"Passwords stored in clear text, written on a post it note and stuck to your monitor or an Excel document with all of your usernames – these are but a few of the ways you can store your passwords insecurely."
Is it safe to write your passwords down on paper?
Since the inception of authentication, secure password storage has always been a hot topic of debate in the world of cyber security. Passwords stored in clear text, written on a post it note and stuck to your monitor or an Excel document with all of your usernames – these are but a few of the ways you can store your passwords insecurely.
When posing this question to the internet, it came up with a response I didn’t agree with:
“It is generally not recommended to write passwords down in a book or on a piece of paper, as these can be easily lost or stolen.”
Why don’t I agree with this answer?
Simply put, the argument over how to store passwords securely is missing context. I think there is some value in showing the risk of writing down passwords, and posing questions as to whether the password is secure.
Let’s run through a pictorial thought experiment to see if we can add some context!
In the picture below, is the password stored securely?
Simple answer: No. Anyone can walk past the computer and steal the password. But let’s add some context…
The computer that this password is attached to is located inside the room below. Is the password stored securely?
Simple answer: Still no. Multiple people could have access to that vault meaning his password is known by anyone with access. Let’s add some more context…
This is Freddie. He is the only one with access to the vault. Is the password stored securely?
Simple answer: Potentially not. As Freddie is entering his vault someone could tailgate him into the room and steal his password. Let’s try adding enough context so that we can convincingly say that his password is stored securely…
This is the building where Freddies vault is located.
The vault is located on the top floor, which only he has access to.
He needs to pass through five security gates on the top floor to reach his vault, and voice and fingerprint ID is required to open each security gate.
Finally, there are security guards at the first two gates which will restrain anyone that tries to enter behind him.
Is the password stored securely?
Simple answer: Yea, that sounds really secure…
What about now?
What does it all mean?
The purpose of this thought experiment is to demonstrate that it's pointless to argue over whether writing down passwords is secure or not. As with most things in security, defence in depth is what really matters, and the layers of controls you put in place ultimately determine how secure something is.
Turning your passwords into passphrases, using unique passphrases for each service, storing your passphrases securely, enabling multi-factor authentication and updating your passphrases twice a year gives you 5 layers of password defence.
How many do you have?