Password Tip #3: Write Them Down

That is probably the opposite of the advice you have heard regarding passwords. However, it is simply not possible to have strong, unique passwords for every site/application you use. I have 94 passwords! How can I have strong (preferably random), unique passwords without writing them down?

In 2005, Jesper Johansson and Bruce Schneier recommended people write their passwords down. Bruce goes a step further and recommends people write them down on a small piece of paper and keep it in their wallet. In my opinion, that is pretty good advice. We know how to protect our wallets and purses very well. The only downside to a wallet is that if the piece of paper is accessed, copied, and replaced, you may not know. However, given who can access your wallet without your knowledge, you may have bigger problems! You could add a 4-6 number PIN to these passwords to help if you fear this situation.

Combine this technique with a good password manager and you have a fairly strong technique for managing passwords. A good password manager will store unique passwords for each site/application you use in an encrypted form. Get a password manager that will generate random passwords of various strengths. For important sites, go with at least 14 random characters, including upper case, lower case, numbers, and symbols. This should get you above the NIST recommendation of 80 bits of entropy. Given the current state of digital computers and our understanding of physics, it should not be possible to brute force a password with this much entropy in a reasonable amount of time.
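To check the 14-character figure against the 80-bit target, here is an added example (not from the original post or from any particular password manager). It assumes the alphabet is the 94 printable ASCII characters and accounts for the small entropy loss caused by requiring every character class.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes the post asks for: upper case, lower case, numbers, symbols.
CLASSES = [string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # assumption: 26 + 26 + 10 + 32 = 94 printable ASCII

def generate(length=14):
    """Return a uniformly random password containing every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the result uniform over compliant passwords.
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def raw_entropy_bits(length=14):
    """Entropy of `length` independent draws from the full alphabet."""
    return length * math.log2(len(ALPHABET))

def entropy_bits(length=14):
    """Entropy once every class is required (inclusion-exclusion count)."""
    total = 0
    for k in range(len(CLASSES) + 1):
        for missing in combinations(CLASSES, k):
            remaining = len(ALPHABET) - sum(len(c) for c in missing)
            total += (-1) ** k * remaining ** length
    return math.log2(total)

def min_length(target_bits=80):
    """Shortest length whose class-constrained entropy meets the target."""
    length = len(CLASSES)
    while entropy_bits(length) < target_bits:
        length += 1
    return length

if __name__ == "__main__":
    print(generate(), f"{entropy_bits():.1f} of {raw_entropy_bits():.1f} bits")
    print("minimum length for 80 bits:", min_length(80))
```

These figures hold only for passwords chosen uniformly at random by a generator; a human-chosen 14-character password has far less entropy.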

The encryption key (or a portion of it) and passwords needed to access the password manager could then be stored in your wallet.

The next step is to combine this with a backup of the password manager file and the critical keys and passwords to access it in a safe deposit box or safe designed to house sensitive documents. Now you have a fairly strong technique for managing passwords — with a good salt of disaster recovery to boot.

If you're a business owner, consider revising your password policy to allow employees to use this effective technique.