Post-mortem account security

In the last few years, I started to work (pro bono) on a different topic: personal digital security. In this post, I want to discuss post-mortem security: how to minimize family threats after death.

My concern is related to email security: what a malicious actor can do if he can access my mailbox? He could access, via password recovery, multiple attached accounts (e.g. social networks, e-commerce, utilities…). Many of those accounts could affect family security.

The obvious solution requires planning the death: giving instructions and passwords to relatives, so they can properly manage accounts. But it’s not so simple:

relatives could not have the right skills to properly handle accounts;
accounts could be closed without notice.

This post summarizes some thoughts I made while listening to The Privacy, Security, and OSINT Show Podcast by Micheal Bazzel , especially on episode 259 .

Post mortem risks

When an email account is dismissed, it could be impersonated by a malicious actor pretending to be the original owner.

The above post is a good example of what a malicious actor can do. And no particular skill is required to do that. Just find interesting domains and pick up some interesting ones. Reactivate the domain, register a catch-all domain address and impersonate the original owner. Try to recover associated accounts, and present yourself as the original owner…

Scary, at least to me.

Domain/Service/Account retirement

But death is not the only event we should care about. Maybe a service could be retired, an account suspended, closed, or migrated to other users.

CTemplar is closing and the last day of operation for this email service will be on May 26 of 2022.

In some cases we could lose an Interned Domain too:

(EU) Domain names that are not reinstated will remain suspended until 30 June 2021. They will then be withdrawn as from 1 July 2021. On 1 January 2022, all the withdrawn domain names will be revoked. They will then start to be made available for registration by other entities.

Solutions

I didn’t find any good solutions yet. I currently evaluating two scenarios & solutions.

Robust 3rd party email account

In this scenario, I’m using a large email account provider (e.g. Google). I’m assuming:

the domain (e.g. gmail.com) won’t be closed for years;
the account won’t be reused (maybe closed/suspended but not reused).

In this scenario, after death, nobody can access my email account for years, except the ones that have specific instructions to do that (username, password, token).

This solution does not cover:

unexpected account suspension/closure.

In this case, I need to migrate all associated accounts to another email. Doable, even if boring.

Personal domain with email sub-addressing

In this scenario, I’m using a personal domain account (e.g. adainese.it). I’m assuming:

I’m registering a domain with the TLD associated with the country I live in (let’s avoid another .EU style scenario);
I’m using sub-addressing (see later).

We know that sooner or (hopefully) later, the domain won’t be renewed and thus it will be available to anyone. We also know that sooner or later our domain will be part of a data breach, and associated with our physical identity.

We could use sub-addressing to minimize the risk associated with password recovery. Sub-addressing allows you to use the + symbol to create multiple aliases, so you could use yourname+randomstring@example.com as the email address.

Is this enough? Not really, because sooner or later the service provider will send any unsolicited email uncovering the email address used to log in.