
 Paper, the least terrible password management tool (2015) - walterbell
https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0619/Opinion-Paper-the-least-terrible-password-management-tool
======
charleslmunger
Paper is an awful medium for password management, for a host of reasons:

1. It's vulnerable to phishing. The vast majority of sites still do not
support U2F or similar, and typing in a password from paper means that a human
is validating the domain, not a machine.

2. It's not encrypted at rest. This means that leaving your wallet somewhere
means all your passwords have been exposed. It also means in many legal cases
(IANAL, US law, etc) the contents of that paper are a key to all the other
encryption you might have. In particular, courts have held that the fifth
amendment protects a defendant from being compelled to reveal passwords in
many circumstances.

3. It's difficult to keep in sync with new registrations, logins, and
password changes - given the widespread use of mobile phones, it means that
you are likely to take that piece of paper with you, compounding the risks in
#2.

5. Paper isn't durable. Spill a drink on it and everything is basically gone.

6. Paper isn't generally structured to obscure passwords - open your
browser's password manager, and you'll see ________ for each password unless
you click to reveal it. With paper, you are much more vulnerable to shoulder
surfing.

Edit:

7. Any decent password manager will volunteer to generate passwords for you -
if you're doing this on paper, it's much more likely that you'll try to come
up with a password yourself, resulting in weaker passwords.

~~~
nickpsecurity
"5. Paper isn't durable. Spill a drink on it and everything is basically
gone."

Paper is more durable than any digital storage which all suffer from rot. They
also rot faster than advertised. My documents stored in water- and fire-
resistant containers will be readable even when my HD or discs fail. Just like
the old books I find at thrift stores that were already older than some
corrupted media I had.

~~~
freehunter
Paper is certainly not more durable than digital storage. It may last longer
at rest, but a disk under constant usage will outlast paper under constant
usage any day.

Durable means able to resist wear. Lasting means persisting over an extended
period of time. Paper, when stored properly, is long-lasting. It is _not_
durable.

~~~
Retric
A poster on a wall could last for decades to centuries of use after a HDD in
constant use has died. So, really HDD win in a subset of cases and lose in
others.

~~~
freehunter
Is a poster on a wall considered "paper in constant use"? After all, that disk
has been constantly, unceasingly physically manipulated for years, while the
paper has just been merely subjected to light and a small amount of air
movement. A poster on the wall is as much "in use" as a disk that is plugged
in but not mounted.

Sticking with the original subject, write your password to your computer disk
and write it to a piece of paper. Now change your password on your computer
disk while changing it on the paper as well. Now change it again. And again.
And again. See what is more durable, the disk being constantly erased and
written over, or the paper being constantly erased and written over? A modern
SSD can handle tens of petabytes being written before it dies. Can a piece of
paper?

~~~
yifanl
But that isn't at all relevant to the use case at hand. Using paper storage
just means you can access and read the content of the paper.

~~~
freehunter
So you just never change your passwords?

------
MarkMc
Pro tip: If you use paper add the same prefix to all your passwords, but don't
write down the prefix. This improves security if you misplace the paper.

For example, your paper might look like this:

    Gmail: face method ruler
    Facebook: rows bat likewise
    Bank: hilltop skids lavender

But your actual passwords are:

    Gmail: apple face method ruler
    Facebook: apple rows bat likewise
    Bank: apple hilltop skids lavender

Pro tip 2: Use random words instead of random characters. For sites you log
into regularly you will soon memorise the password and won't need to pull out
the paper.

------
rayiner
Password management has gotten completely out of hand. My dad, who is in his
60s but is pretty technologically savvy, has resorted to a master paper list
of all his passwords (almost two dozen).

The situation has gotten worse in recent years. First, the unjustified worry
about shoulder surfing means that password entry widgets make it impossible to
figure out if you’ve entered the password correctly, especially on mobile
where typing errors are common. Worse, some don’t even have a “show what I’m
typing” mode. Second, many sites totally confuse the password managers in
Chrome/Safari because they get fancy with having separate pages for username
and password.

And all for what? My passwords have been leaked dozens of times over in
various security breaches anyway.

~~~
xoa
>Password management has gotten completely out of hand.

Sure, the industry is basically recreating public key crypto very, very badly.
All the tech has been there to do away with passwords for ages but path
dependency can be a very scary and depressing thing sometimes. Probably
doesn't help that for a long time only users paid any of the cost.

Granted there is also this weird mindset even amongst lots of tech workers
that authentication is some scary thing and should be manual too, as in this
idiotic article. Perhaps that has also inhibited progress.

>And all for what? My passwords have been leaked dozens of times over in
various security breaches anyway.

Well, that's the major reason behind password managers, isn't it? It's
precisely because we're not using real crypto for authentication that what 3rd
parties do and whether they get breached actually matters, and in turn creates
the necessity to use a different good password for every single service and
have the ability to change them to a new good one at will. For most humans at
any significant scale that rapidly becomes impossible to manage, so naturally
the right thing to do at an individual level is turn to a computer to handle
it.

~~~
kungtotte
It's exactly the sort of thing a computer should be doing, too.

Automating an administrative task is basically what they're for.

------
jcmi
It obviously depends on your threat model. If you don't have any accounts with
too sensitive information and you can stash the paper somewhere reasonably
safe, then sure. My big issues with this are:

1) People suck at making their own passwords and this encourages bad passwords
and password reuse.

2) The article admits that paper alone isn't good enough, but suggests that
having "four password storage methods" is the optimal solution. That seems...
unwieldy. Storing the most important (banking info, email) passwords in your
head is a recipe for password reuse or getting locked out of your account.

~~~
artie_effim
Threat modeling is the most important part of this discussion, but will fall
by the wayside in this discussion as well. Normal folks are really bad at risk
analysis. I personally use a paper storage system and diceware (
[http://world.std.com/~reinhold/diceware.html](http://world.std.com/~reinhold/diceware.html)
) - because, at the end of the day - low tech is the best tech.

<edit> - also am a CISSP

------
Alpacalex
If your concern is third-party reliability but you'd still like a password
manager, I'd say your best bet would be pass + git. pass uses gpg to encrypt
each password separately in a file structure, and works very well with any
sort of git repository making it accessible across devices. Depending on how
you set it up it can be 100% in your control with minimal configuration (in my
case though I've been lazy and just hooked it up to a private GitHub
repository).

~~~
TheBarton
1+ for pass. It does one thing and does it well. Zero bloat. I use a simple
emacs helm plugin to quickly copy the password to clipboard. Very happy with
this setup.

~~~
jachee
How do you sync to mobile browsers with pass + git?

~~~
TheBarton
I don't, sorry. My previous password manager, while it did have a mobile app,
was painful to use so I don't miss that too much. For my most important stuff
I use rememberable passwords.

------
delcaran
Is it really that difficult to use KeePass? It's offline, cross-platform, with
password generation, a secure session for entering the master password, can
type passwords without using the clipboard, and if you want to sync you can
save the encrypted db on Dropbox, git or wherever you want.

The only problem I see is when I need a password but I can't access the
database, which is almost never since KeePass has a port for Android. But in
those (few) cases I can write down a few notes which I can use to create a
not-easy-to-guess password for that specific use case.

------
tobiasSoftware
I've never been a fan of password managers, but I've found a much better way
than paper:

1. Create a complex password to re-use everywhere. Memorize it and don't
write it down.

2. Create individual simple passwords when you need one. Write them down.

3. Create a method to combine the complex password and the simple password.
Memorize it and don't write it down.

I figure there are two main attack vectors: online and offline. Online attack
vectors are either a dictionary attack, which requirement 1 solves with a
complex password, or using hacked passwords in one site to gain access to
other sites, which requirement 2 solves with different passwords for each
site. Offline attack vectors are someone discovering your written passwords,
which requirements 1 and 3 solve by memorizing pieces of it.

The only weakness to this scheme is if someone is A. deliberately targeting
you as opposed to a mass attack, and B. gains access to two or more of your
passwords, allowing them to figure out your password system.

~~~
anonred
> 3. Create a method to combine the complex password and the simple password.

So what happens when a site / service limits the length? Do you truncate your
complex password? And what about cases where only a certain subset of
characters is accepted? Do you now need to memorize multiple variations of the
complex password?

I used to do something similar to your proposed method, but the number of
exceptional cases and work simply made it not worth the effort compared to a
real password manager.

~~~
wwweston
How often are you running into length-limited password fields these days? I
usually take it an organization is not attentive to or is outright
uninterested in security, and either I shouldn't use their service (if it's
optional), or I should publicly shame them.

~~~
andrewflnr
Passwords with character restrictions are still pretty common, AFAICT. Yahoo,
for instance.

------
jmull
The article and some posts suggest keeping certain passwords only in your
head.

Be sure you do that only when it would be Ok if the account became very
difficult to access in case you die or become incapacitated. There are
remedies for your survivors, but it is generally a big pain in the ass you
don’t want to leave behind.

------
sunstone
In an imperfect world this is the optimal combination of security and
convenience.

A google drive spreadsheet full of passwords. The gmail account is U2F.
Memorize the (long) account password and then copy and paste from the
spreadsheet.

Benefits:

* is not a honey pot target like a password manager
* easily accommodates long random passwords
* convenient access
* cannot be misplaced
* account password very likely to remain secured

~~~
marssaxman
What is "U2F"?

~~~
sunstone
It's a hardware key that provides 2 factor authentication for GMail.

------
MarkMc
The great thing about paper is that even my grandma can understand it. For 80%
of people that makes it superior to any other password manager.

------
rootusrootus
Interesting suggestion that a pad of paper is just as safe as your house.
Problem is, much like corporate security, when it comes to passwords I
actually figure that the biggest threat comes from the very people who already
either live in my house or have relatively easy access to it.

------
vemv
Password managers seem to have the essential flaw of using the clipboard.

What prevents a random npm/rubygems/... dependency from running `pbcopy` every
second, storing interesting-looking results and relaying them to some server
once in a while?

~~~
Nadya
This assumes the machine is already pwned - at which point why wouldn't they
just use a keylogger? In that case, typing the password in without the use of
a password manager instead of copy/pasting from a password manager wouldn't be
any more secure.

~~~
bscphil
This suggests a related question. There's no inherent reason why programs
other than your desktop shell and the current focused window (for window based
DEs) need to have access to keyboard input. In practice, how good are existing
DEs at controlling this access? I know, for example, that the slow move from X
to Wayland has removed _some_ of the methods a program might use to access
inputs or the clipboard.

------
ravenstine
I'm surprised no one ever talks about invisible ink for this purpose.

------
4684499
I'd use an air gapped device to replace paper.

------
Nicksil
Non-AMP link

[https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0619/Opinion-Paper-the-least-terrible-password-management-tool](https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0619/Opinion-Paper-the-least-terrible-password-management-tool)

~~~
dang
Thanks, changed.

------
rrdharan
Needs a 2015 in the title?

------
mdekkers
It wasn't a very good idea in 2015, and it still isn't a good idea today. It
may not be "least terrible" when you have 20 - 50 passwords or so, but I'm at
5000+, and wherever possible, my logins are also random strings.

~~~
mehrdadn
I agree it doesn't scale, but holy cow, 5000+! That is a _lot_!!

------
baggsie
My personal method is passphrase + first three characters of domain + number +
!

E.g. foobarYCO2018!

Easy to remember, unique and doesn't rely on third-party services.

~~~
jmmcd
It's not good to reveal your scheme, or for your scheme to be so simple. If a
HN database ends up in the open, your accounts on other sites become
vulnerable.

~~~
bscphil
Ideally your passphrase would be secure enough that it couldn't be bruteforced
from a (hashed) HN database. But in case a non-hashed database gets leaked,
what sort of scheme could one use that couldn't be revealed from a single
known password? I suppose one could use a system like

    bcrypt(passphrase + "domain.com")[:32]

But anything requiring a calculation step seems to lose a lot of the
advantages of a single-passphrase system.
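As an added illustration (not code from any poster in this thread), the following contrasts the two per-site schemes discussed above: baggsie's `passphrase + first three characters of domain + number + !` construction, and bscphil's `bcrypt(passphrase + "domain.com")[:32]` idea, written here with `hashlib.scrypt` from the Python standard library standing in for bcrypt. The function names, the `generation` counter, and the sample passphrase and domains are this example's own assumptions. The point it makes is the one jmmcd raises: in the naive scheme a single leaked plaintext password contains the passphrase itself, whereas a KDF-derived password is indistinguishable from random and reveals neither the passphrase nor the passwords for other sites.

```python
import base64
import hashlib
import string

# Added example, not the posters' code. Names and parameters are assumptions.

PASSWORD_LEN = 32                                   # the "[:32]" truncation from the post
URLSAFE_CHARS = set(string.ascii_letters + string.digits + "-_")


def naive_site_password(passphrase: str, domain: str, number: int = 2018) -> str:
    """The 'passphrase + first three letters of domain + number + !' scheme.

    Constructed to reproduce the thread's own example: ("foobar", "ycombinator.com")
    gives "foobarYCO2018!". Anyone who sees one such password can read the
    passphrase straight out of it and guess every other site's password.
    """
    return f"{passphrase}{domain[:3].upper()}{number}!"


def derive_site_password(passphrase: str, domain: str, generation: int = 0,
                         length: int = PASSWORD_LEN) -> str:
    """Deterministically derive a per-site password from one memorised passphrase.

    The domain is used as the salt, so nothing per-site needs to be written
    down. `generation` is an addition to the post's scheme (an assumption of
    this example): bumping it is the only way to rotate one site's password
    without changing the passphrase, and the user must remember, or note on
    paper, which generation each site is on.
    """
    # Domains are case-insensitive; normalise so "Gmail.com" and "gmail.com"
    # derive the same password.
    salt = f"{domain.lower()}:{generation}".encode("utf-8")
    # scrypt is memory-hard, so an attacker holding one leaked derived password
    # has to pay the full KDF cost for every passphrase guess.
    raw = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=2**14, r=8, p=1, dklen=48)
    # 48 bytes encode to exactly 64 base64url characters with no padding, and
    # each output character is uniform (no modulo bias). The alphabet is
    # letters, digits, '-' and '_', which most sites accept.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def leaks_passphrase(site_password: str, passphrase: str) -> bool:
    """True if the passphrase can be read verbatim out of the site password."""
    return passphrase in site_password


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    pp = "foobar"
    print("naive  :", naive_site_password(pp, "ycombinator.com"),
          "leaks passphrase:", leaks_passphrase(naive_site_password(pp, "ycombinator.com"), pp))
    for site in ("news.ycombinator.com", "mail.example.com"):
        print("derived:", site, derive_site_password(pp, site),
              "leaks passphrase:", leaks_passphrase(derive_site_password(pp, site), pp))
    print("rotated:", derive_site_password(pp, "news.ycombinator.com", generation=1))
```

The derived form still carries the weakness bscphil notes at the end: every login needs a computation step, and the `generation` counter brings back a small amount of per-site state that has to live somewhere, whether in memory or on paper. Length limits and character-set restrictions (anonred's objection) are handled only insofar as the base64url alphabet and a 32-character cut happen to satisfy the site; a site that forbids `-` or `_` would need a separate rule, which is one more exception to remember.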

