1. Posterity Passwords - Transfer passwords to loved ones if something happens to you | Product Hunt

    Make sure some passwords can be found. Just in case.

    Keep essential passwords in an encrypted vault your loved ones can access if something happens to you.


Why it matters

  • Make sure all your essential passwords can be found
  • Share passwords without compromising their safety
  • Change your plans without changing your passwords

What you can do

  • Store passwords in an end-to-end encrypted vault
  • Leave different passwords for different recipients
  • Set a cool-down period before passwords are revealed

The safest way to transfer passwords to loved ones.

One solution, all kinds of secrets.

Peace of mind is being able to leave all your essential passwords in one safe place, without worrying about whether your loved ones will be able to find them.


For your eyes and your recipients only.

Passwords and their metadata are encrypted on your device, so that only you and your recipients can see their content in the clear, and no one else.


Hidden until needed.

Your passwords remain encrypted and hidden from their recipients, unless something happens to you and someone submits a death certificate we can verify.


How Posterity makes everything go according to plan.

Death certificates are manually and independently verified by our team before your plan is put in motion.


A legally binding plan in 5 minutes.
No attorney needed.

  1. Start a plan.

    Create a plan covering all the basics in 5 minutes or less. No need to be an expert, Posterity will walk you through everything in plain English.

  2. Make it official.

    Print and sign the legal will generated for you to make your plan legally binding. You'll get a new one every time you make a change.

  3. Loop everyone in.

    Invite your family and friends to share the roles and arrangements you'd want them to see if something happens to you.

Free 15-day trial, then $29.99/year.

  • Support for a growing list of topics
  • Unlimited sharing with family & friends
  • Unlimited automations
  • Legal documents for all 50 states
  • Manual verification of death certificate

All the details

Transferring passwords

Passwords makes it incredibly easy to share passwords with friends and family, but with the explicit intent that they can only access them in the event something happens to you.

It uses state-of-the-art cryptography to keep your passwords private and safe, while being convenient and easy to use for your recipients.

What can Posterity see?

Passwords is designed so your data can never be revealed to Posterity, whether it’s before, during or after a recovery process.

What Posterity cannot see

Posterity and its employees can never see:

  • The actual password value;
  • The kind, label or description of a password.

What Posterity can see

Our knowledge is limited to:

  • Who the recipient is;
  • When a password was added or updated.

How is my data encrypted?

Below are some technical details on how your passwords are kept safe on Posterity.

At sign-up, an ECDH-P384 key pair is generated on your device and stored in your account. The private half is encrypted using a key derived from your account’s password[1] using PBKDF2 with 100,000 iterations.

When you add or update a password, Posterity generates a random 256-bit key K, and uses it to encrypt the password you’d like to share with a recipient using AES‑256‑GCM.

For you, K is stored on your account after it’s been encrypted with a key derived from your account password using PBKDF2.

For your recipient, a copy of K is added on their account, but only after two distinct layers of encryption have been applied to it:

  1. First, using RSA‑OAEP‑SHA512 with a 4096-bit key owned and maintained by Posterity[2]. The private half of it is only released if we can verify your death;
  2. Second, using AES‑256‑GCM with a key derived from the private half of the ECDH‑P384 key pair generated at sign up, and the public half of theirs.

The second layer ensures the data can only be decrypted by its recipient, and the first protects it from being revealed if the death condition is not met.

The benefits of this approach are the following:

  1. You can access your encrypted data by simply using your account’s password;
  2. The same applies to your recipients, but only after we’ve released the private half of the death verification key pair we’re responsible for;
  3. Posterity is never in a position to view the decrypted content of your data, because it neither has access to the password of your account, nor that of your recipients.
  4. If our infrastructure is ever compromised, the data we hold is useless to hackers; it’s fully encrypted with a password we’ve never seen.
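
The key-wrapping scheme described above, sketched with Node's built-in crypto module as an added example (this is not Posterity's code). The PBKDF2 hash and salt, the HKDF step that turns the ECDH secret into an AES key, the blob layout, and all function names and sample values are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha512' };

// AES-256-GCM. Blob layout iv(12) || tag(16) || ciphertext is an assumption.
function seal(key, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}
// Second-layer key: own ECDH private half + the other party's public half.
// HKDF-SHA256 is an assumption; the page does not name the derivation step.
function pairKey(mine, theirPub) {
  const shared = mine.computeSecret(theirPub);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'layer2', 32));
}
// Owner's device: encrypt under a fresh K, then wrap K once per reader.
function share(secret, ownerPwKey, ownerEcdh, rcptPub, deathPub) {
  const K = crypto.randomBytes(32);
  const layer1 = crypto.publicEncrypt({ key: deathPub, ...OAEP }, K);
  return { ciphertext: seal(K, Buffer.from(secret)),
           ownerWrap: seal(ownerPwKey, K),
           rcptWrap: seal(pairKey(ownerEcdh, rcptPub), layer1) };
}
// Recipient's device, once the death-verification private key is released.
function recover(rec, rcptEcdh, ownerPub, deathPriv) {
  const layer1 = unseal(pairKey(rcptEcdh, ownerPub), rec.rcptWrap);
  const K = crypto.privateDecrypt({ key: deathPriv, ...OAEP }, layer1);
  return unseal(K, rec.ciphertext).toString();
}
function newEcdh() { const e = crypto.createECDH('secp384r1'); e.generateKeys(); return e; }
function demo() { // all values below are constructed sample data
  const death = crypto.generateKeyPairSync('rsa', { modulusLength: 4096 });
  const owner = newEcdh(), rcpt = newEcdh(), other = newEcdh();
  const pwKey = crypto.pbkdf2Sync('constructed-password', crypto.randomBytes(16), 100000, 32, 'sha256');
  const rec = share('router admin: constructed-value', pwKey, owner, rcpt.getPublicKey(), death.publicKey);
  const ownerPub = owner.getPublicKey();
  let withoutRecipientKey = 'opened'; // a party lacking the recipient's ECDH private key
  try { unseal(pairKey(other, ownerPub), rec.rcptWrap); } catch { withoutRecipientKey = 'blocked'; }
  return { ownerView: unseal(unseal(pwKey, rec.ownerWrap), rec.ciphertext).toString(),
           beforeRelease: unseal(pairKey(rcpt, ownerPub), rec.rcptWrap).length, // RSA ciphertext only
           withoutRecipientKey,
           afterRelease: recover(rec, rcpt, ownerPub, death.privateKey) };
}
```

In the result of `demo()`, `beforeRelease` is the size of what the recipient holds after removing their own layer: the 4096-bit RSA ciphertext of K, which stays opaque until the death-verification private key is released.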

  1. For authentication, we use SRP, a PAKE protocol which ensures that you can safely sign in without ever sharing your password with us, in any shape or form.

  2. Technically, the key pair is unique for every user.

How do you verify a death?

The recipients of your passwords will need to report your death by submitting a certified copy of your official death certificate. They’ll be able to do so directly from their own account, first created when you designated them as a password recipient.


Learn more about how Posterity handles death verification.

How can I deal with 2FA?

Two-Factor Authentication[1] is a great way to protect an account from unauthorized access by requiring, in addition to a password, a temporary code which is generated on the spot.

If you leave a password for a 2FA-protected account, your recipient will also need instructions for the temporary code if they are to ever be able to gain access to it in the event something happens to you.

The instructions depend on the type of 2FA implemented on the account.

TOTP

TOTP-based 2FA is when the temporary code is generated by an authenticator app, and often changes every 30 seconds.

In this case, you can leave one of the recovery codes that were generated for you when you enabled 2FA on that account, alongside your password.

SMS

SMS-based 2FA is when the temporary code is sent to you via SMS.

In this case, you need to make sure the device where you receive the SMS can be unlocked by the recipient. For that, simply add the passcode of that device to Posterity Passwords.


  1. It’s a good idea to enable 2FA on your Posterity account if you haven’t already.

What about face and finger recognition?

The vast majority of devices that offer biometric unlocking (i.e. face or fingerprint) also require a passcode to be set as a fallback.

For example, after a few failed attempts to identify your face, an iPhone will automatically prompt you to enter the passcode for the device instead.

Leaving the passcode to unlock a device in Posterity Passwords is therefore enough to make sure it can be accessed if something happens to you, even if configured to use your face or fingerprint to unlock.

What if my passwords change?

Like any good emergency plan, Passwords should be reviewed and updated from time to time. Posterity will regularly send you reminders to that effect.

Can I use this as a password manager?

The short answer is you shouldn’t. While there are no technical limitations preventing you from doing so, Passwords is simply not designed for that.

Password managers are for personal use, and are optimized for quick access to all the passwords you use on a daily basis.

Posterity Passwords is for sharing a selection of essential passwords, and goes to great lengths to make sure their recipients can access them if and only if something happens to you.

What countries are supported?

For the time being, Posterity is US-only.

Over time, we’ll be expanding to countries where our death verification process can be safely implemented.