Bitwarden releases “emergency access” feature (opens in new tab)

Everything should be documented. We have a binder with checklists that walk you through gaining access to everything the other partner might need in the event of death (email accounts, domain registrar, bank and brokerage accounts, auto/home/life insurance, ongoing recurring bills of all sorts). Bitwarden databases are exported to paper, 3 hole punched, and put in the binder on a schedule. Both partners get setup with each other's 2FA OTP tokens. Have options? Agreement goes in the binder. Own real estate? Deeds, land trusts, LLC agreements, etc related to this go in the binder. If in doubt, print it out.

Either one of us can assume responsibility for the entire estate in about an hour or so, the only delay would be a life insurance benefit payout. If you have assets that your partner might not know how to facilitate liquidity for, or when to, pay someone you trust to manage that. Your gift to your family is when you leave the world, they can continue on without fumbling to wrap up loose ends.

https://getyourshittogether.org/checklist/

Having gone through an unexpected, young death where nothing was recorded, I’ve come to the opposite conclusion: anything significant enough to care about already has next-of-kin processes established such that the Right Person will be able to sort it out.

Indeed, when it comes to stuff like finances, at least where I live, touching them post-death creates issues when the legal channels confirming there’s no contest over next-of-kin haven’t been run to ground. In those situations, having a password means nothing.

This doesn’t mean you shouldn’t prep a will and have processes in place, but it gave me a lot of reassurance that I did not need to worry so much about this.

My wife and I recently had to settle an estate (pre-covid), and most subscription services are quite easy to work with. The estate we were dealing with was a bit of a mess, so we basically had nothing to go on except some bank/credit card statements. We were able to contact the banks, deactivate all the credit cards, and contact some services to request refunds for several months of service. We didn't have any trouble getting those refunds after providing the death certificate.

Obviously, it would have been much less of a hassle if we'd had the account information from the beginning, but there were much more annoying problems to deal with than deactivating Netflix.

If you're really concerned about this, make sure you have a will in place and beneficiaries defined on your financial accounts. That is probably just as important as making sure your dependents have immediate access to your money.

A day before a critical surgery I was told I had 50% chance of survival, being a single founder of my startup I had access to all the accounts, passwords, encrypted data (files, codes etc.) and had to find a way to transfer them to my shareholders if I die.

I settled for writing the master key in a physical file to be delivered to a trusted contact in case of my demise along with registering the fingerprint of my trusted contact to my smartphone(all of which has since been revoked). Bitwarden's Emergency Access addresses this problem in a much safer way.

I didn't think about credit card access then, but in my case I think shareholders could have legally taken over the startup and thereby getting access to all the online subscriptions; what wouldn't have been feasible was accessing the private encrypted data hence the 'need for secure key transfer after death'[1].

[1] https://www.needgap.com/problems/27-secure-transfer-of-encry... (Disclaimer: My problem validation platform where I had posted this problem a while ago).

After my wife watched the show “Dead To Me” on Netflix, we had this exact same discussion. I ended up writing a “death document” on Google Docs and sharing it with her. It just outlines “here’s where everything is and this is what you do with it”. It was done kind of jokingly, but now that it’s written it actually makes me feel much better.

For passwords and such, she has a Bitwarden account too and we share all important passwords (finances, medical, etc) in a shared organization between the two of us.

I actually put together a service that is focused on this issue called Fidelius Vaults (https://www.fideliusvaults.com). If you have a moment to look, I'd be curious to hear your feedback on whether it solves the problem you stated.

Have one email account on your domain (example.com) and use that for everything important. Use a long random password for the account and don't 2FA it. Share that with your family. That's probably all they need to gain access and reset your other accounts.

If you 2FA the email account, you risk locking you and them out permanently for many services. I've written some about this. If you care to read it:

https://www.go350.com/posts/now-they-have-2fa-problems/

Also, if you 2FA other things and aren't really careful, you may lock them out even if they know the password and/or are able to reset it. That is by design.

This problem is growing larger every year as more sites enable or mandate 2FA. It's impossible for humans to manage this at scale.

I've written down all account credentials and passwords into a text file that sits inside a Veracrypted volume on an external hard drive with multiple copies including off-site. My wife knows the encrypted volume password (as her personal files are also within), and the location of the text file.

Still need to write a licence permitting her to release all my IP into the public domain.

I have shared document that has high level details: Savings accounts, investment, 401ks etc. That is known to my wife. We both use lastpass, so Im also using delayed access release* for wife (14 days) and for my brother (30 days, he lives in another country, were not particulary close).

If we travel together with wife on something like plane we ensure that our wills, that have the same information as above are shared with relatives.

* the wife can request access to my account. I'll get email notificarion. If I wont reject it in given time period the access will be given

I conceived this a little while ago and got a friend who is a developer to write it.

https://play.google.com/store/apps/details?id=com.mistudios....

It's been a slow start but hoping it picks up and we can get it onto the Apple store.

My mother has the releaser email and the email itself goes to my partner.

I don't do anything with my online accounts; for assets I rely on beneficiary information and my will, and I expect that the online accounts will just die off (as CCs close, etc).

I've always wondered if I should do more. What are the downsides of relying only on wills and beneficiaries? What might I be missing with this super basic estate planning?

This question feels like a potential opsec danger zone.

Same question reformulated: “What’s the one thing you need to compromise to get into my entire digital domain?”

Keep everything in Lastpass notes or the notes of whatever password manager you use.

Then put the password to that somewhere safe for people to have.

safety deposit box at my bank with my accounts, passwords and 2FA recovery codes in a notebook

I have been using Bitwarden for over a year now and there are still tons of UX bugs that annoy me.

In Firefox extension:

1. There is no memory. If you close the window, to copy the password, you have to re-search for the account to find the username.

2. If you open up bitwarden before the page is loaded, it says it can't find the password box to fill in. This is probably an extension limitation, but still annoying.

iOS

1. No memory. If I search for a username, I have to re-search for the password. It always opens up to the search screen (when I am using it via the password helper keyboard). 2. iOS the keyboard doesn't always show up to let me search for an account via password helper keyboard.

In general

1. You should be able to set a default username or email to automatically use when creating a new account. I hate having to type my email address in every time when creating the account on mobile. 2. When you're registering an account on a website, I first create it in Bitwarden with a password then I paste the password into the textbox to register the account. If the website rejects the password cuz of formatting, I gotta go back into bitwarden, edit and update the password with the new format. it takes like 5 clicks. ugh.

Thanks for listening.

Just want to echo this. I've been using Bitwarden for about a year now, and a few months ago, my mum (not technologically literate) had her email hacked. Getting her set up with Bitwarden & teaching her how to use it was one of the easiest experiences I've had when introducing her to new software. Really well designed.

How dependent is it on them as a service? If their website/service disappeared off the face of the earth tomorrow, would I still have access to my passwords locally?

I'm still hesitant to use any form of password management that relies on cloud services. I still like Keepass (with auto-updates disabled for security because their updater uses HTTP, of course), for my purposes. I can Sync my keepass file any number of secure ways that don't rely on a single provider.

I like it so much I proposed it to my boss and we set it up at work. Small team, around 20 people, but even the non techs got up to speed with it with just a 20-minute explanation.

I (premium user) have just tried this with my girlfriend (free user).

I can add her as a emergency contact and she can accept that. But she cannot add me as an emergency contact since it is a premium-only feature.

I periodically send my loved ones encrypted copies of my password vault. A copy of the decryption key is stored in my safe-deposit box, which they can access only after I am gone. This lets me update the contents of my password vault without having to visit the bank.

And actually, the safe-deposit box only holds one half of the decryption key. My loved ones have the other half in their respective safe-storage locations. This means a rogue bank employee can’t drill my box and do anything useful with the contents.

The password vault itself is a plaintext file that I decrypt and edit/grep as needed. I use the OpenSSL command-line tool for encryption and decryption. My loved ones either have this installed by default on MacOS, or have a Cygwin installation on Windows with which I have tested the commands. The safe-deposit box contains short and detailed instructions for use for my non-technical loved ones.

I also use the Google Chrome password manager with client-side encryption enabled. Whenever I change any important passwords, I’ll export its contents to my text file password vault.

I have a similar and opposite problem. I would be fine with all my secrets dying with me, but what i want to protect against is me going into a coma/for some reason I forget how to access my accounts.

How to securely manage it so that only I can open it if my biological self is there? I don't trust bank safe deposit boxes and I can't put a safe worth using inside my Apt.

https://www.nytimes.com/2019/07/19/business/safe-deposit-box...

They encourage you to verify the grantee’s fingerprint phrase:

> To ensure the integrity of your encryption keys, verify the displayed fingerprint phrase with the grantee before completing confirmation.

https://bitwarden.com/help/article/emergency-access/#confirm...

> The fingerprint phrase is an important security feature that assists in uniquely and securely identifying a Bitwarden user account when important encryption-related operations are performed (such as sharing).

https://bitwarden.com/help/article/fingerprint-phrase/

While I make heavy use of a password manager, I still choose to memorize my email password, and not store it in a password manager, precisely because it is is relied on so much, and can be used to reset the majority of the passwords stored in the manager anyway.

I'm under the impression that the "encrypt master key with the receiver's public key" step is done on-client, so you could verify that the master key isn't being stored the same way you can very they're not sending the master key when logging into the web ui: looking at devtools and seeing everything that leaves the network.

The built-in Firefox password manager does not work with other browsers (kind of obvious, no?). I use different browsers on different devices, and Bitwarden just works on all of them.

I switched from the Firefox password manager to bw a while ago, but at the time, Firefox didn't allow multiple users to share passwords (organizations). I share some passwords with my wife, that was enough to switch.

Password fill for every other app on your phone, and just generally decoupled from your choice of browser.

I’m also looking to move away from LastPass. Dropping this comment to get notified of replies.

I disagree. This is an extremely important feature. If something happens to me, I wouldn't want my family to have to jump through insane hoops to get access to my accounts for a bit of extra theoretical security. At this point something traumatic has already happened to them and this would just be another emotion burden. This could be for financial reasons, or say if I were missing, to communicate with my friends.

Let people who don't need it and don't want it turn it off, but for me I'd definitely have it on.

Here’s a list of password managers:

https://en.wikipedia.org/wiki/List_of_password_managers

It has a column for Secure Sharing, but not one to show granularity.

Ones that make organization easy seem to choose to offer persistent sharing at the vault level (multiple vaults shared to nobody or to different sets of people), easy ways to move items between vaults, and flagging if you have multiple or OOS copies of items.

Careful, most seem to offer per-item share-as-a-copy that the recipient should store, which I wouldn’t consider as counting as the kind of sharing needed for this thread.

> Dashlane ... their desktop app, which has all the usual anti-user behaviour

They are going "web first" and eventually deprecating the desktop app, so you are going to need to reengineer that solution at oe point soon.

> * despite of having vault unlocking to set with pin, I have to provide password

You can configure how it locks upon close.

It's working fine for me here (Firefox private window on OSX).

I did have to go to the extension's settings and enable "Run in Private Windows".

Not sure why I'm getting down-voted. It doesn't work in Firefox's private mode. Nearly 4 years after the issue was raised. It was completely dismissed as "something Mozilla needs to fix" on multiple occasions.