Password Escrow


  • Tue 06 May 2014
  • misc

Periodically the usual suspects post information germane to passwords-after-you-die. Nobody likes to contemplate his own mortality, but it creates a bit of a problem for your next-of-kin if they can't access various aspects of your digital identity after you pass on.

Just today I got email from a friend who has a problem - his recently-deceased brother used 1Password. Smart brother, or maybe badgered into it by aforementioned friend who's super smart.

Now 1Password is a particularly good password vault - in no small part because it uses PBKDF2, which is intentionally computationally expensive. The vault is still subject to attack by nation-states or others who can bring a fleet of ASICs or GPUs to bear, but as an individual trying to unlock your dead brother's password vault, you're in a world of hurt.
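An added example, not from the original post, that puts numbers on "intentionally computationally expensive": it times PBKDF2 on the local machine and estimates how long a uniformly random master password would withstand guessing at that rate. The hash (SHA-256), the iteration counts and the password policies are assumptions chosen for illustration, not 1Password's actual parameters.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(password: bytes, salt: bytes, iterations: int,
               hash_name: str = "sha256", dklen: int = 32) -> bytes:
    """PBKDF2-HMAC: every guess at the password must repeat this work."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the wall-clock cost of one derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(b"constructed-guess-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Expected years to hit a password drawn uniformly from `keyspace`
    (on average half of the space is searched before a match)."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR

# Constructed password policies (assumptions, not taken from the post).
POLICIES = {
    "8 lowercase letters": 26 ** 8,
    "10 mixed-case alphanumerics": 62 ** 10,
    "4 random words from a 7776-word list": 7776 ** 4,
    "6 random words from a 7776-word list": 7776 ** 6,
}

def report(iterations: int) -> dict:
    """Map each policy to its expected survival time at the measured rate."""
    rate = 1 / seconds_per_guess(iterations)
    return {name: years_to_exhaust(space, rate)
            for name, space in POLICIES.items()}

if __name__ == "__main__":
    for iterations in (1_000, 100_000):  # assumed counts, for comparison only
        print(f"\n{iterations} PBKDF2 iterations, one CPU core:")
        for name, years in report(iterations).items():
            print(f"  {name:40s} ~{years:.3g} years")
```

The estimate scales linearly: dividing the years by the speed-up of dedicated hardware over one CPU core shows how much margin a given master password leaves.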

It makes sense to figure out some way of escrowing your passwords (or rather your master password for your password manager program, or PGP for your list-o-passwords, or whatever). That way you can avoid leaving a cryptographic pain in the butt as part of your legacy. Email exchange (with permission) follows:

So, I had a family tragedy recently. My brother passed away unexpectedly.

Yikes. I'm so sorry to hear that. :(

The two of us both use 1Password. No one knows the password to his password vault. I figure you may know the right approach to use to try to crack it. Does John the Ripper have a plugin for it or something?

It appears so, but as with all password crackers your success is somewhat predicated on the master password being shitty (i.e. it will succumb to a dictionary attack with the usu4l h3urist1c vArIants!!). I believe the Pearson coefficient between { people who are clueful enough to use 1Password } and { people who set shitty master passwords } may be approaching -1. Research on this is left as an exercise to the reader.

1Password uses a good HMAC plus PBKDF to turn the password into a crypto key. That's a long-winded way of saying "computationally way intense to crack".

I suspect your efforts here are going to end up being an operative lesson in "why your master password in a sealed envelope in a safe deposit box is a good idea". Doesn't hurt to try though.