By Helen Modly, CFP, CPWA, and Tiffiny Dimel, CFP
From keeping passwords protected and organized to allowing users to share passwords securely, perhaps even permitting them to grant access to trusted individuals in an emergency, a proper password management solution can add value to both client and advisor when implemented in a smart and thoughtful manner.
What Is a Password Manager?
Password managers are applications that store usernames and passwords. Most offer the ability to reset passwords without touching the keyboard and a browser plugin that can be used to automatically log in users directly into websites. By generating long, random, and varied passwords and then auto-populating login screens with them, users can sign in with one click and be assured their accounts are secure. This practice increases financial and nonfinancial account security by eliminating the very human tendency to use the same username and password combination across multiple websites or, to remember them more easily, just writing them down.
Most password managers work across multiple operating systems, including Windows, Mac OSX, iOS, and Android, so users always have their login credentials available no matter what device they are using. There are basic, free programs that function simply as a database of login information, and premium (paid) programs that add functionality, such as password sharing and the ability to designate emergency contacts. Despite our love for all things free, the ease-of-use of a premium password manager along with its bells and whistles can be well worth the price.
Password Sharing Made as Secure as Possible
While the mantra since the beginning of the Internet has been never to share a password, the fact remains that it becomes an unfortunate necessity at times, and most people value the convenience of sharing passwords over security. If a password must be shared, one of the most secure and convenient ways of doing so is through a password manager.
Most premium versions of password managers offer the ability to share login credentials with other contacts when both users have an account with the same password manager. Free accounts are available for this purpose, so there is no cost to the request recipient. Once both users have accounts with the same password manager, they can share one or several login credentials with full rights to use/change/delete the password. Alternatively, one user can give another user just limited rights to log in and nothing more.
The ability to share passwords can be a useful feature for clients who do not wish to manage their online accounts and instead have a trusted child, relative, or friend help them. If a client wants to share with the advisor, be aware of account credentials for outside assets, as this could trigger custody rules and the associated oversight that comes with it.
Using the Emergency Contact Feature as Part of Estate Planning
Premium password managers such as Dashlane and LastPass include an emergency contact feature, which allows users to select a contact in advance who can have access their login credentials in the event of an emergency, such as incapacity or death. Users can choose whether to share just a few or all of their passwords, and they can designate multiple people as emergency contacts with access to differing sets of login credentials. For example, clients who own a business may choose to share work-related passwords with their business partners and personal accounts with their spouses or children.
If users want their emergency contact to have access right away, they would just need to ask the contact to initiate an access request using the contact's password manager account. Once submitted, users can approve a contact's request via an email, granting instant access. In the event the user is incapacitated or dies, the emergency contact can request access and, after a predefined amount of time has passed and there is no reply from the user, access will be granted.
A client could use this feature to designate the executor of his or her will as an emergency contact with access to financial accounts, portals, insurance logins, and any other related websites to help the executor in his or her task. Financial and medical POAs or the new trusted contact designees allowed on custodial accounts are also excellent candidates for emergency contacts.
Supplementing Account Access with the Use of Secure Notes
In addition to passwords, users can also create and share secure notes. These notes are free-form fields that can be used to record information outside of login credentials, such as safe combinations and instructions, locations of important documents, and special instructions. When combined with account access, the client can control with a great deal of specificity regarding who receives what information and when.
It is easy to construct scenarios that take advantage of a robust password manager's features to securely and efficiently share important information. For instance, a client uploads medical records to an online cloud storage service such as Dropbox or even a portal supplied by the advisor, maintains the password in their password manager, and identifies his or her medical POA as an emergency contact with a 0-hour waiting period. The client can also create a note that details the physical location of the paperwork, how to get to it (including key locations or safe combinations), and the contact information for his or her estate attorney.
If the client becomes incapacitated for any reason, the medical POA can send a request for access through the password manager, which will immediately be granted due to the 0-hour waiting period the client defined. The password to the client's cloud storage vault will immediately be made available, giving the POA access to the online version of the advanced medical directive, along with the note that includes instructions.
The client could set up an arrangement similar to the preceding scenario for his or her financial POA, except perhaps increase the waiting period to seven days, as access would not be necessary right away.
Your Firm Benefits from Better Client Password Management, Too
Improved password management on the part of the client translates into less time advisors have to spend dealing with email from compromised client email addresses. Firms everywhere have been affected by emails that come from a client's address, using their standard greeting and even their signature, asking to transfer funds to an international third party. Internal and custodial anti-fraud checks and procedures prevent the majority of these requests from being completed, but each incident requires advisors to spend time notifying clients and working with them to re-secure their accounts.
Take some time to familiarize yourself with the most popular password managers and explore the topic with your clients. Most have free trial periods for testing all of a program’s functions before reverting to a more limited free version. Add value to your client's life by exploring their password management system and helping to incorporate one as part of their estate plan. The only ones who do not benefit from this practice are fraudsters who rely on old, weak passwords to exploit for their own nefarious purposes.
Helen Modly, CFP, CPWA, is a wealth advisor with Buckingham Strategic Wealth, a fee-only registered investment advisor. The opinions in this article are the author’s own and may not reflect the opinions of Buckingham Strategic Wealth or Morningstar.com. The author may be reached at email@example.com.