For many, many years, you’ve heard the advice: “Never write your passwords down.” This is trumpeted at work, from online services, from financial institutions. Well, it’s wrong. Not in every case, but in many. It encourages people to pick weaker passwords—either in complexity or length—because they have to manage them.
If you’ve adopted a password-management app like 1Password or LastPass, you shouldn’t need to write anything down, of course: your devices retain and optionally sync passwords and other secure data, and you have to remember a single piece of information—namely, your master password. But what if you forget that? We are all fallible, and sometimes our brains work against us.
This mistaken belief, which may seem intuitively correct to us, stems from the use of passwords in work and academic environments long before individuals regularly needed to use passwords elsewhere, especially complex ones due to the risk of remote, network-based exploits.
Sticky notes are our last line of defense
In a place in which you cannot be sure that other people don’t have access to your stuff, writing a password down is foolhardy. Putting it on a sticky note on your monitor is even more so, especially if you’re in a place where visitors or even random people may be able to wander by. Security may check that nobody leaves with paperwork, but it can’t metal-detect-wand someone’s mind.
And if your workplace says not to write passwords down, either it or you could have liability associated with a security breach. How many times recently have we heard of laptops being lost or stolen, protected with a bad password or none at all? (You can’t write down a password if it doesn’t exist, of course.)
But here’s the thing: That’s work! It’s their problem (and yours) about managing passwords there. At home, your password-access-control concerns are vastly different. Do you live alone? If you live with others, are you concerned about them having access to your passwords? If so, do you worry they will rifle through your things to find them?
The greatest risk most home users face is the vast, seething pool of criminals, vandals (those in it for lulz), governments, and random opportunists. These risks emerge from remote access and, typically, exploits. This can be giant password leaks that reveal millions of account secrets. Or it can be a software failure, whether in apps residing on your computer or cloud services, that allows recovering passwords or trying millions of common ones without being locked out.
The risk is rarely someone gaining physical access to your home, figuring out where you store the passwords, and either copying down, photographing, or running off with the list or notebook.
Now, if you’re in shared housing, part of a family, or routinely have strangers pass through your home, you’ll want to take additional measures. This can include, as security guru Bruce Schneier suggested back in 2005:
I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
As long as you don’t include services or website names with those passwords, the passwords on their own are valueless in most cases if that piece of paper were lost. It’s only valuable to people who might already have access to your computers or other devices.
Techniques for variation
If you’re writing down passwords, simplicity helps, but you don’t have to be less secure when you pick something memorable and easy to write out and also enter. The most commonly used type are so-called Diceware passphrases, which combine randomness with a modest dictionary, available in many languages. It may seem counter-intuitive to use words found in a dictionary, but a random combination of multiple words can’t be dispatched with brute force, even when all the words are known.
These work wherever you can enter long passphrases and aren’t limited by outdated and inaccurate notions of safety through complexity. (One enterprising tween, the daughter of a privacy journalist, set up her own artisanal Diceware creation business.)
When you’re more restricted in what you can pick, you can turn to password-pattern systems, which are available as pre-printed cards and as apps. Rather than storing the full password, these systems help you generate a stub that you can use a standard formula to append to. The formula can’t be guessed, and has enough variation in it to produce a password that’s highly resistent to brute-force cracking over very long periods of computationally intensive attempts.
Even better, write down a password (something you know) and enable two-factor authentication (something you have or are). That second factor can be generated by an app, sent as a text message, or produced in service’s own software, or you can use Touch ID or other biometrics to validate your identity. Someone stealing all your two-factor-protected written-down passwords still can’t access your accounts without the second factor, too, all of which will likely reside in your phone. (Amazon just opened its two-factor system to all customers. I recommend you enable it.)
I surveyed coworkers at one tech-oriented outlet for which I edit about their password habits, and there was a good and surprising split between password-management ecosystems and simply writing things down. The bonus of writing down passwords? You can leave information for friends, partners, spouses, family, and colleague in the event you’re incapacitated, or worse. A mind is a permanently locked room when the key is lost, unlike a piece of paper.