The digital emergency kit: who gets in if you can't?

Here's the test: if you were in hospital tomorrow, could anyone pay your bills, reach your accounts, or even unlock your phone? For most households the honest answer is no. Everything runs through one person's email, behind one person's passwords, locked to one person's face and fingerprint. A digital emergency kit is an hour of work that answers that question before a crisis asks it. It is not a list of passwords taped inside a cupboard. Done right, it's a sealed page of clues: useless to a thief, decisive to the one person you trust. Here's how we'd build one: what goes in, what stays out, and where it lives.

What happens to your accounts if something happens to you

Nothing graceful. Direct debits keep drawing until the account runs dry. Bills keep landing in an inbox nobody can open. Your family can see your phone on the bench and can't get past the lock screen: the PIN is in your head, and the face it wants is in a hospital bed. Banks do have formal processes for incapacity and death, but they're slow and they do nothing for the everyday problem: the electricity bill due Thursday, the subscription quietly billing a dead card. In the gap between the crisis and the paperwork, the household runs on whatever access you set up in advance. For most people, that's none.

Start with the master-access chain

Before you write anything down, map how your access actually works. For almost everyone it's a chain: the phone PIN unlocks the phone, the phone reaches the email, and the email resets everything else. One email account sits at the top and can recover the bank login, the super, the utilities, the lot. That concentration is exactly what criminals attack, and it's why we bang on about the recovery gap. It's also what saves your family: the kit doesn't need every password you own. It needs to get one trusted person through three doors: into the phone, into the master email, and past two-factor. From there, normal account recovery does the rest. Find the email account at the top of your chain and build the kit around it.

The paper password list, done right: partial, never complete

Yes, write things down on paper. Paper can't be phished, can't be hacked from the other side of the world, and doesn't sync to anything. It's a better home for recovery information than any file on any computer. The rule that makes it safe is absolute: write down enough to unlock recovery, never the complete credential. The page should read like riddles to a stranger and like plain instructions to the one person it's written for. In practice that means three kinds of entry:

  • A hint instead of the thing. "Phone PIN: the postcode of the first place we rented" means nothing to a burglar and is instant for your partner.
  • A partial secret. The first half of a passphrase written down, the second half being something the person already knows, or held somewhere else entirely.
  • A pointer to where the real thing lives. "Everything is in the password manager on the laptop. The master password is the sentence from the airport in 2019, all lowercase, no spaces."

Hold every line to one test: on its own it gets a thief nowhere; with what your trusted person already knows, it opens the door. If a line would work for a total stranger as written, it's too complete. Rewrite it.

Turn on your password manager's emergency access

If you use a password manager, and you should, most of the big ones ship a feature almost nobody switches on: emergency access. You nominate a trusted contact ahead of time. In a crisis, they request access to your vault. A waiting period you chose, anywhere from a day to a month, counts down. If you don't decline the request in that window, they're let in. While you're fine, you can knock back any request, so having it on costs you nothing. It's the cleanest emergency door there is, because no password ever has to be written anywhere. Set it up this week, name the person the kit is written for, and note on the page that it exists so they know to use it.

2FA continuity: the lockout risk doubles in a crisis

Two-factor authentication is where most rescue attempts die. Your trusted person finally gets the email password right, and the login asks for a six-digit code from an app on the very phone nobody can unlock. Dead end. 2FA is built to stop someone who isn't you, and in a crisis your family is someone who isn't you. Two fixes, and we'd do both. First, print the backup codes. Every serious service issues one-time backup codes when you turn 2FA on; almost everyone clicks past them. Print the codes for the master email and the bank, and put them in the kit. Second, register a second method: a spare hardware key in the envelope or the safe, or an authenticator app on a second device like the tablet in the drawer. In normal life 2FA keeps strangers out. In a crisis it keeps your family out too, unless you built the second path in advance.

Where the kit lives

A sealed envelope, dated on the outside, in one of two places: a safe or lockbox at home, or handed directly to the trusted person it's written for. Not a note on the fridge, not a drawer at work, not a file called passwords.txt, and not a photo of the page, because the camera roll quietly syncs it to the cloud you were keeping it out of. The seal isn't security, it's a tell: you'll know at a glance if it's been opened. Keep at most two copies and know where both are. And keep it current: new phone, new bank, changed PIN or master password, update the envelope. A stale kit fails like no kit at all, just with more confidence. Check it twice a year; it takes ten minutes.

What this is not: legal advice

Straight up: a digital emergency kit is practical access planning, not estate planning, and we're not lawyers. It doesn't replace a will, a power of attorney, or the formal authority banks require before anyone can properly control your money. Those are lawyer conversations. Have them. What the kit covers is the gap those documents don't: the weeks while the formal process grinds, when someone still has to keep the household running.

The small-business version

A business gets its own envelope, because it has its own version of the question: if the owner is unreachable for a fortnight, what breaks? Usually three things. Banking, because payroll and the tax office don't wait. The domain name, because a missed renewal takes email and the website down together. And email admin, because someone has to be able to reset a staff mailbox. Same doctrine: partial clues plus a named person, never complete credentials on paper. And while you're at it, make sure the data itself would survive: start with our small business backup primer.

Digital emergency kit: common questions

What is a digital emergency kit?
A small set of instructions, kept on paper, that lets one trusted person reach your accounts if you suddenly can't: hospital, accident, death. Done right it holds hints and pointers to recovery, never complete passwords, so it's useless to a thief but decisive to the person it's meant for. It takes about an hour to build.
Should I write my passwords down on paper?
Partially, yes. Paper can't be phished or hacked from the other side of the world, which makes it a better home for recovery information than any file on a computer. The rule is to never write a complete credential: write a hint only your trusted person would understand, half a secret, or a pointer to where the real thing lives. The paper alone should get a stranger nowhere.
What happens to my accounts if something happens to me?
By default, nothing good. Direct debits keep drawing, bills arrive in an inbox nobody can open, and your family is stopped cold at your phone's lock screen. Banks and platforms have formal processes for incapacity and death, but they're slow and they don't help with the bill due this week. Without prepared access, that practical gap runs for weeks.
How does password manager emergency access work?
You nominate a trusted contact in advance. In an emergency they request access, and a waiting period you chose counts down, anywhere from a day to a month. If you don't decline the request in that window, they're let into your vault. While you're fine you can knock back any request, so it costs you nothing to have it switched on.
Does a digital emergency kit replace a will?
No. It's practical access planning, not legal authority. Wills, powers of attorney and formal control of accounts after death are a lawyer conversation, and banks will still require the proper paperwork. The kit exists for the gap in between: the weeks when the paperwork is grinding through and the household still has to run.

The kit answers who gets in when you can't. The other half is who gets in when they shouldn't, because the recovery chain your family would use is the one criminals attack. Tell us what you're protecting and we'll help you close the back door without locking out the people who matter.