Ask HN: Is it time to start writing passwords down again? - jl6

Over the last few years I have lost a lot of trust in the electronic systems I use, to the point where the basic physical security on my home feels more secure than any part of any of my computers.

I feel I am far more likely to be compromised by anonymous remote hackbots using 0days on my password manager than by burglars.

Is it time to keep my passwords on paper?
======
colanderman
I'm considering crocheting my SSH private key into a blanket, so that I can
safely and clandestinely transport it across borders. Holes representing 0s
and stitches representing 1s, with strong parity to mitigate transcription
errors.

I will call it my "security blanket".

~~~
NAFV_P
> _... with strong parity to mitigate transcription errors._

How would you deal with coffee stain errors?
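The "strong parity" colanderman describes, as an added example that is not from the thread: each nibble of a secret is written as an 8-bit extended Hamming block, so one mis-transcribed bit per block is corrected and two are detected rather than silently yielding a wrong key. The function names are my own.

```python
from typing import List

def _hamming74(d: List[int]) -> List[int]:
    """Positions 1..7 of a Hamming(7,4) codeword (index 0 unused) for data bits d0..d3."""
    b = [0] * 8
    b[3], b[5], b[6], b[7] = d
    b[1] = b[3] ^ b[5] ^ b[7]
    b[2] = b[3] ^ b[6] ^ b[7]
    b[4] = b[5] ^ b[6] ^ b[7]
    return b

def encode_nibble(n: int) -> str:
    """4 data bits -> 8-character '0'/'1' block: 7 Hamming bits plus an overall parity bit."""
    b = _hamming74([(n >> i) & 1 for i in range(4)])
    b[0] = sum(b[1:]) & 1  # overall parity makes the whole block even
    return "".join(map(str, b))

def decode_block(block: str) -> int:
    """Correct a single flipped bit in an 8-char block, reject two, return the nibble."""
    b = [int(c) for c in block]
    s1 = b[1] ^ b[3] ^ b[5] ^ b[7]
    s2 = b[2] ^ b[3] ^ b[6] ^ b[7]
    s4 = b[4] ^ b[5] ^ b[6] ^ b[7]
    s = s1 | (s2 << 1) | (s4 << 2)  # syndrome = position of a single error
    overall = sum(b) & 1            # 0 while even parity still holds
    if s and not overall:
        raise ValueError("two transcription errors in block %s: cannot correct" % block)
    if s:                           # one error: flip the bit the syndrome points at
        b[s] ^= 1
    # s == 0 with overall == 1 means only the parity bit was flipped: data intact
    return b[3] | (b[5] << 1) | (b[6] << 2) | (b[7] << 3)

def encode_secret(secret: bytes) -> str:
    """High nibble then low nibble of each byte, one 8-bit block each."""
    return "".join(encode_nibble(v) for byte in secret for v in ((byte >> 4) & 0xF, byte & 0xF))

def decode_secret(bits: str) -> bytes:
    nibbles = [decode_block(bits[i:i + 8]) for i in range(0, len(bits), 8)]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

def flip_bits(bits: str, positions) -> str:
    """Simulate mis-transcribed stitches by flipping the given bit offsets."""
    chars = list(bits)
    for p in positions:
        chars[p] = "1" if chars[p] == "0" else "0"
    return "".join(chars)
```

The constructed secret in the test is a placeholder, not a real key; a real private key is several hundred bytes, so the blanket gets large.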

------
wanda
I try to use a different password for every site and I remember all the
passwords I use. This is obviously not helpful to anybody and would be
thoroughly impractical even for me to rely on, because not everybody is good
at remembering 18-30 character strings of letters, numbers and symbols, and
equally I figure one day I will not have the same ability to remember them
either.

So I keep the de facto "ciphers" on paper. These ciphers usually take the form
of differential equations that give fairly lengthy, rational numerical
solutions. Equations have the advantage of not looking like a cipher,
especially if you're known to be a mathematician. Even if I lost the paper or
it was destroyed, the equations are memorable to me for having played a role
in some of my studies a long time ago. I could root around in my notes and
find them again.

The equations are all I need to have on paper because I can just do the math
and remember how I form the solution into a password to include letters and
symbols. Even if I forgot how exactly I formed the solution, with the
numerical string resolved I could quite simply brute force the few characters
remaining. I keep this bit of paper safe but separate from my credit cards and
cash because that's the most likely thing to be stolen from me.

But you know what? I don't even consider this a particularly secure solution.
It's just more fun. And it has to be better than storing passwords with a
password manager, using a pen drive or keeping passwords themselves on paper.

------
kalleth
It's time to use complex, un-rememberable passwords that are unique for each
system you use.

"Unlock" them using a master password that's secure and you can remember
(_not_ 'correct horse battery staple') and that you use FOR NO OTHER SYSTEM.

If a site is compromised, you will lose your account on that site regardless
of how strong your security for your account is.

However, the main problem at the moment is the chain of compromise -- people
who use the same credentials and the same username on multiple sites and on
'core' systems like their e-mail account. One site gets compromised, which
leaks the same credentials you use for your e-mail address, and all of a
sudden they have access to your entire online identity.

I use LastPass ([http://lastpass.com](http://lastpass.com), stores your
encrypted passwords remotely so you have to trust lastpass.com) and pay for a
premium subscription ($1/month?) with a master password not used elsewhere.

But there are other alternatives like
[http://keepass.info/](http://keepass.info/) (stores your passwords locally,
can sync with dropbox. No trusting an external service required.)

Also [https://agilebits.com/onepassword](https://agilebits.com/onepassword)
(1password), similar to keepass, but not open source (I don't think). Better
UI.

------
nherment
I agree with most of what Kalleth says. However there is just no way that you
can trust a North American company to keep your passwords safe, especially
when the code is closed source.

I've built [https://elipsis.io](https://elipsis.io) and if you are tech savvy
I recommend that you host your own service. Don't do it on a VM but on a
dedicated box.

An alternative is to use
[https://www.clipperz.com/](https://www.clipperz.com/) since they are also
open source, but I really hate their user interface.

Like @kalleth said, you can also use keepassx with dropbox.

~~~
stevekemp
Your site looks interesting, but note that
[https://elipsis.io/status](https://elipsis.io/status) is a 404.

~~~
nherment
Yes, I know. Thanks for letting me know. I've stopped working on it. Only a
friend and I are using it. I'll leave it as is and free as long as there are
only a few users.

I might add 2-factor auth sometime in the near future.

------
pm24601
yes