The Wrong With Writing Down Your Password

What's Wrong With Writing Down Your Password?

Recently a reader asked me why she wasn’t supposed to write down her passwords—which is a very good question. Ignoring all the geeky password manager talk, why can’t a home user write down passwords? Let’s examine this topic more closely.

If you’ve never heard anybody say this, you probably haven’t talked to enough network security types—it’s generally looked down on to write your passwords on a physical piece of paper or a sticky note.

So Why Can’t You Write Down Your Password?

We’ve already established that you aren’t “supposed” to write down your passwords, but why not? Are people really going to rifle through your stuff to find your password, and then use it maliciously? What if somebody breaks into your house, are they going to sit down at your PC and use your password? The answer to all of this can be summed up easily:

• Work Users: Do Not Write Down Your Password
• Home Users: Writing Down Passwords Is Fine, Usually

To put these in a little more context, let’s look at each one separately and discuss why you should or shouldn’t write down your password.

If You’re a Work User

When you’re a corporate sloth and stuck at a desk for an arbitrary number of hours each day bored out of your mind, most of the passwords that you will use are probably for work-related applications like your corporate email, databases, and accounting systems.

Here’s why you probably should not write down your password at work, and should instead opt for passwords that you can remember, or use a password manager:

• It’s probably against your company’s policies to write down your password.
• If somebody finds the password and does something bad with your account, you could get fired.
• Even if you write down the password and lock it up, it’s probably not terribly secure.
• What are you going to do, cover the sticky note with your hand when the cleaning staff comes by?
• All the IT people will laugh at you.

You should also figure out what your organization’s policies are concerning passwords, and follow those.

If You’re a Home User

When you are a home user, your most important passwords are your email, bank, and probably your Facebook password. If you are using a password on Windows, it’s probably not terribly secure, but you should make absolutely certain that your email and bank passwords are secure—and not the same.

Here’s why it doesn’t really matter if you write down your password at home (usually, at least)

• If somebody has physical access to your PC, you are screwed, and your password can easily be cracked or reset. (see below)
• If somebody breaks into your house, they could just take the whole PC or laptop. They might also steal your beer.
• The biggest problem for home users is having their banking / email passwords stolen online. If writing down a tough password helps keep you from identity theft, go for it.

There are exceptions to these rules of course—if you’re sharing an apartment with other people that you don’t totally trust, you should probably move. Also, you might not want to write down your passwords, and opt for a tough password or a password manager application. Maybe sleep with one eye open.

If you’re a home user with kids around, you might not want to write down the Windows password if there’s adult material on your PC. Or the internet—I hear there’s some adult content there too.

Choosing Strong, Unique Passwords Is All-Important Online

We simply can’t state this enough—your email and banking passwords are extremely important, and you should use different strong passwords for each one. Here’s a couple of quick rules to help you stay safe:

• Use separate passwords for your online accounts—otherwise, if somebody cracks one password, they can access all accounts.
• Use strong passwords for your accounts, using a combination of letters and numbers.
• Do not use the name of your pet, child, significant other, insignificant other, school, mom, or anything that somebody could easily guess.
• Make sure the security question on your email or bank account is set to something unique, and write it down somewhere. Do not blindly answer the question and use your pet’s name or something somebody can easily figure out. This is how most passwords are cracked.

If writing down these passwords and secret questions helps you be able to use strong passwords and prevent identity theft, it’s worth it, right?

Your Windows Password Is Easily Crackable

If somebody has physical access to your PC for a couple of minutes, it doesn’t matter what Windows, OS X, or Linux password you use. It’s as simple as that.

Want proof? Here’s all the ways that your computer password can be cracked or reset, and keep in mind that these are only the ways that we’ve covered here on How-To Geek. And we’re the good guys!

• Change or Reset Windows Password from a Ubuntu Live CD
• How to Crack Your Forgotten Windows Password
• Reset Your Ubuntu Password Easily from the Live CD
• Reset Your Forgotten Password the Easy Way Using the Ultimate Boot CD for Windows
• You Can Reset Your Forgotten Windows Password with the Sticky Keys Trick
• Reset Your Forgotten Ubuntu Password in 2 Minutes or Less
• Change Your Forgotten Windows Password with the Linux System Rescue CD
• How to Reset Your Forgotten Mac OS X Password

Wow, that sure makes me feel secure! So how do you prevent this, you ask? You can use complete drive encryption if you choose to do so:

• Getting Started with TrueCrypt on Windows (to Secure Your Data)
• Getting Started with TrueCrypt Drive Encryption on Mac OS X
• How To Use BitLocker on Drives without TPM

Since your vacation photos of you eating too much probably aren’t worth encrypting, your best bet is actually…

Password Managers Are Your Best Bet

Using a good password manager is the best way to protect your passwords from everybody and easily use secure passwords for every site. All of your passwords will be secured behind nearly unbreakable encryption, and easily accessible for everyday use.

My personal favorite password manager is LastPass, which integrates directly into your browser, and stores the encrypted passwords on their servers, syncing them to every device you can install the extension on. You can even use it to store other data, like notes or credit card numbers.

Note: While the passwords may be stored on their servers, the great thing is that the master encryption key is not—all the passwords are decrypted in your browser, so they cannot see any of your password information.

You can also use KeePass, which is an excellent password manager with loads of plugins and other features. I don’t use it because it’s separate from the browser, which is where all my passwords need to be used, but it’s still a worthy application.