You must log in or register to comment.
My mother uses something similar to keep track of her passwords for everything. While I prefer a password manager like Bitwarden or Keepass. I would rather her use a note book like this over something like Google or Apples password managers.
Or even worse, the same password for everything.
So… It’s a password book? Like, pen and paper?Not the best choice for storing passwords, but I’d be more willing to do that than trusting Amazon not to hold my passwords hostage with a digital service by them.
Here’s the thing … as crazy as a notebook with passwords sounds, it’s not accessible to someone across the internet.
Yeah, It’s actually quite a secure way to store passwords, since it requires physical access.
I knew a guy who had a drawer full of slips of paper with passwords written on. He called it the “security drawer”. Made me smile, but probably shouldn’t have been advertising it.
Oh I know him. What a weirdo. Fun guy tho. Did he move what’s his new address anyway?
It depends on what the user fills it with.
Even the objectively safest solutions will be much shorter, and have less entropy, than what a pw-manager can deal with.
Their Ring camera that points directly at the desk they keep this notebook on: “it’s showtime”
Please hold your password notebook in front of the laptop camera.
Password managers check the URL before giving its data. A human being can be fooled into giving it to a fake web site.
TBF, they can be fooled too.
Bitwarden warns against using autofill on load for that very reason, as then simply loading a malicious page might cause it to provide passwords to such a site.
And then, a human when a site doesn’t autofill, is more likely to just go “huh, weird” and do it manually.
Wait, what? How does autofill get fooled?
Someone manages to maliciously sneak username and password fields onto a site that store what is entered as soon as it’s typed. They don’t even have to be visible to the user and bitwarden will fill them in as soon as the page loads.
Bitwarden will only autofill if the domain matches.
Right, “maliciously sneak”, as in they’ve either gained access to make changes to the site ditectly, or they’ve found a way to inject their scripts to steal creds.
And how is that any different from not having a password manager?
Yes, if someone hijacks a domain they can get credentials intended for that domain. A password manager doesn’t make a huge difference here, because why would they make the site look any different than normal?
they can be fooled too.
Makes it harder: when I go to the wrong website, the manager simply doesn’t suggest credentials (it does not have) for it. That causes me to wonder why.
Without a password manager, a user is never prompted to wonder. They’d simply not notice.
You’ve always got the human element, bypassing security features; but extra little hurdles like a password manager refusing to autofill an unknown url is at least one more opportunity for the user to recognize that something’s wrong and back away.
If you’re already used to manually typing in the auth details, you may not even notice you’re not on the site you were expecting.
but:
-
way less convenient to generate dozens and dozens of unique, complex passwords. which means it’s less likely to be used/updated as much as it should be.
-
not tied into MFA which is an additional layer of security and convenience
-
Just maybe don’t plaster “THESE ARE MY SECRETS” on the cover. Security through obscurity.
INTERNET PASSWORD LOGBOOK is probably a paper slip that you can remove, and then it’ll just be a blank leather journal.
Now a REALLY secure physical logbook would just have the cover of a boring, unremarkable-looking book on the outside.
Would you trust Amazon or any huge corporation with all your login and passwords ?
Surely they didn’t backdoor a notebook?
No
I would trust them with my Amazon password.
Valid question. But this article is a physical book in your own hands. I am not saying this is safe or anything but has nothing to do with Amazon besides that they sell it.
Honestly, a physical password book isn’t a bad idea.
Not accessible via the internet, and in most cases if someone has physical access to your system you’re done for anyway.
The main weakness it has is from a nosey flatmate, spouse, or child in the house.
What this book likely doesn’t suggest, is to just code the username.
I have 2FA backup codes in my go bag and nowhere do I write the usernames or even the service if it’s important.
You know your email address. If you lose this in an airport, writing “main email” makes it useless to anyone else.
Don’t forget to use diceware. The human mind is not random enough https://www.eff.org/dice
Yep. My Dad in his late 70s uses this system and it works great for him.
People make fun of it, but for people with low tech literacy this is actually far better than having a mish-mash of solutions where some their logins end up automatically saved in iOS on their phone, some are saved in Chrome on the desktop, some are just in their head, they don’t know where anything is, and are constantly losing access and resetting credentials all the time.
And it definitely reduces the burden on me of parental tech support, when its all in the book.
Yeah, my in-laws have such a book and it honestly is great. They live in their own flat where nobody can access the book without breaking in. They do not save their passwords in their browser, so anyone hacking into their PC can’t grab them. If they want to login into an account, they take out their book, put in the user name and unique password and that’s it. Quite the good method and I really do not see many problems there.
My Mum died recently and my step dad is shit with tech, so their password book was invaluable in helping us gain access to her Apple account and her phone. It meant we were able to get to her iCloud passwords, so now we have access to everything.
So yeah, password books are actually pretty handy.
“People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down.
We’re all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Obscure it somehow if you want added security: write “bank” instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don’t do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize.”
For the majority of my clients who use this kind of system, it is totally dysfunctional.
Most of the records are incorrect, my guess is that they occasionally reset the password on mobile while the book is inaccessible and then don’t remember to update it in the book later.
Effective use relies on the user’s understanding of umbrella accounts. I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.
As passwords get updated, it can become a mess of crossed out records with new ones squished into the margins. When a someone dies, anything written illegibly can be difficult for surviving family to discern. As the book gets filled out, it can get tricky to keep things alphabetized unless the user provisioned additional empty space between records.
This system can work great for someone who is meticulous, neat, and organized.
For your average person, I’ve had better luck solving the problem with a password manager synced to an online account that is protected by MFA and has recovery options that are also protected by MFA.
I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.
In fairness to them, I get a new email every month or two from Microsoft letting me know that they merged another account that I didn’t ever ask them to.
The main weakness it has is from a nosey flatmate, spouse, or child in the house.
I disagree. Using this book will always lead to shorter passwords that are easier to type. That’s the main weakness imo.
Or in other words: it really depends what the user fills it with. It should be accompanied by a little machine that spits out random passwords, I’m thinking a rubics-cube-shaped bling pendant at the end of the bookmark band.
Not at all. It will lead to easier to type passwords, likely. But that doesn’t mean shorter. This could easily be filled with passwords that are four words long with special characters interspersed.
Which you then have to type out every time. Laziness wins: they will be shorter.
The assumption is that the product is for non-savvy users. They might not even understand what you wrote up there.
Autocorrect can help here, but dictionary words are easily
brute-forcedguessed. And - more importantly - that hypothetical user would have to come up with that idea in the first place. But people who come up with such ideas usually already use password managers anyhow.Several dictionary words in series cannot be “easily brute forced.”
You’re out of you’re depth and saying stupid things.
Correct horse battery staple
This isn’t even weird.
I think most security experts would recommend that you have your most important passwords written down somewhere, and then hopefully locked up in some safe or deposit box somewhere. You don’t need to buy an entire book for it, but some people like to spend money.
If this is for your less important passwords, then for the most part, writing them down is actually better. You won’t be as tempted to reuse your banking password for your social media. And some people like writing things down. A password manager is a better solution, but lots of people aren’t as good with technology and if they even let the browser remember it, they won’t know how to retrieve it later if they want to use a different computer, for example.
My password-manager is a script that gpg-decrypts to XDG_RUNTIME_DIR and then opens it in editor, encrypts back on changes. Is that bad?
How do you syncronize it between multiple devices and operating systems?
I have a letter in my safe in the event of my death that contains all my passwords and accounts. I have also slipped in a dead man switch that she’s unaware of that will wipe out my “collection of science”.
Does anyone else know how to get into the safe?
it’s a key entry, and yes.
Keeepass, simple and easy to use! https://keepassxc.org/
* for the tech inclined
Managing sync between mobile and desktop is a bit more complicated than average consumers have the patience for (it’s really not very complicated, average consumers are just impatient)
I’ve found 1password a good compromise. Unbreached so far!
For a lot of people at 60+, writing things down is easier and safer. It will also help anyone that would need to troubleshoot or in the event of death in a very simple way.
i got bitwarden
I’d rather people use this than reuse the same password everywhere.
That’s exactly what I use. Chances of my house getting robbed is small. Chances of yet another data breach is very high - this year my data was breached at least 2ce that I remember.
this is my internet password logbook
Silly, you just posted a picture of your key now everyone can access your passwords
True, but honestly look at that lock, you can open that with a paperclip.
I still like it.
That is tight as hell and I love it
you too can have it (not my listing): https://www.depop.com/products/christy19js-rare-1990-sanrio-spotty-dotty/
It’s $55 (I’m assuming USD). Or “4 interest-free payments of $13.75”. On one hand, it’s expensive. On the other hand, it’s bloody brilliant!
Hells yeah thank you for sharing :D
Honestly, for at home personal use, it’s better than any on device password manager. It’s not hackable. Someone has to break into your home and steal it. For an office environment though…worst way to handle it after sticky notes.
Self hosted and air gapped.
And very power efficient
The indexing and search need improvement.
Quantum proof
As long as the notebook is in a locked draw I would pass this on an IT Audit.
Unfortunately it’s a combination lock, and the code is written on a post-it stuck on the front of the drawer.
That is still better than in a password manager with no access controls
The combination is 1-2-3-4-5!
How the fuck do you know my PIN number?!
Just as the Lord intended.
I see no issue with this, especially for an elderly person, for example, to keep at home. The only way this will get “breached”, is if someone breaks into her home. At that point, the password book is the least of her concerns anyway. In fact, from a cyber security point of view, this is brilliant if kept in a safe place, such as a locked safety box. You can’t really remotely hack a physical book.
her
What?
Sorry, it just read to me like you’re presuming a old person that struggles with tech would be a woman. I should’ve left a more constructive comment.
Oh! Hahahahaha!! Not at all! I specifically had my grandmum in mind, since my grandad has passed long ago.
Oh haha sorry!
Still waiting for passkey support
