Emergency-accessible secrets for the digital paranoid
October 5, 2019 2:04 PM Subscribe
I don't trust cloud services but I want someone trustworthy to be able to access my accounts in case of emergency. What services, products, or setups can make this happen? Also, as a matter of pure security-theory, what is the best possible way to do so with minimal trust?
I'm an old-school security fan, who broadly believes that access credentials, except for those for shared resources, are best not shared with anyone at all, because every access code is only as secure as the least secure place it's at (so the more people who have it, the less secure it is). I'm wondering how to interface this with in-case-of-emergency provision of those secrets to those whom I would need to trust in an emergency. I'm also a fan of security and cryptographic theory, so I have an intellectual interest in how to secure data in a cooperatively-reconstructable form, so broadly I want to satisfy two conditions: first, that no single party (individual or institutional) possesses those access codes in a usable form, and second, that any attempt to reconstruct those access codes would be something which I would necessarily be aware of. The second may not be possible without trusting _someone_, but I'm interested (as a theoretical matter, mostly) in how to do this with minimal trust, and also what solutions already exist.
Here's the sort of thing I have in mind: an online credential-accessed information store in which I could place an encrypted file of my important passwords and passphrases. I would then provide my in-case-of-emergency trustholders with both the credential to the online service and the decryption key. However --- and this seems to be the bit that I'm not sure is out there --- I'd want access to the service to be alarmed, to prevent or at least discourage access in non-emergency scenarios, so that the service would let me know when it's been accessed, possibly enforcing a significant delay before providing the access to the file. This is not absolutely airtight, inasmuch as it could be foiled by cooperation between the information-store and the individual trustholder, but I'm not that paranoid and would ultimately accept that as a manageable risk if both individual parties were reasonably trustworthy.
More generally: what do other cloud-averse security-conscious people do to ensure that, in case of emergency but not under other circumstances, a trusted party can access their information? This feels like it should be a solved problem.
I'm an old-school security fan, who broadly believes that access credentials, except for those for shared resources, are best not shared with anyone at all, because every access code is only as secure as the least secure place it's at (so the more people who have it, the less secure it is). I'm wondering how to interface this with in-case-of-emergency provision of those secrets to those whom I would need to trust in an emergency. I'm also a fan of security and cryptographic theory, so I have an intellectual interest in how to secure data in a cooperatively-reconstructable form, so broadly I want to satisfy two conditions: first, that no single party (individual or institutional) possesses those access codes in a usable form, and second, that any attempt to reconstruct those access codes would be something which I would necessarily be aware of. The second may not be possible without trusting _someone_, but I'm interested (as a theoretical matter, mostly) in how to do this with minimal trust, and also what solutions already exist.
Here's the sort of thing I have in mind: an online credential-accessed information store in which I could place an encrypted file of my important passwords and passphrases. I would then provide my in-case-of-emergency trustholders with both the credential to the online service and the decryption key. However --- and this seems to be the bit that I'm not sure is out there --- I'd want access to the service to be alarmed, to prevent or at least discourage access in non-emergency scenarios, so that the service would let me know when it's been accessed, possibly enforcing a significant delay before providing the access to the file. This is not absolutely airtight, inasmuch as it could be foiled by cooperation between the information-store and the individual trustholder, but I'm not that paranoid and would ultimately accept that as a manageable risk if both individual parties were reasonably trustworthy.
More generally: what do other cloud-averse security-conscious people do to ensure that, in case of emergency but not under other circumstances, a trusted party can access their information? This feels like it should be a solved problem.
I think it's a solved problem but not a digitally solved problem, if that makes sense? I get what you are after, but it may be that creating an analog part to this satisfies this situartion the best.
I guess part of the question here is what the "emergency" outlines are. Because I share a safety deposit box (at a local bank, not one that is likely to sell out their safety deposit box shit to others) with my sister. It's in the town that I live in which is hours from where she lives. If I died, it would be trivial for her to get up here, get into my house, get the key to the box and get the envelope called PASSWORDS and break into my shit in order to do other things. However, there is literally no reason she would do that unless I was dead. And no way at all for her to do this in a hurry. The big key to digital security that is non-cloud based, to my mind, is that time/distance/money is still a real barrier for a lot of people.
My sister does, however, know the PIN to my phone (and I hers) which means in an "I got into a wreck" emergency she could read my email, make phone calls, that sort of thing. I could lock down my phone more tightly with fingerprint codes so someone with access to my phone could get into less. Some of this relies on sophistication. My sister would have a hard time figuring out how the 2FA system on my email worked (she could ask someone) and that would introduce some friction.
When my mother died, she had a huge (paper) folder full of passwords. However, the passwords were in code, a really simple code. The key to the code were in her "in case I die" file on her computer which was buried in folders we knew to look in but no one else did. When my guy sends me racy photos, I keep them in a folder called TAXES because no one will look there.
So given that, I think what I'd do is... put a list of encoded passwords in the Cloud connected to an account you don't use for anything else. Put the key to those encoded passwords somewhere else and give your trusted people access to those. Set up access controls on that account (google or whatever) so that you get a text any time someone tries to access them. Let these people know that. Alternately, just give them to a lawyer who is not going to do absolutely anything unless you are dead and there is an estate/retainer.
posted by jessamyn at 2:29 PM on October 5, 2019 [2 favorites]
I guess part of the question here is what the "emergency" outlines are. Because I share a safety deposit box (at a local bank, not one that is likely to sell out their safety deposit box shit to others) with my sister. It's in the town that I live in which is hours from where she lives. If I died, it would be trivial for her to get up here, get into my house, get the key to the box and get the envelope called PASSWORDS and break into my shit in order to do other things. However, there is literally no reason she would do that unless I was dead. And no way at all for her to do this in a hurry. The big key to digital security that is non-cloud based, to my mind, is that time/distance/money is still a real barrier for a lot of people.
My sister does, however, know the PIN to my phone (and I hers) which means in an "I got into a wreck" emergency she could read my email, make phone calls, that sort of thing. I could lock down my phone more tightly with fingerprint codes so someone with access to my phone could get into less. Some of this relies on sophistication. My sister would have a hard time figuring out how the 2FA system on my email worked (she could ask someone) and that would introduce some friction.
When my mother died, she had a huge (paper) folder full of passwords. However, the passwords were in code, a really simple code. The key to the code were in her "in case I die" file on her computer which was buried in folders we knew to look in but no one else did. When my guy sends me racy photos, I keep them in a folder called TAXES because no one will look there.
So given that, I think what I'd do is... put a list of encoded passwords in the Cloud connected to an account you don't use for anything else. Put the key to those encoded passwords somewhere else and give your trusted people access to those. Set up access controls on that account (google or whatever) so that you get a text any time someone tries to access them. Let these people know that. Alternately, just give them to a lawyer who is not going to do absolutely anything unless you are dead and there is an estate/retainer.
posted by jessamyn at 2:29 PM on October 5, 2019 [2 favorites]
I don’t think you’re going to achieve the alarming without trusting the alarm service, but this kind of auditing is possible with AWS and I assume other providers.
One other option is to encrypt your stuff in a way that multiple trusted people need to work together to decrypt it. Basically, you distribute m keys, and need n<=m keys to decrypt, where m and n are chosen by you. I forget the term for this, but a few minutes of googling should find it.
posted by qxntpqbbbqxl at 2:33 PM on October 5, 2019 [1 favorite]
One other option is to encrypt your stuff in a way that multiple trusted people need to work together to decrypt it. Basically, you distribute m keys, and need n<=m keys to decrypt, where m and n are chosen by you. I forget the term for this, but a few minutes of googling should find it.
posted by qxntpqbbbqxl at 2:33 PM on October 5, 2019 [1 favorite]
My husband and a close friend both have a copy of the 1Password PDF emergency mentioned by migurski.
posted by KleenexMakesaVeryGoodHat at 2:47 PM on October 5, 2019
posted by KleenexMakesaVeryGoodHat at 2:47 PM on October 5, 2019
1Password emergency kit instructions. (I didn’t find it immediately, so hopefully this helps someone else.)
Unfortunately, it requires you to have a 1Password account and subscription. A stand-alone license will not work.
posted by danielparks at 3:40 PM on October 5, 2019
Unfortunately, it requires you to have a 1Password account and subscription. A stand-alone license will not work.
posted by danielparks at 3:40 PM on October 5, 2019
Google has a sort of dead-man switch that you can set up, called the "Inactive Account Manager". There are lots of articles around on setting it up. You can choose what categories of data get opened up to your digital next-of-kin, and what gets deleted. (Because, let's face it, there are probably some things that you want Google to take to your grave with you.) I think one of the things your "Trusted Contact" gets access to is your Gmail, which is generally the linchpin of a typical user's online identity (since most accounts can have their passwords reset if you have access to the email address on file).
Of course you have to be careful, if you think you're the sort of person who might someday pull a Thoreau and go live in the woods without the Internet for a while, because that could potentially trigger it inadvertently. But for those of us who will probably have our phones literally taken from our cold, dead hands, it's not a bad solution.
That said... having dealt with the unexpected death of a family member, consider the low-tech "passwords in an envelope" thing for stuff that your family might need to access immediately, e.g. online banking that they'd need to pay bills, utility accounts, etc. Having to wait 90 days or whatever you specify as the deadman-switch interval for your Google account, and then having to reset a bunch of passwords individually, would be a real pain in the ass at a time when your friends/family probably don't need it.
posted by Kadin2048 at 3:40 PM on October 5, 2019 [1 favorite]
Of course you have to be careful, if you think you're the sort of person who might someday pull a Thoreau and go live in the woods without the Internet for a while, because that could potentially trigger it inadvertently. But for those of us who will probably have our phones literally taken from our cold, dead hands, it's not a bad solution.
That said... having dealt with the unexpected death of a family member, consider the low-tech "passwords in an envelope" thing for stuff that your family might need to access immediately, e.g. online banking that they'd need to pay bills, utility accounts, etc. Having to wait 90 days or whatever you specify as the deadman-switch interval for your Google account, and then having to reset a bunch of passwords individually, would be a real pain in the ass at a time when your friends/family probably don't need it.
posted by Kadin2048 at 3:40 PM on October 5, 2019 [1 favorite]
I'm just going to rephrase in the hopes of understanding, but here's my current interpretation:
The problem we are trying to solve is that of an EMERGENCY situation where Emergency Contact Person #1 (ECP1) will need to access system/account/xyz in a short timeframe up to and including immediately upon notification of said Emergency Situation. But there's a catch: we can't just trust ECP1 to the keys to the kingdom that they can access willy-nilly any time of day or night on a whim? What if ECP1 takes up crack one day and decides they need more RIGHT now and oh yeah I have access to all jackbishop's accounts!! a Press Button Receive Crack (PBRC) type scenario. So we need a secure location that ECP1 can access at any time pretty much immediately but ONLY when there is an Emergency Situation(TM). Some kind of access control system that can be programmed to open for ECP1 if various situational clauses are (somehow?) detected to be in play and verified by said system.
The rest is just details. You could probably cobble something together with certain elements mentioned above that I have possibly favorited. The key thing is finding the right approach for your particular, unique situation that we know next to nothing about.
posted by some loser at 4:19 PM on October 5, 2019 [1 favorite]
The problem we are trying to solve is that of an EMERGENCY situation where Emergency Contact Person #1 (ECP1) will need to access system/account/xyz in a short timeframe up to and including immediately upon notification of said Emergency Situation. But there's a catch: we can't just trust ECP1 to the keys to the kingdom that they can access willy-nilly any time of day or night on a whim? What if ECP1 takes up crack one day and decides they need more RIGHT now and oh yeah I have access to all jackbishop's accounts!! a Press Button Receive Crack (PBRC) type scenario. So we need a secure location that ECP1 can access at any time pretty much immediately but ONLY when there is an Emergency Situation(TM). Some kind of access control system that can be programmed to open for ECP1 if various situational clauses are (somehow?) detected to be in play and verified by said system.
The rest is just details. You could probably cobble something together with certain elements mentioned above that I have possibly favorited. The key thing is finding the right approach for your particular, unique situation that we know next to nothing about.
posted by some loser at 4:19 PM on October 5, 2019 [1 favorite]
This is the sort of problem that Shamir's Secret Sharing solves. Split your secret key into pieces and give them to k of your friends, such that any n of them (but no fewer) could recover the original key. If you want to do this yourself I recommend going low-tech, where the key shard is written as a hexadecimal string on a piece of paper that you hand out. I work on a cloud product that can do this, which is fine for companies with an IT staff, but for individuals you need to make sure everyone's trusted associates creates an account with the service, and doesn't lose their credentials over the years. (And the service still exists when you need it.)
posted by serathen at 4:50 PM on October 5, 2019 [4 favorites]
posted by serathen at 4:50 PM on October 5, 2019 [4 favorites]
Short term. Get a decently reliable cloud system that you can log into. Keep your encrypted passwords file there and give instructions to the people who need them. Set up monitoring so whenever someone passes the authentication stage, the message to you has been sent and you get an email/SMS notification.
Somebody should make an image that does this.
Step 3: profit!
posted by zengargoyle at 8:22 PM on October 5, 2019 [2 favorites]
Somebody should make an image that does this.
Step 3: profit!
posted by zengargoyle at 8:22 PM on October 5, 2019 [2 favorites]
Oh, that's old $WORK talking. If anybody logged into some machines as 'certainuser', everybody got an email. You just expand that to different usernames/passwords (authentication). You could do this web-wise and say "login and go here, but I'm going to get paged when you do". Add in some delay or waiting period and you're set as long as your provider stays around and you've paid your bills.
posted by zengargoyle at 8:32 PM on October 5, 2019
posted by zengargoyle at 8:32 PM on October 5, 2019
If you don't need your emergency person to have immediate access, make a local password vault using KeePass or some other local program, set it to use a master password, and save the master password and the KeePass folder path in a file in another folder, or print it out. Tell your emergency contact where that information is.
posted by Ahniya at 11:39 PM on October 5, 2019
posted by Ahniya at 11:39 PM on October 5, 2019
Google alerts the primary account holder when a log in from a new device is detected. So if you put your encrypted container onto a google drive and set it private you'll get notified that the container has been accessed. You are trusting google in this case. To be truly paranoid you could have the data in the encrypted container be a pointer to another service that also does notification. Layer as many services deep as need to satisfy your level of confidence you'll be notified.
When my guy sends me racy photos, I keep them in a folder called TAXES because no one will look there.
this only prevents shared users from stumbling on to images. Anyone actually looking (whether for racy images in particular or just images in general) is going to search for .jpg/.png and is going to see your taxes images and they are going to stick out like a sore thumb because they are in a folder labeled TAXES. However even a simple, non-secure encryption method like that used by .zip files will prevent casual discovery.
posted by Mitheral at 6:05 AM on October 6, 2019 [1 favorite]
When my guy sends me racy photos, I keep them in a folder called TAXES because no one will look there.
this only prevents shared users from stumbling on to images. Anyone actually looking (whether for racy images in particular or just images in general) is going to search for .jpg/.png and is going to see your taxes images and they are going to stick out like a sore thumb because they are in a folder labeled TAXES. However even a simple, non-secure encryption method like that used by .zip files will prevent casual discovery.
posted by Mitheral at 6:05 AM on October 6, 2019 [1 favorite]
"Here's the sort of thing I have in mind: an online credential-accessed information store in which I could place an encrypted file of my important passwords and passphrases. I would then provide my in-case-of-emergency trustholders with both the credential to the online service and the decryption key. However --- and this seems to be the bit that I'm not sure is out there --- I'd want access to the service to be alarmed, to prevent or at least discourage access in non-emergency scenarios, so that the service would let me know when it's been accessed, possibly enforcing a significant delay before providing the access to the file."
-------
If I'm reading this correctly, what you want does exist for Dashlane and LastPass, and has been requested for 1Password. I haven't checked other password managers but they may well have similar. See my previous reply here . (You may find other answers in this post helpful too.) I just confirmed that the links I provided in that reply are still active. They control access in exactly they way you say - you allow someone(s) to request access but the system alerts you if that someone actually does request access, and you have some time period (set by you) in which to decline access. If you don't decline access, they get it.
These aren't an encrypted file per se, but they're encrypted collections of your passwords and I believe all have the option of also saving notes and/or files. Bonus: it's a good idea to use a password manager regardless.
posted by 2 cats in the yard at 6:42 AM on October 6, 2019 [1 favorite]
-------
If I'm reading this correctly, what you want does exist for Dashlane and LastPass, and has been requested for 1Password. I haven't checked other password managers but they may well have similar. See my previous reply here . (You may find other answers in this post helpful too.) I just confirmed that the links I provided in that reply are still active. They control access in exactly they way you say - you allow someone(s) to request access but the system alerts you if that someone actually does request access, and you have some time period (set by you) in which to decline access. If you don't decline access, they get it.
These aren't an encrypted file per se, but they're encrypted collections of your passwords and I believe all have the option of also saving notes and/or files. Bonus: it's a good idea to use a password manager regardless.
posted by 2 cats in the yard at 6:42 AM on October 6, 2019 [1 favorite]
« Older Where do teenage girls find other girls for dating... | How do I light myself well for webcam? Newer »
This thread is closed to new comments.
posted by migurski at 2:26 PM on October 5, 2019 [5 favorites]