“LOOK RIGHT HERE, Charlie. If you click on the background of Windows Vista in just the right place, the script that I developed will launch and give you access to all my online passwords. You will need to know that if something were to happen to me.”
Dad was a self-taught computer nerd and paranoid about securing passwords. The year was 2007.
Dad died in 2018. I didn’t remember where to click to get his passwords. I didn’t even know whether he continued to hide passwords on his desktop following subsequent Microsoft operating system upgrades. Mom didn’t know any of the passwords, either. Dad kept his passwords extremely secure. Problem is, now nobody had access to them.
This was the first of many frustrations Mom and I encountered in the days after Dad passed away. All Dad’s usernames were lost as well, so we tried going through the “forgot username/password” protocols. Those weren’t helpful because, without the password, we didn’t have access to Dad’s numerous email accounts. We also didn’t have access to his cell phone—because he didn’t have one.
In one day, my mom lost all online access to credit cards, utilities, bank accounts, retirement accounts, retirement benefits, Costco, Social Security, Medicare and more. Thirty years ago, nobody had a problem like this. Today, I hear about this type of thing all the time.
So, Mom needed to open new accounts and verify her identity in a variety of ways. She sent copies of Dad’s death certificate and copies of their marriage license, and in one case she was required to send a copy of Dad’s will, last signed 13 years earlier. There were other times when Mom had to answer obscure security questions about the spelling of the school where Dad attended kindergarten. This one was particularly frustrating because it seems that Dad misspelled the school’s name.
Handling all this was difficult, and it was piled on top of an already stressful situation—the death of a spouse—when folks are least able to handle a lot of extra stress. It took months to gain and regain control of my parents’ online accounts. Much of this could have been avoided with proper password management.
Statistically speaking, one out of every one person will die, so it makes sense to do some advance planning for the inevitable. Family members will be grateful if we do.
Mom initially tried to manage her passwords by writing them down in a notebook. Admittedly, this isn’t a very secure method of storing passwords. But there was another problem. When Mom revisited an online account, she frequently discovered the password and username combinations weren’t correct for some reason. Keeping the notebook of passwords current was a bit of a chore.
Fortunately, there are automated tools available to make accessing online accounts easier and more secure. In addition, these tools can make things easier for our loved ones if something were to happen to us.
Most internet browsers have a built-in password manager. These might seem like an easy and free way to manage your passwords. Unfortunately, they don’t work well across both desktop and mobile devices.
Dashlane, 1Password or another good password manager—one that doesn’t come as part of your internet browser—may be just the ticket for managing passwords across all your devices. They can suggest complex passwords, store lengthy passwords, and automatically fill in passwords seamlessly on any computer’s internet browser and on your smartphone. No more using the same password for multiple accounts, and no more forgotten passwords, either. And, just as important, you’ll only need to remember one master password instead of many.
In addition, many password managers provide alerts to security issues that may affect your accounts. Some also offer family plans or have ways to set up emergency recovery options to make it easier for our family if something were to happen to us. The only downside to a password manager: There may be a small monthly or annual fee.
Chuck Staley and his wife Gina have five children between ages seven and 30. He worked for 35 years as a Department of Defense engineer at Edwards Air Force Base before retiring in January 2022. Chuck now volunteers as a part-time pastor at a small church. He recently started a sole proprietorship, Walk Worthy Solutions, to train federal employees about retirement planning and leadership. Chuck enjoys walking daily with his wife, reading, home improvement projects, and traveling with his family. His previous article was Best Time of My Life.
I understand many have trouble with the technical use of PW managers, and write their PWs in a book or on paper and hide that somewhere in their house, or on their computer. What happens if your home is destroyed, along with your computer? This is why offsite storage is part of a good backup strategy. Consider using “Passphrases” rather than passwords.
Thanks Chuck. I worked for a Chuck Staley when I was in DoD but it wasn’t you. This article makes me think I have much more work to do in this area. I have watched my niece and nephew labor for months since their dad passed on; and one’s a CPA and the other a Financial Planner. Their dad had stocks he inherited from his mother (who lived to 99) and everything on the stocks was in paper…it’s a large, ongoing mess; they’ve gone to Lastpass to allow them to work all this from two different locations and it’s been over six months but they have more work to do. All my financials are with my financial planner, but I do daily checks on nearly all accounts. The password thing needs work. I’ll have to bookmark this and work on this the rest of this year because it doesn’t seem a 1 or 2 day job. Thanks again for making me think.
This is a good topic and part of a larger issue of financial and household management as we age. For password management, I personally use KeePass, which I was introduced to at work many years ago. My parents had a written password notebook (I can still picture the scrawl of my dad’s handwriting). I set them up with KeePass but they never felt comfortable using it. I started to assist my parents with financial management as they got older. With my mom’s encouragement (and dad’s encouragement before he passed), I am now her financial manager and tech support (highly recommend Team Viewer for remote computer management). I have full agent authorization for her financial accounts. She likes to log in frequently to her bank account and she has that bookmarked and password saved in her browser. I have it set up so that any login attempt from an unrecognized device will text my cell phone. However, for her brokerage account that has the vast majority of her financial assets we do not have any saved information (no bookmarks, no passwords) on her computer and nothing written on paper. She trusts me to monitor it for her (which I do using YubiKey on my system). I know a 70+ year old retired coworker who has significant financial assets and no one to rely on (no kids and no close family that he trusts). I often wonder what he will do as he ages…
Bottom line, nothing is foolproof. Reading the comments about companies being hacked is something we live with unfortunately. Also, writing passwords on a piece of paper is very inefficient. Choose your poison.
I believe in the tech so use Lastpass. I took a pic of my password and shared with my wife and son. We all hide it in our photos on the iPhone. There are also ways to be a bit better like using “hide my email” and longer, computer generated passwords unique to each site. It’s painful to do it but once done, gives me more peace of mind.
Lastly, I know this is overkill but run my app that provides net worth daily. Easy to see if something is gone missing and nice to know the impact is the market’s swings. I know I’m crazy so if you want to tell me that, go for it haha.
Another excellent post here at humbledollar.
Like most things in life … it depends.
Both my wife and I are former – retired – IT “professionals”. HAHA
We keep all our passwords on paper in notebooks. She knows where mine is.
I know where she keeps hers.
Is that THE BEST solution? I don’t know.
But it IS the solution we’re comfortable with.
Thought I would point out another item in regards to passing them on as my parents did not use a computer. They did have a number of brokers that switched companies, more than once, and my folks followed the broker. What was not transferred was the basis for their purchases over the years. It never dawned on me to look back at all the old records from the 70s and 80s! They had multiple shelves of looseleaf binders of all the old monthly reports. Becoming POA for mom and moving her to assisted-living all those old papers went in the bin. It became a nightmare to attempt making trades of holdings that had no basis listed. The IRS let you use best guess. Having no idea what decade my folks purchased their stocks became a bit of a nightmare to make a trade. The brokers should have known better and requested the basis as it doesn’t transfer from one brokerage to another, only the holding!
Thanks for all these good tips. Passwords have been a huge issue for me because for so long I’ve helped clients set up websites and social media accounts and had to track their passwords, too. I’ve had more than 300 passwords at times (new and ancient; theirs, mine, and ours).
I signed up for LastPass in its early days, for the ease of it auto-populating passwords in logins (which doesn’t always work). Something told me NOT to list my most important—meaning financial—passwords in their system. Then last year LastPass was hacked and I was told all my passwords could be at risk. While I could not believe this had happened, it also seemed inevitable. I’ve seen the movies: Bank robbers are always going to put all their expertise and efforts into breaking into where the gold is.
How do I know I have 300+ passwords? I started out 20 years ago keeping track of passwords in a local password-protected excel sheet with category names so I could quickly find account names & numbers again. Even though I know I’m not supposed to, I update that sheet every once in a while.
Even worse, judging from the comments here, I keep a printout of that 19-page sheet (some old PWs need to be pruned) in a mismarked folder sitting near my home office computer. I refer often to the printout when LastPass fails to auto-insert the right PW or my husband has forgotten a password (he won’t use LastPass, so I make sure he tells me his new PWs). I shred each earlier version of the sheet and carefully hide this folder in the house when I’m away traveling.
Don’t know what I’ll do about all this when I’m older and possibly in a shared living situation or being cared for by other people. The technology solutions seem imperfect for a lot of reasons, but maybe will be simple and secure enough by then?
Will be tracking this topic.
I’m surprised you continue to use a company that was hacked and a paper copy. Seems like you are increasing your risk keeping both. Your account is the exact reason I do not use a password manager. Hack into their server and access to all of your passwords. Easy one stop shopping. You hear about companies getting hacked all the time. I was the victim of the credit agency hack years ago. The US government is frequently hacked. I think paper is safer especially if you live in a low crime area such as we do.
Actually, as I understand it the hack was that using social engineering the hackers were able to copy an encrypted backup of the vaults containing passwords. The vaults were still encrypted so the hackers will still have to break the encryption. The notification of that event spurred me into re-evaluating password managers and I found one I liked better so I switched. I choose 1password as I liked their 2 key system. Then I electronically imported all my passwords (about 175) into the new password manager (which took about 1 minute). Once in my new password manager, I changed all my important passwords and usernames (just in case the hackers figure out a way to decrypt the vaults someday). Realistically, the vaults will probably never be decrypted. Specifically in this case, having one’s passwords strongly encrypted means that there’s quite a period of time from theft to decrypting (assuming they’re ever able to decrypt them). This gave me a substantial period of time to leisurely take care of this issue. When considering the notification by Lastpass and the decrypting obstacle, I’d say this is significantly better than losing security on a piece of paper with one’s passwords on it. Just my 2 cents.
Thanks for helping me understand how decryption works with these password managers. It makes me feel better about them. Also, thanks for sharing how easy it can be for a user to switch to a new PW manager.
Good article and a good nudge. I know we need a PW manager. I have a couple of linked Google Docs in the interim, but I know we need something more secure. It goes on the summer to-do list right now.
Just this week I was helping my father-in-law, who’s 81, get onto the website for their long-term care policy. He needed to start a claim so that he can hire a caregiver for my MIL, who has Alzheimer’s. I had helped him get up and running on the site about a year ago, but somehow his password was no longer working. We clicked on “Forgot password,” and of course they sent the link to reset it to his email address…but he didn’t remember the password for his email account, either. (They were in our home and we were using my computer.) Thankfully, he’d brought the piece of paper with his handwritten passwords, and that got us into the email to get the link, and we were in. But if he hadn’t been able to find that piece of paper, it would have been a big problem. And one of the things my MIL is doing these days is “straightening up” and making things disappear.
Huge fan of LastPass as well as detailed instructions to access it in our “Letter of Instruction”. You can even share access with a trusted person.
The Microsoft Edge browser manages passwords between desktop and mobile devices, and it’s free.
In reading all the other very good comments about dealing with PW and our survivors I thought of one more big issue for which I haven’t figured out a solution. Most of us use a bill pay system through our bank accounts. My wife and I have one main bank account. The bank requires us to each have a separate logon id and PW. That is understandable I think. BUT, when you set up bills to be paid they only show up on the bill pay for the person who was logged in when the payee was first set up. So when my wife logs in she cannot see the bills or payments. Nor can they pay bills unless they log on with your id and PW. And if she sets up any bills for bill pay I cannot see them.
Now for the kicker, when you die and the bank is notified, your ID, PW, and bill pay list disappear. So if the survivor isn’t the one paying the bills they are in a world of hurt. They would not receive the notices of bills due, or reminders.
I have thought of trying to duplicate the list of payees with their information on both log on IDs and PWs. But that seems like a clerical nightmare. While you can print off list of payees, that summary list does not contain the address and account number information one would need to start over.
Even though we have one account, common ownership, the bank doesn’t see us as an entity…….
We pay everything we can through automatic bill pay. There is no approval necessary once it is setup. Most of these payments, typically monthly utility or credit card bills, are presented to us via email in advance. I have never had to question one.
Our bank has a separate process for requesting bills to be paid, typically for occasional bills. We rarely use that process.
You might want to ask your bank about this if you haven’t already. With ours, after we click Pay Bills, it defaults to our individual list but has a button to elect to pay from the other’s list. Hopefully you have a similar option that just isn’t obvious.
Now, when one of us dies, will that list of bills go away? I don’t know.
Having account access through appropriate secure passwords and 2FA access can be vital for surviving spouses and beneficiaries for each account a decedent has an ownership interest in for a smooth transaction post death.
For post death tax reporting in taxable brokerage accounts getting the proper tax reporting of the changes in tax basis (a step up or down in basis to DOD FMV for many assets) will likely mean getting the basis changed at/by the broker/fund company prior to any post death sale of the particular assets that triggers tax reporting. Doing so can help with getting the tax reporting correct and avoid the headaches with incorrect tax reporting for post death sales where the basis is incorrectly reported as the pre-death basis.
Issues with password management and access to accounts are additional reasons to simplify your finances and take appropriate actions sooner rather than later IMO.
For complex taxable accounts I have seen where an in-kind transfer to a new appropriately titled account with the appropriate EIN/SSN shortly after death may help create a bright line division of pre and post death taxable events. Talking to the stockbroker(s) and/or the account custodian(s) prior to account action is important. Taking any post death action often requires having an original death certificate and/or letter of testamentary. As part of traditional funeral arrangements the funeral home will often notify the SSA of the death and the SSA will add the decedent to their Death Master File which is updated on a weekly basis. Once that happens users, think account custodians, of that file would then know of the death even before an obit appears and may suspend access to accounts even if you have login information for certain accounts.
Many broker custodians now ask for a trusted contact and naming that person should be considered. A link to some good comments by Vanguard regarding a trusted contact can be found here
https://investor.vanguard.com/trust-security/security-center#modal-trusted
I think it is better for the account co-owner or trusted contact to reach out and advise the account custodians of the death as soon as it occurs. This can be a really big ask when a spouse and family are grieving. Unfortunately, the time immediately after a death may bring out some of the worst of scammers.
Thanks – good article and comments.
Your link was to the general subject of “Security at Vanguard”—I hunted around and found this on the subject of ‘trusted contact’: Who should this person be?
Your trusted contact should be someone you know would be unbiased when it comes to your health, whereabouts, and well-being—someone with integrity whom you can rely on. You can name anyone you decide is best. However, we encourage you to name someone who can’t transact on your accounts to help ensure objectivity.
A trusted contact is different from someone with power of attorney—who may have limited or full authority to transact on your behalf in the event you become incapacitated. A trusted contact has a very specific and limited role and no power to transact or make any financial decisions for you. This person would only be contacted if we had concerns about your capacity or wellbeing. They can provide us with information but have no authority to transact on your behalf.
I think the Vanguard commentary you posted is on point with what I was trying to communicate.
I also have Yubico security keys that I would use in conjunction with a password manager for extra security.
That’s really secure. I’ve thought about it but haven’t taken that extra step.
If I use 1password on my home laptop and cellphone and I wanted to login to the same accounts at work would I be able to on my work computer?
Yes. They have very secure web-based access.
Chuck, thanks for this article. I’m sorry for the loss of your father and for the administrative hassles that followed for you and your mother.
Looking at comments, I know I’m an outlier here, but I’ve no intention of leaving a list of passwords anywhere. The important thing to my mind isn’t the list of passwords, but ensuring access.
My individual accounts will become my wife’s soon after presentation of a death certificate. Meanwhile, there are plenty of assets that aren’t my individual accounts that she already has full access to while that happens. The reverse is also true. We also each have durable powers of attorney on file with our custodian.
Our detailed “upon death” instructions list our accounts and points of contact, but not passwords.
Password account information can be helpful for the surviving spouse for mundane things like utility bills, magazine subscriptions, service providers, home+auto insurance providers, medical service providers, etc.
Good point. We don’t have a list of those because we basically both know them, but if not, that’s a good use of a password list.
Great point. We use 1Password and my wife has access to all our accounts.
I agree. My wife of 9 years and I also have our affairs similarly arranged so there’s no need for a list of passwords. But all the normal day-to-day stuff we already share and we also have detailed “upon death” instructions that list our accounts.
A good reminder of an important topic. I think it’s worth noting that a password manager enables one to have much longer passwords (since you’re not typing them) and unique usernames as well for important websites. Plus if I log into a website and I happen to be in a situation where I’m (unknowingly) on camera, I don’t have to type my password nor do I have to enter it. So it can’t be as easily captured. In the case of 1password, one feature it has that I really like is that it will only work on a device on which my particular account has been installed. So knowing my 1password master password doesn’t get someone into my vault. They still have to get access to one of my devices as well. I really like this 2 key approach to authentication 1password uses.
I like the idea of the 1password feature mentioned that it only works on installed devices. We’ve used Bitwarden for about 2 years and find it much better than trying to keep track of pw’s manually. Works across all our devices and allows us to store other important info securely. And it’s free.
A good password manager is well worth the money. What many people don’t understand is that two-factor authentication is infinitely more secure than very long passwords.
These are all great points I had not considered. And I use 1Password as well.
I simply list all my passwords in a Word document on my computer. My wife knows where to find it.
After making our list we delete the document
Is the document password-protected? If not, you might want to do so.
That’s convenient but would freak me out. The theft of our computer and the info on it would already be bad enough without the thieves getting a list of passwords to boot.
Thanks, Chuck, for such an important reminder. And, so sorry for the loss of your father. I’ve used a password manager for years, Last Pass, now Bitwarden, along with authentication apps (Authy and Duo) when allowed in lieu of SMS text. One of my daughters has emergency access to my PW manager for when I go. I have several articles about passwords saved I send to friends who have been hacked. May I suggest “AskLeo.com” for clear articles on anything computer. As for paying for a PW manager, how important is your information?
Jeff, thanks. I will check out AskLeo.com. And you are right about the cost of a password manager, the value of the information, and the value of our time. They are well worth it, in my opinion.
How secure is 1Password? I have my passwords on a piece of paper in an unrelated file in a desk drawer (I carry a copy in my money belt when I travel). Highly unlikely a burglar is even going to look for it, never mind find it. Much more likely a password manager will be hacked.
You have reminded me to tell my executor where to find it.
I suspect the reverse is true. Especially in any kind of senior care setting where relatively low paid help have physical access to seniors’ living space, I think keeping passwords written on a piece of paper is probably a common and well known habit of seniors. It would seem very easy for an unscrupulous caregiver to keep a lookout for such and snap a quick picture if the opportunity presents itself. Then later figure out what username or email address the senior is using. Meanwhile, modern password systems such as 1password are transparent about their security schemes and undergo regular independent security reviews. To answer your question, everything I’ve read indicates 1password is very secure.
Might be true if it was just in a drawer but seems unlikely they would go through my files. However, I can lock my desk, maybe I will start doing that when I move to the CCRC.
I think it’s a serious mistake to underestimate the intelligence or resourcefulness of others when safeguarding your valuables. Also, when you consider the normal life cycle of most people, expecting their health and mental acuity will enable them to continuously provide physical security for a piece of paper stored in a desk seems problematic. If you’re going to continue using the piece of paper paradigm, I’d suggest finding a better solution than a locked desk in a room other people have access to. At least encode the passwords with some simple substitution technique (e.g., “dog” really means “collie”) so the password list requires something additional to be usable.
I use Dashlane with two-factor authentication. In the unlikely event that Dashlane gets hacked I will still be protected by the second authentication factor–a text message to my phone.
I hate relying on my phone. Probably OK at home, not so great on the road, especially now the battery is sealed. Much more likely to be lost or stolen than my money belt.
You can also have your second authentication factor be one of your email addresses.
Unless your phone or your computer (if you use email as your second factor) is stolen by the same person who hacked your password software then there is no way that the hacker can get your password.
The other day I counted up the log on ids/passwords in my password manager and it was over 100. About half had the 3 security questions that a lot of businesses like to use to make life even more difficult. Additionally, some use telephone PIN numbers, access words, access phrases, etc. etc. Before I retired when the internet was in its infancy, I too used the little book with the list of PWs. Unfortunately, as soon as you write the information on paper, you have lost some of the security the PW system was supposed to provide. The complexity of all this today I think, mandates the use of some kind of password manager.
I started with a PW manager after I read of burglaries in which those little PW books were taken, along with their owner’s peace of mind. The one that I use today works across both the PC and Apple worlds, and keeps everything synchronized via a cloud server. Setting this up wasn’t simple. Users of this approach must have some technical knowledge. However, there are people who are very weak technically and might find that using a PW manager to be a real challenge. For them, the best way to keep their PWs safe might be to use the password retention feature in most browsers. This browser feature can create complex passwords, but its security depends on the security of the device on which it is used. Loss of your phone or pc might mean big problems.
For my survivors, I have the single password for my password manager in a shared file on cloud based Dropbox.
My frustration with this whole subject is that the security of my personal info has been jeopardized three times by different companies who didn’t protect it within their computer systems.
Yes, I was surprised to find I have over 150 passwords and usernames. And you are right; the security of our information can easily be compromised by others. I have had my usernames and passwords listed in several cyber break-ins over the past few years. 1Password alerts you right away when this happens to allow you to quickly change login information.
It appears the technology does not exist to keep our personal information stored by others safe.
I still use a physical book, that supplies all the information my heirs will need – not only ids and passwords, but contacts, location of valuable items, that sort of thing.
I love 1Password. The biggest selling point is the passwords “synch” between desktops, laptops, and mobile devices.