Password Management Without Software

I previously wrote an article called How to Create a Great Password. In it, I described not just how to create a good password, but also how it should be easy to remember. While passwords can be easy to remember, eventually, the list grows and remembering them all becomes a chore. This is where many people abandon good practices and start writing passwords on Post-Its and sticking them on their monitors.

This article is about where to store passwords when you start accumulating more of them than you can remember. Now, I usually recommend that my clients use a password management application on their computers. This can help them keep track of all those passwords, but not everyone wants to spend more money on software, especially for such a simple task.

Why password management software is not always ideal

One common problem with using software to manage passwords is that it is not always as convenient as it could be. The software often is not synchronized between computers, so the information won’t match when people move to their laptop.

Another problem is that not all password management software is well designed. It often can be a hassle to use it because of poor implementation. For example, when you need it to access a website, it requires too many steps to insert the password into the correct field.

Extra software also goes against an important principle of security: to keep things simple. Password software adds more layers of complexity. Ultimately, that complexity increases the potential for human error. One common issue is that people forget the master password, which then locks them out of all the other passwords.

There must be a better way. There is! For many people, especially small businesses, a password management application is overkill. For those people, the better option is to store the passwords on paper.

Storing passwords on paper?

There is a lot of debate on this practice. Obviously, someone who gains access to your paper copy then gains access to your passwords. True, but how likely is that? The fact is, that there are also mitigating factors about saving passwords on paper. As with all security matters, every solution has trade-offs, so let us consider them.

Let’s be honest, a physical break-in is unlikely in most cases. So, barring that, storing passwords on paper is rather secure. For one, an online computer hacker will not gain access to it by accessing your network remotely, which is the most common way that security is compromised. Keeping your passwords on paper and not on a computer is a good option.

There are other benefits to a handwritten list of passwords, some of which people rarely consider:

1. Written passwords are easier to remember – research has shown that hand-written items are retained better in the mind than typed ones.

2. A paper list is easy enough to hide in a bookcase or between other papers – it is unlikely that someone who breaks into your home is going to find it easily.

3. There is no master password that could be stolen or forgotten, so there is no single point of failure (more on that later)

4. If the list needs to be destroyed in a hurry, it is easy to burn or shred. Unlike a deleted computer file, a paper copy does not leave parts of itself on a hard drive that can then be retrieved by a good hacker.

5. For those who do need to find it (for legitimate reasons or in case something happens to you), something tangible like a paper list is easier to find than a hidden file on a computer somewhere among millions of other computer files.

6. Software and online password managers like to include lots of other data with each password – sometimes they even automatically include data that you do not even see. This can actually assist hackers in gaining access to other info about you and your passwords.

So, my recommendation for storing passwords is to hand-write them on paper.

What your password list should include

Passwords should be written down on paper in a simple list. The list should include minimal info so that that a thief cannot deduce other related information about you and your passwords. It should just have the info for you to get into the account when you need to. Typically, software password management software require other info, which they add to each password. I believe that is a bad idea.

Here is my recommendation of all that your password list should include. Start by writing the year and the quarter (fall, winter, spring, summer) at the top of the page. Then divide the page into two columns, one for the service or business (what the password grants access to) each password is for. The second column is for the password. Put each pair, on its own line and do not include more. Keep the info to a minimum.

It is also not necessary to include a web address. Password management software always likes to include a web address, and often even creates a live link that you can click on directly, but that is pointless on a hand-written page. Anyhow, it is more work, is likely to have typos, and is not going to save you any time.

When adding passwords, just add them at the bottom list, after the last one that you wrote down before. Unless you really have many passwords, it is not necessary to enter them alphabetically or to number them either. This is because there should not be any unnecessary relationships between passwords that would allow someone to guess more information than necessary. An ordered list betrays your thought patterns which can give clues to that info.

The same idea applies to creating categories: don’t. Categories provide more information to clever thieves that will then lead them to discover other information. It may seem far-fetched that hackers and thieves do this, but the reality is that passwords are often found through clever guesses and accidents.

Just write down the passwords clearly and legibly on each line, in no particular order. Keep it clean and simple.

How you should divide the list

Security breaches try to zero in on a single point of failure, a single location or some other unifying point. That is where a hacker will focus all the attention. Consequently, that is also what a physical break-in will focus on, should that happen. One easy way to foil that is to not create one single list (a single point of failure). Instead, divide up the list into more than one list.

Some thought should be given about how the list should be divided:

I. Create 3-4 lists

Keep them unique, you do not want duplicate passwords between lists. This will allow you to store them in 3-4 different locations. This way if one list is lost or compromised, it only represents a fraction of all the passwords. This creates an extra layer of security for all the passwords.

Let us consider an example to illustrate this. If a well-informed thief (think disgruntled employee) breaks into your place of business, they could get lucky and find one of these lists. In a more serious situation, they could threaten you to reveal the passwords for your business. In that case, revealing just one of the lists (a fraction of all the passwords) may be enough to satisfy their demands. It is akin to how a lizard is able to shed just its tail to distract a predator and then make his escape.

Another possibility is that you forget where you hid one of the lists. Short of upending the whole office, you would only have lost a fraction of all your passwords. This is better than losing all your passwords, which is what would happen if you only had one list.

II. Do not put related info in each list

Contrary to convention, do not put related info in each of the 3-4 lists. By that, I mean do not put all the bank account passwords into one list and social media ones in another. Instead, mix and match them so that you have different types of passwords in each list.

Doing this will address another risk. As in the example above, a thief who breaks in and finds a list will spend a few minutes looking it over before making his escape. If it only has one type of password category, for example social media passwords only, then he will quickly realize that the list is not complete. In the second example, losing one of these lists will be less devastating if it includes different types of passwords, both important ones and less important ones.

III. Hide your lists by color

Here is a quick tip on how to decide how to group the lists: by color! Most businesses use a dominant color in their logo or marketing materials – for example Facebook uses blue, Wells Fargo uses red, Evernote uses green, etc. Dividing up the lists by the color of company logos is one very good option. The other advantage to this method is that it is easy enough to remember which list you need when you need to look up a password. By the way, color association also helps with remembering.

For example, at my previous work, I placed each colored list in a book with the same spine color. So, for example, my green list was in my OpenSuse book on the top shelf. My red list was in an old Novell training manual I had at the bottom of the shelf. While my employees knew I kept paper copies of my password lists, I do not think they ever knew where I stored them. As far as I know, none of my passwords were ever compromised – books are not exactly the first thing computer folks will think to search through, lol.

You should recycle your password list regularly

This is one recommendation where people lose interest in password management, even those who use a software solution. Ironically, it is one of the more important things to do as part of a well-designed security strategy. Think of it as housecleaning – no one likes to do it, but it needs to be done regularly or things start to smell. Password lists need to be cleaned out too or they too get stale.

This is because hackers never stop trying and for everyone that does give up, another one will take their place. The more your business grows, the more it will come to the attention of hackers and thieves. They will keep trying passwords until they get in. The best remedy against this is to change your passwords regularly.

Every quarter the passwords need to be changed – this is why we wrote fall/winter/spring/summer at the top of each page. If this is too much work, then just recycle one of the lists each quarter: blue in winter, green in spring, yellow in summer, etc. Note that I used the colors of the seasons; this is because if color themes help you remember to do this, then it cannot hurt, either. Find what works for you, even if it seems silly.

Many people change passwords once a year, and I think this is a bad idea. Aside from the fact that this is not often enough, it also establishes another pattern that a clever hacker will be looking for. For example, changing all your passwords on the first day back from winter break is very common and hackers know this. I had a colleague who changed all his passwords on April Fool’s Day every year like clockwork… until the day the joke was on him.

Some companies like Microsoft actually require very regular password changes, so you may not have a choice. Use their vigilance to motivate yourself. And do not just change your Microsoft password when they prompt you, do it for all your passwords as a matter of good practice. As mentioned already, this is the best way to protect yourself from people who may be studying your online patterns to gain access to your business.

Creating the new password list

The simplest way to create a new list is to start a brand-new page, write the year and quarter at the top and then start recreating passwords – use the techniques from my article How to Create Great Passwords as a guide. As you create new passwords, you should go to each service/company site and change the password there as well. Yes, you could recreate all the passwords on paper first and then go online to change them, but what if you are interrupted and lose your place? Keep things simple and straight-forward.

When all the passwords for that list have been changed, the old list should be destroyed. I use a conventional cross-cut paper shredder and then I send the shredded paper to a service that recycles it, but that may not be possible for everyone. Alternatively, it can be incinerated – just be sure to follow proper safety procedures.

Note that I said to keep the lists on paper. I did not say a notebook, I said paper. This is because a bound notebook is harder to recycle – the last thing you want to do is toss the whole thing in a dumpster for someone to find. But if you are going to use a notebook because that works better for you, then use one that you can easily rip the pages out of.

Conclusion

OK, I did not intend for this to be a manifesto against software password managers. I have used several and they have their benefits. As with all things in security, you want to spread out the risk, so using them in conjunction with paper lists is a good practice as long as they are not duplicates of each other. Keep things separate and without obvious links.

Password managers have their uses, especially in large organizations. Alternately, if your small business happens to manage many accounts for others and that is your business, then you may need something like this as well. Just keep in mind that software management systems create more complexity, especially if you do not need it, like most small businesses.

Every business has different needs, but too often small business owners are told to buy a product that someone says will solve all their problems. This is especially the case with security software, and also password managers. That is not always the best option, and I hope this article offer an alternative solution for those that need one.