Taking Your Password To The Grave
The title practically sounds like a movie plot, but indeed it’s true, when people die their passwords depart with them. There’s an article on com.com that talks about password security post-mortem. It’s a tough problem, but surprisingly I think I know a potential answer to it out of a joke my friend made.
Once upon a time my friend said he wanted to register the domain “istuckyourtoothbrushupmyassandnowimdead.com”. His theory was that he should go around and stick all of his friends and family member’s toothbrushes up his ass, and take pictures of it. Then he could set up a server to query the social security death index and when he died it would email everyone with said photos so they wouldn’t miss him so much after he was gone. Despite being a hell of a name and a pretty vile but amusing concept it actually might have some merit.
It’s not inconcievable that you could set up such a server with a social security death index query on a batch job with a private key for each individual user. Contained in it could be all of your secrets, etc… In a safety deposit box you could include the one password required to unlock all of that information. But before the encrypted information was made public for the loved ones, the person would have to die (social security index would need to be updated).
We’ve all thought about it. Once I was in an elevator with every single person who worked in security for a 36,000 employee multi-national company, and it occured to someone that if the elevator crashed no one would ever be able to get into any of the security devices for all of the customers. Theoretically this could be mitigated by having such a service. Would I sign up for it? Probably not, but it’s interesting to theorize about anyway.
As a side note, I did end up registering the domain istuckyourtoothbrushupmyassandnowimdead.com at one point as a joke. Then one day a year later (and long after I had forgotten I owned the domain) while I was vacationing in Colorado, InterNIC called me up on my cell and this nice sounding woman politely asked me, “Would you be interested in renewing your domain istuckyourtoothbrushupmyassandnowimdead.com?” I nearly died laughing.
September 22nd, 2006 at 9:28 am
I was about to write that I should register www.digitalwill.com, but I see it has already been registered and can be used exactly for what you mention. Though it does it a bit differently, offering two options. Either you let them know once a month that you’re still alive or you arrange for a trusted 3rd party to let them know you’re not.
Now then…. how could you pretend to be that 3rd party and cause some mayhem?
September 22nd, 2006 at 9:34 am
This really is a problem. It is common for people to forget their passwords and be locked out of their work/personal files for ever and ever but if they also start dying on us…
Of course this has to do with every person’s responsible attitude, I mean creating a will or sharing his/hers passwords with a trusted person.
I guess in situations like the above elevator (LoL) there should be a different security policy that the admin-god model. I remember reading a paper titled “How to share a secret” by Adi Shamir, Massachusetts IT. The author described how he could split some Data D into N pieces and scatter them around. If for some reason there was a hard disk failure and some of them pieces were lost for ever, he could still reconstruct D from any K (N>K) pieces left. Also, knowledge of K-1 pieces revealed no info about D.
This is very interesting and such thing could be applied in the above situations whether it is sharing a password or having a lock requiring 2 out of 3 keys to open (so that if someone is “gone” or forgets his key, the other two can still get it).
Finally it is my belief that it’s one thing protecting your personal files and quite another protecting your books/poems/paintings (you have a responsibility to the public) or your company’s secrets. The last one also poses as a problem when a displeased ex-employee refuses to give up encryption keys.
September 22nd, 2006 at 1:15 pm
WhiteAcid, the obviously bad thing you could do is if you could hijack their bind server or get access to their LAN to do ARP spoofing you could redirect their requests to you. That would then allow you to say anyone is dead without having actual physical access to the server or having hacked into it directly at all.
Legionnaire, I was thinking the same thing as I was writing this. I actually didn’t read that paper, but Bruce Schneier mentioned something similar in Applied Cryptography. I think in this case it’s actually too dangerous to do anything like that unless one part is in a vault that can be opened after your death. To allow everyone to have your secret - they could bypass your death and get the secret directly. Without that you’re missing the one component of the person’s death being the “switch” that unlocks the secret.