Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Preparing for the Ultimate Disaster

What happens to your important data when you’re not around?

If you're not around to unlock all the digital data you take such care to secure, who will be able to access it, and how?
Open view...
(Image: canva.com)

Making technology convenient and secure is a problem we deal with daily. We make trade-offs and use techniques to hopefully strike an appropriate balance.

A more difficult dilemma that we rarely think about, however, is death, serious illness, or injury. If something were to happen to you, would the people you leave behind be able to access the information they need? What happens to your encrypted data, online accounts, social media, online finances, pictures, and digital-whatever-else if you’re not around to access it?

I hear regularly from people frantically trying to access sentimental or critical data that a recently deceased or incapacitated friend or family member has locked up tightly.

It’s not particularly pleasant to think about, but with all the security measures we put into place to keep bad people out, it’s worth having a plan for letting good people in.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Preparation

Disaster planning feels at odds with security. Someone other than yourself needs to have access to your critical accounts and data if you’re unavailable. Depending on who you trust and how much you trust them, you might share passwords or partial passwords between more than one person. Some password managers include account recovery mechanisms for just this situation. Above all, document what needs to be documented, and make sure there’s a way for your loved ones or co-workers to gain access should the worst happen.

Left behind

The wife of a military member killed overseas wanted access to her husband’s email account to retrieve critical information as well as to get a glimpse into the last days of his life. The service was a free email account with no customer support. There was nothing I could do to help.

The children of an elderly gentleman needed to access his password-protected computer to retrieve the only copies of some very important family pictures. Fortunately, there are ways to break into many (though not all) Windows machines if you have physical access.

These are just two examples of scenarios I hear regularly. Sometimes, I can help. More often, I cannot.

These are also scenarios I worry about myself. I have a large amount of encrypted data and do many things online that require secure access. If something were to happen to me, what would my wife do?

At odds with security

This kind of disaster planning is at direct odds with the conventional wisdom that says, “Never share your password with anyone.” Yet that’s exactly what you must do in case something happens.

It’s not an easy scenario to solve, and not all solutions work for every person… but solve it you must.

For those of us who would leave behind a confusing, encrypted, password-protected digital mess, it’s critical to ensure that the right people are able to access and make sense of it all.

Who do you trust?

As with so many things, it boils down to trust. Who do you trust?

And are you certain that you will still trust them a year from now? Five years from now? Twenty years from now? How many friendships, relationships, and even marriages last that long?

Fortunately, you don’t have to commit to twenty years of trust. Set up properly, a timely password change or two can protect you when trust is lost. But the fact that trust can be lost must be built into the system.

Whenever the answer to “Do I trust them this much?” changes, it’s time to take action to protect yourself and find a new trustee.

It’s not always easy, but it is important.

What do you trust them with?

Once you have someone you trust, what exactly do you give them?

On one hand, you don’t want it to be every single password to every possible account or encrypted thing you have. That’s a maintenance nightmare, as you’d have to update your friend every time you add or change a password without fail. Chances are you won’t, and the passwords held by your friend would quickly end up out of date.

You definitely don’t want to use a single password everywhere. While easier to maintain with your trusted friend, it would also make it easier for a hacker to instantly have access to everything should that password ever leak out.

The ideal solution is to give them access to exactly one thing — one account or one encrypted file — in which you either automatically or periodically keep your information up to date.

One approach: password vault access

Using a password manager or vault such as Bitwarden or 1Password can help in a disaster situation.

You keep information in your Bitwarden vault up-to-date simply by using it. You can even add secure notes to Bitwarden for items that aren’t covered by its online database.

The (very inexpensive) premium version of Bitwarden has a feature called emergency access for just this scenario. You give a trusted friend the ability to ask for access. If you don’t deny access within a certain time period — presumably because you’re no longer with us — that trusted friend gets access.1

That’s it. When disaster strikes, your trusted contact has access to any of your online accounts maintained in the vault.

Another approach: explicit encryption

I now rely on Bitwarden as above, but in the past, my approach to disaster access used explicit encryption in the form of a TrueCrypt volume I used every day.

Anything important was stored inside the encrypted container. Once again, simply mounting and using it — which was a side effect of simply using the computer — naturally kept the contents up to date.

All I needed to share with my trusted friend was the location of the container and the passphrase to open it up. Once inside, everything was there, including files containing additional instructions. And once again, should trust be lost, I could simply change the passphrase.

There are a variety of encryption tools that work well in this scenario, including VeraCrypt, Cryptomator, and others.

How do you trust them with it?

Simply giving someone complete access to your password manager or your entire collection of personal files can feel scary — and rightfully so. It’s not something to do lightly.

To be honest, if you’re not sure a specific individual can be trusted with the information, it’s likely they shouldn’t be. You want someone you can really trust.

One way I’ve found that helps a little is to provide that critical information on paper in a sealed envelope. The implication is that you could ask for the envelope back, and, seeing it still sealed, know your trust was not misplaced.

Two-man variation

A variation of this approach is the “two-person rule“. With this approach, you never give a single person your complete password, but instead, select two (or more) individuals and give each of them a portion of it. Only when they agree can they assemble the pieces and gain access.

A lengthy password (or a passphrase) is ideal for this as long as the phrase is nonsensical. You should not be able to guess a missing piece of the phrase with only the portion you’ve been given. “Correct horse battery staple” is a good example of this, since (aside from its notoriety as an example passphrase) the words are completely unrelated to one another.

A little documentation and a lot of trust

It all boils down to a little documentation and perhaps a couple of simple additions to your existing routine. You should already be making sure that your data, passwords, and identity are secure. Building in a secure mechanism for disaster recovery shouldn’t be all that difficult.

Choosing the right person requires the most thought. The rest is essentially just paperwork.

Do this

My view is that as the “keeper of the technology” for your family or business, you have a responsibility to make sure that if something happens, they’re protected.

Your needs might be different. Your solutions might be different. A thumb drive in a safety deposit box might be enough (perhaps use two, for redundancy, and make sure they’re up to date periodically). Perhaps keeping certain information with a family lawyer is right for you.

Or perhaps the password vault approach I’ve outlined above works for you.

But most important of all is to simply realize what not to do.

Don’t leave your family, friends, or business without access to the information they need should you become unavailable.

That could elevate a tragedy into an even worse disaster.

Podcast audio

Play

Footnotes & References

1: Even though I use 1Password myself, for a variety of reasons, I also have a Bitwarden account simply for this purpose. It contains further instructions that would allow my emergency contact to access more.

92 comments on “Preparing for the Ultimate Disaster”

  1. One thing that just came to mind is LastPass, it not only stores all of your passwords, but it also lists all of your websites that have passwords. That means if you have some way of letting people know your LastPass email and password, they can get into all of your accounts anywhere in the world. You can, for example, give 2 or 3 people 1/2 or 1/3 of the password which they can use to reconstruct your password. One good thing about a program like LastPass is that it’s always up-to-date and available on the cloud so they don’t even need access to your computer.

    In addition to the two person rule of splitting your password between two or more people, I’d use a two by two person rule where two or more people have the same portion of the password so you have a backup in case one of your password portion holders dies.

    Reply
  2. I’d burn a CD (it will last longer than a piece of paper) with a couple text files and tape it to the bottom-inside of my system. If someone really wanted the data on my boxes in the case of my death, most likely they would try and bring it to a professional who might open the case and see it.

    The text files would include all my passwords (system/emails/school account), a request file of what I would like people to do with my stuff when I’m gone, and a file detailing paths to all 3 of my system backups saved on a sep drive on my main box (if they get axx to that 1 system, they get everything from all my systems).

    How’s that for an idea?

    It’s good, but I have two issues with it: 1) I’m not convinced a CD will last longer than paper. (Let’s face it, we’ve got multiple-hundred year old paper documents lying around, and my 20-year old music CDs are starting to show bad-bits), and 2) if someone ever steals your computer and happens to look inside (perhaps as they prepare to part it out), they instantly get the keys to your kingdom.

    -Leo

    Reply
      • Oh, and what about new or updated passwords AFTER you put the CD in the PC case? How often are you going to change out that CD?

        I don’t see that as manageable.

        Reply
    • Ignoring item two (which, in the case of a desktop computer, isn’t especially likely anyway), there are gold-formula “archival grade” CD’s and DVD’s, which are especially designed to last for many decades.(Naturally, they’re expensive as all h*ll, but for this purpose they’re worth it.)

      My own concern would be the environmental conditions which any such CD or DVD would be exposed to. The interior of a computer gets hot — very hot. Perhaps even hot enough to warp, or even outright melt, plastic! Not even your expensive-as-all-hell gold-formulated CD or DVD would survive in that scenario! :(

      Reply
  3. Keeping that password etc stuff in a locker with your bank is another option. A person’s legal heirs would get access to it after that person’s death.

    Banks can be always trusted and they are more organized than an average person who may lose the stuff or accidently expose it to unwanted persons. But rest assured recovery would take a few days unless it’s a joint locker.

    If the information retrieval is needed to be faster, Leo’s approach is pretty safe.

    Also known as “safety deposit boxes”, they are also a good solution, though there are limitations. The mere act of putting or updating something in it can be enough of a barrier that it’s not always as up to date as you might want it. Also, as you allude to, the contents of the box may not always be immediately available to the heirs. Even worse, if it’s not a death but an incapacitation situation the contents may not be available at all, or at least not without even lengthier legal proceedings.

    And then there are people like me who don’t even have a safety deposit box any more. :-)

    -Leo

    Reply
    • The banks in South Africa get rid of deposit boxes because of risks. Criminals have repeatedly broken into the deposit box rooms and stolen everything they can.

      Reply
  4. Interesting question. I have often been thinking about this and there is no easy answer. But I think the solution has to be simple. You can tell someone where and how to get your passwords, but that person will also have to have some sort of “mnemonics system” of their own. It is easy after one week, one month, but not after years.

    Also, even if we give someone’s a list today, this list will become quickly obsolete and we might not remember to update it. This is the same thing with wills; we do it and forget about updating it; we think this is good forever.

    The only way to do it, if we have a partner in life, is to involve that person with our choice of passwords. If we are alone, hum…, not sure what would be good.

    We have to hope that some genius will solve that problem in the future, but I am rather skeptical about this.

    Reply
  5. Chris’ idea has one flaw that makes me very uncomfortable. If the computer was ever stolen, it would contains not only all the data, but also the passwords to access it.
    I suppose, that it might be acceptable for someone who was extremely sure of the physical security of the computer.

    One option for those who want a secure setup like Leo uses, but don’t want to share the password with anyone until they are gone (or at least incapacitated) is to setup an automated email that would be sent in such a case. A simple (free) way would be to setup a calendar reminder with email notification on Yahoo (or one of the other free email services with a calendar) to send the password required to get into your stuff to the person you designate. You would then have to periodically reschedule this event before it went out. If you became unavailable to reset, the email would be sent. This scenario has the advantage that you do not have to update anyone with your password changes, but would probably require another (calendar/email) reminder to reset the “dead-man-switch”. There would also be a delay before your email went out corresponding to how often you wanted to perform the reset maintenance.

    I suppose you’d have to be quite paranoid to go to this much effort… Well, time to go reset my switch.

    Reply
    • There actually used to be an online service — deathswitch(dot)com — which did all of this for you automatically. Unfortunately, there is a serious problem with any and all such services: the problem of continuity. This particular service went defunct on Thursday, October 22, 2015 (which, BTW, is why I give their URL the way I do — I specifically did NOT want that URL to become clickable, since the site is dead).

      Even the scheme you mention has the same problem — can you really be certain that Yahoo![tm] will l still exist by the time you croak…?

      Reply
  6. To brand that stuf on a CD sounds good. But to put that CD in the system and hope then that the system will be brought to a professional and than hope too that that professional will do the right things, is too much. I would not count on that. I would put that CD on a safe place and give instructions to the person(s) who would otherwise take care in these situations.

    Reply
    • It’s essential that everyone understand that CD’s, especially ones burned on a home computer, are NOT a reliable long-term backup solution! They can go bad surprisingly fast, even just a few years, especially if they’re not stored in a cool dark place. Therefore, Chris’s idea of putting it inside a computer case, which would almost always be quite warm, wouldn’t be a good idea at all.

      Reply
      • There are archival-grade CD’s and DVD’s, both recognizable by the gold color of their writable surface, that can store data reliably for decades.

        Reply
  7. How about one of the Password key systems that hold all your passwords on a USB memory stick. You would have to give that passowrd to your trusted people but it would not be of use until they were able to get your USB key?

    Interesting, but a couple of assumptions I don’t like: to keep it up to date you would have to keep it with you and use it regularly. So there’s a likelihood that it might disappear when you do, depending on exactly what happened to you. :-) Also, flash memory wears out. Better than some, worst than others, but I’d be reluctant to put something this critical on it with the assumption I could use it daily and it would still be a sole repository or “long term storage” for my heirs.

    -Leo

    Reply
  8. I’ve given out my passwords to everyone i trust..
    .
    plus.. there’s text a file straight in my open hard disk that contains all the passwords and stuff required to open my accounts..
    .
    sensitive data that i don’t want ANYONE else knowing will be lost with the password that’s in my head =P

    Reply
  9. I have an almost identical arrangement to Leo’s. Except my passphrases are all contained in RoboForm (so one master passphrase can access all the others). That master password is in a sealed envelope in a secret place in my house – and my family know where that place is.

    Reply
  10. I have often thought about this scenario (dying). My user files are stored on an external hard-drive, so it is accessible on ANY machine (family pics and stuff) – all one would have to do is remove it (it’s USB), and plug it into a different computer. My main hard-drive just contains Windows and programs – all one has to do is insert the recovery disk and format the hard-drive. As it stands right now, nobody can access my external hard-drive until I actually get past the sign-on screen for Windows, so I guess it is SOMEWHAT safe, and yet easily accessible if I die. If somebody is going to steal my machine, a password will likely not stop them anyway. One advantage to this is in the case of fire – I can safe important files/pics/data just by yanking out the USB cable – the machine can stay where it is. Another advantage of this is that the main drive doesn’t get as fragmented.

    Reply
    • But you’re talking about pictures and things on your harddrive. The issue is passwords on websites – banking, credit cards, investment accounts, even sites like Facebook/Ebay/ Amazon; not to mention multiple email accounts.

      I don’t use a password manager, so mine is a significant list that I keep in my head. I guess the best thing is to print out all the information a couple of times a year and put it in a folder somewhere – for instance, the life insurance folder that I have.

      Reply
  11. IMHO, like Leo says, every solution ultimately depends on trusting someone. A friend’s wife walked out on him and filed for divorce. But before moving out on my clueless friend, she cleaned out their joint bank account to the extent that my friend had to depend on his family for even day-to-day support. And she was “the” loved one. Who can you “really” trust in today’s world?

    Banks or established Law Firms are neutral safe places. The account and safe deposit box can have a nomination facility whereby the nominated person has to produce a death certificate or a living trust assignment to access the account/box without a lengthy legal proceedings.

    Reply
  12. Three words: “Safe Deposit Box”.

    Keep an envelope containing a list of your major passwords (no need to disclose them ALL, only the ones your loved ones are likely to need!) in your Safe Deposit Box. Safe Deposit Boxes ONLY become accessible to someone else after you’re dead, so by definition there is no risk of premature access by anyone else.

    Yes, of course, there are problems. There always are! First, there is a yearly rental fee, typically around $30.00 or so; this isn’t much but it may be a nuisance. Then, you need to update the secured information regularly, which usually means a special trip to the bank (another nuisance); and for your loved ones, there will almost certainly be a significant delay before access to the Box can be obtained. Still, it’s a good sight better than no plan at all, and for many (perhaps even most) purposes it may well suffice.

    Hope this helps!

    Reply
  13. Reading your current newsletter I came accross REXFORDS solution to “WHEN I DIE”.
    His methods are the same that I use with my trusted heirs, with 1 additional step. Every week I send an encrypted e-mail that includes any NEW or updated accounts with the passwords for them, that I have started so that they are ALWAYS up to date on what & where my accounts are.

    Reply
    • I’m a meticulous kind of person but even this sounds too tedious for me to follow through on. If I was receiving emails from a close friend/family member on a weekly basis and I was required to update their “legacy information” (as Dave Ramsey calls it), I’d simply ask to be taken off the list. Heck, I can barely keep up with my wife’s and my changes. Those that are doing this for you must really care about you. I mean no offense, I’m simply stating this sounds too tedious. I’m glad this works for you but doubt the majority could do this.

      Reply
  14. I have since found some online “Death Notification Services” that will allow you to set rules to determine if/when you have died, and to convey certain information — and in some cases, even certain digital files! — to designated individuals or E-Mail addresses upon the occurence of the Sad Event. Check out the following:

              https://slightlymorbid.com

              http://legacylocker.com

              http://www.deathswitch.com

    Good luck!     :)

    Reply
      • TheGrandRascal: Thanks for pointing that out. One more reason not to trust technology with our technology access. Frankly, I don’t trust LastPass either. There are nations that have teams of hackers that look for ways to exploit technology. I’d be willing to bet that things like LastPass are on their radar. There’s no replacement for simply writing it down and burying it in the back yard.

        Reply
  15. What about including the passwords in your will?

    I don’t believe you can count on your will remaining secure prior to your death, and it may even become public record thereafter, making those passwords available to many many more people than you want.

    Leo
    15-Sep-2011

    Reply
  16. There is a web site called Deathswitch.com where you can arrange for an email message to be sent if you do not respond to prompts. There is a free version and a paid version. I have used this, and tested it sending info to my other email adress, and it does work. Because of my health I currently have it set to one year.

    Reply
      • Not to mention, email isn’t reliable. It’s quick, easy, and when it works, it’s arguably one of the best forms of communication available. When it doesn’t work, it really confuses people. It’s quite possible for an email to get delays or even never delivered and based on the OTHER server’s settings, you may never even know that the person didn’t get it! My mantra has always been, never trust email. It’s damn convenient but too many variables to be trustworthy.

        Reply
  17. I don’t know if anyone has mentioned Google’s Inactive Account Manager? You’ll find it under the account security setting (Personal Info & Privacy) and it allows you to nominate a friend or family member to download “some of your account content in the event it is left unattended for an amount of time that you’ve specified.”

    After the specified time Google will contact your account trustee to manage your account.

    Every now and then Google will send you a reminder should you wish to change your trustee. I think this is an excellent feature.

    Reply
      • That stuff on Google only needs to be an encrypted file in which all the information is stored that you want your trustee to know. Give him the key to decrypt the file. He can only access the file after your death, provided that you regularly use your Google account, so he cannot peek into it before you pass away. Once Google decides that you are indeed no longer alive, your trustee can download the file, decrypt it, and use everything that’s in there.

        As long as you are alive you can update that file at will. Your trustee wouldn’t even know this. He can only access the latest version, so as long as you keep that file up to date you can add or remove information that you (don’t) want to share (anymore).

        Any drawbacks to this solution (apart from the fact that you need to keep the file up to date)?

        Reply
        • It seems to me that as you get older, forgetfulness can set in and you can forget to access the files. In my case, I trust my kids. I have a joint account and shared assets. Any photos and videos are all shared by all. Any other data is irrelevant. It all depends on the individual circumstances. I’m saying this because there are probably a lot of people who don’t need special security precautions.

          Reply
          • I’m not talking about photos and videos, these a public to my family too. I’m talking about financial data. Bank accounts, insurances, deposits, investments, credit cards, tax data, etc. Everything that needs to be arranged after I pass away. Memberships and subscriptions that need to be cancelled. Logon data for all kinds of online accounts. Plus a personal message for my beloved ones.

            And forgetting to access ‘the files’ as you call it will hardly be possible if you’re a regular Google user. Any activity on your Google account will do. (In my case, gmail is my main mail service, so I check it almost every day.) And should you still forget it, you’ll be warned more than once by Google (by SMS and by mail to your recovery address) a month before the data is opened up for your trustee.

            To me this a perfect solution.

  18. I have a HP computer that has “Simple Pass” fingerprint recognition software… I have chosen to not use it… If I were in a hospital, or dead, my wife would have to cut off my finger in order to scan my fingerprint to reach important data. Just a thought…

    Reply
  19. I live a simple life in retirement. I have a wife, 4 children, and 10 grandchildren. The inevitable will happen, I will die. My family will remember what I accomplished and created over my lifetime as they look through my paperwork, pictures, and computer files. Therefore, I am very concerned about my family having access to all my images — where ever they are!

    Because I have so many free places where I can write emails, blog, and share pictures I consider special, I keep all my passwords to those sites on a word document. It is stored off my computer on a couple of memory sticks. I also make a fresh printout about every 3-6 months — or whenever I update my passwords.

    The password list is stored in my filing cabinet or lays on my computer desk, near to me when I’m on the computer because I usually forget passwords I don’t use all that often. Senior Moments… My wife and children know of this list of passwords, and can easily get into my personal files, if they want. We don’t have dark secrets in this family any more than your average mafia member, so what the heck, right? Regardless, we have some integrity in this family, and we rarely need to snoop. Besides, the older one gets, the less one gives a damn. Just ask Rhett Butler… ( a “Gone with the Wind” character with a similar line, for all you non-movie buffs).

    My digital photography (and written documents) are stored on personal internal and external (back up) hard drives, and many duplicated memory sticks. Sadly at times, many memory sticks… sigh…. The drives also house over five decades of figure art photography, spectacular landscapes, photojournalist photos, and an anthology of family images . I was fortunate to have been a professional photographer, broadcast media producer, and adjunct college professor who enjoyed experimenting with a multitude of interesting visions. I also have thousands of negatives, slides, and prints for my surviving family to eventually wade through — with many a potential “masterpiece” to keep, sell, or burn!

    Frankly, I do not look favorably on putting my images and writings on mega-computers commonly referred to as “cloud”. I’m sure a significant amount of my personal work has already been stored on those things, but I do not have a personal membership with any master filing bank and don’t ever plan to do so. No matter what anyone says, I do not consider such services safe or secure from thievery. Even if electricity and isolated digital devises survive forever, I have to wonder who will be controlling and profiting from all that data accumulated over the coming centuries. Having such knowledge and creative work at the disposal of mega-corporations or governments just doesn’t feel comfortable to me. My fear is that since they have all this information on their hardware they will “logically” justify profiting from what others have created with little or no concern for rightful heirs. There’s also that little problem spoken about in books like “Brave New World” and “1984”. If you think Big Brother has your number now, just you wait for the future reign of clouds!

    Reply
    • Tom, One problem i see with your system is that you are keeping all your eggs in one basket.
      Now god forbid this ever happens to you, But House fires are incredibly common and fire does not discriminate, I can vouch that it leaves nothing behind.
      I would assume that all your children have left home, I also note that you said “I am very concerned about my family having access to all my images — where ever they are!” This is a very good reason to back up online, So your family ( only the ones you give permission) can also access all of your data and pictures, If you are concerned about security you can encrypt it all before you upload. But i would also assume that you have nothing that the NSA or CIA would be concerned about, Needles to say if it is encrypted with good encryption even they cannot see it.

      Reply
  20. I have VERY simple solution to this problem.

    I build a new computer every 2 years; plus folks are always taking their old machines to the to the recyclers. So I take an old machine (has 1.25 and 1.4 Mb floppy drives, and a read-only CD drive) and simply keep only those files that are of a personal nature + mostly old archives. I have a removable HD that mirrors everything on the main drive and it stays at the house of a neighbour (note: NOT family). The only password-protected file, is my asset sheet in Lotus 1-2-3. This p/w is shared with a couple of trusted friends. No other passwords, nothing tricky. I enter new data about every 8 weeks when both main and removable drives are made current. No screen icons to indicate the content.

    Sits in a dry basement room under a dust sheet.

    And of course, no connection to the outside world – no modem or ethernet port.

    Gord Clark
    Rockburn, Qué.

    Reply
  21. A couple of observations. 1) There is no single solution which is applicable to everyone. What works for me, married to the same woman for over 30 years, isn’t going to be relevant to a guy in his twenties with a different girlfriend every month 2) We aren’t talking about a backup strategy for your PC. Regularly securing your half terabyte of selfies, pirated films or the next great American novel is something you need to do regardless. We’re focusing on the things your relatives and friends will need to be able to access QUICKLY if you drop dead, and also information that isn’t readily discoverable even if someone can be bother to work through half a terabyte.
    My wife and I have a Word file called “InformationAndCopingVn.n”
    The purpose of this document is:
    • To document the family finances (bills, bank accounts, superannuation accounts etc) so that if either or both of us should pass away or become ill then the family will be able to manage things properly
    • To provide a simple written plan that helps the family understand what to do in the event that one or either of us should suffer a major illness or death
    We update it every few months (changing the Version number) and each have a copy. It identifies key IT information: the password to my PC, where on the PC is the plain text file that lists my accounts and passwords, and what the file is called. (As a nod to security it’s called an innocuous name – not passwrds.txt – and lives in a “Miscellaneous” directory with lots of rubbish.) And it contains the same info for my wife. Our kids know the document exists and know to look for it in the top drawer of my filing cabinet, if the need ever arises.
    As for backup, I secure to external media – a couple of memory sticks which I rotate, with new ones every twelve months. I keep them in a small fireproof safe ($250) in the shed at the bottom of the garden.

    As Leo said, the critical thing is to find someone to trust. The second critical aspect is to write down the information which will be useful. This planning is not primarily a technology problem

    Reply
  22. Handing over one’s digital assets to the heir(s) after death/incapacitation is definitely as important as the one available for physical assets. So, will the government enact laws to make all Online accounts to collect information of legal heirs from members for hand over?
    As we have seen here, many of our own methods have inherent drawbacks. It’s time both government and Web entities do something about it.

    Reply
  23. How do I re-save my operating system, all programs, all files, etc., that are on my computer, to my Seagate external hard drive? I already did this initially (when I first got my external hard drive) and I’ve been frequently saving all new files/documents/pictures. However, recently a window popped up onscreen stating that my computer can’t find my hard drive. Then yesterday when I tried again a window popped up saying that I need to format my external hard drive (again, apparently) before it can be recognized. What the heck??!! I’m afraid that if I simply re-format it, I will lose everything initially saved on my external hard drive that my computer uses to run. How do I re-save it ALL so I can be back to square one? I want to be able to restore it all if my computer should ever crash, or something.

    Reply
    • 1. What you are asking about here is a full image backup. Leo has dozens of articles on backing up. Just search for “backup” on the Ask Leo! site.
      I’ll start you here: How Do I Back Up My Computer?

      2. I suggest plugging that external drive into another machine. More often than not that works. If it does, you can copy everything to a new external drive. If you still have trouble with the drive, you can format it, and if you continue using it keep a backup copy of everything.

      Reply
  24. ‘Cynic’ is on the right track, and ‘Joseph’ to a lesser extent. Those people who say “… list of passwords in a sealed envelope…(somewhere)” are on the wrong track – it will never be continually updated with your latest password additions (new websites, etc) and changes.

    Anyone REALLY prepared for their own death has a will, and it’s frequently stored securely by their lawyer or trustee (usually an ongoing company, rather than an individual). Put all your passwords in a text file on your own PC, zipped and encrypted (e.g. using WinZip) with a LONG pass-phrase (mine has over 13 characters). Update that text file anytime you add a new website log-in or change any. And be sure to shred the ‘free space’ on your disc drive to remove any traces of the plain text file.

    Put that one-and-only pass-phrase on a piece of paper (with instructions on what it’s for and how to use it) in a sealed envelope, and mark it “To be opened only on my death by one of my beneficiaries”. Assuming you update your will if your desired beneficiaries change, then the right person will get to open it. Give it to your lawyer holding your will, and ask them to store it securely WITH your will, so it can be handed to the right person at the reading of the will.

    Reply
  25. I am 77, live alone, but next-door to my daughter. I have a very low-tech way of storing my access info. I have a 5×6.5″ index card file-box sitting on my computer desk. In it are alphabetized cards with the ID, password, security questions, and URLs for all the sites that I use, including mail programs. I seldom change my passwords, but when I do, a new card goes in the box. My daughter is a signer on my financial accounts, so she already has access to them. With the information in my file-box, my tech-savvy son and daughter will be able to access, close, delete, and unsubscribe me from any accounts that I have, as well as notify my friends of my death. This is enough for me, since I don’t do Facebook or the like.
    I also like having the box handy for when I forget a password that I haven’t needed to use for a while.
    All of those sites that I use, including two webmail programs, are online, so they can be accessed from any other computer (except for my Office Outlook program), with the index cards in the box, in case mine should be damaged.

    Reply
  26. It’s important to discuss such thems and I think I found a very good way. It’ snot just about inheritance but also about safety of datas in the cloud. Just have a look at http://www.securesafe.com/en/faq/, its a Swiss Company and offers a super solution. I would be happy to read your comment about that service Leo !

    Reply
  27. Wife and I agreed to take steps when there was just one of us left. To my surprise and pain, she went first. I copied all my financial information, accounts, passwords, contacts, etc., along with all computer information into a doc file, encrypted it, and sent to my oldest son. I learned this lesson while wife was in her final days at a hospice, and I heard so many horror stories from family members of other patients who had no information. “Does grandpa have a checking account?” “Where does grandma keep her records”? It was very sad.

    Reply
  28. At the risk of shocking people, which of course I don’t want, I’m a bit surprised by all these precautions for computer stuff “when I’m dead”. I would think that if there is important stuff you want to share with your family (such as family pictures and the like), why would these NOT be given before you’re gone ? If they are important to your family (and/or friends) let them have a copy before you’re dead. There’s no reason why they should have to wait for your dead to have those pictures and other documents.
    I would think that everything concerning financial matters is better arranged without any computer or internet.
    So in the end I fail to see what would be so important to your “online” existence and computer content to leave it to relatives, if you couldn’t leave it to them earlier…

    If it wasn’t their business when you were alive, then why should it become their business afterwards, and if it is their business, then why should they only find it on your computer or on-line accounts after you’re gone ?
    I would think that my private e-mail, in as much as I didn’t send it to my relatives, is not their business after I’m gone ; and in as much as they have anything to know or access, I should have given it to them already (on shared accounts or whatever).

    Reply
  29. Patrick, I believe you are thinking too narrowly. In an instant, unexpected things can happen. People are killed in car accidents. Unexpected illness takes young people. Random terrorist attacks occur. Yes – people should be sharing important things with their relatives while they are alive and in control. Yes, they always plan to – but time passes and other things get in the way.

    At one time, I was the Executor of four different estates (some take a very long time to complete). Since so much correspondence now is handled by email, in a short period of time lots of important information can accrue. On one of these Estates, in particular, there was almost daily correspondence using email between myself and various lawyers. It is hard to overstate the panic I felt when I experienced a failure in Outlook Express (which stored everything on my old XP machine as opposed to in the cloud). While “compacting”, I lost access to the folder in which my Estate correspondence was stored. Fortunately, I discovered it immediately so the rest of the day was spent restoring files from a backup to regain access and then doing a successful “compact”.

    You say that your private emails are “not their business” in regard to relatives, but I suspect that one of those relatives in the Executor of your Estate (you do have a will and Estate plan, do you not?). If you do not, then you will be like my daughter, who died Intestate (ie., without a will). In cases like this, one would want to know as much as possible to make sure that nothing important had slipped through the cracks.

    You say “If it wasn’t their business when you were alive, then why should it become their business afterwards, and if it is their business, then why should they only find it on your computer or on-line accounts after you’re gone ?” Well, I hope that my personal examples offer reasons why it might be “their business”.

    I personally use software called MailStore to back up my emails on my computer. It also has a great search capability. While I had one of those four Estates open, I ran MailStore every day.

    Reply
  30. Here is what I did Leo

    My wife knows nothing about PC’s and technology. That is why it is my youngest daughter (my oldest daughter not as computer savvy as my youngest) who will look after my “technology estate” after my death. I have full trust in her.

    I registered a domain of my own and created an email account that only me and her (my youngest daughter) have access to. As a matter of fact, only both of us know that this account even exists. I have given instructions to my daughter that in the event of my death, the first place where she must go is this email account. She will find there last minutes updates of things I consider important for her to know.

    Then, I have created a document that is stored both on my computer (in a TrueCrypt container–password close to 30 letters and numbers and signs) and on a usb flash drive that I keep in a specific envelope (she knows which) in a metal cabinet that contains many different envelopes of all kinds. She has the password to access the document stored on the flash drive. On that flash drive are things like, password to my computer, master password of my Roboform password manager, bank accounts numbers and balances in each (balances are updated on the first of every month), life insurance policies numbers and amounts including benefiary, bank and credit card numbers and PIN for each, name of the resource person to deal with at my bank (with telephone number), investment accounts including RRSP’s (again here, balances are updated every month), email accounts passwords, domain name account (through Roboform), safety box at my bank (she knows where to find the key), utilities accounts (Electricity, telephone etc…) that will need to be transferred to my wife’s name after I pass away, notary will etc.

    If I find that I have forgotten something, I add it to the flash drive. A copy of that flash drive is also stored in my safety box at my bank.

    So, I think I am pretty well covered. I’ve been doing this never ending task (I always find new data to add) for the last two to three years. This I think is going to be of great help to my loved ones for the liquidation of my estate.

    Reply
    • Andre,

      You said “I registered a domain of my own and created an email account that only me and her (my youngest daughter) have access to. As a matter of fact, only both of us know that this account even exists. I have given instructions to my daughter that in the event of my death, the first place where she must go is this email account. She will find there last minutes updates of things I consider important for her to know.”

      I am not sure that I understand the interaction between the Domain and the Email Account. I can visualize having an Email Account that only the two of you know exists. Seems like just that Email Account would be sufficient for her to know where to go to get the latest instructions. Would you please give us a little more detail as to why and the Domain and the Email Account interact.

      Just interested – does the Email Account have two factor authentication?

      Reply
      • Thanks John for your comment.

        Instead of using Yahoo, Gmail or Outlook.com to create an email account, I registered my own domain and created an email account for this purpose only. If I find something that I consider relevant for my daughter to know (something that has not yet found its way to the flash drive), I will send an email to that account with the information (example: I could send an email stating that my condo fees have been paid to October 31, 2016). Once, this info has been included on the flash drive, I will delete the email as it will no longer be needed. So, if I should die suddenly of a heart attack (before I find the time to put the info on the flash drive), the info will be available to her. This email account is like a temporary repository. However, it never contains information useful to anybody else. This is why I did not include two factor authentication for this account (Should this account be hacked, the emails contained therein are totally useless to anyone as I never put sensitive information in the emails that I send to this account. In the example above, what would you care about my condo fees being paid or not ? My daughter would need to know but nobody else would care.

        I hope this makes it a little clearer.

        Thanks again.

        Reply
  31. Leo
    I have enjoyed & utilized you newsletter for years.
    However, this one, “What Happens When I Die?”, was a real kick in my 67 yo pants.
    As always, well written, highly detailed and a path toward a solution.
    Now I have a new journey to embark upon. One I didn’t know lay before me but one I must begin.
    Thank You Leo…………………..I think?

    God Bless

    Reply
  32. Hello Leo,
    This was a very informative article, thank you. Gave me some new ideas. However, my present setup is as follows:
    My wife and I between us created a Word document containing all relevant information related to computers, bank accounts, emails, passwords etc. However, every password was omitted and replaced with a consecutive number, like [018]. A separate list was drawn up with the password shown at the side of all these consecutive numbers. So both documents are needed together.
    The main document is kept up to date and in an encrypted file (which is also in DropBox), as well as her having a printed copy. The linked password document I have sent to 2 trusted friends in other countries who don’t even know what it’s for. So if and when she needs the information, she knows to bring the 2 documents together.
    This is fairly simple now it’s set up, and seems to satisfy our requirements to thwart thieves and hackers etc. Hopefully!
    All the best, Dawei

    Reply
    • Sounds like a good plan. It would be safer to have more than 2 people to hold those pairs of documents as a backup in case one fails to be available.

      Reply
      • The fact that the other two people “don’t know what the document is for” begs for casual treatment by those people — like, forgetting them, or even accidentally discarding them…?

        Also, the fact that they are in other countries raises questions of availability.

        I must also note that your solution is of limited applicability — how many people have friends or relatives living in two foreign countries…?!

        Reply
        • I don’t understand your comment. I never mentioned anything about different countries. I just mentioned instead of only two people each having half of the password, you can have a backup peson for each half in case something happens to one of them before you have a chance to find a replacement for them.

          Reply
  33. This is a very, very well writen article. My sincere compliments.
    The “two-man rule” is the way to go! And it’s also the solution to the second question: “What happens when WE die?”

    If I die there is no problem: my wife can access all my data. Conveniently we use the same passphrase for both our computers&password-managers. (Thus bypassing the insurmountable problem the wife of a former colleague had, when he died and – amoungst all other problems – lots of former colleagues never received a notification.)

    In addition we both have a secret passphrase for a personal password-manager which contains the access-codes for our private bank-accounts. But no problem here, after a death the surviving partner can get access (through legal notary ways) because the account-names&numbers are known to each other.

    The real problem is dying simultaneously. A house-fire, a terrorist-attack, a plane-accident, etc. Lot’s of real possibilities.
    After a long thinking-process, back in 2015, I had choosen a “one-man rule” and gave my brother an encrypted document-with-instructions and the corresponding password.
    Later on, I realised that a “one-man rule” is just too much of a risk. Because my data is not only stored on my computers and backup-drives, my data is also backed-up in the cloud and can be accessed at all times from any location. You don’t wanna think about what’s gonna happen if someone with bad intentions (child, spouse, computer-repair-man) finds both document&password…
    So recently I’ve implemented the “two-man rule”. An encrypted document-with-instructions for my brother and the corresponding password I handed over to a close friend.

    Reply
  34. Many of us now use 2 step verification, which sends a code to our cell phones. Now what happens if I and my phone are lost at sea or in an airplane or something just as bad? Knowing my passwords won’t help here, it’s not enough. Nothing was mentioned about this. I just started to add my trusted person’s phone number as an alternative one, but I’m not sure all institutions have this option. Nothing was mentioned about this.

    Reply
    • With two factor all institutions have contingency plans for your simply having lost your second factor (i.e. you don’t have to die to lose your phone). The contingencies vary depending on the two-factor implementations, but you need to:

      1. Make sure they’re in place. As I said, you don’t have to die to need them.
      2. Make sure they’re part of your digital disaster plan in case you do.

      It could be as simple as saving backup codes, or one time passwords in a place your heirs could access, or making sure that they have a way to access the recovery email associated with your account as well.

      Reply
  35. HEY! That post was supposed to be a “Reply” to the Tape-a-CD-Inside-Your-Computer suggestion!!
    It makes no sense at all here at the end of the list!?!

    Reply
  36. So many ways of “how to do it”, but clear is: these days one needs to keep track of one’s “digital life”!

    I personally use encrypted files, stored off-line in several locations. Trusted family members overseas know where these files are and can get access, should they be called upon.
    Once you start to actually track online services, you likely end up with several hundred different log-ons and passwords. Important to keep track of what, where, when (when you signed up and when you changed password), e-mails and phone numbers associated with account, if you use 2FA and what type (app or SMS), which recovery e-mail etc, etc.
    So many times people have changed an e-mail address or a phone number used for “recovery” address somewhere, then forgetting to update it, and subsequently have been locked out of an account for good.
    It can be a lot to track, but once one start and get a tiny structure set up, easy to keep it all updated. I sort of started “by mistake” back in the 90s, as corporate and irratic PW change rules could drive anyone nuts in those days…

    Reply
  37. I just have them written on a sheet of paper in a file that says “Will” on it. Anyone burglarizing my house is not likely to waste time look through my paper files. They are probably looking for jewelry or cash. Takes a while to write them down, or keep them updated, and I suspect I do not have them all, but I don’t think my password to the New York Times is critical.
    Thanks for your great work Leo!

    Reply
    • Yes – I have all my “after death” documents and explanations with my Will. Yes – disaster if the house burns down with me in it.

      Reply
  38. Wonderful article. I think I still have some work to do.

    At this point, I’ve been married for 31 years and know most of my wife’s passwords, while she knows some of mine. She has the password to my phone, and I know the pattern unlock for hers. We share access to bank accounts so no problem there, but over the years I’ve transitioned to online banking and online bill payments. Recently been thinking I need to give her those passwords as well.

    My elderly parents are different. My mother touches nothing financial or technological, so it will be me or my brother to handle stuff if my father dies first. I set up his computer, my daughter set up his email account, and my brother’s daughter set up his phone. So at least there’s sure to be somebody who knows something.

    Reply
  39. Leo,
    After I am dead, I really don’t care because I am not here anymore. I do not password protect my computers because it is a nuisance to start them if protected. I demand paper documents and and all statements are mailed to me. After my demise all that is needed is to check my file cabinet and/or wait for bills/statements in the mail!

    Reply
  40. Let’s assume a most simple scenario. You have invested all of the 10mill USD you have in Bitcoin and you die. How would the people you want to get this money get it?
    As Bitcoin transfers are untraceable no person on his/her own should ever get to see the login details of this Bitcoin account and get sufficient time alone to login and effect a transfer to their own Bitcoin account. That would be about 5 minutes.
    It means that there must always be more than one person involved to assemble the key information. Maybe a few more people who will witness and verify the balance when the account is first opened.

    If one can secure such an account then the same principles could go for everything else.

    Reply
  41. I’ve made up a document that contains information as to which entities need to be contacted upon my death or incapacitation. It also has information as to how to access my LastPass account and my Microsoft account. Also, I use a Yubikey for my LastPass, Microsoft and Google accounts and keep a spare with the document. These are kept in a fire-resistant chest, along with a list of one-time passwords for LastPass and a copy of my Microsoft account recovery code.
    Periodically I review this document for any changes and make sure it is up to date, as well as checking the Yubikey. The executor(s) named in my will know of the location.
    Unfortunately, even though I make the effort to cover all the bases, I’ll never know if it actually worked. :)
    P.S. I’ve set up emergency access to my LastPass account for my wife.

    Reply
  42. My family 1100 miles away have access to my LastPass, and I love 2FA. Lastpass allows confirmation by cell phone code or email. Perfect. But I had to move a few investments away from some financial sites that have 2FA, BUT they ONLY send the second code to MY PHONE!

    And they refuse to add my email, so how’s my family 1100 miles away supposed to do that? I found financial sites that use phone codes and / or email.

    Something to consider.

    Reply
  43. I really like to read your work and the comments by other readers. But there is one aspect of this that I would prefer you not include. Your current topic and comments on it are great, but including comments on the subject made many years before dilutes the effectiveness and becomes irrelevant.

    Reply
  44. Upon careful consideration, I’ve decided that a variation on the “VeraCrypt” solution is probably best:

    (1) Download VeraCrypt, and set up an encrypted Vera Crypt volume.

    (2.a) Place all of you confidential files in it.

    (2.b) Of course, there are secrets, and there are secrets — things you might want anybody but yourself to have access to, and would want to go with you to the grave. For those, download a good file-encryption program that uses a secure algorithm such as Twofish, Blowfish, Serpent, or Gost. (I do not recommend AES. It’s a fine algorithm, but it’s ubiquity makes it a target for every cryptanalyst under the sun — the first person to break AES would have the world at his fingertips — so I much prefer less-common algorithms that don’t make themselves so much of a target. I much prefer “Twofish,” myself, since it was a close runner-up to what is now AES.) Use this program to encrypt you super-secret files, inside your VeraCrypt volume. Do use a long, and good, passphrase for both the file encryption program, AND your VeraCrypt volume.

    (3) Use your favorite method, ensure that the password (or passphrase) to your VeraCrypt volume gets delivered to your beneficiaries after your death. Do not divulge the passphrase to you file-encryptor to anyone, ever.

    END RESULT: Your beneficiaries will have access to your “secret” files, but not to your “ultra-secret” files. :)

    Have “personal” files to deliver to separate beneficiaries? Create (within your VeraCrypt volume) different directories, each named for a different beneficiary (i.e., “To Sharon” or “To Eric” etc.). Within each of these directories, move and then file-encrypt your personal messages; then insure that each beneficiary gets his or her own personal passphrase as well as the “global” VeraCrypt passphrase. (The difficulty here will be seeing to it that the “private” passphrases are each delivered privately to the correct beneficiary. Sorry — I’ve no idea how to accomplish that.)

    This should go a long way (but, alas, not quite the whole distance) to solving the “postmortem problem” of file retrieval.

    Hope this helps!

    Reply
  45. but what if the user name typically uses the email account that the deceased had and uses 2 factor authentication , like verifies the phone number that was used on file. how do you access ?

    Reply
  46. IMO the more steps (hoops) the surviving person has to jump through the more you increase the chance for failure. Keep it tight and simple. I use Bitwarden for all passwords. I enabled Emergency Access (as Leo mentions) years ago. She literally has to do nothing or remember anything and she’ll still get the keys to the castle.

    One thing not mentioned…with Bitwarden premium (maybe even free??) you can create an organization that allows you to share passwords with another BW user. Every important account she’d need access to is shared between us as part of that organization, so if I get hit by a bus tomorrow, she already can go on without missing a beat.

    No paper notes taped to a drawer bottom (or burned up in a fire), no CD’s hidden in PC cases, no safe deposit boxes where you can lose the key, or other schemes that require a lot of extra work to maintain and update….or that can easily fail.

    Reply
  47. Does “Trusted Friend” know how to turn ON your PC and navigate to the appropriate file(s)?
    If CD/DVD’s are used, will players be available to read the data?
    Thoughts…

    Reply
  48. For day-to-day use, I access Windows using Windows Hello and my fingerprint scanner on all three of my PCs (my desktop and two laptops). I also have Windows on my desktop PC set up with a Yubikey that I have stored away in an envelope with the note “Open in the event of my passing . . .” (stored in a drawer in my ‘computer room), so my adult sons and daughter-in-law can access my desktop PC. and deal with any data I have there or on OneDrive, etc. as well as closing any of my Internet accounts (Facebook, et-al). I keep that envelope up to date with any documents they will need (Insurance, Niche where I’ll be interned, etc.) as my situation changes. I’m in my mid-seventies and I’m not expecting to go anywhere any time soon, but I do like to be pro-active/prepared. I hope my preparations will make my passing a bit more bearable for my children.

    Note to others: Please take time to prepare because you can never really know when/how your end will come. If you’re prepared, at least your loved ones will have some idea what to do and know where what they need can be found.

    My2Cents,

    Ernie (Oldster)

    Reply
  49. I reside in the state of Georgia, USA. My wife and I are in the process of setting up a revocable trust, which will allow us to designate who can do what in the event of either of us dies without having to go through the probate courts.
    Georgia passed a law a few years back making it illegal to use someone else’s computer and online accounts without authorization. One of the documents in our trust paperwork is a Digital Assets Power of Attorney, which grants our agent the ability to legally access our computers and accounts.
    According to the attorney we are working with, a general power of attorney that usually accompanies a will doesn’t grant an agent the ability to do so, thus the separate document.
    I mention this to alert followers of Ask Leo! to check the laws in their communities. It will be difficult enough for someone trying to access a family member’s digital life without worrying about getting charged for breaking the law.
    Just one more item on the list.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.