For many, many years, you’ve heard the advice: “Never save passwords by writing them down.” This is trumpeted at work, from online services, from financial institutions. Well, it’s wrong. Not in every case, but in many. It encourages people to pick weaker passwords either in complexity or length because they must manage them.
If you’ve adopted a password-management app like 1Password or LastPass, you shouldn’t need to write anything down, of course: your devices retain and optionally sync passwords and other secure data, and you only need to remember a single piece of information—namely, your master password. But what if you forget that? We are all fallible, and sometimes our brains work against us.
The greatest risk most home users face is the vast, seething pool of criminals, vandals’, governments, and random opportunists. These risks emerge from remote access and, typically, exploits. This can be giant password leaks that reveal millions of account secrets. Or it can be a software failure, whether in apps residing on your computer or cloud services, that allows recovering passwords or trying millions of common ones without being locked out.
The risk is rarely someone gaining physical access to your home, figuring out where you store the passwords, and either copying down, photographing, or running off with the list or notebook.
Now, if you’re in shared housing, part of a family, or routinely have strangers pass through your home, you’ll want to take additional measures. This can include, that people write their passwords down on a small piece of paper and keep it with their other valuable small pieces of paper: in their wallet.
Another major incident causing the loss of passwords can be by purchasing a new computer or wiping your existing one. Any passwords saved will no longer be available and will require you to recover all of them, for the different applications or websites you access.
If you don’t include services or website names with those passwords, the passwords on their own are valueless in most cases if that piece of paper were lost, when writing down your information. It’s only valuable to people who might already have access to your computers or other devices. Furthermore, there are offline software programs designed to keep your details safe, that provide additional options if you’re worried about your information being used once written down.
What type of password should I use?
If you’re writing down passwords, simplicity helps, but you don’t have to be less secure when you pick something memorable and easy to write out and enter. The most commonly used type is so-called Dice-ware passphrases, which combine randomness with a modest dictionary, available in many languages. It may seem counter-intuitive to use words found in a dictionary, but a random combination of multiple words can’t be dispatched with brute force, even when all the words are known.
When you’re more restricted in what you can pick, you can turn to password-pattern systems, which are available as pre-printed cards and as apps. Rather than storing the full password, these systems help you generate a stub that you can use a standard formula to append to. The formula can’t be guessed and has enough variation in it to produce a password that’s highly resistant to brute-force cracking over very long periods of computationally intensive attempts.
You can even find actual wallet cards, like Qwertycards, which print unique variants for each customer, or use an app like Password Chef, recently reviewed at Macworld.
Even better, write down a password (something you know) and enable two-factor authentication. That second factor can be generated by an app, sent as a text message, or produced in a service’s own software, or you can use Touch ID or other biometrics to validate your identity. Someone stealing all your two-factor-protected written-down passwords still can’t access your accounts without the second factor, too, all of which will likely reside in your phone.
By: Matthew Clark