Don't take your passwords to the grave!


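Recently a good friend was looking for software to store passwords, but I really couldn't help him. The reason? I keep all my passwords in my head. Then I came across an article, and maybe I really do need to change this habit.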

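A man named Jon Hansen, while being taken to the hospital, gripped his wife's hand tightly and told her: "Write down this password," "Oh! You'll need this one too, and you don't have that one either!" Fortunately the man's life was saved, but what if ... wouldn't he have taken all his passwords to the grave?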

Friends, how do you keep track of a large number of passwords? Paper? A notebook? Software? Teach me!

Original article: Don't take passwords to the grave - Settling estate a big challenge without them


Author: Doug Bedell, The Dallas Morning News

As an ambulance whisked Jon Hansen to the hospital last year, he held tightly to his wife's hand and told her things she needed to know if he were to die.

"Write down this password," he told her. "Oh, you'll need this one, too. And you don't have this one, either."

The Orem, Utah, software salesman managed to recover from that near-fatal bout with encephalitis.

But the ambulance ride taught him a valuable lesson.

"One of the first things I did was write down all my passwords and put them in the safe," he said. "I should have done that a long time ago."

Perhaps there are secrets we all should take to the grave. But, as Hansen and others have learned, important computer account passwords are not among them.

As an increasing amount of critical personal and work-related information is stored on computers instead of inside file cabinets, passwords are creating digital locked doors for lawyers, will executors and the relatives of deceased loved ones. Without a comprehensive list of passwords left behind by the dead, survivors and their representatives are often forced to hire special password-cracking services to break through electronic barriers.

The lack of access to password-protected online bank and brokerage accounts -- as well as electronic mail and sections of computer hard drives -- has prolonged the settlement of estates and thwarted emotional closure for survivors.

"It's becoming a very common occurrence," said John E. Kuslich, a for-hire password cracker and developer of break-in software. "I've had families of people who have committed suicide, for example, and they'll call me and say all these files are encrypted and they want to get into them. In those cases, especially, people call back and are so thankful for what they were able to read. It's really something else."

In discussion boards across the Internet, friends and relatives seek advice on gaining computer access. In the alt.hacking newsgroup, a user named Mobius was looking for help tracing his late aunt's final correspondence. She had overdosed on Valium and died, he said.

"Her husband (my uncle) is now trying to get into her e-mail to see if there is anything that might provide a clue as to why she did it," Mobius wrote.

The aunt's Internet service provider agreed to open up her mail account, but only if it received copies of a death certificate, a notarized statement about the status of her estate and other documents.

"He asked me if I could do anything to get into her account without jumping through all the hoops," Mobius wrote. "I told him I would try, and so I am here."

Although there are a variety of ways to retrieve a dead person's passwords, there are legal issues to consider.

Matt Yarbrough, a former federal prosecutor and current head of Fish & Richardson's Cyber Law Group, said survivors risk violating both state and federal statutes if they're not careful.

"Most estate cases are as nasty as divorce, or worse," Yarbrough said. "You can really run afoul of the law if you don't have the authority."

Even if the deceased once allowed a relative to log into a computer account, for example, the person doesn't necessarily have permission in perpetuity, Yarbrough said. When someone dies without preparing a will, there are still procedures for determining which relative should have access to private records and accounts.

Disregarding the legal rights of the deceased and their estates could even result in a criminal prosecution under the federal Computer Fraud and Abuse Act or existing state laws. Estate executors can take legal action if they find anyone else has entered secured accounts and made changes, said Keith Novick, estate-planning specialist for law firm Gardere Wynne Sewell.

"That's called thievery," Novick said, and the estate has a strong legal right to reclaim any funds lost during an unauthorized online session.

Lawyers handling probate usually can secure the right to pull together records and assets of the deceased without breaking into computer drives or online accounts, he added. For example, if hard copies of financial statements are available, they can be obtained by lawyers.

Legalities aside, a simple Internet search turns up dozens of websites like Password-crackers.com, Kuslich's Crak.com and AccessData.com that sell do-it-yourself forensic software packages priced as low as $9.99 US and for more than $1,500.

Professional password crackers warn that some of these programs may have been developed by malicious hackers, who secretly receive copies of the passwords cracked on an Internet-connected computer.

Many legitimate solutions are specifically designed for certain types of computer files. AccessData.com, for example, got its start primarily helping lawyers regain access to protected Word Perfect files for which they had forgotten passwords.

A spokesman for AccessData said the company has developed more sophisticated software that can decipher passwords for all sorts of files. One program, for example, scans a hard drive for all data and creates a "dictionary" of every word typed by the user. By examining the most often-used words or combinations of letters and numbers, forensic experts usually can deduce favourite passwords of the deceased.

Patterns can also be gleaned from the record of websites visited, experts say, because people often create passwords out of quirky words used in their favorite avocations.

Professional crackers often employ high-powered computers to run decryption programs that perform "brute force" attacks on password protected files. These machines can quickly generate millions of possible letter and number combinations, then test them within seconds. Well-formed passwords -- words not in the dictionary coupled with numbers or symbols -- may take the best equipment days to crack.

Hiring forensic computer experts can get pricey. Most charge between $150 and $300 an hour.

"Usually, people are trying to get into a single file -- a Word file, a Quickbooks file, something like that," said Kuslich. "Those are fairly easy to break into. On occasion, it's been mail files -- PST files from Microsoft Outlook, that sort of thing."

Sometimes, software vendors can help survivors. For example, Intuit -- the maker of Quicken -- doesn't record an individual's password but does assist properly documented executors in bypassing password protection. Intuit spokesman Chris Rapetto said survivors can fill out an online form (intuit.com/support/-quicken/dataservicesassword_removal.html), copy the Quicken data file to a diskette and send it to the company.

The company charges $65 for service within five business days and $150 for one-day express treatment, but will usually waive fees in the case of survivors seeking access to a dead person's financial records, Rapetto said.