Passwords End With You

Canadian cryptocurrency exchange Quadriga has filed for protection from creditors in the wake of its founder’s death. Gerald Cotten died while traveling in India in December, taking the only known password to the firm’s cold accounts to his grave. Now, customers of the exchange stand to lose a combined $190 million.

Cryptocurrency exchanges typically keep two sets of accounts, one hot and one cold. The hot accounts are connected to the Internet and are affected directly by the online mining processes that give cryptocurrency its value. To minimize the risk of hackers seizing these funds, exchanges regularly move some of their money to offline “cold” accounts so that they sit beyond the reach of cyber thieves. This resembles the common practice of splitting personal funds among smaller and more frequently accessed checking accounts and larger, seldom accessed savings accounts that function as replenishing reserves.

In Quadriga’s case, Cotten was the only one who accessed the cold account and the only one who knew the account’s password. With his death, no one, not even his wife, has the credentials needed to access the reserves to pay creditors. Investors have been left wondering whether they will be repaid. Given how strongly encryption locks data, it is likely they won’t.

Fans of cryptocurrency revel in how unregulated it has managed to stay, but that stands to change with this incident. At the very least, controls should be established to ensure that the password to critical funding accounts be known by more than one person. Multiple individuals in multiple places should know the information needed to unlock accounts when calamity strikes.

This situation got me thinking about other kinds of accounts that impact others, some in big ways, and some more trivial; for example, online cloud storage accounts where a family might store its photos, or encrypted copies of tax returns and wills, or online banking or insurance accounts. It is not uncommon in these situations for just one person to manage the account, and so just one person knows how to access it. When that person dies, it can be very difficult, and often impossible, to gain access.

The Quadriga case should teach us the importance of sharing our passwords to such accounts with at least one other person who might need to use them. Alternatively, holders of critical accounts should store a copy of the passwords in a safe deposit box that can be opened upon their death or enfeeblement. It also suggests an intriguing new service for the digital age: an online safe deposit box to which the owner assigns unlocking privileges that take effect when the owner can no longer manage the associated accounts. Companies like Quadriga should be compelled by law to use such a service, but individuals, driven by their concern for loved ones, could surely use it too.

About Ray Klump

Associate Dean, College of Aviation, Science, and Technology at Lewis University; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
