There are days when surfing the Internet seems to me like skating on thin ice – one wrong move and you’re in trouble. I know – this past weekend I got hacked. After 20+ years – BAM!
There are any number of possibilities as to what happened, but one of those possibilities is not unauthorized access to passwords I saved online. I don’t save passwords online. I never have, and I never will.
Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure.
There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue, and here’s why –
The world is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true.
One piece of computer security advice that you’ve probably heard over and over again is – don’t write down your password(s). The problem is, this piece of advice couldn’t be more wrong, despite the fact that it seems reasonable, responsible and accurate.
Here’s the dilemma we face. Complicated, and therefore safe, passwords are hard to remember, whereas easy, and therefore unsafe, passwords are easy to remember. No surprise then that most computer users employ easy to remember, and unsafe, passwords.
You know the kind of passwords I’m talking about – obvious passwords, like your first name, or your wife’s name, child’s name, date of birth, etc. – passwords you’re not likely to forget. And that’s the problem – there’s no point in having a password at all if cyber-criminals will have no difficulty in figuring it out.
Cyber-criminals use simple processes, all the way to highly sophisticated techniques, to capture online passwords as evidenced by the Hotmail fiasco last year, in which an anonymous user posted usernames, and passwords, for over 10,000 Windows Live Hotmail accounts to a web site. Some reports indicate that Google’s Gmail, and Yahoo Mail, were also targeted. This specific targeting is one possibility that might explain how my Gmail account got hacked.
Not surprisingly, 123456 was the most common password captured, followed by (are you ready for this?), 123456789. Some truly brilliant users used reverse numbers, with 654321 being very common. Pretty tricky, huh? I’m being a little cynical, but...
I know that on the face of it, writing down your password seems counter intuitive and flies in the face of conventional wisdom, since the issue here is one of security and safety.
But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.
While it may be true that you don’t want your wife, lover, roommate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk – the real risk lies in the cyber-criminal, who is perhaps thousands of miles away.
Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.
Here are some guidelines on choosing a strong password:
Make sure your password contains a minimum of 8 characters.
Use upper and lower case, punctuation marks and numbers.
Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.
Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.
Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?
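As an added illustration of the five guidelines above (it is not code from the original article), here is a small Python checker that reports which guideline a candidate password breaks, together with a generator that draws passwords from the `secrets` module and resamples until the checker passes. The common-password and dictionary lists are constructed samples (the first three entries are the ones named in the article); a real deployment would load full word lists, and the `require_punctuation` switch stands in for sites that reject symbols, a limitation the article notes for pass phrases.

```python
import secrets
import string

# Constructed sample lists: the common passwords named in the post plus a
# tiny stand-in for a dictionary. A real checker would load full word lists.
COMMON_PASSWORDS = {"123456", "123456789", "654321", "password", "qwerty"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "letmein", "welcome"}


def check_password(password: str, require_punctuation: bool = True) -> list:
    """Return the guideline violations for `password`; an empty list means it passes.

    `require_punctuation` can be switched off for sites that reject symbols.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # A pass phrase (four or more words) is judged on length rather than on
    # character classes, matching the guideline that a sentence is acceptable.
    is_passphrase = len(password.split()) >= 4
    if not is_passphrase:
        if not any(c.islower() for c in password):
            problems.append("no lower-case letter")
        if not any(c.isupper() for c in password):
            problems.append("no upper-case letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if require_punctuation and not any(c in string.punctuation for c in password):
            problems.append("no punctuation")

    if password in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if password.lower() in DICTIONARY_WORDS:
        problems.append("is a single dictionary word")
    return problems


def generate_password(length: int = 16, allow_symbols: bool = True) -> str:
    """Draw a random password with `secrets` (a CSPRNG, unlike `random`) and
    resample until it satisfies check_password under the site's limits."""
    if length < 8:
        raise ValueError("guideline minimum is 8 characters")
    alphabet = string.ascii_letters + string.digits
    if allow_symbols:
        alphabet += string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, require_punctuation=allow_symbols):
            return candidate


if __name__ == "__main__":
    # Constructed samples: the weakest ones from the article and two strong forms.
    for sample in ["123456", "dragon", "Dragon12", "Tr0ub4dor&3",
                   "correct horse battery staple"]:
        print(f"{sample!r}: {check_password(sample) or 'passes'}")
    print("generated:", generate_password())
    print("generated, no symbols:", generate_password(12, allow_symbols=False))
```

The generator resamples rather than forcing one character of each class into fixed positions, so every emitted password is uniformly drawn from the set of compliant strings of that length; the same check that grades a hand-written password grades the generated one.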
You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.
Guest writer, Glenn Taggart’s article from yesterday – LastPass Password Manager – Secure Your Passwords and User Names, offers a terrific review of another free password application.
If you have difficulty in devising a strong password(s), take a look at Random.org’s Random Password Generator – a very cool free password tool.
As an additional form of protection, you should consider the Firefox add-on KeyScrambler, which will protect you from both known and unknown keyloggers.
For additional info on password management, check out Rick Robinette’s “PASS-the-WORD… Basic password management tips”. Many regular readers will remember that Rick is a very popular guest writer on this site.
28 responses to “Should You Forget About Password Safes and Write Down Your Passwords?”
FYI, Password Safe has a built-in password generator. It allows you to set the configuration to match any password content limitations for the site on which the password will be used (number of characters, no symbols allowed, etc.)
Thanks Jeff – I appreciate the info.
He who believes in security provided by passwords also believes in Father Christmas, the Easter Bunny, the Tooth Fairy, etc.
The sad truth is that passwords protect you from your small nephew at best. Simple passwords are cracked sooner than complicated ones; they delay a determined hacker for minutes or hours at best.
I agree – but there’s no point in making yourself part of the “low hanging” fruit crowd with poor password control.
So your advice is don’t use password safes and use your book? For me, I just use my PC to store my passwords in a notepad (I never got hacked before).
Thanks for this great article and I hope you have a good weekend!
I don’t think storing your passwords in plain text on your computer is a good idea. While you may not have been hacked yet, the possibility certainly exists. Otherwise, you wouldn’t use AV protection, right?
The more complicated it gets – the more complicated it gets.
That’s a mouthful Liam, but so true.
I neither use 3rd party apps for password management nor write them down in notebooks. It’s all up there in my brain. My passwords however are lengthy, even though I prefer to use my brain more…
After all, these kinds of activities keep our brain cells charged… 😉
I’d like to keep mine there too – not enough room left though. lol
Use CCleaner then… Lol.. 😛
Thanks for the hint Ranjan – that just might work. 🙂
Yeah, I really need to get some kind of local password safe. I used to keep them written down on a piece of paper, and then I left it in my pocket one day and washed it. Crap! I lost all my passwords. And some of them were really complicated. Now I just rotate through five different ones, and if it’s not the right one when I log on, I try one of my others. There’s no way in hell anyone would guess them as they’re words I made up and don’t exist anywhere outside my head. I’ve been doing this for years, and it seems to work okay.
It’s hard not to see just how practical that is. Beats the hell out of fancy smancy.
Good to hear from you.
Great advice. Of course, most people will not take heed and that’s their choice. Personally, I’m like you, I now write them down. With the ever changing nature of malware, chances are I will come across something that will evade ALL my protections, and be able to penetrate any password safe I have. I was sick of worrying about that possibility, however small it might be and however vigilant I might be.
Most people I know just don’t understand how dangerous the internet is now, compared to say 10 years ago. It’s all shiny and new and everyone uses it, so it must be safe they say. It’s not their fault they think this way, but some of them will learn the truth the hard way.
Well, it was your comment, last night, that got me thinking about what I’d said on this previously.
Our views on password safes are identical – if it CAN be penetrated, it WILL be.
As Georg Lechner said in his comment “He who believes in security provided by passwords also believes in Father Christmas, the Easter Bunny, the Tooth Fairy, etc.” I couldn’t agree more.
I absolutely agree with your statement, “Most people I know just don’t understand how dangerous the Internet is now, compared to say 10 years ago”. Sounds as if we know the same kind of people. 🙂
I’m glad my comment yesterday sparked some comments on this.
The way I look at it, if any kind of password manager is safe, then why are we always updating our antivirus etc.? In the last month alone, I have updated Zemana twice. That tells me that malware is constantly evolving, otherwise there would be no updates, would there?
A perfect illustration of the value of comments, and the discussions they can provoke. So, thank you for that.
Every day, new malware runs somewhere between 20,000 – 40,000, depending on who you believe. If malware wasn’t evolving in this way, as you say – “there would be no updates, would there?”
Nice work on this article… as usual. I couldn’t agree more with your reply to Georg Lechner. Hackers are opportunists at heart and will always go for low hanging fruit and give up on the tough ones that are harder to break because they use layered defense and/or have a strong password that is taking too long to break.
Thank you for the supportive comment.
You’ve summed up the “low hanging fruit” principle nicely. Sure, there are carefully crafted targeted attacks which are difficult to protect against, but most attacks are aimed at the undereducated, and the weakly protected – the low hanging fruit.
Good to see you here.
I’m a little confused by the suggestion that if passwords were perfect we would not need AV protection. The hacking of passwords is surely only one use of viruses.
As you may remember I use RoboForm2Go. This is kept on a pen drive, not my computer. It generates random passwords and enters them automatically, so keylogging is apparently not a problem.
My own belief is that nothing is 100 percent secure, it’s all a question of relativity. This is borne out by your own experience.
I think that if everyone realised that they will get hacked or infected at some stage, it would make them a lot more careful.
By the way I’ve written to you a couple of times about not using the Windows admin account to surf online. This followed my own experience when my PC would not load my profile. I now have 2 admin accounts plus one without admin permissions that I use on line.
Well, I don’t think the comment was meant to give the impression that “if passwords were perfect we would not need AV protection”. Instead, it was meant to illustrate one specific area.
You’re right, of course, in stating that no system is ever 100% secure. For every new safeguard we install, cyber crooks develop the means to penetrate. We’re involved in a circular chase that seems to have no end.
I do appreciate your suggestion concerning Admin accounts, and in fact, I have included this tip a number of times in previous articles.
I keep all my passwords in a password protected Excel spreadsheet which is contained in a TrueCrypt encrypted volume. I have to remember 2 random alpha/numeric passwords to gain access to all my other passwords.
I can’t imagine anything better than that. Thanks for pointing out this technique.
Just a reminder,
“that Rick is a very poplar guest writer”
Poplar is a tree not an adjective…
Thanks Adrian. Damn that spell checker. :0
Pingback: In The News: Poor Password Practices: Do We Have Too Many Passwords To Remember? | Paul's Home Computing Blog
Pingback: Finance Sites Collect Bank, Card Passwords | Credit and Loan