PassMyWill Is A Will For Your Online Assets And Passwords
techcrunch.com
Pretty sure these guys have been doing something similar for a while now: https://www.lifeensured.com/
I wonder if PassMyWill has ever been audited for security vulnerabilities? LifeEnsured has: https://www.lifeensured.com/faqs#security
EDIT: lol. The login form on PassMyWill gets POST'd over HTTP.
EDIT2: Nope, the entire server doesn't support SSL. facepalm
I love how companies play up the security theater they have in place in their datacenters. If someone is going to try to get your data, the last place they're going to get it from is in person at your DC.
I think it's kind of a standard disclaimer. Notice they got the most important part right: independent review by experts.
Even people that do security well need to engage in security theater.
In any case, the data is encrypted in JS, so the transferred piece is worthless, anyway.
I wish I could dig up the HN story from a few months ago. Basically JS encryption is horribly broken and essentially worthless.
Edit: ah, here it is http://news.ycombinator.com/item?id=2935220
Another problem is keeping your backup passwords in sync with your day to day use passwords, especially if you're not going to die for 40-80 years.
Probably the best solution is to have something like 1Password set to automatically manage passwords, encrypted with a master password, and then disclose only enough information to get to the daily-use 1Password. Disclosing a single password like that is probably better accomplished in a paper will, stored with a lawyer/executor.
Although there's also some value in an "I'm dead" script which deletes porn, porn passwords, information about your affairs, criminal activity, compromising photos involving porn and crime and drugs, the Guatemalan second family you support, etc., before turning over things like facebook passwords to next of kin.
Even better, use KeePass (and sync/backup into the cloud like Dropbox, etc) and have an open source solution that is safe and encrypted from end to end, without trusting a company to not be stupid.
Then, just leave your master password(s) for the encrypted database in your will, or safely amongst your personal belongings.
After they die, I don't see why someone would want their family to have their passwords. Every email, IM and Google search? Even if you don't do anything "wrong," there's still probably a ton of stuff you wouldn't want anyone reading (especially out of context).
My father passed last summer.
He had a busy life online, post-retirement - built and ran a website for a yacht club, used the computer to book stand-by travel with his former employer (American Airlines), online banking, etc.
Nothing where the lack of access would have been a killer. But not having them would have been inconvenient for a lot of people.
Happily, he kept his accounts and passwords in a tablet, on his desk. Single-space, filled the page. So I was able to hand the 'keys' of the website over to his backup, get my mother logged in to the website so she can book tickets, and so on.
Every single online account would have been excessive. But the ones he documented, I'm glad he did: saved a lot of people some inconvenience.
This is an interesting start up and concept but it seems like there's a pretty high barrier to entry. In order to use this site you have to place a lot of trust in it to:
* Be secure with your credentials to sites
* Reliably figure out that you are dead
* Trust that your next of kin will figure out the key you've set up
It's certainly a useful concept and much better than hoping your loved one placed the credentials somewhere you could access them.
An easy solution:
Encrypt your package using a fresh private key. Send the package to the will handler (such as PassMyWill), but not the key. Send the key to all the will recipients.
Upon the execution of your will, your recipients get the package that they can already open with their key.
The trick becomes to keep the package opaque to the will handler, and to keep the recipients from gaining access to the package prematurely.
I think the best solution in this space would be to implement this: http://en.wikipedia.org/wiki/Shamirs_Secret_Sharing
Then you could nominate some family members, friends, significant other, such that some minimum number of them were required to collaborate to decrypt the files.
Double-encrypt the package with a key that you give to PassMyWill and that you give to the recipients. Give the package to everyone.
What benefit would this provide over simply having an encrypted memory stick (or similar) containing all of the necessary account information and leaving the password with someone trusted (e.g., lawyer responsible for will, family member, friend, etc)? (or, as troels suggests, leaving the password or even the stick in a safe)
The benefit is that if you did it with an encrypted USB that you keep with a lawyer, every time you make a new account or change your username or password, you would have to get the USB back, re-write the txt file, then give it back. Whereas here, it may be easier to update your information in this fashion.
Well, you could keep the USB stick and give the lawyer the decryption key.
Entrustet.com has been doing this for several years now. They have been on TC in some capacity a few times:
I really don't see it competing much with having an envelope with a master password (e.g. my gmail password) in my safe?
Same here, only leaving the master password for my laptop and 1Password in my parent's safe. They would need to fly 2,000 miles to get physical access since the passwords don't work on my gmail account.
What a great way to get your passwords stolen.