Practical Computer Advice
from Martin Kadansky
Volume 10 Issue 11, November 2016
The Best and Worst Places to Store Your Passwords - Are Yours Secure?
Basic principles of password security
In my experience there are 3 fundamental elements of password security:
1. Choosing strong passwords,
2. Choosing a different password for each account, and
3. Storing them securely.
Where do these ideas come from? Here's one part of my perspective:
Using the same password (or minor variations of the same password) for every online account is a bad and outdated idea. If any one of your passwords gets compromised, that puts all the accounts where you've also used it at risk. Given the increasing number and sophistication of hackers trying to break into your computer, and the increasing number of security breaches that have already happened around the world, this is not as unlikely as it sounds. For example, LinkedIn and Yahoo and Amazon all experienced security breaches recently, so if you used the same password for one of those and your online bank and credit card accounts, then your financial accounts are already at risk.
Therefore, to protect yourself, ideally you should be using a different password for every account. If you only have a handful of accounts, then you can probably remember them. However, if you're like most people you probably have so many accounts that you will never remember them all.
So, that means that you should write down all of your passwords. Where will you keep that list? On paper? In your computer? Ideally, you should store it in a place that protects it from getting stolen.
Read on for my advice on how to store your list of passwords securely.
What is "secure"?
Keeping your passwords secure means that you've taken reasonably thorough precautions to prevent unauthorized people from finding or stealing them. In some cases you may be legally obligated to do so, for example if you run a business and your passwords could give someone access to legally-protected confidential information about your customers, clients, patients, employees, intellectual property, trade secrets, and more.
Security and convenience are usually at odds with each other. When you make something more secure, you're also likely to make it less convenient. Unfortunately, that's the modern cost of protecting yourself.
However, no security is perfect. Every system has its potential vulnerabilities. It's important to weigh the risks vs. the benefits, think about the worst-case scenarios, and then make choices that are reasonable given your circumstances.
Password storage methods that are not secure
Here are some popular places where many people store their passwords that make them very vulnerable to being stolen.
Passwords written on paper (that are not under lock and key):
Anyone with access to your home or office could easily find and steal passwords stored like this.
- On your desk under your keyboard
- Taped to the underside of your keyboard
- Under your stapler
- On post-it notes stuck to your monitor or desk
- On a piece of paper on your desk or in a drawer
- In a loose-leaf or spiral-bound notebook
- In a paper address book
- In a paper Rolodex file
- Paper printouts or photocopies of your passwords
Passwords stored in your computer (without using encryption):
Anyone with access to your computer could easily find and steal passwords stored like this: a person with physical access to it, or a virus or hacker that gains access via the internet or that scams you into granting access, even once.
- Remembered in your web browser
- A document called "Passwords" that you've created anywhere on your computer, perhaps using Microsoft Word or Excel
- A document with any other name on your computer
- Email drafts that you've created (but not sent) containing password information
Passwords stored in your smartphone or tablet (without using encryption):
Anyone with access to your device could easily find and steal passwords stored like this.
- Electronic "Notes" containing password information
Passwords sent via regular (insecure) email:
Any information that you send using regular (unencrypted) email puts that information at risk of being stolen. Email is neither private nor secure. Sending an email is like mailing a postcard, and hackers and thieves can easily read the contents. You should never send passwords (or any other confidential or sensitive data) via regular email.
- Emails that you have sent to yourself containing password information
- Emails that you have sent to anyone else containing password information
Password storage methods that may mislead you into thinking they're secure
Just because a technology uses a password does not automatically make it secure by modern standards, especially one that uses low-grade or out-of-date encryption. For example:
- An old-style .zip file to which you've added a password
- A Word or Excel file to which you've added a password
Such files might prevent an inexperienced thief from getting your passwords, but there are many methods an experienced or resourceful person could use to break into such files.
Password storage methods that use modern security and encryption but present other issues
Cloud-based password-storage services or "password managers" have become very popular, including Lastpass, Dashlane, Roboform, 1Password, and others. These services typically store your passwords in a secure, encrypted database that may be located on your computer, but is also stored online ("in the cloud") and can be synchronized among your devices. This makes your passwords available to you from any computer or mobile device, as long as you remember your master password.
While that's very sophisticated and convenient, in my opinion any data that you store online is by definition less secure than data that you store only on your computer or on other devices in your possession. You have to trust that the service you're using will store your data securely, be available when you need it, not have a security breach (get broken into by hackers), not lose your data, not have a rogue employee, not give your data to someone else (like the government), not close your account, not go out of business, or not otherwise put your data at risk, even if it's encrypted. As a side note, some online services don't make it very clear how to back up your data, which further reduces your ability to protect your data yourself.
So, in my opinion, I don't care how secure or encrypted such services are. The risk of using them far outweighs their convenience. Thus, I do not recommend storing passwords (or other extremely sensitive data) online or "in the cloud," nor letting such data get transmitted or synchronized over the internet, period.
Password storage methods that are reasonably secure
Here are a number of approaches that I do recommend for storing passwords securely, including ways you can turn an insecure method into a secure one:
- Lock your paper password chart in a desk or file cabinet or office when not in use, away from family, cleaning staff, visitors, and others. Talk to a locksmith about ways you can add a lock to existing cabinets or offices, and consider using combination locks to eliminate having to store and copy keys. If you're traveling (and the list is compact enough), keep it in your wallet or on your person at all times.
- Create an encrypted container (folder) on your computer using modern encryption software and a strong password, move your "Passwords" document (and other sensitive files) into it, lock the container when not in use, and then securely delete ("shred") the original, unprotected document. See "Where to go from here" for specific suggestions.
- Use password-management software that stores its encrypted database on your computer (not in the cloud), and choose a strong master password for the database. If you also need passwords when you're on the road, either print them out (and be extremely careful with that printout, shredding it when you get back), or use a program that also offers a companion app for your smartphone or tablet that syncs over your local network, not via the cloud. See "Where to go from here" for specific suggestions.
- Obfuscation: Use your own secret code or abbreviations to mask your passwords. For example, if it's your convention that "A" stands for "Albert" and "B" stands for "Bubble," then writing "A123" or "5B!" on your password list would not give a thief any useful information to break into your accounts, as long as you never write down what "A" and "B" stand for.
What's the best choice for you to store your passwords?
I have no idea what's best for you. Everyone's situation, needs, and budget will be different. I can only suggest that you ask yourself questions like the following:
How many passwords are you keeping track of? The more you have, the more you need a systematic approach.
Are these passwords all for you, or are they for other people as well?
Where are you likely to be when you need a password?
- At home?
- At the office?
- When you're out just for the day?
- When you're traveling out of town?
Which of your many passwords do you need to access and when? For example, do you always need all of your passwords, or are there times when a subset would be appropriate, like when you're traveling?
Where are you comfortable storing your passwords?
- Do you like the idea of storing passwords on your computer? On your smartphone or tablet? Perhaps both?
- Will you always have your computer with you when you need a password? If not, are you likely to have your smartphone or tablet handy?
- Are you comfortable with the risks of storing your passwords online, a.k.a. "in the cloud"?
- Do you prefer paper?
Besides you, who else has a legitimate need to access some or all of your passwords?
- Your spouse?
- Your business partner or successor?
- Your employer?
- Your employees?
- Your executor or power of attorney, in case you die or become disabled?
Besides you, who has physical access to your home or office or other space where you store your papers, computer, and other devices? This includes your family, co-workers, employees, customers, clients, visitors, cleaning staff, repair and maintenance workers, parking garage valet, landlord, tourists, etc. How will you store your passwords securely so that even someone with physical access (including someone who might steal your computer) cannot access them without authorization?
Whatever system you're thinking about setting up, have a trusted friend or colleague review it with you for potential security flaws or vulnerabilities before you commit to using it.
Where to go from here
Review how you store your passwords. Take reasonable steps not to expose them to unauthorized people, whether "in the room" or via the internet. Improve your security. It will be less convenient, but it's worth it.
Here are good tools for creating general-purpose encrypted containers (folders) on your computer:
- http://veracrypt.codeplex.com - VeraCrypt, a free encryption tool for Windows and Macintosh, a successor to TrueCrypt; see http://ostif.org/the-veracrypt-audit-results for the security audit it underwent in October 2016, so be sure to get version 1.19 or later
- http://winzip.com - WinZip, a commercial encryption tool for Windows and Macintosh
- If you're on Macintosh, the .dmg file format (a "virtual disk image" which supports encryption) is another secure storage option that's built in; to learn more, google: create encrypted .dmg
Good tools for securely deleting ("shredding") files on your computer:
- Windows: http://eraser.heidi.ie - Eraser, which can "shred" both existing files, as well as erase your hard drive's free space
- Macintosh: Use the "Secure Empty Trash" command built into the Finder, or Disk Utility's function to erase your hard drive's free space
Password-management software that runs on Windows and Macintosh and only uses your local network, or that includes the option to work locally and avoid the cloud, some of which also support iPhone, iPad, and Android:
I use and recommend SplashID; the others I have only read about.
Read more about security breaches:
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to firstname.lastname@example.org and I'll add you to the list, or visit http://www.kadansky.com/newsletter
Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2016 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.