AND my iPad to ensure if something breaks the other one will work. And then I started to think about "what if I'm incapacitated?" and then I looked to see if there was anything happening. Not seeing anything... :)

  • ag_anaag_ana

    Team Member

    We don't have anything to announce around this yet @greening, sorry. For now, the best solution to access your account in an emergency is with a copy of your Emergency Kit .

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file