Estate Planning for Your Digital Legacy: How To Keep Track of Passwords, Access Keys, and PINs
If you were to pass away unexpectedly, will a family member or a trusted friend be able to access important electronic records such as emails, bank accounts, or social media accounts? Can someone stop online services from billing your credit card? Who can close your online accounts?
Security-conscious consumers now have access to military-grade cryptography. While hackers are still a big problem, a far more common challenge — and one few people think about — is the difficulty that online security practices pose after a person's death.
Take some time today to create a digital estate plan to protect your digital assets and sensitive information while ensuring a responsible person can close down your online accounts.
Securing Your Digital Legacy
Create a Plan for Storing Passwords Securely
Establishing a secure way to track, store and share logins, log-in passwords, access keys, and personal identification numbers (PINs) is the first step in securing your digital legacy. There is no standardized way to keep track of important account information, and many people have not received any education on this. It's left up to the individual to muddle through.
Here are some options for keeping track of your passwords:
- Password Managers: Password protection software is a solution millions of people use to protect sensitive information. There are dozens of online services that you can use to secure passwords and other log-in information, as well as generate strong passwords. Services like LastPass, 1password, and Keeper provide peace of mind. An added benefit, you can access your passwords when you need to from home or on the go with mobile devices such as an iPhone or Android cell phone. All information stored online or in the cloud has some exposure to hackers. Password manager users are placing their trust in the digital security professionals who work at these companies. The risk of hacking may be low, but it's not zero. And remember, someone needs to know the master password for the password protection service.
- Master Passwords and Password Splitting: Some people favor a password splitting scheme, where half of a master password is given to one party (e.g., a spouse), and the other half is given to another trusted person, perhaps a lawyer. The benefit here is that no one has access to your information while you are alive, not even your spouse. If you and your spouse were to die at the same time, your spouse's half of the password would also need to be held by a second person, perhaps a second lawyer with instructions to contact the first lawyer. The biggest pitfall to this approach is that some may find it too complex. If you change your master password at any time, you will need to remember to inform everyone of the change.
- Using a Safe at Home: This is probably the easiest method for the storage of a master password or a password list. After you've compiled a list of passwords, PINs, and security questions and answers, store this document in a waterproof, fire-proof home safe. The combination for the safe can be stored with your attorney. Again, because passwords and PINs sometimes change, be sure to update this important document on a regular schedule.
- Do Not Use a Safe Deposit Box at Your Bank: A safe deposit box is a great place to store expensive jewelry, the deed to your home, or a passport. It's not a good place to store your original estate planning documents or your digital estate plan. Most banks will not allow anyone to access the safe deposit box after the death of the owner until an executor has been appointed by the probate court. If the will is in the safe deposit box, it may take a court order to get it. That takes time. While digital assets may not be the first priority after a death has occurred, they are important to many people and you may not want the delay.
- Don't Get Too Creative: Come up with a scheme that works for you and your family. Don't get so creative that your loved ones can follow through with the plan when they need to.
Make a List of Each Service and Its Access Information
Once you have a strategy for storing account logins and access information, make a list of equipment and services that use access information (logins, passwords, access keys, PINs, etc.). For example:
- Computers, cell phones, other electronic devices
- Email accounts
- Financial accounts, retirement accounts, investment accounts, credit card accounts, and other financial institutions
- Online services (music and photo storage, computer backup services, recurring purchases, recurring charitable giving to nonprofits, etc.)
- Important contact information, including contact information for those whom you have listed as inactive account managers (see below)
- Locations and access information to safes, safe deposit boxes, alarms, etc.
Include a description next to each item on the list. For instance, a description of the assets held in an account, or the types of documents found in an online storage location. Now you are ready to put this information into storage.
And remember to periodically update this information.
Digital Legacy Contacts
Many of us live a significant part of our lives online. How will these accounts be managed, or deleted?
Google lets users name an “inactive account manager." This person is granted access to your account if it has not been used for a certain amount of time. You are given the option of setting a waiting period of 3, 6, 12, or 18 months. After that time, your account is automatically turned over to the designated person.
Facebook allows users two options for the management of their account after death. You can choose to have your Facebook account permanently deleted. Someone will need to notify Facebook to initiate this process. The second option is to create a memorialized account, with or without a legacy contact. If you assign a person as a legacy contact, they can manage tributes and posts on your Facebook profile page, can update your profile picture, respond to friend requests, and can ask to have your account removed. They cannot post as you or see your messages.
TikTok and SnapChat do not allow anyone else to access an account. They will delete the account if provided with a copy of the death certificate. Twitter will work with the executor of the estate or an immediate family member to deactivate the account.
Password protection companies, unsurprisingly, have also planned for the death of their user. 1password, for example, has users create an emergency kit when they sign up. This provides information that would allow someone to log into the account. It can be printed out or placed on a USB drive and stored in a safe or at a lawyer's office.
LastPass and DashLane allow you to designate an emergency recipient, along with a waiting period for access or immediate access. That recipient could be the executor of your estate or a spouse.
The Challenge of Two-Factor Authentication
What if you use two-factor authentication (2FA) with face or fingerprint recognition to access your accounts? Even if you log in with the correct email and password, you still need the secondary code that is sent to your phone.
On an iPhone, it's possible to add a second person's fingerprint or face into your phone settings. That person will also need to know your passcode so they can restart the phone if it has been inactive. Android phones vary. Look for information on your manufacturer's website.
Another option is to create a backup code for accounts that use 2FA and provide the option of a backup code. The backup code can be stored in the password manager but should also be stored somewhere physically.
You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help
Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.