Historically, sorting through a recently deceased loved one’s paperwork was an arduous and painstaking task. It is also prone to missed, missing or physically damaged documents. Times have changed and with most accounts now online has it helped or just turned an old problem into a new one?
In times gone by…
Most of us have experienced first-hand or indirectly the amount of time and effort it can take to sort through a family or friends affairs. I’ve seen it myself when my parents have had to sort through mounds of paperwork trying to piece together my grandparents accounts. That is of course if any paperwork even existed and if you know where it is.
Times are a changin’
With most accounts now accessible online in some manner, we are seeing an increasing shift towards dealing with digital accounts rather than paperwork. But does this help make a horrible task easier? Without a central list of accounts and relevant details, it is likely people will end up in the same position as they did before. This time sifting through digital accounts rather than paperwork.
My Dad being the organised man he is, wanted to ensure his digital affairs would all be in order. He wanted a solution that is easy to manage but also secure. He asked what I’d recommend which got me thinking. My immediate thought was obviously some form of password manager, but how to handle this securely? Most password managers use a concept of a “master password” which is used to decrypt the secure database – what options would he have to provide me access?
- Just tell me the master password now. I could store it in my own password manager and promise not to use it. This would also mean I could potentially access his data at any time (not that I would)
- Include his master password somehow in his last will and testament. Again – I don’t like this (for obvious reasons). Giving a third party the key to all your passwords isn’t a good idea
- Something else – but what?
Clearly option one and two don’t seem acceptable. Option three needed a bit more investigation, so I had a look at the password manager that I use – Dashlane.
A possible solution
On looking at my password manager I noticed there was emergency contact option – could this be of use?
I’d seen the sharing option before but had never really taken any notice of the emergency one. Having a look on Dashlane’s support forums I came across this article – looks like it will achieve what I’m looking for. I’d have the ability to access an account and all the credentials without the need to know his master password. Great! So how does it work?
I won’t re-write the article I linked to above – it already gives a good overview of how it all works. The TL;DR version of it however is shown below:
- You create one or more emergency contacts in your Dashlane app
- When creating the emergency contact you also specify a “waiting period” – this setting defines a period of time that gives you an opportunity to approve/or deny requests
- Optionally this waiting period can be set to “require a response” – so if you don’t approve it, they don’t get access. Obviously won’t help if you’ve passed away though and can’t approve the request!
- If you wish to restrict access to certain passwords rather them all then you can also do this as well
Once the emergency contact has accepted the invitation and setup their Dashlane account/app they will be able to request access to your credentials at any time. Depending on how you configured your settings they will either have to wait for you to approve access or wait for a specified period of time (two days by default) after which they will be provided read-only access.
How it works
Reading through the article it is clear that the process somehow utilises public/private keypairs to encrypt/decrypt. This allows the emergency contact to gain access without the need for knowing the other person’s master password. If you’re not familiar with public/private key encryption – in a very brief nutshell anything you encrypt with your public key can ONLY be decrypted with your private key. Everyone in the world could have a copy of your public key, but without the private key it is useless. For this reason, your private key must be kept just that – private. Fortunately, in Dashlane your private key used for this feature is further protected by your master password.
Back to the technical workings – I believe the process must use the emergency contact’s public key to encrypt a copy of the other person’s Dashlane database. When access is granted to the person’s data the emergency contact’s private key must then be used to decrypt it. What isn’t too clear to me from reading the article is how the emergency contact has access to the database to decrypt the data. The article says that a premium account isn’t required to use the feature (which typically is for any cloud sync), however I can only imagine that this still syncs data to their cloud infrastructure for sharing with the emergency contact. Without this the data would become out of sync or would require the emergency contact to have access to the database file stored on the person’s computer – neither of which would seem a good solution.
I will be looking to follow up with Dashlane on this and will provide an update if I get an answer.
Dashlane got back to me and the way I explained above is indeed correct!
The final takeaway
Hopefully this post has made you think about how you manage your accounts for the future. I’m not saying this is the only or best option – just one to help make things a little easier. Similarly, Dashlane is not the only password manager to provide this sort of feature. Other major password managers such as LastPass also support similar. I’d suggest doing your research; understand what each provides, any limitations they may have and then pick one that is best for you.
Obviously, this will also only work as a solution if you actually populate the manager with all your account details and of course maintain it securely during your lifetime. This means strong passwords people (or even better – passphrases)!
As an added bonus, the use of a password manager (which is a REALLY good thing to do) will hopefully help promote good password habits with people using secure random passwords for each of their accounts. No need to remember them all when your password manager can do it for you.
I’d love to hear your thoughts on this. Do you plan on setting something similar up? Do you already? Have you come across any better ways of doing it?
Comment below or drop me an email/tweet using the buttons at the top of the page.
2018-05-30 01:00 +0100