Schneier on Security
A blog covering security and security technology.
« New Voting Protocol |
| This Is What Vigilantism Looks Like »
October 3, 2006
Dying with your Passwords
Interesting story on the risks of dying without telling anyone your computer passwords.
Posted on October 3, 2006 at 6:23 AM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
....being of sound mind and body do hereby bequeath my password list stored in my PasswordSafe, and my PGP keys to....
For every positive use of technology, there is always a drawback, at least for the things we want those we leave behind to access.....
What's the secure way to avoid this? I think the best solutions probably involve secret sharing...
DMS aka Dead Man's Switch by DaisyMan
You can set Dead Man's Switch to perform a number of tasks if you don't log on to your computer for a specified period of time. It can send out e-mail, encrypt or delete files, and post to web sites.
Sounds to me like crypto-key/password-escrow facilities could become a profitable service for attorneys to offer for the future.
Though it'd have to work at several different levels: there are certain parts of my life [emails for example] that I'd rather not want to fall into the hands of certain family-members even after I'm dead.
"To uncle George I do hereby bequeath my 75-gigabyte collection of porn and viagra-spams; he probably needs them more than I do"
Is this going to be another argument for enforcing an overarching escrow agent? Don't tell the NSA (or in my case ASIO), they will jump at the chance of forcing everybody to assign all passwords into a federally protected escrow account.
Otherwise we are looking at a completely new problem of linking our password accounts to a personal escrow system that can be linked to the executor of our last will and testament to be passed on to one's immediate hiers.
There is, of course, a strong security requirement here as the need for password security is paramount while you are living, but it may well be, as here, necessary to pass on some, but not all, of the passwords to ones relations/hiers in a timely manner.
There is also the possibility that one may want to take one's secrets to the grave...
Another related problem. When you cease working for a company, in a certain sense you die for that company. The intranet and webmail services with that company are closed and you are left with no documentation of your activity with that company. That is how it should be because the data you use and generate as an employee belongs to the employer.
The question arises: If employee rights have been violated by the employer, can the employee retain copies of incriminating evidence against his employer in the form of an audit trail of the activities pertainning to that situation?
Moral of the story: Generate PDFs of everything you do onlineand archive on your local private disk.
To solve the problem of no one being able to notify those I would want notified about my death...
I own my own domain name. I've set up an email address which is an alias to everyone I want notified in the case of my untimely passing. Someone who is geographically and relationally close to me (who rarely rides in the same car as me) has instructions to send an email to that address (and thus to everyone who is on the alias....which I personally maintain) in the case of my untimely passing.
Just a thought :)
I use a program to store all my passwords, but I suck at backing stuff up and don't trust that so I also keep a rolodex with them as well. It's sitting on my desk, and anyone who cared to could open it up and find all my passwords any time they wanted. It also nicely solves that whole "Hey, guys, just wanted to let you know Ian died." problem.
This subject is a little close to home right now, as I'm on the board of the Peer Directed Projects Center, which operates the Freenode IRC network. Our founder, Rob Levin, was recently knocked off his bicycle and left for dead by a hit-and-run driver in Houston, Texas; he suffered head injuries, and died four days later without ever recovering consciousness. He took his passwords with him, and along with them, access to a lot of key PDPC data.
We at PDPC and Freenode are now experiencing first-hand the problems that can occur when a key person dies without passing on passwords or access codes for data in their possession.
The main problem lies in that we just don't plan for these events (after all, it's usually just too morbid to think about for most people). I started a blog (BeforeYouAreGone.com) to get a dialog going on this topic, but not just as related to emails, but what happens to all our online (virtual) property (if it is truly ours). Email accounts are just scratching the surface when it comes to what people do online (banking, investing, gaming, selling, buying, etc.).
Something I've long considered (but never actually gotten do doing) is PGP key-splitting, requiring a particular quorum of "shareholders" to reconstitute the original key. You could distribute an encrypted archive (PGP or something, containing other secrets in less secure form), instructions and the key share to a few people who you may not even fully trust individually.
Provided there's no conspiracy against you, a fair quorum of such shareholders would need to agree that you're dead in order to have access to all your secrets.
Problem comes in picking the right people. They have to all be reasonably techno-savvy, fairly honest, not likely to all die at the same time, etc.
An email notification system / dead man's switch as mentioned in other posts would make a nice complement to such a system.
What happens if the key has a biometric component? You can't really leave your fingerprints to your heirs, can you?
Passwords in a safe-deposit box?
There are established means of getting into such boxes upon the death of their renter.
My passwords are in a sealed envelope stored in my safe with my other important papers.
Imagine getting an e-mail from the dead person's account - Subject - Re: I'm dead!
Interesting post indeed. Although, being an old beatnik I bet his password will be fairly trivial to guess. Most of the people I know have passwords that I can guess with some 5-15 tries as most tend to choose birthdays, favorite songs, girlfriends, wives, dogs as basis for a password.
Possibly the escrow route would work if there were a key (or a number of keys) in use by coroner's departments (or the Registrar of Births, Deaths and Marriages here in the UK) - then you could have an archive which would only be unlocked on "official" recognition of your death, and in the presence of someone you trust.
For most cases, it would be sufficient to have a file that you distribute to a handful of trusted individuals that is encrypted with a password that is stored in your safe deposit box. The password alone is not sufficient, nor is the file alone sufficient. This allows the rules for getting access to a deceased person's safe deposit box to protect the password.
While you may want your passwords revealed to certain people in the event of your death, there is no way to prevent that same mechanism from being circumvented by a court. For most people, this would not be a problem, but the majority of people who use strong passwords are more paranoid than that. Courts have taken the position that once a piece of information leaves your head (such as putting it in an encrypted file), it's fair game and they can force you to provide the key.
It would be fairly difficult to come up with a system that doesn't have gaping holes. For example, if someone has all of my passwords, they become me as far as the outside world can tell. There's no common way of providing a failsafe account that has implicit permission to everything of mine without including the ability to act as if it were me.
It's not that difficult to design a system that would allow someone to act as me without actually being me. Ie, for work systems, allowing someone else to "sudo -u mike" would allow them to do anything I could do, but it would log who did that and wouldn't allow them to log in and impersonate me. There's no way to get that kind of functionality from the 100% (with some statistically irrelevant margin of error) of the systems out there that can only cope with the concept of a username and password. The vast majority of systems authenticate the account, not the user. For example, my online banking account allows access to my joint checking account. From the system's perspective, the account is the person, so the way to share a joint account is to share the username/password. There is no way to differentiate between my wife and I doing things with the account. Most systems don't need this level of accountability, so they ignore the individual vs account distinction. By doing so, they do not distinguish between authority to act by being the individual and delegated authority given by the individual.
I'm reminded of a Frantics skit (http://www.thefrantics.com/) I heard recently. Guy goes up to Heaven and meets up with an angel ("I don't understand! I was just driving around in downtown Montreal..." "Ahh, yes, we get a lot of that."). Guy insists he has to go back, that he only needs five minutes. The angel asks, "Five minutes? What can you possibly do in five minutes?"
Guy looks embarrassed and says, "I can... erase my hard drive."
Three seconds later, the entire audience dissolves into laughter.
The obvious solution to this problem is, of course, a list of passwords stored in your safe-deposit box. The problem with that solution is that password aging schemes interfere with it. Everytime you are forced to change on of your passwords (or change it on your own), you should make a change to your stored password list.
If you're like me, you're not likely to always be on top of such things.
I like to keep things really simple:
If you don't know my password it is because you aren't supposed to.
It's amazing to me that the dead ...err... Living Impaired fail to hand over their passwords but still manage to cast their votes for the democrats. Maybe they could be intercepted between grave and poll station and politely asked for the passwords?
Regarding dead man's switch, how long do you wait? How long do I have to detain you before your own systems compromises your secrets because it assumes you are dead?
One benefit of password safe is that you only need to store one password in your safe deposit box (or otherwise share with someone you trust). It doesn't have to change on the ignorant whims of password policy "police" who believe the TSA's security systems are top notch and sensible.
Compare that to biometric systems that could not be recovered as easily and you see why the password is BETTER than other forms of securing your info. Passwords are good precisely because they can be shared when needed.
If you are sick, on vacation, quit or otherwise need help from a co-worker/friend/etc, it's not only nice, but often required, that you divulge a password to resolve something when you are not able to be present. That's the real world.
Biometric systems even tout that their finger print readers, for example, won't work if the finger is severed or otherwise doesn't appear to be "living," meaning that such systems won't work even if you also get the corresponding PIN/password.
I've been considering this for a while. While I'm not quite in Unixronin's position I am the sysadmin for a small company and a couple of small volunteer organizations as well as owner of the email & financial info at home.
The best I've come up with so far is to split a password file amongst multiple (at least semi-)trusted parties per Justin's description. Not all of them have to be tech-savvy, just enough to guarantee that the most-mortum quarum will have at least one. The rest just have to be unlikely to betray my trust.
I've considered using the Usenet "Par2" program for this but don't fully understand the security consequences of doing so. Anyone have any insight?
I have a very simple mechanism for this.
My passwords are all stored in an encrypted database (I use Keyring for PalmOS [GnuPG-based]), protected by a fairly complex password.
I have given a portion of this password to two different attorneys with no affiliation. Should I pass, they can break the tamper-evident seal on the envelopes I've left with them, and by combining the information, they can provide the password to an executor.
In my will and letters accompanying it, there are instructions to the executor regarding retrieval of a backup copy of the password database and access to important resources.
It's not perfect, but it's pretty damn safe.
Besides, the concern only applies to accounts where there is no admin who can comply with a legal request for access. Passwords protecting bank accounts and the like, for example, need not be escrowed, as your executor has the legal right to gain access to those accounts and the provider must comply with their requests (provided adequate documentation).
On the other hand, the encrypted volume where I do all my business book-keeping can not reasonably be accessed by anyone but me: so the password is escrowed using the system above.
Re: "dead man's switch" approaches: not fun when a software bug causes all your friends and family to be told that you're dead.
That reminds me of the time that journalist Josh Marshall caused a panic in the left-blogosphere. His RSS feed, for some reason, chops the first three words off of each post to form the headline. One day, he began a posting with the phrase "Atrios is dead right about ..." (Atrios is well-known blogger Duncan Black), and everyone getting Josh's RSS feed saw "Atrios is dead".
A novel way to extract data from a dead person's PC... Unplug the PC from the Internet, wait for the next security hole in the OS and take control of it that way.
So I die and nobody knows my passwords. Well, my question is, so what? There are three kind of passwords I use.
First, those related to money matters (online banking, ATM PINs, credit card PINs, etc), and I'll be quite happy to take them to the grave. My wife can use theirs, or wait for the banks and the IRS to clear the paperwork.
Second, those related to my work. I'm a physicist involved in computer simulation, so there is no problem if nobody can get my passwords for scientific computing. My University's root administrator might be able to access it, or just erase my account.
Third, my email password. It's embedded in my email program, so my wife and colleagues won't need them. But in any case, they don't need to read my zillion emails on crypto, or last year's message interchange with a friend in Canada. Or well, and I wouldn't like my wife to read about that blonde I once met in Barcelona, ahem.
If I do want others to access information I have already under password, I'll find a way, be it sealed envelopes or PGP split keys. And if nobody can use my email to warn my friends and colleagues I'm dead, well, mi father didn't find time to say goodbye, he just laid in bed and died. And I'm sure he didn't give a damn about his PINs in that last moment...
Re: "Although, being an old beatnik I bet his password will be fairly trivial to guess."
According to the article he worked as a mainframe programmer inbetween travelling, so don't bet all your money on the password being so easy. Him having had all his stuff digital and online also points to a certain technognosis...
I definitely don't want any company that has data of mine on their systems, behind a password or any other protection, giving it out after my death. It isn't my secrets I am concerned about, but those of other people that I may have known and recorded.
Anything that I mean to have released under those circumstances is already in places set up so that people can find it.
I've been considering assembling a dead-man switch for the system my shell account is on so that I don't "vanish without a trace" from my virtual life. Cron is good at this and I've already written tools that do something _like_ this so it's not very challenging.
Mind you, I probably should have a network of at least three people in widely distributed areas to get the e-mail to hunt down what ever happened to me.
The real question is what I should be telling them in my e-mail, you know. Some things are too damn morbid to deliver with humor... and, at the same time, you don't want to get smacked down by a spam filter.
But, then, when your on-line identity doesn't quite match your meatspace identity, well...
@Israel Torres - my thoughts exactly, thats why we use passwords after all. Thats specifically why we dont tell everyone what they are, why we keep them in a password safe, why we make them hard to guess, etc etc. Appropriate people have access to things (real and virtual) that I feel they will need access to or that I want them to have access to. The rest can die with me.
Shame the clipper chip never got up, then the CIA could have made some money on the side assisting bereaved families ;-)
I like Justin's idea (above) of PGP key-splitting. I've considered something like that, but it's probably overkill for me. My solution (well, if I could be bothered to implement it) is:
Use two envelopes, each with a tamper-evident seal and instructions to open only in the event of my death. The one in my draw at work will have a password/key and the one in my draw at home will have a CD with encrypted info that I want to leave behind.
These draws are likely to be opened when I die. Before then, getting access to the data would require: someone snooping through my stuff, opening the envelope knowing that I'll be able to tell, and convincing the other party (employer/spouse) to combine the two pieces of the puzzle.
Next step is to tell my theatre group how they can get access to our web hosting if I disappear.
What and have my family members read all the emails to my everyday friends, intimate friends, and other girlfriends?
Most of the comments above are meaningless without the fantasy of unbreakable encryption, plus the inclination to hide everything (which is to say, paranoia).
In the real world, people write wills naming and disposing valuables, which would include account numbers and passwords. They trust some person, perhaps a lawyer, to hold or to know the location of the will.
In the real world, some people bury their shekels, others neglect to write wills. In these cases, states imposes rules which often appear to abuse the survivors' notions of fairness.
In the Anglo world, if your lawyer cannot protect your secrets, neither can you. Wherever you live, if you have secrets which cannot be entrusted to a lawyer, they should never be mixed with trivia, probably there should be no record of their existence, and certainly they should die with you.
I almost said Talcott did not appear to wish his list of private correspondents to be known and revealed to the world. Like Milan, above, I would agree. Perhaps that was Talcott's wish. In any case, his friends have learned of his death by now, via the grapevine and CNET... pretty much the same ways they would have learned in the dark ages, even if he had left a neatly organized shoebox.
However, it seems Talcott was also negligent in the provision of a will, so it is more likely he didn't give a damn.
He is not a victim of encyption. He is just somebody who failed to consider his heirs.
I was the funeral of a friend a few years ago, and the FreeBSD box he used as an internet gateway stopped working. I think his ghost was taunting all the geeks in the house.
Unfortunately, of course, nobody knew his passwords - including his widow. We had to hack root to fix the problems.
Somehow, hacking root on the deceased's computer seemed like an appropriate thing to do at a geek's funeral.
I think "passwords" might be taken too literally by some here.
Note that if you can prove you are the rightful heir you can usually get the goods you are after. The problem is what may legally constitute those rights, and the cost of proving them true. The providers are essentially saying "use the secret we recognize or bring us *legal* proof of identity" (last time I checked they're still bound by the laws of the countries they operate in).
So if you don't leave your actual passwords behind, you can at least leave your heirs empowered to retrieve what you wish. I noted a bit of irony in the article about this:
"Talcott didn't leave a will, unless it is stored on his computer somewhere, so his family is still working out who will be his executor, his daughter said. Once that is established, Talcott-Fuller said she will approach Yahoo again for access to his e-mails."
C'mon now. It is so easy to find out or break most Windows passwords. There are lots of utilities available on the net.
Most good geeks know how to remove or reset Windows login passwords using one of the Linux distro's that are pre-configured to do this or getting the SID hash. I had occasion to do this a few weeks ago for a co-worker who had an old laptop but didn't know the Windows password. Check out:
Once in, simple utilities like the one's below can either find the passwords you need or give you clues that will help you guess them. Check out:
If you've got time and have the physical machine in your possession, there are cracking programs that can get most passwords. Check out:
If you don't mind paying cash for such programs, check out:
This is not really a new problem.
Having problems contacting people who knew a recently deceased person is an age old problem and it is also one of the main reasons why people in the old days and still today put up ads in newspapers about deaths.
Thing is even if the deceased had a physical adress book, it might not be up to date or you might not be able to find it (at least not before the funeral). It's a hard time when someone you like/love dies. You may not feel like losing your time trying to dig out his adress book.
So in the end you end up contacting the people you knew he knew and it ends to that. Some people who knew the deceased do not get to learn about it until some time and sometimes never.
Concerning electronic data that people would like to have access to after a person dies, the solution to the problem is just plain preparadness.
People should think in advance about what information they would like to be public and share it while they can.
Leaving access to one's private passwords in whatever way is not a good idea because even after one's death you don't want people to come and look at your private stuff.
I have two "zones" on my computer. My /home directory is where I keep private stuff and I also have a public folder to which my wife has access through our private network (and also family and friends through an FTP).
I don't want anybody looking at anything else thant the stuff in my public zone even if I'm dead.
Leaving one's passwords after death is a bit akin to security through obscurity. People don't really know what to expect and they might not be able to access your stuff, just because you forgot to update the password file you sent them.
Better think now about what you want public and what you want private, and share the public stuff now.
Of course this is the ideal situation and often people don't think about doing this before they die and untimely events ensure that the proper measures are in place when need comes.
Well that's life, you will always end up with situations that nobody thought of and where you will be stuffed. But then if you're working on a project with someone, you have the responsability of thinking about the what ifs situation. If you don't ensure that you will have access to the date in every circumstances, tough for you.
For those of you concerned about police-access to your passwords, a bank-deposit-box is not sufficient, as a court may order these to be opened without your agreement.
Depending on the legislation in your country, you could entrust your lawyer or notary with the password along with orders not to reveal it unless you are proven to be dead.
In most jurisdictions, information exchanged between lawyer and client is considered sacrosanct and the lawyer cannot be legally forced to reveal the password. Usually, he may not even do so voluntarily, as it would constitute a major (criminal) offense.
Technically, you can come up with clever things like regularly encrypting your password-list to a special public-key whose private part is only known to your lawyer or the like. Leave that on your PC with instructions how to reach the lawyer in the sad case...
This way, you can get around password-aging rather easily and even if the lawyer was untrustworthy, he would first have to access your computer to obtain your passwords.
Any physical lock can be circumvented given enough time and access. Isn't this also true of virtual locks? Neither physical nor virtual locks are absolute, they only change the cost/benefit ratio of unauthorized access to make it unattractive.
In other words, I don't see the problem here. I want the things I've password protected to be damn hard to break into, but I also know it's still possible.
I'm more concerned that most password protection schemes don't have any function to notify me of attempts at unauth access. If someone is trying to break into my garage, it takes time and makes noise, in effect notifying me of the attempt. This is usually not so in the digital world.
I think the only real problem here is with encryption, not passwords. Anyone reasonably computer aware can take the hard drive out of your machine and mount it on a linux box (or maybe just run knoppix and mount the drive R/W on the original machine), then do anything they want to.
I've had occaision to do this myself, both for my own stuff and for others. Amazing what isn't deleted on a computer even though the opsys has marked it gone. You can usually find out more about the other user than they know/remember about themselves.
That might help recover keys as well. Often cypto implementations are done by people who don't realize that a key (or plaintext) in memory might wind up in a swap file as cleartext, for just one example. Many opsys "features" are in fact security problems, and most programmers don't consider the whole shebang.
Taking my secrets to the grave is the whole idea, dummy!
@ Dewey "[...]
I've considered using the Usenet "Par2" program for this but don't fully understand the security consequences of doing so. Anyone have any insight?"
PAR2 is not a Usenet program. It is merely used a lot _on_ binary Usenet groups.
IMO using PAR2 to serve this purpose is needlessly complex, but could PAR2 could achieve your goal indeed. If you have one password which opens the gates to say an encrypted password file as outlined above by "radiantmatrix", "justin" and others, all what has to be done is glue them together. Its either part1 + part2 or part2 + part1 (ie. x^2; where x == # of parts). Let me assume you have 2 trusted parties, and that you trust them equally and wish to give each 50% of the password to your protected file of secrets. Using PAR2 with -n 2 (2 recovery files) -r 100 (100% redundancy; 0% of the data is known) and -u switch (distributed evenly) (see manpage) you could distribute the key evenly to 2 trusted parties so each party has the equal percent, 50%, of the key. Then, it is essentially similar as earlier described by e.g. "radiantmatrix" and "justin", except digital using PAR2 files and the people who get those PAR2 files after you've passed away ofcourse need to be able to use them (as said: additional complexity IMO). For both solutions counts: be aware, that the key has to be strong enough to not be broken if 1 of the 2 trusted parties gives it out to a non-legit person.
PS: I don't know much about quantum cryptography except some basics. Would quantum cryptography influence situations such as this?
--"Imagine getting an e-mail from the dead person's account - Subject - Re: I'm dead!
That's how the series "Serial Experiments Lain" starts...
The issue with a "Dead man's switch" becomes interesting if you were someone who was targeted for rendition. How long are you going to leave it able to run for, if the CIA send you to Gitmo or someplace undisclosed?
See Bruce's post on the Arar case: http://www.schneier.com/blog/archives/2006/09/...
I know one case where a rendidtion subject was declared dead by his wife after a year or so, and turned up alive, naked, bagged and bound by the side of a country road some years later... Somehow I feel it would be worse for your PC to do it after three weeks!
Perhaps you could use 'Dead Man's Switch' or a similar program to send messages like the following:
"This automated message was sent because it has been at least (length of time) since I checked in... (explain the mechanism)... In the event of my disappearance, rest assured that I have not joined the circus, I haven't run off with a mistress, I have never been suicidal, and are probably not deceased, but that I suspect that my continued activities protesting... (oh, whoever)... has unfortunately resulted in some sort of foul play. The way our laws have changed recently, this could include rendition, mistreatment, and imprisonment without legal recourse. Please educate yourself about these things, and be strong... Here is a list of people I trust that can personally help you... Here is a list of sources to help (please) take my story public... If at all possible I will be seeing you sometime, hopefully not to distant..."
(this is surprisingly hard to compose, who'd guess)
Greetings from Draco Horriblis. Speaking as someone who has lost his lap top, do to theft. I am serious about having a dead man switch running on my laptop from now on. For the purpose of having personal information wiped, Along with that of my clients, thus keeping it out of the hands of criminals. For all you pornsters out there yes I do have a few wickedweasel bikini pictures. What can I say I'm a guy. However they aren't my concern. To respond to issues of forgotten passwords. Just remember the first three rules of computer using, back-up, back-up, and back-up. Now while I was using encrypted containers, one for each client. I would sleep better at night knowing that some geek wouldn't be cracking an AES-Twofish encrypted container someday in the future. For those of you who might respond "oh they can't do that" just remember what can't be done today, can be done tomorrow.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.