Keeping a Secure List of Passwords, Online Accounts, and Digital Property

An important part of a comprehensive estate plan (planning ahead for incapacity and death) is preparing a complete list of your passwords, online accounts, and other digital property—and keeping it up to date. This list helps fiduciaries and family members find your valuable and significant online accounts and digital property, keep administration costs down, provide for a smooth administration, and ensure no property is overlooked.

A written list is easy for anyone to create, but it’s insecure to keep with you at all times and may be inconvenient to update. A sample written list is available on my blog—I call it “My Digital Audit.” You can download the Adobe PDF form to your own device and either edit it electronically or print it and fill it out by hand. Keep your written list in a secure location, like a safe deposit box or a home safe. Secure storage and frequent updates don’t work well together for a written list, so an electronic list or a hybrid method combining an electronic list and separate written instructions is preferable to only keeping a written list.

Personally, I prefer to use an encrypted electronic list because it’s secure, easy to update, convenient to use, and it’s on my smartphone so it’s always with me. A master password is used to access the encrypted data in the list. So, I only need to remember one master password, then I can use the electronic list to keep track of all my separate, strong passwords for each online account that I use. An electronic list can be stored on a smartphone, a computer, a portable storage device, or in the cloud.

When choosing software or a Web-based service to keep an encrypted electronic list of passwords, online accounts, and digital property, look for one that synchronizes your list among your computer, tablet, and smartphone (and the cloud, if desired) so that it’s easily accessible by you. Also, look for one that integrates with your Web browser to securely and automatically enter the username and password for your online accounts. In addition to being a time-saver, it also encourages you to use separate, strong passwords for each of your online accounts (if you’d like to learn more about strong passwords, read this article from Microsoft on Six Rules for Safer Financial Transactions Online). The ones that integrate with your Web browser also help keep your list up to date by automatically updating your list when you create a new online account or when you change an online account’s password. If the software or Web-based service stores your list in the cloud (not just stored locally on your device), make sure it encrypts your data before sending it to the cloud so that the service provider (or a hacker compromising the service provider’s security) can’t access your confidential data.

Five of the most popular free and commercial software tools to keep an encrypted electronic list are described in a January 11, 2015, article at by Alan Henry. The five encrypted electronic list tools the article describes, in alphabetical order, are: 1Password, Dashlane, KeePass, LastPass, and Roboform.

A key problem with an encrypted electronic list is that fiduciaries and family members need to know your master password in order to read your list while you are incapacitated or after you are deceased. Without the master password, the list may be practically impossible to access (e.g., if the list is protected with strong encryption and a strong password).

One idea is to use a hybrid method by keeping an encrypted electronic list of your passwords, online accounts, and digital property plus keeping a separate written instruction sheet describing how to find and access your encrypted electronic list, including the master password. Keep the separate written instruction sheet in a secure location, like a safe deposit box or a home safe.

Another idea is to use a Web-based service to both keep your encrypted electronic list and provide a mechanism for designated fiduciaries or family members to access the unencrypted list. Some of these Web-based services, in alphabetical order, are: AfterSteps, Assets in Order, BestBequest, Deathswitch, Estate Map, E-Z-Safe, PasswordBox’s Legacy Locker, and SecureSafe. However, unlike the software tools listed three paragraphs above, the Web-based services listed in this paragraph currently do not integrate with your Web browser to enter the username and password for your online accounts securely and automatically, which may make these services less convenient to use and less convenient to keep up to date. Also, if the service provider has the ability to turn over the unencrypted contents of your list to a fiduciary or family member that you designate, that means the service provider (or a hacker compromising the service provider’s security) potentially could gain access to your confidential data—this is a trade-off between convenience and security.

During your incapacity or after your death, fiduciaries and family members should read the applicable Terms of Service contract before attempting to use your password to access your online account. There are federal and state laws that penalize unauthorized access to computer systems and types of private or protected personal data. These laws provide consumer protection against fraud and identity theft but may have a chilling effect on fiduciaries and family members trying to access an incapacitated or deceased person’s online accounts.The U.S. Department of Justice asserts that 18 U.S.C. § 1030(a)(2), which is a provision of the Computer Fraud and Abuse Act (“CFAA”), is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. For example, some Terms of Service contracts prohibit you from allowing anyone else to access your online account, which may mean that a fiduciary or family member using your password to access the account is “exceeding authorized access” within the scope of the CFAA. If any of your online accounts has an access restriction like this in its Terms of Service contract, your fiduciary or family member should consider asking the service provider for a copy of your account’s contents instead of attempting to use your password to access your account.

This entry was posted in General and tagged , , , , , , , . Bookmark the permalink.