On 28 May 2017 09:33 -0700, from mkirsc...@gmail.com (Matthew Kirschenbaum):
> - For email and social media, make sure next of kin has passwords.

IMO this is a bad idea. Encouraging sharing actual passwords with
anyone is a terrible practice, and one that should be avoided as far
as is at all possible. It also risks breaking down if one changes
passwords without updating the information held by others, for which
there can be any number of reasons.

Rather, most modern webmail and social media services seem to allow
setting up a separate e-mail address which is associated with the
account and which can be used in account recovery. For where that is a
possibility, it's probably better to set up such an account, make sure
that a password reset can be performed with access only to that
account, and _put the login details for this recovery account
somewhere which is accessible, but perhaps not immediately so, to next
of kin_. By using that account to change the password to the main
account, one's next of kin can gain access to the main account in a
way that does not risk someone other than the account holder logging
in _undetected_; also without relying on a person continually updating
someone else's password records, possibly insecurely (I'm looking at
you, e-mail). (It's pretty obvious when your password changes, since
then you can't log in normally.) There are several ways in which such
restricted access to a password can be arranged, both legal and
technological.

That recovery account should obviously be protected by a very strong
password, and it might not be a bad idea to select the username
completely at random as well (so it's better to register something
like vieof9p...@gmail.com than me.myself...@gmail.com), but
one should probably _not_ use two-factor authentication for it because
there's no telling which 2FA tokens might be available when the
account is needed. The password could easily be 50-60 characters
selected at random, since it will almost never need to actually be
typed in.

Once access to a person's e-mail account has been established, access
to most other services can typically be established by using the
"forgot password" functionality of the latter.

Yes, it's a little more involved once needed (takes a bit more than
just logging in to a person's main account), but it is also _far_
better password hygiene. We shouldn't be training or even asking
people to handle their passwords irresponsibly.

--
Michael Kjörling • https://michael.kjorling.se • mic...@kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)