Let me start off by saying that I don’t plan on dying any time soon. However, we’re all too familiar with the fact that we aren’t in control of our own mortality. This point was made painfully clear to me back in 2006 by the death of a close friend at the age of 21, killed by a drunk driver. Aside from the emotional fallout, one of the best pieces of luck was that her fiancée knew her every password and was able to recover every aspect of her digital identity. This is a post on planning for the future of your digital identity.
State of the Art (of Death)
It has been a recent trend in the technology world to start trying to figure out what happens to our digital identity after we die. Sites like 1000memories have begun cropping up and Facebook has developed memorialized profiles to address partial decommissioning of your social networking profile after death. But there are many other aspects of our digital identity which have upkeep costs: domain registrations, hosting, pro-level accounts for popular services, and more. Not maintaining these accounts can result in instant removal of vast swaths of your online presence, pieces of which may have been either sentimental or valuable to many people (more discussion on that here).
Worse still, if you’re like me (and let’s be honest, if you’re reading this you probably are) you maintain accounts for a large number of people that I’ll term “Technology Dependents.” This can be as simple as being the only person with the password to the family router or fall along the gamut of registering and hosting domains for your family members to having unique and privileged access to systems at your workplace that would need to be recovered were you to die. Technology Dependents make up a special edge case of your digital identity that really needs to be addressed. They’re people who would be out of luck if you were hit by a bus and would have little-to-no recourse for getting back into systems that you set up for them.
What Can You Do?
I’ve not always had a great solution for this, but ever since 2006 I’ve had some method that would enable people to gain access to aspects of my digital identity. This past February I revisited my solution and came up with something I’m very comfortable with that addresses the problems of upkeep costs, Technology Dependents, and, as an added bonus, password management. Not only that, but it also works along two axes: the digital world and the physical world. The ingredients: a safe-deposit box, a USB key, 1Password, and Dropbox.
How I’m Using 1Password
With my primary operating systems both being provided by Apple, an application like 1Password that is oh-so-usable and very beautifully designed on both platforms (iOS, OS X) makes me happy. Also, 1Password isn’t just passwords; these guys get bonus points for creating a simple way for me to store other useful things like credit card information and license keys for programs I own – also important pieces of my identity that could be useful to somebody who is acting on my behalf.
I spent most of a month’s worth of downtime going through and recovering every single online account of mine (nearly 300 of them) and entered them into 1Password. The import work, however, is a one-time sunk cost and worth every bit of effort for the subsequent ease of use and peace of mind. For example, the vast majority of my passwords now look like this: BX[HxXap2@6KmXT. Good luck finding that in a rainbow table. :)
However, not all of my passwords look like that. I have an intentionally “low-security” password which I use across a number of sites such as Facebook and Twitter which, if it is compromised, can simply be changed in all cases with relatively minor inconvenience. In addition, I have three secure passwords that I keep memorized: my master password for 1Password, my email account, and my Dropbox account. With the combination of those three passwords I am able to either: get any password, reset any password, or have access to any site’s password from anywhere.
Adding in Dropbox
Access from anywhere? Yep. 1Password will sync your 1Password archive to Dropbox if you tell it to do so. This enables a couple of hacks. First, they include an HTML file in the password archive that will decrypt your archive with JavaScript. This, paired with my memorized Dropbox password, means that I don’t have to always be on my computer to access my passwords. I don’t recommend using the web-based approach, ever, but in an emergency it is available to you.
Second, and perhaps more importantly, Dropbox enables sharing. This means that I can share my (encrypted!) 1Password archive with people I trust, and even if my computer were destroyed in an event that leads to my death, they will have a copy of the archive available to them with no additional effort.
Family & Best Friends
Why would I do such a thing? One of the things I realized when I was going through all of my accounts and importing them was that my best friend and (to a lesser degree) my parents would be able to recover nearly all of them. They know the answers to all of my security questions and, upon calling customer service, could be me with no trouble. The realization that many of my accounts are only secure from them by their virtue made it easy to justify sharing my encrypted 1Password archive with them via Dropbox. Not everybody will have this privilege and I count myself lucky that it works this way for me.
Planning for Things to Go Wrong
I strongly suggest that, before you go and kick the bucket, you talk to somebody about being your “technology executor.” In addition to being highly trusted, this person should be technologically capable enough to wean your Technology Dependents off of your accounts onto their own and to make the final decisions regarding each scrap of your online identity. In my case, this person is my best friend. Having completed this step you’re now allowed to die.
All scraps of your digital identity are stored in a 1Password archive that is set up to sync with Dropbox, you’ve shared that archive with people you trust, and you’ve died. This is what your safe deposit box is for: the passing of physical things from one person to the next is a relatively solved problem in law these days. Eventually one of your heirs will collect the things from your safe deposit box which will include three things: a USB key with a semi-recent copy of the archive on it, a sealed envelope which contains your three master passwords (1Password, email, and Dropbox), and a letter explaining what to do with them.
For example, my letter describes that I have a group of items under the label “recurring,” all of which need to be addressed quickly to ensure that they don’t lapse before somebody has made an active decision about what to do with them.
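A check worth running each time you visit the safe deposit box, added here as an example and not part of the original post: it compares the Dropbox-synced archive folder against the copy on the USB key and reports files that are missing, changed, or older than a refresh threshold. The function names, the 180-day threshold, and the assumption that the archive is a folder of files are illustrative; the check only hashes the encrypted files, so it never needs the master password.

```python
import hashlib
import os
import time

def tree_digests(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def newest_mtime(root):
    """Modification time of the most recently changed file under root."""
    times = [os.path.getmtime(os.path.join(d, f))
             for d, _dirs, files in os.walk(root) for f in files]
    return max(times) if times else 0.0

def audit_offline_copy(live_root, offline_root, max_age_days=180, now=None):
    """Compare the synced archive with the offline (USB) copy.

    max_age_days is an assumed refresh policy, not a value from the post.
    An empty offline copy is always reported as stale.
    """
    now = time.time() if now is None else now
    live, offline = tree_digests(live_root), tree_digests(offline_root)
    age_days = (now - newest_mtime(offline_root)) / 86400
    return {
        "missing": sorted(set(live) - set(offline)),   # never copied to the USB key
        "changed": sorted(p for p in live.keys() & offline.keys()
                          if live[p] != offline[p]),   # updated since the last copy
        "extra": sorted(set(offline) - set(live)),     # deleted from the live archive
        "age_days": round(age_days, 1),
        "stale": age_days > max_age_days,
    }

if __name__ == "__main__":
    import sys
    # Usage: python audit.py <synced archive folder> <USB copy folder>
    for key, value in audit_offline_copy(sys.argv[1], sys.argv[2]).items():
        print(f"{key}: {value}")
```

Entries under "missing" or "changed" are accounts added or passwords rotated since the last copy, which your executor would not find on the USB key alone.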
Security
This isn’t necessarily a completely secure system, but the attack surface area isn’t particularly large: an encrypted 1Password archive. Theoretically, if my password to the archive is good enough and there are no weaknesses in 1Password’s algorithm I could simply post my password archive on the net, which I’m effectively doing with Dropbox (albeit, more limited). Posting publicly isn’t really the best of ideas (in case somebody is sitting on a 1Password encryption system vulnerability) but by providing a secondary limiting factor of Dropbox, I’m okay with it.
Yes, I’m accepting some risk in doing it this way, but I would say that the risk is marginal compared to using a single password for everything or writing down passwords on sticky notes.
Conclusion
So that is my system for managing my digital identity. In the event that I step out in front of a bus tomorrow, everything entrusted to me by my Technology Dependents will be fully recoverable and there will be a complete listing of every single shred of my online persona with access for the executor of my estate.