Much has been written – and hopefully read – on securing your passwords from disclosure. But what about when you want or need your passwords located? Failing to make proper (and secure) arrangements for your passwords to be found if you become incapacitated or pass away can have disastrous consequences.
Just ask the customers of cryptocurrency exchange QuadrigaCX. According to an article in TechSpot and an ABC News report, QuadrigaCX was holding approximately $145 to $190 million in customers’ bitcoins and other cryptocurrency on a server (a “hot wallet”) and in a secure offline and encrypted storage area (a “cold wallet”). Transfer of the currency between customers’ accounts and the wallets regrettably was controlled exclusively from the personal and encrypted laptop of the company’s founder and CEO, who alone knew the password to the database. The CEO died unexpectedly on December 9 while traveling in India. Unfortunately for QuadrigaCX, the database password passed away with him. So far, even white hat hackers (security specialists hired to break into protected systems and networks) have had little success accessing the wallet contents.
There are as many ways to keep your passwords secure yet accessible as there are people with passwords. The method you choose comes down to your personal risk tolerance and trust levels. Some may be comfortable giving a hard or electronic copy of their passwords to a close friend or family member. Others may trust their attorney to secure the list alongside their will and other confidential papers. A safe deposit box is secure, but inconvenient. Use of any of these “offsite” options is hampered by regularly forced password changes, which require retrieval and replacement of the password list. Placement in a personal safe increases accessibility, but decreases security if the safe itself is easily located and easily removed.
A compromise alternative might be to place a hard or electronic copy of your passwords in a place where no one would ever look for or stumble across it, and where it cannot accidentally be given away (as it could be from the inside pocket of an old coat). Ideally, the location would be so nondescript and hidden that even you might forget where you put the list. Next, place a set of clues to the hiding place in a separate, preferably secure, location. If your password list is actually a key to your password system rather than the actual passwords themselves, so much the better.
Is all this unduly onerous or even overkill? Possibly for some, and certainly for others. Ultimately, it is simply a balance between your stomach for risk and your taste for convenience. Whether because you want to ease the burden on your loved ones when you die, or make sure needed funds can be found if you become incapacitated, choose some password recovery method. The one unacceptable option is to do nothing. If you do nothing, the list of your precious passwords may be like the formula for Greek fire (Wildfire to you Game of Thrones fans) – forever lost.