Password Managers for Estate Planning : a checklist

Now that we’ve covered what a password manager is, why they are useful for estate planning, and what specifics to consider while setting up a password manager for estate planning, the final step is to execute on the plan. What follows is the last part in this blog series: a checklist for implementation.

1. Select a password manager.

The available password managers and their features are changing over the years, and people more technically and security-savvy than I am are continually doing high-quality analysis of the ones available. Rather than give an overview, here are some aspects you should consider when selecting from those currently available:

  • Does it run on your operating system? You are likely viewing this blog entry on a Windows PC, an Apple computer or phone, or an Android device. While most password managers will run on all of these, it is important to verify.
  • What is the cost? Some have a one-time cost, others have a monthly fee.
  • Does the password manager have sharing built in? Some even have sharing specifically for estate planning built in now!
  • Can you use it? Is the interface clear and navigable for you? If you’re not going to use it, there’s no point in getting it.

2. Set up your password manager

  • Install your selected password manager.
  • Go through the set-up process.
  • Make sure your password for the password manager is memorable or that you have saved it physically somewhere.
  • Try it out with a few sites you commonly use, without changing your passwords for those sites yet.
  • If it sticks for a few days, start migrating more passwords into the manager’s vault.
  • If it sticks for a couple weeks, start changing your passwords to more complicated ones, which will be stored in the password vault.

3. Notify folk of your setup.

  • Select the people involved with your digital estate planning based on the previous posts in this series as well as your own guidelines.
  • What do you want these folk to do with your digital assets? Make a list of actions and who should take those actions.
  • Define when you want what actions to be taken, and how they’ll know.
  • Describe how to find and unlock the encrypted password file to those folk.

4. Do a test run

All this overhead only matters if it works. Set up a time with the person you’re trusting with your password, plus possibly another trusted person or two, with whom to walk through the process. Make sure it works, and that everyone knows what’s going on. Then drink tea and have cookies!

Not ready to do this? That’s ok! Instead you can…

Inventory the most important accounts you use in another way, such as a spreadsheet. Ideally you will store this printed out and left in a lockbox or with your attorney, rather than on your computer.

Extra credit

If your life is compartmentalized (maybe the folk in your book club hate the folk in your cribbage club, or your work life and personal life have different levels of security concern and different people need to have access on death or incapacity), it might be worthwhile to “tag” the accounts in your vault for those different compartments. Various people might be assigned to take actions in specific groups, rather than one person issuing a blanket statement to all social networks and account providers. This takes regular upkeep and additional planning which might seem overwhelming, so don’t embark upon this until/unless you’re completely comfortable in the rest of the setup!

How to Set Up a Password Manager with Estate Planning in Mind

Now that we’ve covered what a password manager is and how it matters in estate planning, this entry will take us through how to set up your password manager with this use case in mind, or to set up a password manager for the first time.

Who should know about your accounts (and what are their contexts)?

Who are the folk who need access? Who don’t you want to have access? For a deeper dive into this question, you can also do a threat model, but in the meantime, here are the three factors to focus on for this use case:

  • Trust : you are granting access to your bank account, to your social media, to everything you have online. You should be excited for the person/people to whom you grant it to speak for you (posts to social media), manage your money (withdraw and deposit funds, sign for things in your name), and the like.
  • Technical ability : after reading through the rest of this post, consider who in your life has the technical ability to understand and execute your password-manager-related request.
  • Legal context : the law around who can access an account is still squishy. Accessing an account you’ve been given the right to via a will may still overlap with a nasty law called the Computer Fraud and Abuse Act (CFAA). Come back soon for a link from the legal side in how to set up your fiduciaries to succeed and be safe.

How will you notify them?

The folk you select will need to know when to access and act upon your digital assets. Just like other aspects of estate planning, it can be difficult to talk about these inevitabilities, but it’s better for folk to know what is expected of them than to have it sprung upon them. Additionally, setting up a way for them to be reminded at the time of need will help refresh folk’s memories. I use a mailing list, to which any of the folk I am often around can post. You might add the reminder in with your will and other related paperwork.

How and when will they gain access?

Password managers store all your passwords in one encrypted file called a “password vault.” The person(s) executing your estate will need to be able to find this file. Some places that file might be, which will need to be communicated:

  • A device you share with that person, such as a laptop. If it’s on your own machine, they’ll also need a password to unlock that device – how will you get that to them? This is the best option if you live with a loved one you trust.
  • You can keep the encrypted file of your passwords in “hard copy” – such as a thumb drive stored in a lockbox or secret place. This means the fiduciary will need to know where to find the object on which the file is stored, and be able to access it. This is the best option if you’d like to keep the file offline and generally out of touch until it’s needed.
  • The file can be kept in “cloud storage” like Google Drive or SpiderOak. This means just about anyone can look at the file, but unless they have the password, they won’t be able to unlock it. This is the best option if you’re concerned people won’t find or keep track of a physical object.

Unlocking the password file

  • The fiduciary will then need to be able to decrypt (sometimes called “unlock”) the password file. This person or persons should be someone you trust – see the above section on “Who Should Know About Your Accounts?” You should trust them both to not unlock unless necessary, and to remember/store the password.
  • It is also possible to put your password in escrow, often with the attorney who helps with your estate planning. Be sure to check that they understand the setup and are able to execute on it.
  • For the technically savvy, it is also possible to split your password amongst multiple people, so that no one person might decrypt (or be compelled to decrypt) the password file. Then the trick is for them to be able to be in touch with one another in order to execute the digital estate.
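
The split described in the last bullet, as an added example (not from the original post or from any particular password manager). It uses Shamir's secret sharing, which goes a step beyond the post: any `threshold` of the holders can unlock the vault, so one unreachable person does not block the estate. The function names and the sample passphrase are made up for illustration.

```python
"""Added example: split a vault passphrase with Shamir's secret sharing."""
import secrets

# 2**521 - 1 is a Mersenne prime; all arithmetic is done modulo this value.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64  # 1 marker byte + 64 passphrase bytes stays below PRIME


def _encode(passphrase):
    raw = passphrase.encode("utf-8")
    if len(raw) > MAX_SECRET_BYTES:
        raise ValueError("passphrase too long for this field")
    # The leading 0x01 marker lets _decode recognise a valid result.
    return int.from_bytes(b"\x01" + raw, "big")


def _decode(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 1:
        raise ValueError("shares do not reconstruct a passphrase")
    return raw[1:].decode("utf-8")  # UnicodeDecodeError is also a ValueError


def split_passphrase(passphrase, threshold, holders):
    """Return one (x, y) share per holder; any `threshold` of them suffice."""
    if not 2 <= threshold <= holders:
        raise ValueError("need 2 <= threshold <= holders")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [_encode(passphrase)]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_passphrase(shares):
    """Lagrange-interpolate the polynomial at x = 0 to get the secret back."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same share was supplied twice")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * xj) % PRIME
                den = (den * (xj - xi)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return _decode(secret)


if __name__ == "__main__":
    demo = "correct horse battery staple"  # constructed sample passphrase
    parts = split_passphrase(demo, threshold=2, holders=3)
    # Holder 1 is unreachable; holders 2 and 3 can still unlock the vault.
    print(recover_passphrase(parts[1:]) == demo)
```

Any `threshold` shares rebuild the passphrase; fewer than that give no information about it.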

Our lives have changed in the digital age. So, too, will our deaths. Through some careful planning, you can make yourself more secure at the same time you ease the execution of your digital estate – by using a password manager. Those you care about will have an easier time when they are already in duress. After the initial setup, your life should be easier, not harder, with a password manager. You should be able to live your life normally, and have your password manager and a system you trust be kept up to date through its use so when you fail out, your system doesn’t.

The next entry will be a checklist to help you set up and make sure a password manager for your digital assets is working. Let me know if you have any questions! I’d love to improve this blog entry and the checklist.

Why a Password Manager for Estate Planning?

Password managers aren’t just for security and privacy, they can also be useful for digital estate planning. This entry takes us through how to consider setting up “password vault” access in case of emergency and incapacitation. The previous entry went over what a password vault is. This entry covers why a password vault is useful for estate planning. The next will cover how to set up a password manager with estate planning in mind, and the final entry will offer a checklist with extra credit.

We do a lot in digital space these days – manage our bills and banking; socialize, share adventures, get tickets to a show; and store our emails, photos, and videos. All of these actions require accounts (usernames and passwords). Some people use what are called “password managers” to keep track of all those accounts and the associated passwords. There are many resources on how useful password managers are regarding security and privacy which we encourage you to check out if interested (1, 2, 3). But here we’re talking about estate planning. This entry isn’t about just privacy – but how you share with others when appropriate.

While friends and family would see you if you were doing these social and business transactions in the physical world, your online accounts are invisible and inaccessible. While a friend or family member often sees you on a social platform (like Mastodon or Facebook), or has seen your bank name on your screen over your shoulder or on your card at a shared meal, they are unlikely to have access to those accounts, just as they are unlikely to have access to your bank account because they walked into a branch with you one time. That’s the main point of having a password – so your accounts are your accounts.

The password vault maintained by a password manager is a record of your accounts and how to access them. This is valuable for your daily life, and is also a valuable asset for fiduciaries. By carefully choosing to whom and how you share a way to access your password vault, you make your digital life visible and accessible – just like your photo albums and china plates.

Using a password manager can make your accounts visible and accessible not just to you, but also to those you care about when they are closing bank accounts, searching for photos of that one day at the park, and notifying your online hobby group of your passing. The trick is letting the right people know, and limiting their access only until they need that access. The next blog entry will cover how to consider setting up your digital estate with a password manager, and who to involve in the process.

Password Managers for the Non-Technical

Most of the folk who read this blog probably know what a password manager is. You likely even have opinions about what the best one is. The core audience to the Networked Mortality project, however, does not. While any user of technology is impacted by digital estate planning (either because they are doing it or because they are not doing it), few have the technical literacy to manage their digital assets. These skills are necessary to plan for the future of those assets, which is what is then defined in an estate plan. In order to move into management and future planning, this first in a series of posts will describe what a password manager is in this context. The following entries will cover how to set up a password manager with estate planning in mind; and a checklist with extra credit.

Many folk (maybe that’s you!) keep passwords in written format, share passwords with a family member, or have the browser remember passwords. These are understandable ways of dealing with your accounts – remembering passwords is hard! But these techniques don’t set you up to succeed for estate planning, nor do they protect you from abuses.

The area of study dedicated to thinking about how computers store and transmit information to authorized and unauthorized users is called Information Security, sometimes abbreviated to “InfoSec.” InfoSec experts have long advocated for “strong” passwords, meaning they should be long, with many strange characters. For instance, “password” is not a good password. “2=7Am8,KI5eOL!3AnvbGHjT” is a great password. But how would anyone remember something like that?!

Luckily, smart people have made something called a Password Manager. There are now many different options available, but they all basically work like this:

  1. You create a vault, which requires one password to lock and unlock.
  2. By unlocking that vault, always with that one password, you can use all the other passwords you usually have access to. You don’t have to remember which password goes to which account – the vault does that for you!

This means that you need to remember one password, and because the program is remembering all the rest of them for you, they can be long and complicated like D7z8~t;adn4VfLqR!LhUzLlix}sSH6H|1 which prevents others from guessing them. It’s like carrying around a bag full of keys. You only have to remember the one bag in order to have all the keys with you.

  1. Then you need to put your current keys into the vault. Each password manager has a clear way to add accounts – often as you use them.
  2. This is also an excellent time to change simple or redundant passwords into complex ones.

Please take a look at some password managers – do a search for “password manager” and read what other folk have to say about them. The next post will take you through thinking about using password managers for estate planning, Thursday’s post will include questions to keep in mind while doing so, and a final blog post will offer a checklist and some extra credit.

I’m super happy to answer any questions you have. These blog posts will be further improved upon as people ask questions and point out issues – so every bit of feedback you give helps others.

Password Managers for Estate Planning – primer post

While any user of technology is impacted by digital estate planning (either because they are planning or because they are not planning), few have the technical literacy to manage their digital assets. These skills are necessary to plan for the future of those assets, which is what is then defined in an estate plan. In order to move into digital management and future planning, this Networked Mortality blog series will have several posts on topics such as password managers and digital media assets, which go through this arc of explanation.

We’re going to assume some things about our user base, of which readers of this series are a part, or are supporting someone who is:

  • Low/negative desire to try new technologies, especially when complicating.
  • Interact with one or two devices, which other people likely have access to.
  • Deal with memory loss or other cognitive impairments.
  • Any threats tend to fall within the elder abuse model.

And we’re going to assume some things about our purpose.

  • Autonomy should be advocated for whenever possible.
  • Privacy is important.
  • We should respect an individual’s wishes.
  • Death is a community-centric event.

From this perspective, the first set of blog entries will start tomorrow – using password managers for estate planning. The first will cover what password managers are for this audience (literacy), the second how to adapt or set up a password manager for estate planning (management), a third on how to consider choices to be made when doing that set up (future planning), and finally a checklist with extra credit will be offered for individuals to execute.

2016 Retrospective

I did one of these posts last year, inspired by Tilde, who I continue to be inspired by. In an effort to be more consistent in my life, I’m going to do it again this year.

Unachieved 2016 Goals:

I did a lot this year, but I did not do everything I set out to do. Before we jump into the “lookit how great it was!” here are the things at which I fell short:

Get this paper out the door

I have an editor I’m working with on this. But it’s still not out. Fingers crossed on 2017.

Do 2 speaking gigs max — unlimited participatory events

I ended up doing 3, but 2 of those were 7 minutes long. This is still a drastic change from past years.

Read and comment on at least one blog entry/article a week

Reach conversational comfort in Deutsche, Kiswahili, or ASL. Future years for the others.

Yeah, neither of these happened. I still understand how important they are, but they just didn’t stay at the top of the stack.

What I did manage to do was…

Slowed down. For me.

Only travel for (well-paid) work and family/close friends

This year was a year of transitions and movement, but also of stillness and consistency. I did go completely around the world once. I also went to India and Japan, meaning I’m now only missing Antarctica from Continent Yahtzee.

That said, I travelled less than I have in years past (~30k less). There was an entire month where I didn’t go anywhere further than a 3 hour drive (!!). This has not happened since 2012.

This gave me a chance to…

Remembering Normal

Most of my corners of the internet are currently filled with rage. One of the ongoing cries is “this is not normal.” It’s true, it’s not. So let’s take a moment to remember what normal has been for the past bit. This is to both balance out the past blog post, and in light of great blog posts like this one about mental health and long fights. Much of my “normal” has to do with where I live and what I look like. I still find it important to talk about them because these levels of freedom are something I actively fight to make available for others on a daily basis in my own flawed and insufficient ways.

  • Normal has been a high likelihood that overhead helicopters etc are for traffic reporting.
  • Normal has been walking in my neighborhood safely.
  • Normal has been making aggressively questioning remarks about government, governance, and other systems of power in public and having lively debate and no concern for my long-term well-being.
  • Normal has been visiting nearly every continent in 5 years and only getting heavy scrutiny thrice, including when soft-packing through TSA.
  • Normal has been asking friends to move to encrypted channels and no one being targeted for those moves.
  • Normal has been holding hands with a girlfriend and a boyfriend on a street corner and only getting occasional side-eye.
  • Normal has been openly attending talks from activists in other countries.
  • Normal has been experiencing shock when I see enforcement agents with semi-automatic weapons in other countries (because they don’t where I live).
  • Normal has been publishing under my own name.
  • Normal has been making an appointment for, and then getting, an IUD from my doctor, and it being covered by insurance.
  • Normal has been, and will always be, a slow fight towards more justice and more equality.

And so much more. Remember what is normal.

Same as it ever was

Hi, friends.

I’ve gotten into a few conversations recently with friends for whom this election has deeply shaken their world view. They wonder how — how — this could have happened. And how I can be so damn calm?! Instead of talking through this over and over again, I’m documenting it here.

I am not surprised by Trump winning the election.

A bee once flew into my motorcycle helmet while I was at speed on the highway and I was able to calmly and safely pull over and get it out without either of us losing our lives. My being calm and unsurprised is not an indicator of how terrified I am for my friends, for humanity, and for the planet in this slide towards fascism all over.

I know Trump supporters

People I have cared about for much of my life – and continue to care for – find promise in Trump. I think this is due to their feelings of disempowerment, but they have their own reasons as well. They are just as racist and sexist as anyone in a racist and sexist culture is. Which is to say, at least a little bit. They also, like most/all of my radical and liberal friends, feel disconnected from our governance systems. Sorry to go all Steven Universe on y’all, but I see these folk as potential allies in a very long fight, not as The Enemy. We’re all people, and anything I fight to achieve for my friends (legal recognition of love, freedom of speech, safety from harm) I also fight to achieve for these folk, because human rights apply to everyone.

Our systems are set up for this

Friends are under threat of violence. Our planet is under threat of no longer supporting human life. Friends of mine are under threat of funding being yanked, at an organizational or personal level. These are not new challenges, it is simply that we were mildly comfortable with who was at the helm in a haphazard and ineffective attempt to avoid these issues. Until a system can truly have any person in a role without the output of the system changing, it isn’t stable and maybe shouldn’t be relied upon. And unless a government is fulfilling its basic role to provide baseline human needs through collective action and resource management, it ain’t a government I’m much into. I say this in a nominally self-aware way as a white lady in SF who has tons of privilege.

These are long standing issues

There are many social justice organizations which have been long working on problems of systemic violence such as racism and sexism through the means available to them. Those who understand the above point likely haven’t shifted what it is they’re up to all that much based on this election, although we may be working with more urgency than before.

What’s to be done?

When the Snowden revelations came out, some corners of the infosec community shrugged and said “yeah, and?” It was a huge lost opportunity. Suddenly, people care about your cause. This is, as they say, a “teachable moment.” Use this time to onboard people to your cause. Use it to teach and embrace and build solidarity.

Live your life

I don’t believe in needing the external morality of religion to guide my actions (though religion is just fine), and I don’t believe I need a government to tell me how to behave, either. I will continue looking out for my fellow humans, performing small acts of human decency, and wading into fights if needed. I hope you’ll do the same, or be even more present than you have been before. This everyday action thing is also the only way I’ve found to be sustainable in my long years of action.

Join the fight

We’re glad you’re here. Hello. Welcome. There are tons of groups already doing excellent work. Please find and contribute to one of them.

Step outside of your comfort zone

Try listening first, and then acting. Try understanding someone you dislike. Try seeing someone you’ve never looked at before. We’re in this together, regardless of how it shakes out.

And most of all: <3

Acting Together

Regardless of how or if you voted, if the past few days have inspired you to take action but you aren’t sure how, here is a template to get started.


Not loading for you? It’s likely due to the chat on the riseup pad. Here’s a direct link to the pad.

We’ll be hosting one this upcoming Tuesday evening in San Francisco. Let me know if you’d like to know details.

local San Francisco neighborhood preparedness

One of the hardest lessons and ongoing challenges in digital disaster and humanitarian response is how to connect with a local population. While many digital response groups deal with this by waiting for official actors (like the affected nation’s government, or the United Nations) to activate them, this doesn’t always sit well with my political viewpoints. Some of these affected nations have governments which are not in power at the consent of the governed, and so to require their permission rankles my soul. But to jump in without request or context is also unacceptable. So what’s to be done? It’s from this perspective that I’ve been diving into how civics, disaster, and humanitarian tech overlap. And it’s from this perspective that I’ve been showing up to Bayview meetings for San Francisco city government’s Empowered Communities Program. ECP is working to create neighborhood hubs populated by members already active in their communities. Leaders in local churches, extended care facilities, schools, etc gather about once a month to share how they’ve been thinking about preparedness and to plan a tabletop exercise for their community. This tabletop exercise took place on October 20th in a local gymnasium.

The approach of ECP is generally crush-worthy and worth checking out, so I won’t dive into it too much here. In brief, it is aware of individual and organizational autonomy, of ambient participation, and of interconnectedness. It has various ways of engaging, encourages others to enroll in the program, and lightens everyone’s load in a crisis by lightening it in advance. I am truly a fan of the approach and the participants. It’s also possible to replicate in a distributed and federated way, which means digital groups like the ones I work with could support efforts in understood and strategic ways.

Here is what doesn’t necessarily show through in their website: how grounded in local needs and social justice these community members are. There is a recognition and responsibility to the vulnerable populations of the neighborhood. There is a deep awareness of what resources exist in the community, and of historical trends in removing those resources from a poor neighborhood in a time of crisis. We’ve had frank conversations about what they’ll do about debris, and how the Department of Public Works parking and storage in their neighborhood is suddenly a positive thing. About what to do with human waste, and what a great boon it will be to have the waste water plant in their neighborhood. The things that wealthier parts of the city have vetoed having near them because of noise, pollution, and ugliness (NIMBY, or “not in my back yard”) will make Bayview resilient. They’re preparing to take care of themselves, and then to take care of other neighborhoods.

There’s a plan in NYC now to knock on every. single. resident’s door in the next crisis. It’s an approach other cities might also consider. But it’s one which is nearly impossible to implement. Who is doing the knocking? What are they doing with the information they gain? ECP’s approach is to apply their own oxygen masks first, and then to check on their neighbors, to know what the local Hub can take care of and what is needed for external support. When/If a city employee comes knocking on their door, they can then speed up the process of getting aid to where it’s needed (“I’m ok, but Shelly up the street has our 7 disabled neighbors there and they need a wheelchair, medication, and no-sodium food.”)


The end of the tabletop exercise had Daniel Homsey, the gent who heads up this program, talking about how we didn’t devise plans while together, but we did learn how to suddenly have to work at another role with people we’d barely or never met before. And I, as a digital responder, listened to what the community’s needs were, how they organized themselves, and considered the smallest interventions which could be maximally applied.