This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Feature Request: Emergency password for family in case of death

XaV'S
edited July 2011 in Mac
I know nobody wants to talk about their own death; however, I have started to think about leaving some instructions in a testament (e.g., close some account, post some specific tweet, etc.), in case a bad thing happens. Because we use a lot of different passwords, and we change (we should!) the passwords on a regular basis, it's hard to leave a copy of these passwords somewhere and keep it updated. I don't think you want to call your notary and/or a trusted person (confidence person, family, ...) each time you change your facebook|twitter|... password.



The idea is to be able to set a second password for use in this kind of situation: a single password, random, secure, hard to guess, long... which we can leave in a testament or with a trusted person, to unlock the whole thing in this kind of special situation.



Also, I think we should keep the master password field as is. So, to be able to use the emergency password, the user will need to go into a sub-menu. The main reason is to avoid misuse of the emergency password. Finally, when 1Password is unlocked later with the original password after the emergency password has been used, it should display a warning message to tell the user the emergency password was used.



I think it could be a useful feature you can implement in 1Password. :)



Thank You!



----

Sorry for my bad English! ^^

Comments

  • khad
    khad Social Choreographer
    Hi XaV'S,



    Welcome to the forums! Thanks for the suggestion. It is an interesting idea. What do you think the security implications of having a second password might be? I would be concerned about having two master passwords. I like only having one "locked door to my house." :-)



    I do currently share my master password with a trusted loved one in case of emergency. Perhaps the best way to do this is by utilizing a physical security measure. Have a safe deposit box with your Dropbox password (where you should be storing your data file anyway :-P) and your 1Password master password written down. In the event of death, someone can use the key to get the passwords out of the box. This way they do not have to know the password(s) presently.



    What do you think?
  • Hi khad!



    [quote name='khad' timestamp='1287278810' post='13429']

    What do you think the security implications of having a second password might be? I would be concerned about having two master passwords. I like only having one "locked door to my house." :-)

    [/quote]



    I understand your concerns; however, I really think this kind of option should be available, but not mandatory, so everyone will be able to decide for himself ^^



    The main idea here is to allow you to have an independent emergency password you can store in a secure place or in a testament. So, if you need to change your master password, you don't have to update the password stored in a secure place (somewhere other than your home, in case of a disaster) or with your notary (and in this situation, it means $$).



    The "ideal use case" of the emergency password I have is:



    1. You set the emergency password. This password can have some restrictions, like a minimum of 30 chars. (The emergency password is not for daily usage.) Some security features can be added here (e.g., type the master password when you set the emergency password).

    2. You write this password (and your Dropbox password too) on a piece of paper or you put it in your testament.

    3. You forget this emergency password (anyway, you should not learn it).



    So, imagine, for example, you are distracted (or drunk or whatever) and you type your master password in a place you should not (e.g., in a chat window). The first thing you think to do is to say "OMG, I have made a big mistake, I need to change my master password right now". You change your master password. But you don't think to update the password you have written down, or to call your friend/family member to give them the new password, or to call the notary, or ... you can forget to update the password.



    With an emergency password, you can change your master password, but the emergency password stays the same. So if you change your master password, and 5 minutes later you are hit by a bus, well, your family member will be able to unlock your 1Password.



    However, it could be a good thing to add a label/icon somewhere in the software's main interface to inform the user that they have an emergency password set.



    Anyway, with or without an emergency password, if you store your master and/or your emergency password in an unsecured place, you will have the same problem. With one or two locked doors to your house, if you have the key, you can open it ;)
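
Added example, not part of the thread and not AgileBits code: a sketch of how the independent emergency password described in the post above could work, assuming the data file is encrypted with a random vault key that is wrapped separately under each password (a "key slot" design). The `Vault` class, the slot names and the XOR-plus-HMAC wrap (a standard-library stand-in for a real key wrap such as AES-KW) are assumptions for illustration.

```python
import hashlib, hmac, os, secrets

ROUNDS = 100_000  # PBKDF2 iterations (constructed demo value)

def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half masks the vault key, second half authenticates it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=64)

def wrap(password: str, vault_key: bytes) -> dict:
    """Wrap the 32-byte vault key under a password (stand-in for AES key wrap)."""
    salt = os.urandom(16)  # fresh salt per slot, so the mask is never reused
    k = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(vault_key, k[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(k[32:], ct, hashlib.sha256).digest()}

def unwrap(password: str, slot: dict):
    k = _derive(password, slot["salt"])
    tag = hmac.new(k[32:], slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None  # wrong password for this slot
    return bytes(a ^ b for a, b in zip(slot["ct"], k[:32]))

class Vault:
    """Hypothetical data file: items are encrypted with vault_key, never with a password."""

    def __init__(self, master: str):
        self.slots = {"master": wrap(master, os.urandom(32))}
        self.emergency_used = False  # drives the "emergency password was used" warning

    def unlock(self, password: str, slot: str = "master") -> bytes:
        entry = self.slots.get(slot)
        key = unwrap(password, entry) if entry else None
        if key is None:
            raise PermissionError("wrong password or slot not set")
        if slot == "emergency":
            self.emergency_used = True
        return key

    def set_emergency(self, master: str) -> str:
        key = self.unlock(master)  # the master password is required to enable the feature
        emergency = secrets.token_urlsafe(32)  # generated, 43 chars, not user-chosen
        self.slots["emergency"] = wrap(emergency, key)
        return emergency  # shown once, to be written down

    def change_master(self, old: str, new: str) -> None:
        key = self.unlock(old)
        self.slots["master"] = wrap(new, key)  # emergency slot is untouched

if __name__ == "__main__":
    v = Vault("old master password")
    paper = v.set_emergency("old master password")
    v.change_master("old master password", "new master password")
    assert v.unlock(paper, slot="emergency") == v.unlock("new master password")
    print("emergency password still opens the vault; warning flag:", v.emergency_used)
```

Each slot is an independent way in, which is the concern raised in the replies: the data file is only as strong as its weakest slot, so the sketch generates the emergency password instead of accepting a user-chosen one.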
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited October 2010
    XaV'S







    On a personal note here:



    Yours is the most well put answer/reason for such a feature. When I saw you had replied, I was wondering if this was going to be a couple-page debate on the subject. (I have heard both sides, remember.)



    I would like to say I agree with you, it's a very convincing piece. I carry no weight around here being a volunteer, but I thank you for the wise and well thought out reply. If anyone is interested I add my vote to the subject.



    For now I guess it's the old safe deposit box thing for me.



    Now having said that I also worry about the 2 password thing, so hmmmmm. My take on this is so many of us have a second password for our iPhone app that may be shorter, easier to remember, etc., or have the most frequent items protected by a PIN on the iOS app. So what's the real difference in having an emergency password? Then what about the logins bookmarklet that uses a PIN? All of these are by user choice, so why not allow the emergency password?



    I still think I like the idea a lot.





    EDIT :



    I hope you don't mind, I took the liberty of adding a poll to your topic. I have cast my vote; XaV'S, you will need to add yours, as well as any others interested in this topic. :)
  • khad
    khad Social Choreographer
    I am truly interested to see what others think. I hope we get some more discussion going. My impulse is that having a "back door" is not good for security. I'm waiting for the "ultra-security police" to stop in and explain why. :-)



    I'm still on the fence and have not cast my vote yet. Maybe someone can convince me further.



    I do agree with Tommy, XaV'S. You present a very clear description and sensible arguments. Well done. I am not yet convinced, though. No matter. I am not the one who needs to be convinced. I'll see if I can't gather them around.



    Thanks for starting (and continuing) this discussion!
  • khad
    khad Social Choreographer
    I think my problem is that it is another vector of attack. Someone could get ahold of your emergency password and you would not know about it until after they already accessed your information. This is the same with your current master password, but there is only one of them. ;-)



    The odds of a thief breaking into my home, finding the key to a safe deposit box, knowing it is for a safe deposit box, obtaining the location/number of the box, and knowing what to do with the passwords stored in the box are pretty slim. Let's be realistic here.



    The odds of that back door key falling into the wrong hands and being used behind your back I would imagine to be much greater. Of course, you could always put it in a safe deposit box, but then I don't see any benefit of having another password.



    You've really got me thinking. :-P
  • I had to jump in on this as I've often worried about the implications of my own death for my family.



    My vote is with khad on this. Write down the master password on paper and store it in a safe deposit box. Besides, if there's a master AND an emergency password, Agile will have to change the name of its product. And "2Password" just doesn't have the same punch. :)



    Joe M
  • Well, the idea of an emergency password feature is not to add a second password. The main purpose is for emergencies (so the password does not have to be remembered); we can force the user to use only computer-generated passwords, with a minimum length of 30 chars. It will block any misuse of the second password feature.



    Also, I think the word "backdoor" is not the right one to describe this feature. Generally, in computing, a backdoor is a hidden feature, for example, to allow the company to rescue your password file in case you forget your password. In this case, the feature is an emergency password.



    I think we should keep in mind this feature is not mandatory, but it allows users to enable it if they want it or not.



    To be able to enable the emergency password, the master password should be typed, to be sure it's the right user.



    Also, it could be a good thing to add an option to let the user set a permanent flag. When this flag is enabled, setting an emergency password will not be allowed. Also, I think the software should display a mention like "This keychain has an emergency password set" somewhere on the main interface. It will discourage unauthorized emergency passwords.



    About the secure disposal box, I don't like the idea for many reasons. First of all, it's not a good idea to keep a single copy of the passwords in the same place where you live. Domestic secure disposal boxes are generally fireproof, but the fireproofing has some limits. Also, it's easy to hide a secure disposal box somewhere in a house; however, in a small apartment or in a studio, it's not the same thing ;) And when you rent an apartment, you can't hide your secure disposal box in a wall.



    Also, some people will appreciate asking their notary to write the password in their last will and testament. This kind of document is confidential and securely stored. It can also be useful for the few people who don't want to trust anybody in the family and don't have a trusted friend to store the master password.



    But, again, I think it should be an optional feature, where you can disable it if you don't want it. ^^
  • khad
    khad Social Choreographer
    One consideration to take into account is the added support of each additional feature. This is something that is weighed against any possible benefits. Imagine hundreds of users all wondering what this emergency password is or thinking that Agile somehow has access to it? We get loads of "forgot my master password" requests as is. I have a feeling that this might further confuse the issue. We always tell people that we do not have a backdoor (because we certainly don't), but this could give a false impression. I'm not saying it's a bad idea because of it, but it is something to strongly consider.



    By the way, I was referring to [url="http://en.wikipedia.org/wiki/Safe_deposit_box"]safe deposit boxes[/url] stored offsite (with only the key in your home), rather than a [url="http://en.wikipedia.org/wiki/Safe"]safe[/url] stored in your home. :-)



    I am not one of the developers, so I cannot speak to all areas of this. I am only giving my opinions. They do not represent the views of everyone at Agile.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited October 2010
    [quote name='khad' timestamp='1287343498' post='13459']

    One consideration to take into account is the added support of each additional feature. This is something that is weighed against any possible benefits. Imagine hundreds of users all wondering what this emergency password is or thinking that Agile somehow has access to it? We get loads of "forgot my master password" requests as is.

    [/quote]



    Good Point.
  • Well, it should be clear that 1Password should not be able to bypass the keychain master password.



    Also, it should be really well explained to the users that it's only a second key you can use to open the keychain, whose purpose is for an exceptional situation.
  • [quote name='XaV'S' timestamp='1287408949' post='13506']

    Well, it should be clear that 1Password should not be able to bypass the keychain master password.[/quote]



    We do make this very clear in our user-guide:



    [quote name="What do I do if I forgot my master password?"]

    "1Password creates your data file using the password you provided when you first launched the application. This password is not kept anywhere and it is never logged. Furthermore, there is no “back door” mechanism to recover your data or password. This approach is very important in order to be able to say that 1Password keeps your data safe and secure. However, because of it, [b]once your password is forgotten, there is nothing we can do to help you recover it[/b]." - http://help.agile.ws/1Password3/forgot_password.html[/quote]



    [quote]

    Also, it should be really well explained to the users that it's only a second key you can use to open the keychain, whose purpose is for an exceptional situation.

    [/quote]



    My own personal opinion, again this does not represent the whole of Agile or our developers, is that this would be no different than giving a trusted family member or friend your actual master password, the emergency password would still give them the same access to your data. We do suggest that your 1Password master password be unique and not used anywhere else, so if you do give this password to someone, or have it in your will or other confidential documents, then someone would have to get this password and your 1Password data file for it to be any use to you.



    That doesn't mean we won't add the suggestion to our feature list, but in all honesty I can't promise if or when we'd implement such a feature.
  • NovaScotian
    NovaScotian Senior Member
    Although I'm in good health, I am 73 years old. Nonetheless, I have not given anyone my 1P master password, nor have I included it in my will. Thinking it over, there are only four web sites for which a super-secure password is essential for me for web access to bank, retirement, and brokerage accounts. Nonetheless, for my wife's security, all of these are in physically accessible institutions and all of the mentioned accounts are either joint with her or she is their beneficiary. She would only have to go to each of them, identify herself and make her own arrangements for access and that suits her. I won't be using a back door.
  • MikeT
    MikeT Agile Samurai
    The only reason that I could see for a second added “master” or emergency password is that it’s a one-time use, the password cannot be changed and it has to be a much higher length (30 characters +). If a person stored their master password on a piece of paper in a safe deposit box off-site, that person needs to remember to update the info if the password were changed, otherwise it’ll be worthless.
  • How about giving the trusted friend/relative an offline copy of the 1Password file along with the password?



    If you are dead, don't assume the survivor can open your Dropbox account or your Mac.



    So long as the password matches the file they have, there is no issue. Of course the data could be a bit old. But just knowing the bank name and account number is a lot (those are not likely to change).



    This is exactly why the "html/js" version of 1Password "built in to" the 1Password directory is so cool.
  • khad
    khad Social Choreographer
    Harry, you're right. [url="http://help.agile.ws/1Password3/1passwordanywhere.html"]1PasswordAnywhere[/url] is useful in a number of situations. In a sense, your data file becomes a self-contained, read-only 1Password installation. :-)
  • BTW, it may help your sales/marketing effort to advertise it as a built-in feature of 1Password. Giving a name 1PasswordAnywhere gives the impression that it is something I need to install. Something like "Emergency read-only access to your data without any s/w installation".
  • khad
    khad Social Choreographer
    Thanks for the suggestion, Harry!
  • branlaw
    branlaw Junior Member
    I thought that title might get your attention. :)



    We're all going to die. After this eventuality, those people trying to make sense of your estate will be eternally grateful if you leave them with ALL of the information to do the job. My 1Password file contains the vital information that will enable my family to access financial accounts, online services, computer files, etc., with minimal fuss.



    Unfortunately, my 1Password file also contains the information that could allow the wrong person to wreak havoc on my estate.



    My question to the forum is... what are the best (safest) ways to be certain your 1Password information stays secure while you are alive while also being certain it will be easily accessible by the appropriate people after you die? What are you doing about this now? Any thoughts on this rather unpleasant topic will be very helpful.



    Lastly, to the developers of 1Password... how about creating "guest" passwords for this type of inevitable situation? These guest passwords are the passwords a 1Password user would send to an attorney, family members, or a trusted friend. Each guest password would be unique. To protect the 1Password owner (you) from unauthorized use while you're alive, there would be a "cooling-off" period before the "guest" had access to your 1Password file. During this "cooling-off" period, 1Password would attempt to alert you via email or text message that a "guest" use was being attempted. If you're dead, the file opens when you don't reply in the required time. If you're alive, you can delete the offending guest password and prevent future access. I have some other thoughts on this, but will wait first to hear what others think of the concept.



    Thank you.
  • DavidB
    DavidB Senior Member
    edited July 2011
    [quote name='branlaw' timestamp='1310080688' post='31406']

    I thought that title might get your attention. :)



    My question to the forum is... what are the best (safest) ways to be certain your 1Password information stays secure while you are alive while also being certain it will be easily accessible by the appropriate people after you die? What are you doing about this now? Any thoughts on this rather unpleasant topic will be very helpful.

    [/quote]



    I think you should treat your 1P password the same way you would treat the combination to a safe. The simplest thing might be just to put it in a sealed envelope marked, "To be opened only in the event of my death or incapacitation," which you give to your attorney or another trusted person. (I do something similar.)



    Depending on the strength of your password, it might be much harder and more expensive to crack than even a safe. As a backup, therefore, you should probably give the password to more than one person and/or store it in your safety deposit box.



    David



    Edit note: "The simplest thing might be just to put it in a sealed envelope . . . " (inserted "it")
  • khad
    khad Social Choreographer
    Welcome to the forums, branlaw!



    I think David has the right idea. I merged your post with the existing thread on this topic, so please see above and let me know if you have any other questions or concerns.



    You might also want to take a look at the "[url="http://forum.agile.ws/index.php?/topic/4189-using-1password-to-track-digital-assets/"]Using 1Password to track digital assets[/url]" thread. :-)



    Cheers,