How Secure Are Your Online Account Passwords?

With announcements this month from popular Web sites LinkedIn, eHarmony, and Last.fm that a significant number of user passwords may have been compromised, it’s a good time to ask yourself, “How secure are your passwords?” It’s also a good time to change your passwords on these Web sites, if you haven’t done so already.

Microsoft generally recommends using strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols. They also recommend not using the same password for everything. If you use the same password for multiple online accounts, then when one account’s password is compromised, your other accounts also may be compromised. The old adage that “a chain is only as strong as its weakest link” applies to your online accounts. Whitson Gordon posted an interesting article yesterday on Lifehacker explaining the different methods that online service providers use to protect user passwords, and there are significant differences in the level of security that these companies may use.

If you’d like to see an interesting example of how long it may take a hacker to guess your password, Gibson Research Corporation has a useful Web site that estimates the time to search through the possible password character combinations. There is a brief video explanation on their Web site too. For example, an eight character password consisting of only lowercase letters may take up to 2.17 seconds to guess using an offline system that can guess 100 billion passwords per second. Changing that to an eight character password containing an equal number of lowercase letters, uppercase letters, numbers, and symbols results in up to 18.62 hours to guess the password. Changing that to a twelve character password containing an equal number of uppercase letters, lowercase letters, numbers, and symbols results in up to 174,000 years to guess the password. Please note that these estimates are based on the time it would take to try every possible combination of characters, and the password may be guessed before running through every possible combination. These estimates also are based on the number of uppercase letters, lowercase letters, numbers, and symbols that you enter (e.g., three of each type of character in my last example). But, a hacker generally won’t know the precise mix of characters that you used, so they may start by trying just lowercase letters and then add more complexity if that isn’t successful. And, if your password is one of the 470,000 or so words in the dictionary or one of the more commonly–used passwords, it may take a hacker only a few seconds to guess your password.
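The arithmetic behind these estimates, as an added example (not code from the original post or from Gibson Research Corporation): it counts every password up to the given length over the character classes used and divides by the 100 billion guesses per second quoted above, which reproduces the 2.17 second and 18.62 hour figures. The escalation order in `STAGES` and the sample passwords are assumptions; the short common-password list reuses the five passwords quoted in a later post on this page.

```python
import string

# Guess rate behind the page's figures: an offline attacker at 100 billion guesses/second.
GUESSES_PER_SECOND = 100_000_000_000

# Printable-ASCII character classes: 26 + 26 + 10 + 33 = 95 characters in total.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}

# Assumed escalation order for an attacker who does not know the character mix:
# lowercase only first, then progressively larger alphabets.
STAGES = [
    ("lowercase",),
    ("lowercase", "digits"),
    ("lowercase", "digits", "uppercase"),
    ("lowercase", "digits", "uppercase", "symbols"),
]

# The five frequently used passwords quoted elsewhere on this page.
COMMON_PASSWORDS = ["123456", "12345", "123456789", "1234567", "12345678"]


def classes_used(password):
    """Return the set of character-class names that appear in the password."""
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            raise ValueError(f"character {ch!r} is outside printable ASCII")
    return used


def alphabet_size(class_names):
    return sum(len(CLASSES[name]) for name in class_names)


def search_space(alphabet, length):
    """Number of passwords of length 1..length over an alphabet of the given size."""
    return sum(alphabet ** k for k in range(1, length + 1))


def exhaustive_guesses(password):
    """Worst case when the attacker already knows which character classes are in use."""
    return search_space(alphabet_size(classes_used(password)), len(password))


def escalating_guesses(password):
    """Worst case when the attacker works through STAGES until one covers the password."""
    needed = classes_used(password)
    total = 0
    for stage in STAGES:
        total += search_space(alphabet_size(stage), len(password))
        if needed <= set(stage):
            break
    return total


def estimate(password, rate=GUESSES_PER_SECOND):
    """Upper bound on guessing time; a listed common password falls almost immediately."""
    if password in COMMON_PASSWORDS:
        method, guesses = "common-password list", COMMON_PASSWORDS.index(password) + 1
    else:
        method, guesses = "escalating brute force", escalating_guesses(password)
    return {"method": method, "guesses": guesses, "seconds": guesses / rate}


def format_duration(seconds):
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords matching the three cases described in the post.
    for pw in ("abcdefgh", "aB3$xY7!", "abcDEF123!@#", "12345"):
        known_mix = format_duration(exhaustive_guesses(pw) / GUESSES_PER_SECOND)
        result = estimate(pw)
        print(f"{pw!r}: known mix up to {known_mix}; "
              f"{result['method']} up to {format_duration(result['seconds'])}")
```

Working through the smaller alphabets first adds only a few percent to the attacker's worst case for the mixed eight-character password, so not knowing the character mix costs the attacker very little.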

If you’re wondering how to remember all of the strong passwords you’ll need for each of your online accounts, consider using a popular software tool like LastPass, 1Password, KeePass, RoboForm, Keeper, etc. Look for a tool that is secure, easy to update, convenient to use, and portable so that it’s always with you (e.g., on a smartphone). If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).

One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.

Posted in E-mail, Financial Accounts, General, Social Networking Accounts

Wisconsin Family Struggles to Obtain Access to Deceased Son’s Facebook and Gmail Accounts

A June 1, 2012, article by Jessica Hopper, posted on MSNBC’s Rock Center, describes a Wisconsin family’s attempts to gain access to their deceased son’s online accounts. As I mention in previous postings, it can be a very time–consuming, expensive, and frustrating process.

The first problem is that most major Web services won’t reveal or reset the password of an incapacitated or deceased person. The second problem is that the Terms of Service contracts at some major Web services prohibit you from allowing anyone else to access your account, which may prevent even a court–appointed and duly–authorized fiduciary from fully accessing an incapacitated or deceased person’s account. And, if you aren’t authorized to access the incapacitated or deceased person’s account, you may be violating a state or federal criminal law regarding unauthorized access to computers or computer systems. Third, the Terms of Service contracts for some major Web services, like the one for Yahoo!, say that your account terminates at death. Finally, the Terms of Service contracts for most major Web services say that the online account is not transferrable or only transferrable with permission.

In this Wisconsin family’s situation, it appears that they have been struggling with access to their deceased son’s Facebook account and Google Gmail account. I have not seen copies of any of the pleadings filed in this case or the orders signed by Judge Joseph D. Boles of the Pierce County Circuit Court, so I’m not sure if the family requested a copy of “the contents” of these online accounts or whether they requested full access to “the account itself.” I’ve previously explained the difference between trying to obtain “the contents” versus full access to “the account itself.” The article notes that Facebook has received a copy of the Wisconsin Circuit Court’s order but has not responded yet.

In this situation, I don’t know whether Facebook or Google were made parties to the court proceedings (served with notice of the pending action and given an opportunity to be heard by the court) before the orders were issued. This may be an important element in this case. My understanding is that, in the past, Yahoo! has asserted that a general court order, without naming Yahoo! as a party to the court proceedings, is not sufficient for them to turn over the e–mail account contents. For example, in the Michigan case In re Ellsworth, No. 2005–296, 651–DE (Mich. Prob. Ct. 2005), a family made Yahoo! a party to the court proceeding, gave Yahoo! notice of the proceeding, and a Yahoo! representative appeared at the hearing. Following the order in the Ellsworth case, Yahoo! turned over the contents of the deceased user’s e–mail account to the family.

It will be interesting to see how Facebook and Google respond to this Wisconsin family’s requests and the court’s orders.

Posted in E-mail, Social Networking Accounts

WSJ Article on Access to Online Accounts After a Business Owner Dies

There is an article by Molly Williams in today’s Wall Street Journal titled “If a Business Owner Dies, Who Can Access the Web?” The article points out that some small businesses have only one person who knows the passwords to the important online accounts for the business, and that could be disastrous for the business if that person becomes incapacitated or dies without writing down the passwords so that others can access the accounts. Ensuring access to the business’s important online accounts is an important part of business continuity planning—a business may need to handle online customer orders, online purchases from suppliers, online payroll software, online bill paying, online marketing, e–mails, and more.

In general, I suggest that a business use its own e–mail server or have the business contract with a commercial e–mail service provider—do not rely on a free e–mail service for your business e–mails. Why? Because the Terms of Service contracts at the major free e–mail service providers (Google, Microsoft, and Yahoo!), say that these accounts are not transferable (or transferable only with permission). So, if the business e–mail account is registered in the individual owner’s name at one of the free e–mail services, the account probably cannot be transferred.

Also, the Yahoo! Terms of Service contract says that your account terminates when you die. The Terms of Service contracts at many other service providers are silent about what happens to your account when you die. If a business contracts directly with a commercial e–mail service provider (rather than one of the free e–mail providers), the account could continue after the owner dies.

The Microsoft and Facebook Terms of Service contracts say that only you may use your account, and you must not authorize a third party to access or use your account. This probably does not work well for business purposes, where more than one person may need to access the online account. As I have mentioned before, it could be considered a crime to access another person’s online accounts—even if you are the duly–authorized fiduciary for that person—if you “exceed authorized access” under the online account’s Terms of Service contract. The Wall Street Journal article quotes me as recommending not to access another person’s account using the person’s password—instead, the duly–authorized fiduciary for that person should contact the service provider to request the contents of the account to avoid potential charges of “exceeding authorized access.” I’ve previously mentioned the proper procedures for contacting Google, contacting Microsoft, and contacting Facebook. For a Yahoo! e–mail account, you can contact Yahoo! Customer Care to start the process, but note that, in the past, they have required a court order directing them to turn over the e–mail account contents citing privacy concerns.

Posted in E-mail, Social Networking Accounts

Update on Whether It’s a Crime for Fiduciaries to Access a Decedent’s Online Accounts

I’ve written previously that using an incapacitated or deceased person’s passwords to access that person’s online accounts may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On April 10, 2012, the Ninth Circuit Court of Appeals issued an opinion in United States v. Nosal regarding the scope of the phrase “exceed authorized access” under § 1030 of the Computer Fraud and Abuse Act.

In this case, David Nosal, a former employee of Korn/Ferry, convinced current Korn/Ferry employees to obtain information from a confidential Korn/Ferry database—information that Mr. Nosal could use to help start a competing business. The current Korn/Ferry employees were authorized to access the database, but disclosing that confidential information violated Korn/Ferry’s company policies. The criminal charge was “exceeding authorized access” under the Computer Fraud and Abuse Act because the company’s policy was violated.

The Ninth Circuit held in this case that “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Note that the key phrase in that quote is “use restrictions.” The Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” In this case, the current company employees had permission to access the confidential company database, but the company’s policies restricted the use of the information. So, the criminal charge of “exceeding authorized access” under the Computer Fraud and Abuse Act was dismissed.

As I have discussed before, the U.S. Department of Justice has asserted that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the Computer Fraud and Abuse Act when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position may have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.

This case is interesting for fiduciaries and family members because the Ninth Circuit narrowly construes the phrase “exceeds authorized access,” despite the government arguing for a very broad construction of “exceeds authorized access.” Although it is not part of the Ninth Circuit’s holding, the most interesting portion of the order to me is the Discussion section of the Ninth Circuit’s opinion, where the court gives several examples of the consequences of the government’s broad construction, including an example about Facebook’s Terms of Service contract provision regarding letting someone else access your account:

For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007–March 1, 2012, § 2.3, http://www.google.com/intl/en/policies/terms/archive/20070416 (“You may not use the Services and may not accept the Terms if…you are not of legal age to form a binding contract with Google….”) (last visited Mar. 4, 2012). Adopting the government’s interpretation would turn vast numbers of teens and pre–teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms (“You will not share your password,…let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.

…Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms (“YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.”) (last visited Mar. 4, 2012). Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.

The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, 130 S. Ct. 1577, 1591 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17–year–old boy and cyber–bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.

So, although the Ninth Circuit’s actual holding in this case does not specifically resolve the question of whether using an incapacitated or deceased person’s passwords to access that person’s online accounts is a crime (if that “exceeds authorized access” when the Web service’s Terms of Service contract prohibits letting others access the online account), the opinion’s discussion about Facebook’s Terms of Service provision gives me some hope for the future. Keep in mind that the Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use,” so the chilling effect on fiduciaries and family members accessing online accounts remains a problem.

For more discussion of United States v. Nosal, read the April 10, 2012, article by Orin Kerr at The Volokh Conspiracy, including a mention of disagreement among the circuit courts about whether to interpret the Computer Fraud and Abuse Act broadly or narrowly, which could lead to a Supreme Court opinion on this issue in the future.

Posted in E-mail, Financial Accounts, Online Sales Accounts, Social Networking Accounts, Video Games & Virtual Worlds, Web Pages and Blogs

Sharing Your Facebook Password With Employers, Schools, or Fiduciaries

Previously, I’ve written about courts ordering spouses to reveal their Facebook passwords in the course of a divorce proceeding. In the past few weeks, there have been several stories about employers asking a job applicant to reveal the applicant’s Facebook username and password and schools asking a student to reveal the student’s Facebook username and password. See articles here, here, here, here, and here for a sampling of articles. The ACLU quickly condemned this practice as an invasion of privacy and has encouraged legislation to protect users’ privacy.

Facebook’s Chief Privacy Officer, Erin Egan, posted on March 23, 2012, that demanding access to a Facebook user’s profile and private information “undermines the privacy expectations and the security of both the user and the user’s friends.” She states, “That’s why we made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.” She also states, “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action.”

In a previous post about Planning Ahead for Access to Contents of a Decedent’s Online Accounts, I cautioned against having a family member or fiduciary use the password of an incapacitated or deceased user to gain full access to that user’s online accounts (“the account itself”) because it may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. According to the statement quoted above by Facebook’s Chief Privacy Officer, in addition to state or federal criminal laws, Facebook may initiate legal action (presumably a civil law suit against the person exceeding access to the Facebook account) where appropriate to protect the privacy and security of users.

It’s essential to plan ahead with a list of passwords so that, during a period of incapacity or after your death, your fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. But, your fiduciaries and family members must think carefully about the potential for criminal penalties or civil lawsuits if they try to use your list of passwords to get full access to any of your online accounts (“the account itself”). As I’ve discussed before, the safer course of action for now is to have the duly–appointed fiduciary for an incapacitated or deceased person request a copy of “the contents” of the online account from the online service provider, and that should not be construed as “unauthorized access.”

Posted in Social Networking Accounts

Jim Lamm Quoted in The Wall Street Journal’s Law Blog

On February 13, 2012, I was quoted in The Wall Street Journal’s Law Blog in the article “What Happens to Your ‘Digital Assets’ When You Die?” by Steve Eder. The article also quotes my colleague, Gene Hennig, who co–authored a Project Proposal with me in May 2011 to the Uniform Law Commission for a uniform law to grant fiduciaries specific powers and authority regarding an individual’s online accounts and digital property during incapacity and after death.

Posted in General

Planning Ahead for Access to Contents of a Decedent’s Online Accounts

February 1 was informally designated as “Change Your Password Day,” and a good collection of articles is available at Lifehacker.com about how to test the strength of your passwords, how to update your passwords with “strong” passwords, and a list of software and services to help you keep track of all of your “strong” passwords. This is also a good time to update your list of passwords, online accounts, and digital property for your estate plan.

News services reported this week that the e–mail account of the president of Syria was hacked by the “Anonymous” group, and that the password he used was “12345.” More details are in this article by Stephen Webster at Raw Story. On one hand, that’s not surprising, because five of the top ten most frequently–used passwords are “123456,” “12345,” “123456789,” “1234567,” and “12345678.”

Personally, I like a password and account list that is secure, easy to update, convenient to use, and portable so it’s always with me (or it needs to sync automatically with all my devices, including my iPhone and my iPad). You could use a written list, but that isn’t very secure (and if you store it securely, it isn’t very easy to update). I prefer an encrypted electronic list. Some of the most popular software tools are LastPass, 1Password, KeePass, RoboForm, and Keeper. If you use an encrypted electronic list, make sure you write down instructions for your fiduciaries so they can find it and access it if you are incapacitated or deceased (store the written instructions in a safe deposit box, home safe, etc.).

One of my favorite features of LastPass and similar software tools is that they can integrate securely with my Web browser to automatically fill in my username and password (after I’ve typed in my master password when I first start my Web browser), so that I don’t need to manually type any of my “strong” passwords. LastPass and similar software tools also can generate “strong” passwords when you register for a new Web service or when you choose to change your password for a Web service—and they can fill in the new password automatically for you so you don’t make a typo.

In addition to these software tools, there are a number of Web services that are specifically designed to hold an electronic list of your passwords and online accounts while you are alive, then the service will turn over your list to your duly–authorized fiduciary after you die.

It’s essential to plan ahead with a list of passwords so that fiduciaries and family members have full access to your smartphones, tablet devices, computers, and encrypted data storage. For data that is protected by a strong password plus strong encryption, it may be practically impossible to access the data without the password. But what about online accounts?

I want to stop here and draw an important distinction between access to “the account itself” and “the contents” of an online account after a person becomes incapacitated or dies.

First, the Terms of Service contracts on the major Web services—Microsoft, Google, Yahoo!, Facebook, YouTube, Twitter, eBay, PayPal, etc.—say that “the account itself” is not transferrable or only transferrable with permission. Second, most major Web services won’t reveal or reset the password of an incapacitated or deceased person, so the family members and fiduciaries aren’t able to fully access “the account itself” unless they know the incapacitated or deceased person’s password. Third, if you give fiduciaries and family members your password, letting them access “the account itself” may violate the Terms of Service contract on Web services (which might violate criminal laws—see below). Fourth, some Terms of Service contracts, like the one for Yahoo!, say that a user’s account terminates at death.

In my opinion, full access to “the account itself” for a typical online account isn’t all that valuable to family members or fiduciaries. “The contents” of the online account are where the financial or sentimental value is located. Family members generally want access to and copies of the deceased person’s e–mail contents, photos, videos, music, intellectual property, etc. There are exceptions to this. A Twitter account has followers. A Facebook account has friends. An eBay account has a reputation. For these types of accounts, “the account itself” does have value—but these are probably limited to the business world—the commercial value of followers, friends, or a reputation.

For the most part, the goal of estate planning for most online accounts is to plan ahead so that the duly–appointed fiduciary or family members can find and then obtain “the contents” of the online account—the electronic data—from the Web services after the account holder dies or becomes incapacitated, which can be done even if we don’t know the account password. Planning ahead by leaving a list of your online accounts for your family members and fiduciaries is an important step because it helps the duly–appointed fiduciary locate valuable or significant digital property. Armed with that list of accounts, the duly–appointed fiduciary can request copies of the contents of a deceased person’s Facebook account, e–mail account, and many other types of online accounts. However, as I mentioned above, using a deceased person’s passwords to access “the account itself” may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On the other hand, having the duly–appointed fiduciary request a copy of “the contents” of the account should not be construed as “unauthorized access,” although some Web services have insisted on a court order authorizing disclosure of “the contents” of the online account citing privacy concerns. The bottom line is that I still recommend planning ahead by keeping a list of passwords to your online accounts, but a critical issue for your fiduciary to consider is whether to use the passwords to access your online accounts (“the account itself”) or whether to just request “the contents”—because of the potential application of these criminal laws.

All fifty states and the federal government have enacted criminal laws penalizing unauthorized access to computer systems and types of private or protected personal data. These laws generally provide consumer protection against fraud and identity theft, but these criminal laws may also have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.

The U.S. Department of Justice asserts that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security. However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”

On the other hand, there’s an ongoing Michigan case where Leon Walker has been charged with a felony for allegedly accessing his wife’s e–mails from her Google Gmail account. On December 27, 2011, the Michigan Court of Appeals issued an opinion addressing the issue of whether Mr. Walker’s alleged conduct falls within the scope of Michigan’s criminal law on unauthorized computer access, and they held that “the prosecutor presented sufficient evidence of each element of unauthorized access of a computer, MCL 752.795, to support the district court’s decision to bind defendant over for trial.”

If you plan ahead by specifically authorizing a fiduciary under a Durable Power of Attorney (a “digital power of attorney”) or under a Last Will and Testament or Revocable Trust Agreement to access your online accounts during incapacity or after death, would that solve this potential problem of “unauthorized access” by the fiduciary? While that would clarify your intent, I’m not sure whether that is enough because there’s a potential second layer to this problem. If the Terms of Service contract prohibits you from allowing anyone else to access your account, like the Terms of Service contracts of Facebook and Microsoft’s Hotmail, then it may not matter whether you specifically authorized the fiduciary to access your account—the fiduciary isn’t authorized to access the account under the Terms of Service contract, so a fiduciary’s access to “the account itself” may be construed as “unauthorized access” under these criminal laws.

It will be very interesting to see whether this Michigan case and the testimony from the Department of Justice will have a chilling effect on fiduciaries who are considering accessing a decedent’s online accounts (“the account itself”) using the decedent’s password. As I mentioned above, the safer course of action for now is to have the duly–appointed fiduciary request a copy of “the contents” of the account, and that should not be construed as “unauthorized access.”

Posted in E-mail, General, Social Networking Accounts

Zappos.com Customer Account Information Compromised

On January 15, 2012, Zappos.com announced that their customer account information may have been compromised, including customer names, e–mail addresses, billing and shipping addresses, and phone numbers. CNN reports that this affects 24 million Zappos.com customers.

Fortunately, Zappos.com announced that customer credit card numbers were not compromised. Although unencrypted customer account passwords were not compromised (the encrypted customer account passwords may have been compromised), Zappos.com took the proactive steps of resetting all customer account passwords and recommending that customers change their passwords at other Web sites.

This is another reminder of how important it is to use separate, strong passwords for each online account that you have. As I mentioned in previous postings, a recent study concluded that 75% of users had the same password for both their e–mail accounts and their social networking accounts. If hackers are able to obtain your username and password from one company, they may try the same username and password combination at other popular Web sites. For a detailed list of other reported data breaches, see the list at Privacy Rights Clearinghouse, a nonprofit consumer organization (at the time of this posting, they listed 2,841 publicly–reported data breaches since 2005!).

I’ve previously written about ways to keep track of and securely store your important passwords and online account information. For online accounts, Microsoft recommends creating strong passwords of 14 characters or more with a combination of uppercase letters, lowercase letters, numbers, and symbols. It’s difficult to remember strong passwords, and it’s easy to make a typo when entering them. As I’ve mentioned before, there are tools that enable you to create and maintain an encrypted electronic list of passwords and online accounts on your smartphone or your computer, and these tools can integrate with your Web browser and automatically look up and enter your passwords for your online accounts. Examples include LastPass, KeePass, 1Password, RoboForm, and Keeper, among others.

Remember to let your family members and fiduciaries know where you keep your “master” password to unlock your encrypted electronic list of passwords and online accounts in case you become incapacitated or die, and make sure they know where your encrypted electronic list is kept too.

Posted in Online Sales Accounts

Unique Virtual Sword Sells for $16,000 in Age of Wulin Video Game

I’ve written before about estate planning and charitable giving with video games and virtual worlds. Here’s another example of how valuable digital property can be—including virtual items in video games.

In December 2011, the developers of the video game Age of Wulin held an auction to sell unique virtual items to use in the video game. One man paid $16,000 for a virtual sword to use in the video game. Other unique virtual items to use in the video game sold for $2,500 and $1,600 in the auction.

These values for virtual items are a bit surprising because this video game has not even been released to the public yet. The developers completed the first phase of closed beta testing in 2011, and they plan to release the game to the public sometime in 2012.

As I’ve mentioned before, it is important for video game and virtual world players to plan ahead and incorporate their digital property into their real–world estate plan. Beyond just writing down the account name and password for the fiduciaries to access the account, the fiduciaries and family members need to know if there are monthly fees to keep the video game or virtual world account open (so the valuable video game character and its virtual property and currency are not deleted!), what the approximate real-world value may be, and either how to transfer it or where to sell it. A little time spent planning ahead can make the administration much more efficient when the video game or virtual world player becomes incapacitated or dies.

Posted in Video Games & Virtual Worlds