How-To Geek

Ask How-To Geek: What’s Wrong With Writing Down Your Password?

Recently a reader asked me why she wasn’t supposed to write down her passwords—which is a very good question. Ignoring all the geeky password manager talk, why can’t a home user write down passwords? Let’s examine this topic more closely.

If you’ve never heard anybody say this, you probably haven’t talked to enough network security types—writing your passwords on a piece of paper or a sticky note is generally frowned upon.

So Why Can’t You Write Down Your Password?

We’ve already established that you aren’t “supposed” to write down your passwords, but why not? Are people really going to rifle through your stuff to find your password, and then use it maliciously? What if somebody breaks into your house, are they going to sit down at your PC and use your password? The answer to all of this can be summed up easily:

  • Work Users: Do Not Write Down Your Password
  • Home Users: Writing Down Passwords Is Fine, Usually

To put these in a little more context, let’s look at each one separately and discuss why you should or shouldn’t write down your password.

If  You’re a Work User

When you’re a corporate sloth and stuck at a desk for an arbitrary number of hours each day bored out of your mind, most of the passwords that you will use are probably for work-related applications like your corporate email, databases, and accounting systems.

Here’s why you probably should not write down your password at work, and should instead opt for passwords that you can remember, or use a password manager:

  • It’s probably against your company’s policies to write down your password.
  • If somebody finds the password and does something bad with your account, you could get fired.
  • Even if you write down the password and lock it up, it’s probably not terribly secure.
  • What are you going to do, cover the sticky note with your hand when the cleaning staff comes by?
  • All the IT people will laugh at you.

You should also figure out what your organization’s policies are concerning passwords, and follow those.

If You’re a Home User

When you are a home user, your most important passwords are your email, bank, and probably your Facebook password. Your Windows logon password, by contrast, buys you very little against anyone who can physically touch the machine (see below), but you should make absolutely certain that your email and bank passwords are strong—and not the same.

Here’s why it doesn’t really matter if you write down your password at home (usually, at least):

  • If somebody has physical access to your PC, you are screwed, and your password can easily be cracked or reset. (see below)
  • If somebody breaks into your house, they could just take the whole PC or laptop. They might also steal your beer.
  • The biggest problem for home users is having their banking / email passwords stolen online—through phishing, malware on the PC, or a breach at the site itself. If writing down a tough password helps keep you from identity theft, go for it.

There are exceptions to these rules of course—if you’re sharing an apartment with other people that you don’t totally trust, you should probably move. Also, you might not want to write down your passwords, and opt for a tough password or a password manager application. Maybe sleep with one eye open.

If you’re a home user with kids around, you might not want to write down the Windows password if there’s adult material on your PC. Or the internet—I hear there’s some adult content there too.

Choosing Strong, Unique Passwords Is All-Important Online

We simply can’t state this enough—your email and banking passwords are extremely important, and you should use a different strong password for each one. Here are a couple of quick rules to help you stay safe:

  • Use separate passwords for your online accounts—otherwise, if somebody cracks or steals one password, they can access all of your accounts.
  • Use strong passwords for your accounts: long ones, mixing letters, numbers and symbols. Length does far more for you than a clever substitution; a long random string, or a passphrase of several unrelated words, beats a short word with a digit tacked on.
  • Do not use the name of your pet, child, significant other, insignificant other, school, mom, or anything that somebody could easily guess or look up.
  • Make sure the security question on your email or bank account is set to something unique, and write the answer down somewhere. Do not blindly answer the question with your pet’s name or something somebody can easily figure out. Guessable recovery answers are one of the most common ways accounts get taken over, because a password reset bypasses your carefully chosen password entirely.

If writing down these passwords and secret questions helps you be able to use strong passwords and prevent identity theft, it’s worth it, right?

Your Windows Password Is Easily Crackable

If somebody has physical access to your PC for a couple of minutes and the drive is not encrypted, it doesn’t matter what Windows, OS X, or Linux password you use. It’s as simple as that.

Want proof? Here are all the ways that your computer password can be cracked or reset, and keep in mind that these are only the ways that we’ve covered here on How-To Geek. And we’re the good guys!

Wow, that sure makes me feel secure! So how do you prevent this, you ask? You can use full drive encryption if you choose to. With the disk encrypted, booting from a CD or pulling the drive gets an attacker nothing but ciphertext, so the logon password reset tricks stop working.

Since your vacation photos of you eating too much probably aren’t worth encrypting, your best bet is actually…

Password Managers Are Your Best Bet

Using a good password manager is the best way to protect your passwords from everybody and to easily use a different strong password for every site. All of your passwords are kept behind strong encryption keyed from a single master password, and remain easily accessible for everyday use.

My personal favorite password manager is LastPass, which integrates directly into your browser, and stores the encrypted passwords on their servers, syncing them to every device you can install the extension on. You can even use it to store other data, like notes or credit card numbers.

Note: While the passwords may be stored on their servers, the great thing is that the master encryption key is not—all the passwords are decrypted in your browser, so they cannot see any of your password information. The flip side is that the protection is only as strong as your master password: anyone who obtains the encrypted vault (from the servers, or from your own disk) can try master passwords against it offline at their leisure, so make it long and unique, and remember that nobody can reset it for you if you forget it.

You can also use KeePass, which is an excellent password manager with loads of plugins and other features. I don’t use it because it’s separate from the browser, which is where all my passwords need to be used, but it’s still a worthy application.


So what do you think? Are you angry with rage at the notion that I’m telling people to write down their passwords? Turn off your Caps Lock and share your opinion in the comments.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 10/7/10

Comments (50)

  1. Santo

    Very well written.

  2. Steve K

    Like you, I’m a major fan of Lastpass.

    However, when teaching company security classes, I tell them it is OK to write down passwords under three conditions:

    1. It is mixed in a list of fake passwords
    2. the first two, or last two characters are not written down
    3. the list is carried in your wallet, and is on an otherwise blank paper

    I figure they’ll write it down anyway, so I might as well teach them how to do it in a way that minimizes risk.

  3. The Geek

    @Steve

    Those are great tips, especially if the password is carried in the wallet, which isn’t something I wanted to recommend =)

    I figure keeping your bank password written down at home is just as safe as all your checkbooks, bank statements, and everything else you keep at home already.

  4. Iszi

    I think one thing that was totally missed out on was the risk for laptop users who write down their passwords. As laptops and netbooks become cheaper and easier to use, more people are switching to these as their primary computers. Most laptop users with written passwords will probably store them in their laptop bag. Additionally, some people even include usernames with the written passwords! So, if the bag is stolen or even just snooped through in an airport or coffee shop, the victim’s complete online identity – including e-mail and bank accounts – is exposed!

    This is also a big issue when it comes to two-factor authentication. You’ve already addressed the “Work Passwords” topic, which probably covers at least 80% of these users. But, more and more these days, banks and other online service providers are issuing security token hardware to augment their user’s account security. Some people seem to have the misconception that the little security token they’re issued makes them invincible to identity theft. I issue these tokens for my company’s VPN system, and see at least one in ten users try to write down their PIN immediately after it’s been set – right in front of me! Writing a PIN and carrying it with your token, is just like sticking your PIN onto the back of your ATM/Debit card! Would you recommend that as well?

    So, obviously I’m a strong opponent of having any passwords of any type written down. The only concession I could see, would be for a home desktop user who fully trusts the other members and guests of his/her house with whatever information is stored on their computer. Even then, I’d strongly suggest that the only passwords they write down are passwords that are local to that computer and not used on any other system or online account. Other passwords should either stay memorized, or be locked in a Password Manager behind a secure mechanism that does not include the written-down password.

    Kudos for bringing up the point about security questions, though. User-defined security questions and answers used to be a part of our process, when we still used paper forms. Since the questions were filled out by the user on paper, I of course saw these in order to enter them into our Help Desk’s database. I can’t begin to think of how many times people would use things that were easily accessible public information, or would otherwise be common knowledge among peers or acquaintances!

  5. The Geek

    @Iszi

    Yeah, I was really meaning if they write down the password and store it at home. Good points though – obviously laptop users are likely to carry the passwords with them.

    That’s why I said LastPass is really the best solution, because that can be carried with you and you don’t need to write anything down.

  6. Iagoman

    I was one of those people with my passwords written down on sticky notes and also stored on my laptop. I then tried RoboForm (Roboform.com) and am in love with my security methods. When I go to a site, RoboForm asks me if I want to save the password or have the program generate one. It has many features that allow you to store sensitive info that is only accessible by you, the owner. I have a master password that is long and complicated and it allows me access to all the stored p/w’s (approximately 40+ at this writing). I do not have that password written down anywhere, but I will never forget it for reasons I shall not say here. I suggest that anyone concerned about p/w security should review the RoboForm product. It’s great.

  7. sheila stern

    Is there something like that for Apple?

  8. Barbara

    How do you feel about keeping the passwords in a password-protected Excel spreadsheet?

  9. Bruce H. Johnson

    Another possible option is to use a USB device, perhaps with a password manager. I carry one around my neck with passwords, setup and other information. Back it up with a password-protected ZIP.

  10. asdf-chan

    “All the IT people will laugh at you.”
    Always will and do : )

    Well … password managers don’t work for encrypted laptops.

    @Iagoman

    Get away from closed source when it comes to security; you never know if they have backdoors for agencies or abuse your passwords etc. for their own good.

  11. Marfa

    KeePass and a separate paranoid password for every site and etc.

  12. Todd

    Instead of writing down the actual password, I recommend to people to write down a phrase that reminds them of their password. So if it’s “PurpleRain” for example, they might put “colorful weather”. This way they have their reminder, and someone else encountering the note will not know what it means.

  13. gilteon

    When I was trying to memorize my PIN number, I wrote down four symbols which represented the numbers to me (they weren’t obvious, like pentagon=5). Besides being obfuscated, the numbers were also in the wrong order. Eventually I became so used to having to think out the rearrangement of digits that I was able to remember the number without the paper. For really secure passwords, I stick to KeePass with a longish (36 char) master password that isn’t written down or otherwise stored anywhere outside my head.

  14. KB Prez

    I never write passwords down even at home. I use KeePass to store all my User ID and password info.

    My security software (Norton Internet Security) has a built-in password mgr (Identity Safe) that works within browsers. I love it because I can create very long and cryptic passwords that I don’t have to try to memorize.

  15. 3sushis

    I like the hide in plain sight approach. Buy a box or two of staples that don’t fit your stapler and leave them in a drawer with the bar code visible. Underneath the barcode are ten random numbers in plain sight. Toss in a couple of letters or another innocuous barcode and you can have twenty digits in plain sight.

  16. John Tod

    I had used the same password for years for everything except banking passwords, they are unique. So I only had two passwords to remember. Someone would have to know me VERY well to hack those passwords. Then my Facebook password was hacked once. I started getting messages from people telling me I was spamming them from Facebook and then I got a message from Facebook security telling me they had locked out my account and were sending me a new temporary password so I could log in and change it which I did, after confirming that I really was locked out and could not log into Facebook, just in case it was a phishing email. I then changed the password on the other accounts that I had used that old password on. I left my banking passwords as they were because they are completely different. So far no problems. And, no, I never wrote the passwords down. How my Facebook password was hacked and by who or how I have no idea.

    I know Windows passwords can be bypassed easily. Where I used to work we had a hacker CD that we would use to get into someones PC who had gone on vacation or something and had changed their password just before they left. When they returned they could not remember it. This particular CD simply went into the registry and erased the password so when the system was rebooted it didn’t have a password anymore. You had to boot off the CD. It ran under Linux and was simple to use. If the PC was set up normally all you had to do was press enter at every question and it did its thing. I still have a copy of that CD just in case. A friend of mine called me the other day. He has a PC he can’t get into and I have to go over and crack into the PC.

  17. John Tod

    It bothers me that LastPass is free. I am always wary of the “free lunch”. Someone unscrupulous could, if they wanted to, access their so-called encrypted database and have instant access to a whole bunch of passwords. I would rather not trust a password manager and just rely on my own password. My thoughts anyway.

  18. Jeremy

    I was kind of surprised (but I guess I shouldn’t be) that you had the same advice I give. Go ahead and write them down! Most people are fine doing so and better secured for it (at home anyway).

    As for password managers, I don’t use them personally since I already use Truecrypt for other files. Might as well shove the passwords in there too.

    Next you’ll have to tackle the “should I change my password” one. I usually tell people that if someone who gets in your account is likely to make a mess and cause trouble, you don’t need to change it since you’ll know they were there. If they’d spy on you forever until you change it, those are the passwords you need to change.

  19. Barron

    Great post. I was wondering: if these password managers manage all the passwords for you and fill in the password on login, would it be possible to decrypt the password using software like, for example, Asterisk Password Reveal?

  20. Jason

    My work situation is a little different. Our IT guy got tired of idiots at work trying to type in their network passwords with the caps lock on. So, he instituted a policy of requiring six-character passwords with numerals *only*. Plus, when setting up a new account for someone, he hands them a copy of the password- written on a sticky note. :-/

    Unfortunately, I have very bad memory problems, so I have to store passwords somewhere. Because of the format of the passwords, what I do is take my assigned passwords, obfuscate them with a simple mathematical formula and then write them down as part of a fake phone number on a list of other fake numbers.

  21. Austen

    I like the idea of using a password manager to help remember complicated passwords, and save time filling them in. But, how do I know that my passwords are ACTUALLY not able to be viewed by lastpass devs or admins. Or what is to stop someone from actually just hacking lastpass itself to get all the passwords?

  22. Jason

    @John Tod:

    You missed the part where LastPass doesn’t store the encryption key on their servers. No one- not even them- can access your passwords without your master password. (Which also means you need to remember the password- if you forget it, you’re SOL). The only thing the LastPass servers ever see is your account name and a block of data that was encrypted on your end. The only attack vector is if your own machine is compromised- which is the flaw of *any* password system. If you get malware on your computer, it can log your carefully remembered passwords as you type them in just as easily as it could mine your PC for stored passwords.

    Also, LastPass may be free for the basic service, but they also have premium accounts that you pay for. It’s a standard Internet business strategy used by many companies, including Google and Microsoft.

  23. Lisa

    I can’t believe how many people I know who have had their email/Facebook/Twitter, etc. accounts hacked. I also can’t believe how many people don’t use password managers. I’ll be passing this article on to them.

    I use both Lastpass and Keepass(x) and can’t imagine living without them.

    Cheers.

  24. Lisa

    P.S. @Austen: Many people on the Lastpass forums have had exactly your concerns and they have been addressed (to my satisfaction, anyways) by the developers.

    http://forums.lastpass.com/

    Or, alternatively, you could use Keepass, which has some plugins available to assist with browser integration.

  25. John

    Personally, I prefer KeePassX for a password manager solution. I prefer it because it doesn’t automatically enter passwords for me, and doesn’t integrate into the browser. I keep a copy of my password db stored on both my Windows and Linux installs, a thumbdrive, and on Dropbox. The last two include the program as well in case of a catastrophic failure. The main advantage over KeePass for me is that it works on Linux installs without requiring Mono to be installed (I’ve yet to need it, so I don’t feel like installing it).

  26. Jodi Holmes

    I found the article useful. I already use strong passwords but keeping track is a problem. Password managers and encryption for sensitive data is just what I need.

  27. Mike

    How about identity theft? That would really, really screw up your life!

  28. jd2066

    I use KeePass.
    Recently I found the extension KeeFox ( http://keefox.org ) for Firefox which adds integration with KeePass to Firefox.
    Justin

  29. Derf24

    Interesting discussion. We’re an octogenarian couple active using 4 PCs. If we cannot write down critical data we’ve had it. Our respective memories are not just unreliable, they are unpredictable. I’ve found I must use a word clue X which leads to an e-mail address or url Y which leads to password Z. I remember X but not always when I want to. [Sometimes a day or two later!]

    For retired folks the laptop bag is a real danger area for ID paper

  30. 34woody

    I like Password Corral and have used it successfully for years. Great article!!

  31. Harvey

    I have used Roboform for many years. It is easy and gives many options. GREAT

  32. Barb

    I’ve had to write down passwords when I’ve been forced to change them by IT policies.
    Don’t want people to write down passwords? Make us create a good one, but then don’t force us to change it on your schedule.

    There’s one that has to be changed so frequently (90 days) that everyone gave up and just hits “Forgot password. Please reset.”

  33. infmom

    I write my passwords down, but in code. If anyone can decipher (a) my handwriting and (b) my thought process, I’ll stand back and applaud. :)

  34. orangespot

    great article, thanks for all the info and reminders.

  35. Darryl C Gardner

    Very good info.

    I use a different technique.

    I don’t use online banking, period. In fact I don’t even know how to get into my account from a computer. I’d rather drop by, and get my favorite lollipop from their handouts – which can’t be done online.

    The same goes for other “important numbers”. I never put Social Security, Drivers License, etc. numbers on the computer.

    If they manage to hack into my E-mail account, simply get another one.

    And if they accost you on the street, hand them a paper bag full of garbage, and run the other way.

  36. dennis cheney

    A strange thing happened to me. I bought my computer 2 yrs ago, I drank a lot and I didn’t care about security, “Oh, the hell with it.” I only needed it for three things. So I started looking deeper and I jumped out of my chair. Get this, someone put porn in my computer, I sure in the hell didn’t, it looked good so I go deeper, there were pictures of naked little girls that I didn’t know about. I called the police but they only took my info to check if I had a history, I can’t believe this? They didn’t care. So much for security, but I got on it. I call the capt. up and ask him, “I’m sitting in my apt with something that’s very illegal, right?”, he says you can believe it, oh shit. La Crosse WI where I live is going to legalize the good stuff later. Later

  37. ilikefree

    I’m like Darryl C Gardner and don’t use any computer for banking. Only passwords I have are for a smut site. I don’t care if that is cracked. I do know people that write their passwords on the calendar in the kitchen along with the shopping list.

  38. mikycomputers

    very well written and helpful,
    thank you very much.

  39. Judith

    I’m a home user. I not only write them down, I put them on Avery business cards with pertinent info and file them in a card box. Besides passwords, I make cards for all my pcs and peripherals noting models, serial numbers, dates purchased, hardware and software included, and info on warranty if any. I can’t tell you the number of times I have needed that info. But, if I were still working, that information would be either kept at home or under lock and key.

  40. daerhun

    Or, you could just simply use a password manager to guard your passwords behind a single password, and another password manager to guard the password of the first password manager.
    And THAT is crack-proof.

    I bet this is the page that repeats the most the password word in the world (or in the internet, but to finish that sentence with the “world” word was something that had to be done).

    Now seriously, it’s a great post and a great site.
    So, thanks for the site and keep up the hard work.

  41. Chris

    What if your system crashes, and you have to get a new computer. Can you still access LastPass? How about other Managers? TrueCrypt? Or is there something specific to the original machine that is used in the encryption scheme?

  42. David

    The easiest way to remember a password is to make a sentence such as “My 1st bank account was with Natwest Bank in Manchester.” Your online banking password is now “M1BawwNWBiM”. For your email it could be “The nearest post box is a 20 minute walk away.” So the password would be “Tnpbia20mwa”.

  43. Daniel

    I use a 16 digit password for my banking, email, and important accounts. Dumbass accounts ( some forums, stuff like that) I use a simple, short password.

    My strategy uses a four digit “key” with a 12 digit strong password which I change every six weeks or so. (I have it as a recurring task on my task manager). I memorize the key and either use it in front of or at the end of the 12 digits. So it might look like ####A?ymAFW@s0AZ where the # is the key.

    I also change up the key every second change (or 12 weeks). This allows me to have a strong password that I can write down, but is not readily breakable . Simple, but effective.

  44. Mike

    The answer to this whole issue is existential at best. In reality there is no security for anything, even the secrets of your own mind. If anyone wants anything, it just means that they have to go through a benefit and loss calculation. If the benefit is great enough then nothing is safe. That person or organization will do whatever is needed to get what they want, regardless of the possible consequences in many cases, based on their calculations. Do I want this bad enough and will I take the chance to get it?

  45. Thunderman

    Semi-off topic, but maybe interesting.
    I am running the IT for a small company. A month ago we had a head-of-dept swap. My new boss now wants me to put together a map with ALL known passwords including logon names etc. for all my colleagues, every website we use to order items, our domain, our routers, even our admin account.

    Funny thing is, this boss used to be ‘IT coordinator’ for a similar company. ‘In my former company, it was very convenient if someone was ill’… Yeah, talk about secure! How ’bout that? What do you think about this security setup?

  46. Khaos

    My personal measure for potentially “Writing them down” is having a grid of letters and numbers along with pattern identifiers only you know how to use, such as:

    10×10 grid:
    Locations and order of password keys in columns 7-10.
    Actual password characters scrambled in upper/lower left corners.
    The trick is, use your head to make a “Password Pad”. You can also have some reversing or coding for your passes, such as turning the alphabet upside-down or embedding password letters in numbers, tricking the thief’s head.

  47. Wayne Riker

    I’ve had to carry a list of passwords to the library. I don’t make it into a ‘list,’ rather a note that is normal to read, as with a name, phone number, address, or whatever. It is in code. I can pull my passwords by knowing the locations of the characters. Sometimes just a hint, not the actual password.

  48. John Chorley

    You should never make a random jumbled up password. You’ll likely forget it.

    Use an English word followed by a series of numbers with upper and lower case characters, make the word something completely unrelated to you. A good one is using something you are afraid of, or just the first word that comes into your head.

  49. rini

    Why can’t I open my Facebook, even though I remember my password?

  50. elton john

    Hello,
    I’m Elton John. Nice advice :)
