Write Your Passwords in a Notebook and How To Memorialize and Access Deceased Loved Ones' Online Accounts
You might find it odd for information security people to recommend writing down your password in a notebook somewhere. Most security guidance recommends NOT writing down your password. Anywhere. Ever.
This might be true and much needed in a corporate or government cultures but it's not necessarily the case in a family where there are few other alternatives when someone unexpectedly passes away.
In this timely piece for Secjuice, you'll get two point of views from two of us who work in information security and are also regular folks like anyone with friends and family who sometimes pass away, forcing us to deal with their estate, both physical and online.
Miguel Calles and Chad Caleaseilluminate some reasons why keeping offline records of your online accounts might be worthwhile to help loved ones when they need it the most.
Miguel will speak about his experience being a certified information assurance engineer for U.S. Government contracts and a family man.
Chad will share his experience and research in recovering and memorializing deceased family member's accounts from all the major social media and mobile carriers in the U.S., along with some valuable tips and info for making this as friendly as possible when you need it.
Miguel Calles: Using U.S. Government Security Guidance
Experience from U.S.G. Projects
After working for U.S. Government project for the majority of my engineering career, I have developed an appreciation to the severity a leak and compromise can have on the United States' national security. I was fortunate to work as a certified information assurance engineer my last two years before moving into a different industry. Those last two years, I had the opportunity to improve our national defense in a specific area of the U.S. military. Although I was already aware about the security requirements imposed by the U.S.G., I become more intimate with them.
These requirements might seem obvious to some: no use of password managers, no writing down passwords for individual users, enforcing complex password requirements, requiring password changes every 60 to 90 days, no reusing previous passwords, rate limiting password attempts, locking out passwords after certain number attempts, and more. Reference the DoD Cyber Exchange Security Technical Implementation Guides (STIGs) for more information.
I learned requirements must be tailored for each contract and use case. For example, an account lock out could be extended from the requirement three failed attempts to a higher number with valid justification and waiver. A password could also be written down, but only in special cases and with additional security protocols added to protect that written password. You can probably speculate how many waivers and exceptions could be put in place from the several hundreds of security requirements. Note: I am giving generic examples for obvious reasons.
Given the U.S.G. can accept implementing deviations against their own security guidance depending on the situation, it seemed I could do that same for my own and my family's cybersecurity.
Implementing My Own Cybersecurity At Home
I started implementing more cybersecurity at my home after starting my official information assurance role. I thought it was prudent for me to practice my increased cybersecurity knowledge outside work hours. I made my passwords more complex, I changed my computer account to a regular user after creating an administrator user, and many other things.
Using a Password Manager
I decided I would use a password manager. I realized I am prone to password reuse and having a tool that could generate complex passwords and perform a security audit was beneficial and time saving. I decided I would apply the separation of duties concept. I would mainly use the password manager for storing usernames and password for "regular" accounts, and not use it for "sensitive" accounts. I defined "sensitive" accounts as those with sensitive information and could have a detrimental impact to my and my family's livelihood if compromised. These included bank accounts, credit card accounts, insurance providers, and the email accounts tied to them. Regular accounts would be everything else.
If I was not using a password manager, how would I manage the "sensitive" accounts? Would I have to remember complex passwords for each? Would I need to rotate them every 90 days? What would be my security policy?
Death Is An Untimely Thing, so Write Down Your Password
I started getting obsessed about my family's well being a couple years ago. I was wondering what would happen to them in the event of my untimely death. I started increasing my life insurance coverage. I prepared a will and living trust. I developed instructions to guide my family upon my passing. I was doing what I could to "prepare" for the untimely.
I began realizing I was leaving my family with a difficult burden in the event of my passing. How would they be able to get access to all my "sensitive" and "regular" accounts? With implementing complex and unique passwords, how would they ever guess a password or even recover the password?
I would need to write down my passwords and make them available for them to find. I run the risk of having my passwords stolen upon a home robbery, so I needed a password book that would not be something a robber would want to steal; something that looked conspicuous. I know the risk is still there, but at this point in time, the risk of leaving my family in the lurch has a greater risk impact.
Writing down the username and password to my password manager gives them access to my "regular" accounts. Writing down my credentials for each "sensitive" account gives them access to those accounts. I gave my spouse fingerprint access to my iPhone so she can access any two-factor authentication (2FA) setup for my accounts. I wrote down the passwords for my computers too.
Unfortunately, I will never know how effective my current implementation will work. I can only continue to refine it overtime and have faith things work out in the end. Hopefully, me sharing my current thoughts and strategy imparts some ideas for your consideration.
Chad Calease: How To Access and/or Memorialize a Deceased Loved One's Online Accounts
If your loved one did not write their passwords and accounts down on paper anywhere, there are some often lengthy and complex processes to go through in order to get access to their account and/or request memorialization or deletion.
Ever since my parents passed away, which unexpectedly forced me to go through the process personally, I'm always grateful when everyday folks reach out for help when someone they love has passed. I get a lot of satisfaction from helping guide others on how to go about accessing, handling, and memorializing their loved one's online accounts.
The steps involved in achieving these goals are not as straightforward as they might be. Some major companies don't even have formal policies and procedures, which can make these required actiities more confusing than they need to be, especially during a time when we're grieving a loss.
I use a cool book called "I'm Dead, Now What?" and recommend it to clients who are keen on taking pro-active steps to make sure their next-of-kin don't have to sleuth through the ins and outs of it all after they've passed. Once completed, it can be safely stored in a safe deposit box or built-in safe in the home for when it's needed.
Dying isn't easy for anyone involved. This is why I've made time to build the list of useful information and tips below. It's a good starting point for anyone in the midst of dealing with such challenging times. I hope it can be helpful to someone when they might need it.
Social Media Services
Facebook has policies for handing accounts that belong to people who have passed away.
Memorialized Status vs. Deletion
"Memorializing" essentially means moving the account into a new status that helps protect it from being tampered with and improves its overall privacy. For example, accounts moved into this status:
- Cannot be logged into
- Cannot accept new friend requests
- Can accepts posts from previously accepted friends: thoughts, memories, and images from trusted friends can be posted on a deceased person's page
- Can receive private messages
- Can retain all the photos, posts, and content the deceased already shared
- Can retain it's visibility settings to the audience it previously trusted
- No longer appear in People You May Know and other algorithm-powered suggestions
- Will have the word Remembering next to the person's name on their profile.
Facebook also offers pro-active measures, such as Delete After Death and Legacy Contact.
Delete After Death
To request that your account be deleted upon your death:
- Open your account Settings.
- Click Memorialization Settings.
- Scroll down, click Request that your account be deleted after you pass away and click Delete After Death.
A legacy contact is someone you choose to look after your account if it's memorialized. If you add a legacy contact, that person will be able to make decisions about your account once it is memorialized.
Your legacy contact can:
- Write a pinned post for your profile (example: to share a final message on your behalf or provide information about a memorial service).
- Update your profile picture and cover photo.
- Request the removal of your account.
- Download a copy of what you've shared on Facebook, if you have this feature turned on.We may add more capabilities for legacy contacts in the future.Your legacy contact can't:
- Log into your account.
- Read your messages.
- Remove any of your friends or make new friend requests.Learn more about memorialization and how to add a legacy contact to your account.If you're a legacy contact, learn how to manage a memorialized profile.Note: You must be 18 or older to select a legacy contact.
Answers to common questions:
What happens to my Facebook account when I pass away? https://www.facebook.com/help/103897939701143
How do I report a deceased person? https://www.facebook.com/help/150486848354038
How do I choose to add, edit, or remove a legacy contact? https://www.facebook.com/help/991335594313139
How do I request removal of a deceased family member's Facebook account? https://www.facebook.com/help/1518259735093203
Instragram is owned by Facebook and have the same policies and procedures, start here --> https://help.instagram.com/264154560391256
Twitter has formal policies and procedures for such things, too, and is arguably the easiest of all to work with.
They don't currently have a policy for memorialization (it's coming soon), but in the event of the death or incapacitation of a Twitter user, they will work with a person authorized to act on the behalf of the user to have an account deactivated. After you submit a request starting here (https://help.twitter.com/forms/privacy), they will send a confirmation email with further instructions.
There aren't any clear policies, practices, or procedures posted by these folks. However, reporting a deceased user is pretty straightforward. They have a form (follow the link below) that asks for the following info:
- The member's name
- The URL to their LinkedIn profile
- Your relationship to them
- Member's email address
- Date they passed away
- Link to obituary
- A box for any additional comments
- Ability to upload an attachment (presumably a death certificate, where appropriate)
Accessing a deceased person’s account
In rare cases Google may be able to provide the account content to an authorized representative of the deceased. Any decision to provide the contents of a deceased user’s account is made only after a lengthy process and careful review.
Filing the required documentation does not guarantee that they will assist you. If you're the authorized representative of a deceased user and wish to proceed with an application to obtain the contents of a deceased user’s account, please carefully review the following information regarding their two stage process:
Google requires the following information to begin the process:
- Your full name
- Your physical mailing address
- Your email address
- A photocopy of your government-issued ID or driver’s license
- The Gmail address or Google username (which is typically an email address) of the deceased user
- The death certificate of the deceased user. If the document isn't in English, they'll ask that you provide a certified English translation prepared by a competent translator. It will also need to be notarized.
- The following information from an email correspondence that you have received at your email address, from the email address associated with the Google account in question:
- The full header from the email message. See instructions on how to find headers in Gmail and other webmail email providers. Copy everything from ‘Delivered-To:’ through the ‘References:’ line.
- The entire content of the message.
Mail or fax this information to:Google Inc.Gmail User Support – Decedents’ Accountsc/o Google Custodian of Records1600 Amphitheatre ParkwayMountain View, CA 94043Fax: 650-644-0358
Upon receipt of all this information, Google will review your request and notify you by email as to whether or not they'll move to the next step of the process. If they're able to move forward, they'll send further instructions.
The next steps are more involved. It involves obtaining an order from a U.S. court, for example. If they determine that they cannot provide details of the account you have requested, they won't share further details about the account or discuss their decision. Google may also change what's required from time to time, too.
In short: seek legal guidance
Microsoft must first be formally served with a valid subpoena or court order to consider whether it is able to lawfully release a deceased or incapacitated user’s information regarding a personal email account (this includes email accounts with addresses that end in Outlook.com, Live.com, Hotmail.com, and MSN.com), OneDrive storage, or any other aspect of their Microsoft account. Microsoft will only respond to non-criminal subpoenas and court orders served on Microsoft’s registered agent in the requesting party’s state or region and is unable to respond to faxed or emailed requests for such matters.
Any decision to provide the contents of a personal email or cloud storage account will be made only after careful review and consideration of applicable laws. Please understand that Microsoft may be unable to provide the account content, and sending a request or providing a subpoena or court order does not guarantee that we will be able to assist you.
At the time of registration, all account holders agree to the Yahoo! Terms of Service (TOS), which sets up some rules on access.
To request to begin the process of accessing a deceased account, Yahoo! requests the following info to begin:
- A letter containing your request and stating the Yahoo! ID of the deceased
- A copy of a document appointing the requesting party as the personal representative or executor of the estate of the deceased; and
- A copy of the death certificate of the Yahoo! account holder
This information may be sent to the Legal Department at
fax: (408) 349-7941
snail mail: 701 First AvenueSunnyvale, CA, 94089-0703 USA
Mobile Carriers (U.S.)
You'll need to provide some information in order to initiate a request:
- You’ll need to provide the account holder’s Social Security number and/or the password on the account.
- Early termination and/or Transfer of Billing Responsibility fees won’t be charged.
- The balance on the account is the responsibility of the estate (according to them).
- The account cannot remain active under the name and Social Security number of the deceased person (with the exception of customers residing in Oklahoma). A Transfer of Billing Responsibility is required to retain the mobile number with AT&T service.
They require the following information to initiate the process:
- Your loved one's name.
- Their cell phone number.
- Last four digits of their Social Security number.
- The date they passed away.
- Documentation of business registration to confirm ownership if co-owner passed away.
This should be all the information they need. If not, they’ll contact you.
The fastest way to start the process is emailing them at DeceasedNotification@sprint.com
Other contact methods are:
- Calling 1-866-412-8519 or
- Faxing 1-866-766-2491 or
- Mailing information to: Sprint Attn: Credit Compliance P.O. Box 7951 Shawnee Mission, KS 66207
For the quickest resolution, it's best to have some information on hand before calling:
- Name of the deceased person on the account
- Their mobile phone number
- Date of death
- Last four digits of the deceased customer's Social Security number
Steps for authorized and non-authorized users
Include a copy of one of the following forms of documentation with your request:
- Copy of death certificate
- Electronic link to memorial website
- Obituary electronic or paper (Authorized users only)
- Copy of memorial (Authorized users only)
- Attorney / legal estate documents
- Other reasonable documentation
Verizon is elusive about this and does not post a formal policy or procedure online.
To cancel wireless services contact their customer support: 800-922-0204
To cancel other services: 800-837-4966.
If you’re looking for information about a site or service that isn’t listed here, try the Net, such as using a service (such as a mobile carrier) site's search feature for 'death' or 'deceased' for related information. Some companies have established policies and practices, some don't.
In most cases, you'll need at least a death certificate for proof, so it makes sense to have a physical copy on hand if you prefer to use fax or snail mail and/or an electronic copy of it if you plan to use email.
If you're reading this due to loss of a loved one, you have my most sincere condolences. May you take comfort in the pain of your loss. If this information has been useful to you, please share with others.
Before You Go
Join my mailing list to receive updates about my writing.
About the Author
Miguel is a Principal Security Engineer and is the author of the " Serverless Security " book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.