Features

Death, where is thy password?

by Wendy M Grossman | posted on 24 April 2010


When last seen, our new widow was wrestling with her late husband's password, unable to get into the Microsoft Money files he used to manage their finances or indeed his desktop computer in general. Hours of effort from the best geekish minds (we are grateful to Drew and Peter) led nowhere.

Wendy M Grossman

Eventually, we paid £199 to Elcomsoft (the company whose employee Dmitry Sklyarov was arrested in 2001 at Defcon for cracking Adobe eBook files) for its Advanced Office Password Recovery software and it found the password after about 18 hours of constrained brute-force attempts. That password, doctored in line with the security hint my friend had left behind, unlocked his desktop.

My widow had only one digit wrong in that password, by the way. Computers have no concept of "close enough.

But the fun was only beginning. It is a rarely discussed phenomenon of modern life that when someone close to you dies, alongside the memories and any property real and personal they bequeath you a full-time job. The best-arranged, most orderly financial affairs do not transfer themselves gently after the dying of the light.

 

For one thing, it takes endless phone calls to close, open, or change the names on accounts. Say an average middle-class American: maybe five credit card accounts, two bank accounts, a brokerage account, a couple of IRA accounts, and a 401(K) plan per job held? Plus mortgage, utilities (gas, electric, broadband, cellphone, TV cable), government agencies (motor vehicles, Social Security, federal and state tax), plus magazine/product/service subscriptions. Shall we guess 40 to 50 accounts?

 

All these organizations are, of course, aware that people die, and they have Procedures. What varies massively (from eavesdropping on some of those phone calls) is the behavior of the customer service people you have to talk to. In a way, this makes sense: customer service representatives are people, too (sometimes), and if you've ever had to tell someone that your <insert close relative here> just died unexpectedly you'll know that the reactions run the gamut from embarrassed to unexpectedly kind to abrupt to uncomfortably inquisitive to (occasionally) angry. That customer service rep isn't going to be any different. Unfortunately. Because you, the customer, are making your 11th call of the day, and it isn't getting any easier or more fun.

 

A desire to automate this sort of thing was often the reason given for the UK to bring in an ID card. Report once, update everywhere. It sounds wonderful (assuming they've got the right dead person). Although my suspicion is that what organizations do with the information will be as different then as it is now: some automatically close accounts and send a barcoded letter with a number to call if you want to take the account over; some just want you to spell the new name; a few actually try to help you while doing the job they have to do.

 

What hasn't been set up with death in mind, though, is online account access. I'm told that in the UK, where direct debits and standing orders have a long history, all automated payments are immediately cancelled when the account holder dies and must be actively reinstated if they are to continue. In the US, where automated payments basically arrived with the Internet, things are different: some (such as mortgage payments) may be arranged with your bank, but others may be run through a third-party electronic payment service. In the case of one such account, we discovered that although both my friend and his wife had individual logins she could not change his settings while logged in using her ID and password. In other words, she could not cancel the payments he'd set up.

 

Cue another password battle. Our widow had already supplied death certificate and confirmation that she was executor. The company accordingly reset his password for her. But using her computer instead of his to access the site and enter the changed password triggered the site's suspicions, and it demanded an answer to the ancillary security question: "What city was your mother born in?"

 

There turned out to be some uncertainty about that. And then how the right town was spelled. By which time the site had thrown a hissy fit and locked her out for answering incorrectly too many times. And this time customer service couldn't unlock it without an in-person office visit.

 

Who thinks to check when they're setting up an automated payment how the site will handle matters when you're dead or incapacitated? We all should – and the services should help us by laying this stuff out up front in the FAQs.

 

The bottom line: these services are largely new, and they're being designed primarily by younger people who are dismissive about the technical aptitude of older people. At every technical conference the archetypal uncomprehending non-technical user geeks refer to is "your grandmother" or "my mother". Yet it does not seem to occur to them that these are the people who, at the worst moment of their lives, are likely to have to take over and operate these accounts on someone else's behalf and they are going to need help.

 

Death's a bitch – and then you die.


Technorati tags:        

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).