Microsoft security guru: Jot down your passwords (2005) (cnet.com)
46 points by Tomte on Dec 9, 2016 | hide | past | favorite | 60 comments



I seem to recall Bruce Schneier advocating the same strategy:

> I write my passwords down. There’s this rampant myth that you shouldn’t write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet. [1]

I think this is a viable strategy. And I don't think the fact that a wallet can be lost or stolen should dissuade a person. If your wallet is stolen, you're already facing a security compromise, with or without written passwords inside. Your typical wallet is going to contain ID cards, bank and credit cards, etc. You already need to cancel those cards and get new ones issued. Fortunately, by being in the wallet, those passwords will be rather secure. IME, people seem to understand losing one's wallet is Serious Business.

The common advice against writing passwords down is not the only bit of perverse security policy I've encountered. On the AIX boxes at one of my employers, it wasn't so bad that password policy required a minimum length of multiples of letters, numbers, and symbols and forbade reusing the past N passwords. No, what was BS was that the policy also forbade X repeated letters, and Y letters that were in any of the Z previously used passwords. Now, while this might have been intended to prevent users from using passwords like "aabbccdd1", "aabbccdd2", "aaaabbbb3", etc, it also in effect forbade stronger passphrases. The longer a passphrase is, the more likely you are to have multiple repeated letters, or letters that occurred in the last few passphrases. There are only 5 vowels in the roman alphabet, and many words use more than one. For example "correcthorsebatterystaple" has 6 repeated letters, and its replacement of "wargnomefinaltreetruce" not only has 4 repeated letters, but 5 letters used in the previous passphrase, thus forcing a much weaker password like "FuckA1X!". Oops.

1. http://freakonomics.com/2007/12/04/bruce-schneier-blazes-thr...


You are, of course, correct. The main issue isn't with writing them down but with people finding them if they are written down.

This means not putting passwords on a post-it on the monitor and to guard them like you guard your wallet or house "keys", wherever they are written down or otherwise recorded.

Of course, with so many passwords in one place, it's best to do a little planning in case a paper gets lost or wet. It's also a good idea to consider what might happen if ALL passwords get disclosed at once.


If they just steal your computer, they'll most likely still be logged in to many services already. If there's no password at login, they can already request a password change and a confirmation email from any other site.

Not to mention autofill - my Dad is a terror for this. He sees it as a convenience, but I'm pretty sure his autofill could file his tax return for him by now.


This is what disk encryption targets.


One way of semi-resolving the issue of the paper falling into another's hands is writing the password and adding characters to it on paper that you know not to add when using it as a password.

For example, when we visit my mother-in-law, she likes to hand over her ATM card for us to do local errands. My wife, knowing that she'll forget the PIN, writes it as a telephone number, where she knows the offset/method to extract the PIN.


Writing down your passwords is not about forgetting your passwords and needing the written page at all times. It's about having a backup that is behind lock and key (your front door). It's about "oh, shit, what's my login for this meaningless site I use once a quarter?" And it's about your spouse being able to get into those things if you die.


This 100%. I keep a printed QR code in my wallet encoding my password manager's master password. Just in case.


It would probably be better to include this backup code in your will or some other paperwork filed with your lawyer. Your wallet can be stolen pretty easily.


I'm forty-two. I've never so much as lost a wallet, much less had it stolen.

Plus I use it once a month or so when my password manager app on my phone gets logged out and I don't feel like pecking it into the virtual keyboard.


You should still have a will anyway, and included in it your digital key to your digital life.


Keeping it in your wallet sounds like a bad idea, for many different reasons.


It's a risk, but it's extremely tiny. I have the password memorized, but it's long enough and complex enough that I can't always type it correctly, especially on a phone.

Being able to scan it when needed allows me to use a password manager for all my other passwords and keeps me using a complex-enough master password.

It's the same argument as the article, just at one higher level of abstraction.


> behind lock and key

Uhhh..


I'm not in a high risk group for wallet compromise. I'm over forty and have never lost my wallet or keys even once my whole life. I have many flaws, but misplacing small valuables isn't one of them.


I don't know... My house has never been broken into in my life, but it doesn't mean I don't lock my door at night or when I go to work.


Fair point, but I consider my house being broken into a couple of orders of magnitude more likely than my wallet being compromised.

Plus, leaving my house unlocked has no utility, whereas having a scannable copy of my master password with me at all times does.

Finally, the consequences of my house getting broken into are pretty bad. But even if I did lose my wallet it's virtually certain to be someone that knows nothing about password managers, and changing my master password is pretty easy.


The technical term is KEK, Key Encryption Key.


Bruce Schneier has said this several times too: https://www.schneier.com/blog/archives/2005/06/write_down_yo...


Beware of other important considerations when writing down passwords. For example, law enforcement can demand that you hand over a sheet of paper, but they cannot force you to divulge a password from memory. But each password carries its own weight, so while you may care about this for your disk encryption, you may not for your social media account.

There's also the risk of creating weak passwords so that they're easier to type. Ideally, your password would be generated randomly by a computer, or using other methods, like dice (e.g. https://www.eff.org/dice).


In 2005, password managers weren't very popular if there were any. Certainly the good ones didn't even exist[1].

I personally think that jotting down passwords physically is worse than saving passwords in a good password manager. Now, there are a few good ones, like 1Password[2].

So no, I disagree with this security guru's advice with the exception of 2FA recovery codes.

[1] https://en.wikipedia.org/wiki/List_of_password_managers

[2] https://en.wikipedia.org/wiki/1Password


My wife still needs to get in in the event of my demise. That's why the 1Password master password and the creds to my main machine are taped to the inside of the gun safe. If someone gets into that, we've got bigger security issues.


I took Edward Snowden's advice of using long phrase/sentences as the super security password, no crazy signs / punctuation marks required ;)


The thing is: If your password is exposed once on one site, the rest of your passwords could be guessed eventually. Unless you take some additional steps to make it really hard for anyone or any software to guess your password. See other comments on this thread.


Snowden is correct on this. The super security password should have at least as much entropy as what is being protected.


How is it worse? Storing them on a piece of paper in my safe or hidden in my home is a lot less risky.

Can malware or a MITM attack compromise connecting to a password manager? It seems like anyone anywhere could gain access to the password manager's servers (exploit) or my computer (malware).

For paper password, someone would need to know my address and then break into my house.

I personally just use memory.


Good password managers (KeePass) run locally and have no remote server to connect to. Mediocre password managers still store passwords encrypted.

If you get infected by malware then it could just grab the password as you type it anyway; if anything then using a password manager is slightly more secure, since browser integration goes over an authenticated connection that is harder for non-root applications to intercept.

If you were good at securing physical objects then you could just lock down the computer instead, and stop bothering with passwords.


A password manager is also going to be more accurate at protecting from something like this: https://en.wikipedia.org/wiki/IDN_homograph_attack


Bruce Schneier does the same thing.

Quote: I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet.


I'm surprised at how many programmers I meet who don't use a password manager. In my work alone I have over 30 credentials to remember and they expire.

An aside, I use KeePass and strictly use it offline with a secret key and passphrase. Browser integration and mobile and desktop KeePass apps are not really polished and all have their own quirks. I've noticed a huge audience of 1Password and other password managers that store the passwords in the cloud. The apps and integration look good but I can't justify trusting someone else to handle my data. Am I being too paranoid?


The only reason why this is challenging for me is because I use passwords not just when I'm home: I could use them at work, or on my phone (being anywhere - something probably not considered back in 2005?).

So having this list of passwords on a piece of paper (or whatever) becomes difficult since I'd need to consult it many times, leading to:

1. Higher risk of someone stealing it from me.

2. Higher risk of losing it.

So far, I've used some mental mnemonics to remember passwords (which is not safe since it can be easily discovered by a machine learning algo for example) + 2 factor auth.

I wonder if there's a better option though.


There's always these: https://www.qwertycards.com/

It can take a while to encode/decode each time, but it does somewhat solve the problems you mentioned.


If you take the process they outline and memorize it, you're rid of having to carry around something physical. You can still store the formula somewhere safe in case you forget it or something happens to you.

You might be surprised how little effort it takes to memorize. Half an hour a day for a few days can do it for a lot of people, followed by putting it in to practice.

The password creation process:

[~8 characters including lowercase, uppercase, and special characters]

+

[a secret word or set of characters ~8 characters long]

+

[a simple encryption method for the alphabet which you use to write the service's name down]

eg. [qWeRtY4$] + [bananas] + [ibdlfsofxt]

Which comes out to: qWeRtY4$bananasibdlfsofxt

Decrypter for the last section ('ibdlfsofxt' is 'hackernews'; every letter shifts one place forward, so the table needs both f = g and g = h):

a = b
b = c
c = d
d = e
e = f
f = g
g = h
h = i
i = j
j = k
k = l
l = m
m = n
n = o
o = p
p = q
q = r
r = s
s = t
t = u
u = v
v = w
w = x
x = y
y = z
z = a

Take those three steps and randomize them or make them something unique to you and you're good to go.

Probably the most important part of your password is the length. The longer a password is, the longer it will take for software to break it with brute force. If the service you're using has a three character name, you'll be relying on the first two parts of your passwords to reach a good length. It's good to keep those two at a combined length of around 14+ characters.

eg. [1234567]+[1234567]+[aws] = 17 characters

Some problems with this method:

A: If your password requires changing.

- To solve this, you could choose a character in the first sequence that you can increment every time you have to change your password. You could also choose a different word for the second section. Plan ahead for this scenario.

B: The service you are using doesn't allow a password with one of your special characters.

- You could try using special characters that are very commonly accepted when you create your password, such as the exclamation mark. Though, this _does_ take away from the security.

- You could also have a secondary password; one that is simplified and doesn't rely on special characters. You can have this as a backup for services that have limiting password requirements.

eg. [qwerty]+[bananas]+[ibdlfsofxt]

C: The service you're using doesn't allow a password of that length.

- As with problem B, you could have a secondary password ready ahead of time, e.g. [tY4$] + [ibdlfsofxt]


I think that the problem for quick and easy memorizations is that it could also be easy for an algorithm to crack it.

For example you have:

[qWeRtY4$] + [bananas] + [ibdlfsofxt]

If your password is exposed:

[qWeRtY4$] = remains the same for all passwords

[bananas] = remains the same for all passwords

[ibdlfsofxt] = changes for all passwords

Cracking the part that "changes" is probably not going to be difficult for a machine since you are associating the place name (hackernews or aws) with the part that changes (same number of characters). Then it won't take long for a machine to guess that you are replacing with the next alphabet letter or something else that is easy for a human to remember.

In that sense, I believe QWERTY cards are a bit more secure since it's just random characters assigned to each key, and each card is unique. It takes away the "easy to remember" part since you will have to look at the card, but it will be some orders of magnitude harder for a machine to guess it.

After multiple breaches, however, your encryption table might be exposed too. At this point you will have to change your passwords and get a new card. Probably do it every 3 months?

I don't know, sounds like a lot of work and maybe too paranoid, but I'm hopeless when thinking about password creation and making it easy to remember.
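The two comments above describe the [static] + [secret] + [shifted service name] scheme and then argue that it collapses once a couple of its passwords leak. Here is an added example (not code from either commenter) that implements the scheme and then shows the reply's point: the fixed part is simply the longest common prefix of any two leaked passwords, and the per-site tail is a shift cipher with only 26 candidates. The sample values are the ones quoted in the thread; the function names are my own.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_encode(word, shift=1):
    """Caesar-shift lowercase letters by `shift`; the comment's table is shift=1 (a->b, z->a).
    Characters outside a-z are passed through unchanged."""
    out = []
    for ch in word:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def build_password(static, secret, service, shift=1):
    """Compose [static] + [secret] + [shift-encoded service name] as the comment describes."""
    return static + secret + shift_encode(service, shift)


def recover_scheme(leaks):
    """Given (service, password) pairs believed to follow the scheme, return
    (fixed_part, shift) or None when no single scheme fits all of them.

    This is the reply's argument made concrete: the parts that "remain the same
    for all passwords" are the common prefix, and the part that "changes" is a
    shift of the service name, so there are at most 26 shifts to test."""
    pws = [pw for _, pw in leaks]
    # Longest common prefix across all leaked passwords.
    prefix = pws[0]
    for pw in pws[1:]:
        n = 0
        while n < min(len(prefix), len(pw)) and prefix[n] == pw[n]:
            n += 1
        prefix = prefix[:n]
    # Edge case: two encoded service names may share leading letters (e.g. "hackernews"
    # and "hashicorp" both start with "ha"), which over-extends the common prefix.
    # Try the longest candidate first and back off one character at a time.
    for plen in range(len(prefix), -1, -1):
        for shift in range(26):
            if all(pw[plen:] == shift_encode(svc, shift) for svc, pw in leaks):
                return prefix[:plen], shift
    return None


if __name__ == "__main__":
    # Constructed sample: the thread's own example values for two services.
    leaked = [
        ("hackernews", build_password("qWeRtY4$", "bananas", "hackernews")),
        ("aws", build_password("qWeRtY4$", "bananas", "aws")),
    ]
    print(leaked)
    print(recover_scheme(leaked))  # ('qWeRtY4$bananas', 1)
```

Once the fixed part and the shift are known, the password for any other service is fully determined, which is why the reply recommends per-site randomness (as on a QWERTY card) over a memorable transformation.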


That is pretty cool, and thanks for the detailed reply. Asking innocently, because I don't know much about this stuff and I'm lazy, but is it much more secure? The thing I liked about the qwertycards is that there isn't a single point of failure.

If somebody takes your card, you still know the secret, and that could be any number of characters you wanted it to be.


I have an encrypted USB drive [0] on my keychain with a portable installation of my password manager and a weekly-updated backup of my database. Anywhere I have access to my laptop, I have access to my login. I don't login to anything via my phone for security reasons (I still don't trust my phone to be considered secure.)

[0] https://www.amazon.com/Integral%C2%AE-8GB-Crypto-Drive-Encry...


I keep a keepass file in dropbox, and Minikeepass/dropbox client on my phone. I memorize the keepass password, can access any password from my phone, but I can also access my dropbox/keepass file from any computer if I lose my phone/it's unpowered/etc.


What if someone discovers your master password? Also: https://www.washingtonpost.com/news/the-switch/wp/2016/09/07...


Well, the master password is complex enough to have to really guess at it, even if they had the raw keepass file. And I can change it regularly without affecting any other login.

If someone does crack it, at least I have a handy database of websites and logins I have to change the password for.


Why not put it in your wallet? Don't you normally have that with you?


It's worth noting that the likelihood of someone hacking your preferred password manager is drastically higher than the likelihood of someone breaking into my house and rifling through my drawers. (My passwords aren't there either, because my memory is REALLY good at passwords, but I'd rather put them in my desk drawer than a password manager.)


Depends on who's trying to get your passwords.

Hackers from an enemy state, rival company, or government agency? Yea, they'll probably hack your password manager.

Co-worker, ex-girlfriend, etc? They'll break in your house, office, or desk.


Sure, but again, it depends what you're most worried about. All of the examples you gave are specifically of targeted attacks, but the issue with password managers is much larger: Automated, non-targeted attacks on everyone putting their passwords in a commonly understood place.


Agreed, but that's why I like the model of 1Password (or KeePass, theoretically, although it apparently had some issues?) where the only thing stored online is an encrypted vault and the decryption only happens on local devices.


KeePass doesn't store anything online by default and doesn't run any servers at all (people use their choice of online file folder provider [Dropbox, Box, OneDrive, Resilio, private servers, etc] if they want online access/sync), so you may be confusing it with something else.


I understand. 1Password (in its classic model, not sure about the team/family/web product thing or how that works) doesn't store anything online by default either. In both cases (1Password and KeePass), you can combine with an online file folder provider to achieve sync across your devices. And I like that model.


What happens if you're incapacitated somehow (say - car accident and coma for a few days, or worse)?


That'd suck, and I'd imagine whether or not I remembered all my passwords would no longer be my top concern in my life. Everything eventually filters down to an account tied to my real identity that has customer service (I don't rely on Google anymore), so presumably I could prove my identity outside of the Internet.


I think the point was more if you have family that would need the password then.


The same is applicable. Even if I were to die, a death certificate and a family member can get into an account. In most cases though, it's unlikely they'd need to. Close out my credit card, and everything else is going to, by very nature, shut off (eventually).


I mean to expand. Yes, that works and is honestly what I rely on.

I will add that it is more cumbersome than it needs to be for family. I highly encourage everyone to make sure immediate family is joint owner of critical things. Makes transitions much easier. (Though, yes, there are valid reasons not to do that.)


You can use the "I forgot my password" feature


For many years, I've been using a simple scheme: a prefix/suffix that's the same for all passwords, and identifiers for the service and username.

For example, something like this

[$#__1077__#$]---!SERVICE!USERNAME!

So, for Hackernews, I would use h for hackernews and t for theduke --> [$#__1077__#$]---!h!t!

Now all I have to remember is the template and my username.

For accounts that need regular password changes I'll add an additional part that identifies the year and the quarter.

Of course, if someone were to get a hold of the cleartext password for one site, they might be able to figure out the scheme and get into all my accounts.

But that's a risk I'm willing to take (except for very important accounts/passwords, which get randomly created).


I do something very similar, but sometimes you run into passwords that disallow certain special characters and it's awful.


Not writing down passwords made sense >20 years ago when the main threats you wanted to defend from were "local" because internet connectivity was not ubiquitous, and you would have only one password or two to manage...

In today's world with widespread internet connectivity and dozens of passwords to manage, password managers and/or writing down and (certain) dual factor identification approaches make more sense...


What I do is record clues to what the actual password is. Clues that only I know the meaning of.

I was given a random password for an account years ago and came up with a sentence that I associate with the original random password.

Whenever I use that random string in a password and I want to write down the password, I record that sentence instead of the original random string.

That way anybody that finds what I've written can't really use it.


There is a third option:

Write down or save most of your password in a password manager. Add a secret prefix or suffix string to this password from memory when logging in.

This effectively gives you MFA. Something you have, something you know.

Every login gets a different password (that you don't have to remember) yet nobody knows the real password even if the password manager or piece of paper is compromised.


I forgot my password last year for a government taxation site. I called them and the person I was speaking to gave me a couple of clues and I was able to remember it. Clearly she was looking at it. My main feeling at the time was relief that I hadn't used an embarrassing one.


I've noticed music theory is especially good for coming up with good password schemes that also encourage rotation. I've wondered if chemistry students have a similar edge.


What about the fact that you can't be compelled by courts to reveal a password that you have memorised, but you can be compelled to hand over physical keys.


I remember things I jot down; I forget things that I type. I'm done ignoring that insight, but most people do ignore it.



