Probably a boring answer but I know my grandmother’s credit card information. I live with and help take care of her, so she doesn’t mind sharing it with me. Not like I’m planning to do anything nefarious, but I guess technically it could ruin her financially.
I have a lot of relatives who look to me for tech support. I used to have them choose their own passwords, or tell them to change it if I set one for them (they never change it). Then, inevitably, I’d have to help them reset those passwords the very next time they need to log in on a new device, or their sessions expire.
I tried to set them up with password managers, and some picked it up (my siblings). Others quickly forgot their master password, meaning I then had to sort out recovering ALL their various accounts.
Once I literally used a known exploit to hack into an old android tablet that my youngest sibling managed to forget the screen-lock for.
Now I just shamelessly save a bunch of other people’s passwords, pin-codes and other access details using my password manager, because they literally do not care. And it’s straight up more secure than the post-it notes some of them would use if I let them. They know I do this, I’ve made it clear that if they want my help but won’t follow my advice when I’m not there, making my life harder, further help comes with giving me unreasonable levels of access to their digital lives.
I’ve never misused it, and I never will. I take steps to be extra secure because I know I’m a single point of failure should my password database ever be breached somehow. But I could ruin dozens of lives.
Writing passwords down isn’t that bad, actually. We humans are very good at securing little pieces of paper; just put the one you wrote your password on with the other valuable pieces of paper, in your wallet.
It’s “sticking the post-it note to the computer screen” that’s the problem.
Picked up a keyboard from the thrift store with a pink Post It on the back.
user: admin
pass: password
Who the hell needs to write that down?!
I wouldn’t do this for my own stuff, but I just might do it if I’m donating it to a thrift store…
My Internet help desk days are over 20 years behind me, but that’s the default user/password combination for some consumer routers. D-Links and maybe Netcomms I think?
As for who needs it: you’d be surprised at how technically inept some people are. It’s truly amazing.
Absolutely, but unless you do stick it to the monitor, you still rely on them remembering where the note is, what it’s for, and keeping it around.
And keeping some passwords in your wallet is only safe for as long as you don’t also include what they are for. Which would be necessary in this case…
I obviously also forbid them from using the same password for everything, which meant that even when they did write their passwords down, finding it was a scavenger hunt that’s an even bigger time-waste than a password reset. Because they never kept them organized or in even in one place!
Just in theory, could you be held accountable if they did something illegal and you have access to that stuff?
I’m not sure I see the scenario. If I gave you the key to my place then I murdered someone in it, are you accountable for any of it?
Here’s a scenario: You have the password to my paypal account. The police arrest me for an unrelated public indecency charge after I urinate on the local government courthouse building. The account is then used to purchase illegal drugs from another country while I am in custody. Having no access to my account or the internet, I could not have made the purchase. The police learn of this purchase when customs detects a strong odor from a package and decide to inspect it, finding a massive hoard of marijuana and jenkem. the police are alerted and ask me, the account owner, who else has access to the account. Me, under duress and probably having shitty withdrawals, tell them everything i know about you, specifically things that might implicate you. As the only known person with access and having no alibi for the time period, you are then arrested for suspicion of involvement in an international crime ring. After searching your computer they find a VPN and TOR and then you are sequestered in a secret military prison and forced to do the chicken dance naked until you confess to every unsolved crime ever.
While this scenario might be far-fetched, hyperbolic and not really accountability per se, it is a plausible worry some people may have. Just playing devils advocate here.
I set up my mom and brother with a multivault password manager (1password) where our vault passwords are saved to a shared vault in case we forget our passwords/die - given the level of familial trust I think it’s an acceptable risk especially with how badly we got burnt by trying to get into utility accounts and the like after my father died.
BitWarden does have something similar via “backup access” and “organisation” vaults. I’ve not looked at setting up either, yet.
Bitwarden is kinda insane for the amount of features it offers. I recently found that you can create an organisation and add family members, and have it set up so that you can reset their password if they’ve forgotten it, while still securely encrypting the passwords. This was a really cool feature that I didn’t know was even possible.
If you’re using bitwarden or keepass then it should be safe. Anything else is asking for trouble.
Self-hosted and entirely under my control, yes. Any other manager that encrypts the store in a way where even when breached it’s not useful, should also be safe…
But truly knowing is best.
The problem with that is that you can never truly know that they actually do that unless the clients are open source.
I haven’t gotten to that point yet, but I am very close.