PassMyWill Is A Will For Your Online Assets And Passwords (opens in new tab)

(techcrunch.com)

26 pointsbzupnick14y ago20 comments

20 comments

Pretty sure these guys have been doing something similar for a while now: https://www.lifeensured.com/

I wonder if PassMyWill has ever been audited for security vulnerabilities? LifeEnsured has: https://www.lifeensured.com/faqs#security

EDIT: lol. The login form on PassMyWill gets POST'd over HTTP.

EDIT2: Nope, the entire server doesn't support SSL. facepalm

jonursenbach14y ago

I love how companies play up the security theater they have in place in their datacenters. If someone is going to try to get your data, the last place they're going to get it from is in person at your DC.

dguido14y ago

I think it's kind of a standard disclaimer. Notice they got the most important part right: independent review by experts.

Even people that do security well need to engage in security theater.

Danilka14y ago

At any case, the data is encrypted in JS, so the transferred piece is worthless, anyway.

hopeless14y ago

I wish I could dig up the HN story from a few months ago. Basically JS encryption is horribly broken and essentially worthless

Edit: ah, here it is http://news.ycombinator.com/item?id=2935220

rdl14y ago

Another problem is keeping your backup passwords in sync with your day to day use passwords, especially if you're not going to die to 40-80 years.

Probably the best solution is to have something like 1Password set to automatically manage passwords, encrypted with a master password, and then disclose only enough information to get to the daily-use 1Password. Disclosing a single password like that is probably better accomplished in a paper will, stored with a lawyer/executor.

Although there's also some value in an "I'm dead" script which deletes porn, porn passwords, information about your affairs, criminal activity, compromising photos involving porn and crime and drugs, the Guatemalan second family you support, etc., before turning over things like facebook passwords to next of kin.

mburns14y ago

Even better, use KeePass (and sync/backup into the cloud like Dropbox, etc) and have an open source solution that is safe and encrypted from end to end, without trusting a company to not be stupid.

Then, just leave your master password(s) for the encrypted database in your will, or safely amongst your personal belongings.

gkoberger14y ago

After they die, I don't see why someone would want their family to have their passwords. Every email, IM and Google search? Even if you don't do anything "wrong," there's still probably a ton of stuff you wouldn't want anyone reading (especially out of context).

bdunbar14y ago

My father passed last summer.

He had a busy life online, post-retirement - built and ran a website for a yacht club, used the computer to book stand-by travel with his former employer (American Airlines), online banking, etc.

Nothing where the lack of access would have been a killer. But not having them would have been inconvenient for a lot of people.

Happily, he kept his accounts and passwords in a tablet, on his desk. Single-space, filled the page. So I was able to hand the 'keys' of the website over to his backup, get my mother logged in to the website so she can book tickets, and so on.

Every single online account would have been excessive. But the ones he documented, I'm glade he did: saved a lot of people some inconvenience.

jseifer14y ago

This is an interesting start up and concept but it seems like there's a pretty high barrier to entry. In order to use this site you have to place a lot of trust in it to:

* Be secure with your credentials to sites * Reliably figure out that you are dead * Trust that your next of kin will figure out the key you've set up

It's certainly a useful concept and much better than hoping your loved one placed the credentials somewhere you could access them.

shazow14y ago

An easy solution:

Encrypt your package using a fresh private key. Send the package to the will handler (such as PassMyWill), but not the key. Send the key to all the will recipients.

Upon the execution of your will, your recipients get the package that they can already open with their key.

The trick becomes to keep the package opaque to the will handler, and to keep the recipients from gaining access to the package prematurely.

feral14y ago

I think the best solution in this space would be to implement this: http://en.wikipedia.org/wiki/Shamirs_Secret_Sharing

Then you could nominate some family members, friends, significant other, such that some minimum number of them were required to collaborate to decrypt the files.

CGamesPlay14y ago

Double-encrypt the package with a key that you give to PassMyWill and that you give to the recipients. Give the package to everyone.

joshzayin14y ago

What benefit would this provide over simply having an encrypted memory stick (or similar) containing all of the necessary account information and leaving the password with someone trusted (e.g., lawyer responsible for will, family member friend, etc)? (or, as troels suggests, leaving the password or even the stick in a safe)

bzupnickOP14y ago

The benefit is that if you did it with an encrypted USB that you keep with a lawyer, every time you make a new account or change your username or password, you would have to get the USB back, re-write the txt file, then give it back. Whereas here, it may be easier to update your information in this fashion

joshzayin14y ago

Well, you could keep the USB stick and give the lawyer the decryption key.

yesimahuman14y ago

Entrustet.com has been doing this for several years now. They have been on TC in some capacity a few times:

http://entrustet.com/

troels14y ago

I really don't see it competing much with having an envelope with a master password (e.g. my gmail password) in my safe?

epochwolf14y ago

Same here, only leaving the master password for my laptop and 1Password in my parent's safe. They would need to fly 2,000 miles to get physical access since the passwords don't work on my gmail account.

Kwpolska14y ago

What a great way to get your passwords stolen.

j / k navigate · click thread line to collapse

20 comments

dguido14y ago

Pretty sure these guys have been doing something similar for a while now: https://www.lifeensured.com/

I wonder if PassMyWill has ever been audited for security vulnerabilities? LifeEnsured has: https://www.lifeensured.com/faqs#security

EDIT: lol. The login form on PassMyWill gets POST'd over HTTP.

EDIT2: Nope, the entire server doesn't support SSL. facepalm

jonursenbach14y ago

dguido14y ago

I think it's kind of a standard disclaimer. Notice they got the most important part right: independent review by experts.

Even people that do security well need to engage in security theater.

Danilka14y ago

At any case, the data is encrypted in JS, so the transferred piece is worthless, anyway.

hopeless14y ago

I wish I could dig up the HN story from a few months ago. Basically JS encryption is horribly broken and essentially worthless

Edit: ah, here it is http://news.ycombinator.com/item?id=2935220

rdl14y ago

Another problem is keeping your backup passwords in sync with your day to day use passwords, especially if you're not going to die to 40-80 years.

mburns14y ago

Even better, use KeePass (and sync/backup into the cloud like Dropbox, etc) and have an open source solution that is safe and encrypted from end to end, without trusting a company to not be stupid.

Then, just leave your master password(s) for the encrypted database in your will, or safely amongst your personal belongings.

gkoberger14y ago

bdunbar14y ago

My father passed last summer.

He had a busy life online, post-retirement - built and ran a website for a yacht club, used the computer to book stand-by travel with his former employer (American Airlines), online banking, etc.

Nothing where the lack of access would have been a killer. But not having them would have been inconvenient for a lot of people.

Every single online account would have been excessive. But the ones he documented, I'm glade he did: saved a lot of people some inconvenience.

jseifer14y ago

This is an interesting start up and concept but it seems like there's a pretty high barrier to entry. In order to use this site you have to place a lot of trust in it to:

* Be secure with your credentials to sites * Reliably figure out that you are dead * Trust that your next of kin will figure out the key you've set up

It's certainly a useful concept and much better than hoping your loved one placed the credentials somewhere you could access them.

shazow14y ago

An easy solution:

Encrypt your package using a fresh private key. Send the package to the will handler (such as PassMyWill), but not the key. Send the key to all the will recipients.

Upon the execution of your will, your recipients get the package that they can already open with their key.

The trick becomes to keep the package opaque to the will handler, and to keep the recipients from gaining access to the package prematurely.

feral14y ago

I think the best solution in this space would be to implement this: http://en.wikipedia.org/wiki/Shamirs_Secret_Sharing

Then you could nominate some family members, friends, significant other, such that some minimum number of them were required to collaborate to decrypt the files.

CGamesPlay14y ago

Double-encrypt the package with a key that you give to PassMyWill and that you give to the recipients. Give the package to everyone.

joshzayin14y ago

bzupnickOP14y ago

joshzayin14y ago

Well, you could keep the USB stick and give the lawyer the decryption key.

yesimahuman14y ago

Entrustet.com has been doing this for several years now. They have been on TC in some capacity a few times:

http://entrustet.com/

troels14y ago

I really don't see it competing much with having an envelope with a master password (e.g. my gmail password) in my safe?

epochwolf14y ago

Kwpolska14y ago

What a great way to get your passwords stolen.

j / k navigate · click thread line to collapse