Prepare for your passing by passing on your passwords
Newhouse News Service
The man did just that, inviting his nephew over for a cyber-tour of the asset spreadsheets he kept in his home computer.
But as he was logging on, the Camden County, N.J., man said to his relative, "Now I'm going to sign in. Don't look at my password!"
The nephew obediently averted his eyes — much to his later regret. When the old man died, the nephew was unable to crack his uncle's security system, according to family attorney Glenn Henkel of Haddonfield, N.J.
We all have secrets we plan to take to our graves. A computer password should not be one of them.
"He did an excellent job of preparing for his passing, except that — giving his password," said the nephew, Andy Hyde.
"It's a problem now, and it will be more of a problem in the future," said Darryl Neier, the director of litigation support at the accounting firm of Sobel and Co. A former detective sergeant with a county prosecutor's office, Neier specializes in computer forensics.
Relatives can hire experts to break into password-protected files, but the going rate is $150 to $300 an hour, he said.
"It's awful, just awful. We have people who keep everything on the computer — even their wills, which really isn't a good idea," said Peggy Sheehan Knee, a Saddle Brook, N.J., lawyer certified in elder law.
It wasn't such a problem a decade ago, when home computers were used mostly for e-mailing and document creation. Now, however, many households increasingly use online banking and computer check-writing software.
How's a grieving, password-less widow to know if the mortgage has been paid?
Knee was co-executor of the estate of a 53-year-old computer technician who died of lung cancer but had made almost no provisions for his approaching death. He didn't even give Knee the keys to his place until the night before he died. His only relative was a cousin in the Netherlands.
After his death, Knee and the cousin looked around his house for vital documents. Stymied, Knee finally looked at the computer and said, "I bet everything's in there."
The cousin tried to guess the password based on her knowledge of her relative, but failed. Knee then consulted some computer technicians who advised that trying to break in might destroy crucial data. They ended up having to re-create his assets by laboriously sifting through all his paper correspondence.
Had he simply written down his password, "it would've saved us a month of work," she said.
Saved by paperwork
Hyde, the nephew in charge of his uncle's estate, also explored the possibility of hiring someone to crack the computer. That proved unnecessary when he found duplicate paper statements from his uncle's brokerage accounts. The uncle did lots of online trading and money transfers, but didn't pay all his bills online.
Part of the problem is that computer-security advisers constantly warn against writing passwords down for fear they will fall into the wrong hands.
That may well be a legitimate concern, but most people haven't thought of the repercussions of failing to get them into the right hands.
Perhaps they just assume that an executor would be able to summon the password with a quick call to some Password Central. In fact, while online Web sites keep passwords on file, manufacturers of software do not. It isn't a big problem if an executor doesn't have the password to the deceased's amazon.com account, but what if he needs access to the income-tax program?
Retrieving a dead person's password is cumbersome and costly, but not impossible. There are software "decryption" programs — perfectly legal — designed to break passwords, Neier said, and other forensic techniques the experts can use to get around password protections. Decryption software is commercially available, but is expensive and requires a computer with a lot of memory.
The experts caution against taking this on as a do-it-yourself project. Different decryption software works on different programs, and some of the so-called "hacker-cracker" programs available on the Internet secretly report the password back to potential hackers, said Neier's colleague, Robert O'Leary, senior associate in computer forensics at Sobel and Co. in Livingston, N.J.
In addition, some heavily protected computers are booby-trapped in a manner designed to thwart password detection. If decryption is done ineptly by an amateur, the process could destroy the very data the bereaved is seeking. "It's great — if it works," O'Leary said. "But when it doesn't, you have a huge problem."
Neier and O'Leary demonstrated a standard decryption program, one that searches through every word in the dictionary, on a commercial file for a case they are working on. Within a single second, it came up with the passwords for all of the half-dozen employees who had access to the data.
When passwords are not in the dictionary, other more sophisticated programs churn through every possible combination of letters, beginning with "aaaaaaaa," then moving to "abaaaaaa" and so forth. Checking these at a furious pace of more than a million per second, after 18 minutes it had tried 5.3 billion passwords and was still working on the As.
If the deceased used online banking, Neier said, a local branch of the bank could probably provide access to the data, so long as the executor provided a death certificate.
Quicken, the financial software company, keeps no record of individual passwords, said Chris Rapetto, public-relations manager. An executor would have to contact the California-based company and fax a form attesting to his or her legal right to the data. They could save a copy of the Quicken data file onto a disk (it's in its own folder on the C drive), then mail the disk to the company.
There, the password would not be discovered, but rather eliminated. Once the disk was returned, the executor could start over with a new password. The company charges $65 for a five-day turnaround of this process, or $105 for a one-day express. The fee is almost always waived if there has been a customer death, Rapetto said.
In short, the experts list this one as a big problem with an easy solution: Make sure your legacy includes your secret password.
Copyright © 2003 The Seattle Times Company