The folder no one could open

A founder I'll describe — composite, but true to a dozen real ones — ran a small software business alone. One bank account, a Stripe dashboard, a domain registrar, a password manager holding the keys to all of it. He had done the responsible thing: every credential was strong, unique, and stored behind one master password that lived only in his head.

Then he was gone, suddenly, and his sister became the person responsible for winding things down. She had his laptop. She had his phone. She had a death certificate and letters from a probate court. What she did not have was a way in. The master password died with him. The recovery codes were inside the vault she couldn't open. The bank wanted to talk to an authorized signer, and the only authorized signer was the person they were calling about.

This is the part of digital estate planning almost no one prepares for, because it doesn't feel like a real obstacle until you hit it. We assume that ownership implies access — that if the accounts are his, and she is his legal heir, the doors will open. They don't. Understanding exactly why is the most useful thing you can learn before you write a single password down.

Owning an account and being able to use it are two different things

When you die, your heirs inherit your assets. The money in the bank, the equity in the company, the balance in the payment processor — those are property, and property passes through your estate to the people you name. That part works roughly the way you'd expect.

But an online account is not the asset. It's a license to use a service, governed by a terms-of-service agreement you clicked through years ago. Most of those agreements say the account is non-transferable and terminates on death. So your executor can be legally entitled to every dollar inside an account while having no contractual right to log into the account that holds it. The money is inheritable. The login is not.

This distinction sounds like a technicality. In practice it's the entire problem. Your heirs end up petitioning each company, one at a time, to release what's already theirs — and the companies are not being cruel. They're following a different law entirely.

The 1986 law that protects your secrets from your own family

The reason a provider won't just hand your sister your inbox is the Stored Communications Act, passed in 1986, long before anyone imagined a life lived inside email. It forbids companies from disclosing the content of your private communications without lawful consent. It was written to stop the government from rummaging through your messages without a warrant, but it applies just as firmly to a grieving family member with a death certificate.

So a service provider faces a genuine bind. Release a deceased user's emails to a relative and they may violate federal privacy law. Refuse, and they look heartless. Most choose caution, which is why the default answer to "my brother died, please give me access" is a polite, immovable no.

RUFADAA: the quiet law that decides who gets in

Starting in 2015, the Revised Uniform Fiduciary Access to Digital Assets Act — RUFADAA — was written to untangle exactly this, and nearly every U.S. state has now adopted some version of it. It's worth knowing how it actually decides things, because it gives you far more control than you probably realize, if you act while you're alive.

RUFADAA sets up a strict hierarchy of authority, and most people never use the top tier:

First, the online tool wins. If a provider offers its own way to name who inherits access — Google's Inactive Account Manager, Apple's Legacy Contact, Facebook's legacy contact setting — whatever you specify there overrides everything else, including your will. This is the most powerful and most ignored lever in your entire digital estate. Five minutes inside those settings beats a thousand-dollar trust document.

Second, your legal documents. If there's no online tool, RUFADAA looks to explicit language in your will, trust, or power of attorney granting your fiduciary access to your digital assets. The word "explicit" matters. A generic will that doesn't mention digital assets often won't unlock content, because the Stored Communications Act demands clear consent.

Third, the terms of service. If you've left neither, the company's own agreement controls — and that usually means the door stays shut.

RUFADAA also draws a line between the content of communications (the actual words of your emails and messages, which need that explicit consent) and the catalogue — the metadata, the record that a message existed, the list of what's there. Fiduciaries can more readily get the catalogue than the contents. For a business, the catalogue alone — knowing which vendors, banks, and services existed — is often half the battle.

Two-factor authentication: the lock that protects you and traps your heirs

Now layer on the security you've deliberately built. Two-factor authentication means that even someone holding your correct password is stopped cold without a second code — sent to your phone, or generated by an app, or printed on recovery sheets you stored somewhere safe.

That phone is now locked. The authenticator app is on the locked phone. The recovery codes, if you generated them, are very often saved inside the password manager — which is itself behind a master password and, frequently, its own second factor. Each safeguard you added to keep strangers out works identically against the people you'd actually want in. Security doesn't distinguish between a thief and a grieving sister with a court order. It only knows whether the right factor is present.

This is the cruel symmetry of doing security well. The more conscientious you were, the more completely locked the door becomes.

What actually solves it: a deliberate handoff, made in advance

The fix isn't to weaken your security. It's to build a second, intentional door and decide — now, while you can — who holds the key.

Concretely, that means a few things working together. Use the online tools every major provider offers, because RUFADAA makes them supreme. Write explicit digital-asset language into your will or trust so your executor's authority isn't ambiguous. Designate a digital executor — name the actual human who will do this work, and tell them they've been named. And most practically, leave a recoverable path to your master credentials and your second factors — the password-manager emergency-access feature, the printed recovery codes, the location of the backup phone — stored so that the right person can reach them without that path being open to everyone.

The goal is a single, ordered map: here is what exists, here is how to get in, here is who is allowed to. Not a sticky note. Not a hope that someone will guess. A deliberate inventory that turns weeks of locked-out petitioning into an afternoon of orderly transfer.
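The lockout chain from the two-factor section, and the ordered map described above, can be checked mechanically before anyone needs them. This is an added example, not part of the original essay or of any product it mentions. The item names, the inventory and the three scenarios are constructed for illustration. Each credential is modelled as reachable only through a route whose prerequisites are all already in hand.

```python
# Constructed inventory (hypothetical names). Each item lists its alternative
# routes; a route is the set of things that must ALL be in hand to obtain it.
INVENTORY = {
    "phone_unlocked":       [{"phone", "phone_pin"}],
    "authenticator_app":    [{"phone_unlocked"}],
    "vault":                [{"master_password", "authenticator_app"},
                             {"master_password", "vault_recovery_codes"}],
    "vault_recovery_codes": [{"vault"}],  # codes saved inside the vault itself
    "bank_login":           [{"vault", "authenticator_app"}],
    "registrar_login":      [{"vault"}],
}

def reachable(holdings, inventory=INVENTORY):
    """Fixed-point closure: everything obtainable starting from `holdings`."""
    have = set(holdings)
    changed = True
    while changed:
        changed = False
        for item, routes in inventory.items():
            if item not in have and any(route <= have for route in routes):
                have.add(item)
                changed = True
    return have

def locked_out(holdings, inventory=INVENTORY):
    """Unreachable items, each with what every one of its routes still lacks."""
    have = reachable(holdings, inventory)
    return {item: [sorted(route - have) for route in routes]
            for item, routes in inventory.items() if item not in have}

# Constructed scenarios: what the named person physically holds.
NO_HANDOFF = {"phone", "laptop"}                      # devices only
PARTIAL = {"phone", "master_password", "vault_recovery_codes"}  # sealed envelope
FULL = PARTIAL | {"phone_pin"}                        # envelope plus phone PIN

if __name__ == "__main__":
    for name, held in [("no handoff", NO_HANDOFF), ("partial", PARTIAL), ("full", FULL)]:
        print(name, "->", locked_out(held) or "nothing locked")
```

The partial scenario is the instructive one: the vault opens, but any account whose second factor lives only on the locked phone stays shut until the handoff also covers the phone.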

The afternoon that saves the months

The founder's sister eventually got most of it sorted. It took the better part of a year, a lawyer, several notarized letters, and a few accounts that simply went dark and were lost. None of it had to be that hard. Everything she needed had existed; it had just never been written down in a form anyone but him could use.

That's the whole lesson, and it's strangely freeing once you see it: the people you trust are not stopped by the absence of love or legal standing. They're stopped by the absence of a map. You are the only person who can draw it, and you can only draw it now.

That's the narrow, unglamorous problem Heirloom exists to solve — a single death-binder where a solo founder keeps the vault, the handoff instructions, and the named beneficiaries together, so the afternoon of preparation replaces the months of being locked out. If you've been meaning to draw that map and never quite known where to start, you can begin one here: estatemap.lumenlabs.works.