51

A lot of the users in my company are using their agendas to write down their password and usernames, or Excel sheets with a protected password. I'm hesitant to install software for password management after reading recommendations/feedback on them. Is there any other secure and user-friendly solution to store passwords?

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
Hajar Qh
  • 599
  • 1
  • 4
  • 5
  • 4
    Maybe ask IT if they have a recommended solution. They may already have some software they allow. – Daisetsu Mar 25 '19 at 20:47
  • 104
    What is it about the recommendations/feedback that’s made you hesitant? – Ry- Mar 25 '19 at 21:48
  • Potential duplicate? [Password manager vs password book](https://security.stackexchange.com/questions/175075/password-manager-vs-password-book) – schroeder Mar 25 '19 at 22:31
  • 41
    This question reads exactly like "I want a password manager, but not a password manager." Hajar, I'm not sure what would satisfy you. Any sufficiently well made solution would be a password manager, so you're essentially limiting yourself anything that "works" for this purpose, but not well enough to be called a password manager". You're limiting yourself to half-baked hacks like those spreadsheets. – Alexander Mar 26 '19 at 16:11
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/91587/discussion-on-question-by-hajar-qh-is-there-a-good-way-to-store-credentials-outs). – Rory Alsop Mar 27 '19 at 09:40
  • 3
    Related: [How to store passwords written on a physical notebook?](https://security.stackexchange.com/questions/108746/how-to-store-passwords-written-on-a-physical-notebook) Still, I'd recommend an offline password manager such as KeePass whenever possible. – tmh Mar 27 '19 at 10:55
  • 4
    Would you be hesitant to wear a bulletproof vest after reading about their shortcomings? – MonkeyZeus Mar 27 '19 at 12:36
  • Password managers have dangers such as losing access to all your passwords because there is only a few access points and the password managers can corrupt your passwords. – user2617804 Mar 28 '19 at 07:13
  • Relevant: [Is it safe to store my passwords in a text document protected by a password?](https://security.stackexchange.com/questions/158953/is-it-safe-to-store-my-passwords-in-a-text-document-protected-by-a-password) – John Wu Mar 28 '19 at 07:35
  • 1
    There is *no* good way to store passwords. A password manager is just the least bad option. – Shadur Mar 28 '19 at 08:58
  • Per every single answer here you should use a password manager, but that in itself is **not enough**. Storing 'password123' or your child's first name in l33tspeak in a password manager is not improving on things. Generate random passwords (plenty of options for doing so, many password managers include this feature) and store those. – Jared Smith Mar 28 '19 at 12:38
  • Your brain. It's among the most secure things on the planet. – user64742 Mar 29 '19 at 01:36

13 Answers13

114

Install a password manager. A good password manager is much, much better than anything you can do by yourself.

They are software created by security professionals, follow strict development rules, and are tested by a lot of people, and attacked by a lot of people. They have better chance of protecting your passwords than anything invented by the average, even the above average user.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149
  • 33
    how does one know which is a good password manage and if they actually follow all the strict development rules ? – Nigel Fds Mar 26 '19 at 01:06
  • 10
    @NigelFds Some, like Password, get audited by 3rd parties. https://support.1password.com/security-assessments/ – Schwern Mar 26 '19 at 01:35
  • 2
    I use [Enpass](https://enpass.io) and it's very well written. – ThoriumBR Mar 26 '19 at 01:51
  • @Schwern awesome, that's good to know – Nigel Fds Mar 26 '19 at 03:13
  • 37
    @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself. – Mischa Mar 26 '19 at 08:31
  • 2
    For business use, managed by IT, I'd recommend 1Password or LastPass. Both are highly regarded, and the enterprise features will make business happy and users way more secure. I've used them both. I'd recommend 1Password for Mac, and LastPass for Windows/Linux. Don't invent your own, and don't add to "shadow IT" in the workplace. – JesseM Mar 26 '19 at 21:33
  • 16
    @JesseM LastPass is a cloud-based password manager. This should immediately conflict with any sane company security policy. Also, LastPass had various security incidents and a breach. I wouldn't recommend it to anyone, not even for personal purposes. Stick to offline password managers. – scai Mar 27 '19 at 08:50
  • 1
    @NigelFds It does ultimately come down to trust, but it's better to trust a "Developer + Lots of Third Party Professionals" than just "Developer". There is a reason KeePass and LastPass are widely respected. – Lightness Races in Orbit Mar 27 '19 at 11:07
  • 1
    Just to be fair, no matter how well developed a password manager is, this doesn't stop malware from slipping in through other software and then lazily reading all the passwords from the password manager. Of course password managers are very slowly improving by making this harder (https://www.helpnetsecurity.com/2019/02/20/flawed-password-managers-allow-malware-to-steal-passwords-from-computer-memory/ ), but at the end of the day putting passwords on the same system as all your other software is risky (and a paper agenda might be safer). – David Mulder Mar 27 '19 at 14:28
  • 27
    @scai _"This should immediately conflict with any sane company security policy"_ Total BS. As long as proper encryption is used you can store your secrets _anywhere_, including the cloud. _"Also, LastPass had various security incidents and a breach"_ Please read [Schwern's answer](https://security.stackexchange.com/a/206109/3992) and stop spreading FUD. Also: ALWAYS use 2FA (if you can / is supported by that website). – RobIII Mar 27 '19 at 15:42
64

You're probably referring to the recent articles about flaws in password managers.

Its right there in the titles, password managers have flaws and you should still use one because they're more secure than what many folks do, like keeping passwords in Excel, emailing them around, pasting them into chat where they'll be logged by everyone...

All software has flaws. Password managers, and security software in general, is held to a higher standard than run-of-the-mill software. The flaws these articles are talking about in password managers are not rookie mistakes, but risk trade-offs.

1Password has a write up about the latest flaw as well as a deep discussion on their forums. It's not a mistake as it is a consequence of a trade-off to avoid other worse memory bugs. The important bit is that your computer must already be compromised and you have recently typed in your master password. As jpgoldberg of 1Password put it...

...we need to consider that for this to enable an attack the attacker must

  1. Be in a position to read 1Password process memory when 1Password is locked
  2. Not be in a position to read 1Password process memory when 1Password is unlocked.

Number 1 requires that the attacker has already seriously compromised the device. Number 2 means that that the attacker (who has seriously compromised your device) only has that control at some oddly limited times.

If your computer is already so compromised an attacker can read 1Password's process memory they don't need this exploit. They can just wait until 1Password unlocks.

And if your computer is compromised, keeping your passwords in an Excel spreadsheet offers you no protection.


Password managers can do other things to add to your security.

  • Share and manage your passwords between all your devices, including mobile devices.
  • Share and manage passwords and credentials with co-workers.
  • Store more than just passwords securely.
    • GPG and SSH keys and passphrases
    • One-time password generators
    • Recovery keys
    • Security questions
    • API keys
    • Notes
    • Credit cards (arguably better than saving them on web sites)
    • Bank accounts
    • Memberships
    • Software licenses
  • Inform you of insecure passwords
    • Reused passwords
    • Password breaches
  • Generate secure passwords
  • Auto-fill passwords (avoids being shoulder surfed)
  • Auto-record new accounts
  • Protection against ransomware (if it stores your vault elsewhere)

These avoid bad practices such as reusing passwords, using weak passwords, sharing them via email or chat or a shared document, writing them down (whether on paper or a file), and continuing to use breached passwords.

Schwern
  • 1,558
  • 8
  • 17
  • Storing OTP generators in password managers _decreases_ security, if anything (all eggs in the same basket). I still do it, though :/ – Sergio Tulentsev Mar 26 '19 at 08:44
  • 7
    Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password. – JeroenHoek Mar 26 '19 at 13:27
  • 1
    "(...) keeping your passwords in an Excel spreadsheet offers you no protection" -> actually, from what I know when you set a password on an Excel doc, modern Excel versions encrypt that using AES with PBKDF2 on top. This is quite very good, given that AES is not broken (as far as we know) and PBKDF2 makes it immune to brute-force attacks (as long as you have a good password). – Radu Murzea Mar 27 '19 at 10:43
  • 2
    @RaduMurzea But you can still see everyone's password, in the clear, without much effort: just enough physical access or even "over the shoulder". Worse: you can snap a few photos of it in an instant, and have an offline copy. – Ismael Miguel Mar 27 '19 at 17:50
  • 1
    @RaduMurzea Yes, you could encrypt it (and I bet most don't) and that would give you a bit of protection... until you decrypt it. Decrypting the document decrypts the entire document leaving passwords in memory and possibly a temp file easily snapped up by generic malware which is the scenario in question. See [Tschallacka's answer](https://security.stackexchange.com/a/206125/22452) for more. We like to fixate on encryption for security, but breaking encryption is the *last* resort of the attacker. – Schwern Mar 27 '19 at 19:36
  • 1
    @IsmaelMiguel: Simple solution though: create your own font where characters are indistinguishable and use that in your Excel file! ;) – Flater Mar 28 '19 at 16:20
  • @Flater Yes, because your average secretary worker really knows how to make a font... – Ismael Miguel Mar 28 '19 at 20:27
8

The safest place to store a password is nowhere. It should be a secure token that only exists in the memory of the holder. Unfortunately, many use passwords that is too simple and insecure, for the purpose of making it easier to remember. In contrast, more secure passwords are more difficult to remember (for most people). Adding to the complexity is the fact that many have dozens, sometimes even hundreds of passwords to remember.

Because of these issues, everyone should definitely use a password manager. Password managers prevent even physical access from compromising your passwords when you are not present.

And yes, while it is true someone could attempt to coerce you into revealing your password using threats or other means, the same is true for any other physical security token. For example, they could ask where the paper is that you record your passwords on, or the hardware security key that you have hidden away, etc. Coercion is a threat regardless of how the secret is stored.

The advantage of using a password manager with a master password stored only in your memory is that it reduces the threat of break-in while not at a given location (think: a Post-It on a monitor in the office). Another alternative is to always carry a master hardware key for your password manager, with it never leaving your side.

This leaves basically two secure options:

  1. Use a password manager and only keep the master password in your memory.
  2. Use a password manager and use a hardware key as the master password, under the assumption that you always carry it.

In either case, using a password manager is essential to improving security.

owacoder
  • 197
  • 4
  • Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory. – lucasgcb Mar 26 '19 at 08:21
  • 5
    @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you **do** use the same password for different services. – owacoder Mar 26 '19 at 12:03
  • While services should, they sadly don't always have proper storage (even facebook messed this up recently https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/) . Which is why passwords must be not only strong but unique for each purpose, I doubt even the most reliable of minds is able to comply with this without adding clear patterns - so even if you have reliable memory a password manager is still superior for security. – lucasgcb Mar 26 '19 at 12:33
  • 5
    I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely. – Dan Mar 26 '19 at 14:45
  • @Dan - I agree with the experience securing physical items, but most locks, whether padlocks or built in to the door, can be broken into in about 5 minutes or less using just hand tools. I know from experience in performing forcible entry as a firefighter. Secure passwords should take *much* longer to break. In comparison, the average precautions taken for physical security (for either residences or businesses) are just not as good as a secure password. – owacoder Mar 26 '19 at 15:15
  • 1
    @owacoder Agreed, but physical security is about significantly more than just a lock. As I mentioned, it's about weighing it up. For example, is a person in their own home with a locked drawer more or less susceptible to having their credentials stolen than being infected with something nefarious on a computer? I'm certainly not saying that physical security is necessarily a better option, I'm just saying it's not a _bad_ option per se. – Dan Mar 26 '19 at 15:21
  • 2
    @Dan - Agreed. We're on the same page I think. Both physical *and* computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though. – owacoder Mar 26 '19 at 15:26
  • 2
    @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum. – Baldrickk Mar 26 '19 at 15:33
  • 5
    It's not even true that the inside of the owner's memory is the safest place to store a password under all threat models. Storing an unmemorable or invisible password on physical media can make it harder to get the owner to disclose the password by coercive or deceptive means, which may or may not be more significant threats than ways of gaining access to the physical media. – Will Mar 27 '19 at 09:09
  • I think the better way to phrase this answer is like so: The most secure place for a password is in your head. However, you should have a different strong password for each site; it is nigh impossible to keep them all in your head. A password manager means you only need to keep one strong password in your head, the one to secure the password vault; the rest are kept in the vault. – Schwern Mar 09 '22 at 20:10
  • Please see the updates to this answer. – owacoder Mar 10 '22 at 18:34
4

The encryption in Microsoft office documents is pretty good and secure for all intents and purposes, as long as you don't open the document, and don't have a security certificate pushed by an IT admin.

It does offer some weak points

https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office

Previously, if the original creator of a file password either forgot the password or left the organization, the file was rendered unrecoverable. By using Office 2016 and an escrow key, which is generated from your company or organization's private key certificate store, an IT admin can "unlock" the file for a user and then either leave the file without password protection, or assign a new password to the file. You, the IT admin, are the keeper of the escrow key which is generated from your company or organization's private key certificate store. You can silently push the public key information to client computers one time through a registry key setting that you can manually create or you can create it through a Group Policy script. When a user later creates a password-protected Word, Excel, or PowerPoint file, this public key is included in the file header. Later, an IT pro can use the Office DocRecrypt tool to remove the password that is attached to the file, and then, optionally, protect the file by using a new password. To do this, the IT pro must have all the following:

The IT manager or someone with access to the root certificates can decrypt all documents. So if a malicious attacker would be able to gain access to this, it could decrypt all the password protected documents.

There is the secondary problem of the temp files Microsoft Office. The moment the file is opened in Microsoft Office and the correct password is entered, Microsoft Office creates a temp file that displays the contents. Anyone browsing to this file can just select it and see the contents in the preview pane of Windows Explorer as long as someone has opened it.

In most windows networks its possible to just browse to the pc of a collegue and look into the documents on his/her pc or to any share they may have those documents on.

So in it's own, on the surface it might seem safe, but down below, someone just has to infect a workstation with a program that lies in wait for any encrypted documents it has access to be opened and then just read the contents of the temp file. And most people will just leave that password document open in the background once opened.

Most password managers have protections in place to only decrypt when needed and then store the password for a short moment into the clipboard before overwriting it, minimizing the possible exposure of the password.

In comparison, password managers offer more security.

Tschallacka
  • 303
  • 1
  • 9
  • 11
    By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage. – Oxy Mar 26 '19 at 11:42
  • 1
    Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents. – Tschallacka Mar 26 '19 at 13:42
  • 1
    Note that the DocRecypt tool and temp files both don't apply to MS Access, thus that can be used to store passwords without this weakpoint. However, an added weakpoint for nearly all Office applications is COM automation. Any application can check if Office files are open and read their content if they are using COM automation, which is a lot easier than reading out the password manager memory and doesn't require any special privileges. – Erik A Mar 28 '19 at 11:05
4

Sure! Here's a scheme that will not get compromised very often, if executed perfectly [1]:

  1. Keep a list of sites you have passwords for. Put it somewhere secure enough. [2]

  2. Keep a list of passwords. Keep it folded in your wallet. Be vigilant about showing it when opening your wallet, or when using a password from it. Destroy passwords you've memorized.

  3. If your wallet is lost or stolen, enjoy the huge headache of changing all your passwords.

So, pretty much what a basic password manager does - memorability, mapping to sites, and confidentiality. It's just way more leg work than using a password manager. If you make mistakes doing this, it becomes far less secure than using a password manager. Given human fallibility, perhaps a password manager is better?

[1]: The main ding against this scheme is that you will eventually fall out of practice doing it, and it will be a huge mess when you need to actually change passwords.

[2]: 'Secure enough' will vary greatly depending on your needs. Are you a boring person whose saving their bank credentials? A safe in your basement is probably fine. Are you hiding from the NSA? This scheme probably isn't sufficient, honestly.

2

I still heartily recommend using a password manager. If that is impossible, and all the following are true:

  • People can choose their own passwords.
  • No one has to share passwords.
    • (Protected Excel files make this seem unlikely.)

...then you could suggest a Password Card to keep in their wallet.

Michael
  • 2,432
  • 2
  • 20
  • 37
  • The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card. – Monica Apologists Get Out Mar 26 '19 at 14:01
  • 1
    @Adonalsium TBF, the Password Card site does say that. _"Don't read along with your finger, or the smudge will tell a thief where your password is."_ – Lightness Races in Orbit Mar 27 '19 at 11:11
  • 2
    @LightnessRacesinOrbit ... That's probably where I read that advice originally. Heck. – Monica Apologists Get Out Mar 27 '19 at 16:31
  • That Password Card looks like a hideously bad idea to me. It has 8 rows of 30 characters, or 240 starting positions. That's about 8 bits of entropy, or just about as secure as a password containing one lower case letter and one digit. – dgnuff Mar 28 '19 at 05:18
  • 1
    @dgnuff, If someone knows the seed that generated _your_ card, maybe. But otherwise it's offline steganography. – Michael Mar 28 '19 at 10:59
  • @dgnuff Wouldn't there be extra entropy from choice of direction and # of characters? Yeah, I have to pick from 240 characters to start from, but then I pick a direction (8 inc. diagonals), and a number of characters (8-??? depending on whether/how I choose to wrap around). – Delioth Mar 28 '19 at 14:43
  • @Michael This assumes your card is compromised. Unlikely, but still a possible attack scenario. – dgnuff Mar 28 '19 at 15:21
  • @Delioth Not that much. Number of characters 1 to 32 is just another five bits of entropy, and 8 directions is 3, so that only another 8 bits, or about 16 total. You're now at two digits and two lower case letters equivalent. – dgnuff Mar 28 '19 at 15:24
2

A spreadsheet encrypted with a password (say in Excel 2016) will use "ECMA-376 Document Encryption" by default which uses AES-256 bit encryption. Provided the password isn't a dictionary word, it would be no better or worse than any other password manager from a data risk perspective.

The spreadsheet would be FIPS-140-2 compliant and you would comply with the majority of encryption laws if they key or drive needed to be wiped with the secure wipe methodology as stated in NIST 800-88.

For a user managing a few passwords, I don't see a short term problem using Excel and a password, or a legal problem.

Long term, a password vault solution which allows check-in/check-out rotation, like CyberArk or Thycotic would be much better with logging and other capabilities. Something else to look at for free and simple is Buttercup.

schroeder
  • 125,553
  • 55
  • 289
  • 326
opsecwin
  • 31
  • 1
  • Vulnerable to simple shoulder surfing. – Schwern Mar 27 '19 at 07:41
  • @Schwern not if they were very complex passwords – Ulkoma Mar 27 '19 at 20:47
  • @Ulkoma 1) The password may not be the user's choice; shared work passwords are often weak because they are shared in a way that is difficult to update, such as a spreadsheet. 2) Users and orgs who use spreadsheets to store passwords probably have poor password discipline. 3) (Here's the kicker) phones have amazing cameras. Good security has many layers so if one is breached, such as an easily remembered password, or if your assumption like "my password is too complex to shoulder surf" is wrong, you have other layers of protection to stop the attacker. – Schwern Mar 27 '19 at 20:55
2

Sheneir on Write Down Your Password:

Microsoft's Jesper Johansson urged people to write down their passwords.

This is good advice, and I've been saying it for years.

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

Billal Begueradj
  • 162
  • 2
  • 3
  • 10
1

Your only solution is to select passwords, that are hard to break but easy to remember, then you don't need to write them down anywhere!

But seriously, maybe you can ask your IT support to install a password manager server for your whole company, then you don't need to install one on your machine.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Paris
  • 27
  • 1
  • 3
    I think that the hesitation is with using a password manager in general, not the local install. – schroeder Mar 26 '19 at 00:11
  • But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, :-) – Paris Mar 26 '19 at 01:06
  • The problem with this answer is that you cannot force users to do this. Sending something akin to the ["correct horse battery staple" example](https://xkcd.com/936/) (but more simply explained) as part of the policy may help them learn though. – Captain Man Mar 26 '19 at 16:24
  • @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs. – Paris Mar 26 '19 at 20:43
  • Sorry, this does not scale to reality in any kind of modern life. I have 130 passwords *and I am a late adopter*, and I actively seek to avoid passwords. It just never ends. Paperless billing? Password. Retail rewards program? Password. Pizza delivery? Password. Uber? Password. Have your tax refund not be hacked? Password. E-file? Another password. 401K? password. GP? Password. Specialist? Password. Lab? Password. Play a game? Password. Library card? Password. New car? Password. Buy a textbook? Password. You cannot keep track of them all without duping or writing down. – Harper - Reinstate Monica Mar 28 '19 at 22:40
0

Many recommend password managers. I don't disagree, that is indeed sound advice, but there is another possibility.

It is fairly doable to let them record information on where to find the password without significantly weakening the integrity of the password - to most attack vectors. Have each bring a personal book (think: Alice in Wonderland or something), which are kept together in a single bookshelf and make every password a combination of 3-4 words from the book. You can then write down anywhere you like the page number, line number and word number of those words. Yes, password lookup will be slower but it will increase the security of your passwords against brute force attempts, it will ensure that physical access to the office is necessary, as well as a who's-book-is-which to break the code in addition to electronic access to their "stored" password. This is a huge improvement over storing the passwords in plaintext in a file on the workstation - which only needs a single successful phishing attempt to work.

As a bonus, the passwords are more secure and easier to remember. Obligatory xkcd

But, then again, if they can't be bothered to not write passwords down into an excel file - it can be a tough sell to establish a cumbersome procedure such as this. YMMV.

Stian
  • 109
  • 2
  • This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords). – OrangeDog Mar 26 '19 at 17:49
  • It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them. – OrangeDog Mar 26 '19 at 17:49
  • @orangedog but not all of them. – Stian Mar 26 '19 at 19:13
  • I think you are confused about what a phishing attack is. – OrangeDog Mar 26 '19 at 19:15
  • @orangedog Hardly, it rather seems like I am quite convinced. – Stian Mar 26 '19 at 19:18
  • @OrangeDog He doesn't mean "some of his passwords are immune to phishing." He means that they aren't compromised as a group when you make a single mistake. – Michael Mar 27 '19 at 12:23
  • @Michael only if the manager you use is online, doesn't have 2fa, and you are specifically phished for the master password. – OrangeDog Mar 27 '19 at 12:25
  • I am not talking about password managers (although they have the problem you just described). I am talking about your comment above: _"write your passwords in a notebook and lock it in a drawer"_ where if someone finds/steals/etc. a key, they clearly have a list of your passwords. – Michael Mar 27 '19 at 12:28
0

I agree with the other answers that a password manager is more secure than custom methods. Also note that protected Excel spreadsheets can be compromised easily than a password manager.

Having said that, If you have decided against using a password manager then you could use the following approach

  1. Have two password protected Excel files.
  2. Use different passwords for each Excel.
  3. Store the list of User names, services, etc... in one sheet and assign a unique number / test (eg: A001 for Adobe, S001 for Stack Overflow, etc...) for each record.
  4. Store the unique number and corresponding password in another Excel.
Kolappan N
  • 2,672
  • 14
  • 27
-2

If you do not want a password manager program, print them out and store then in a safe or something secure rather than just a notebook like your co workers use.

user197001
  • 21
  • 1
  • 4
    This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a *convenient* and secure location. A safe will not cut it. – Schwern Mar 25 '19 at 23:57
  • 2
    Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything. – ThoriumBR Mar 26 '19 at 01:53
-3

This is not really answering the question about co-workers, but for personal use this works great if you really don't want to use a password manager (like me).

You can easily store it in your mind: but don't remember the passwords, remember a formula.

For example, start with a base word, let's say "Password", and think of a couple of custom rules:

  1. Number of letters in website name (Facebook: 8), and add it to the end.
  2. Capitalize matching vowels (Facebook: A and O)
  3. Replace the Nth character with a number equal to number of syllables (Facebook: 2)

You end up with P2sswOrd8.

You can now "store" an infinite amount of mostly unique passwords in your head (even with just 3 rules).

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 6
    This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one? – schroeder Mar 26 '19 at 16:10
  • 3
    Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas. – schroeder Mar 26 '19 at 16:14
  • It was about storing credentials, and this is how I *store* them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an *example*, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP. – Jeffrey Roosendaal Mar 26 '19 at 16:31
  • 3
    Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose. – schroeder Mar 26 '19 at 16:41
  • [The entropy of this password generation method](https://security.stackexchange.com/questions/6095) is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) is an illusion. – zakinster Mar 26 '19 at 17:37
  • While this kind of formula is cryptographically weak, this idea should still work well because of real world factors. If your password was stolen via Phishing, Data Breach, etc. the attacker is still limited by standard brute force protections on other systems which does not give them enough guesses over time to reasonably crack even a basic cipher. Even if it only take seconds to break on a compromised system, against a portal that locks you out for a while after every few bad tries could keep you out for several lifetimes. – Nosajimiki Mar 28 '19 at 04:36