I recently made the following comment on twitter and because Troy Hunt retweeted it, a few people liked/retweeted or commented on it.
I thought I would expand a bit on some of the things mentioned and what I personally think about the subject, which is not easily to express in 240 characters.
The best ways to keep track of passwords are as follows:
1) Memory: If you are God or other omniscient being then keeping track of your complex passwords for 100s (if not 1000s) of different online services is easy. For everyone else I would advise you avoid this method. I can't remember what day I got married and I am always making use of "Forgot My Password" links.
2) Password Managers: I keep my passwords in 1Password, it syncs between my laptop and phone so I can always access the login details I need. There are plenty of other Password Managers out there:
For some people trusting a company with all your secrets and login information is too much. I am happy with 1Password and people like Troy Hunt recommend them.
3) Write them down: Yes, you heard me correctly using a note book or product like I tweeted above is a viable option for some people. I would prefer you use a Password Manager but for some people this isn't an option. I have relatives that write passwords down in the back of a notebook.
I was surprised that a specific book was being sold for this purpose, but I can't say I am that surprised. As others on my twitter have suggested consider where you store this book. If it is locked up at home, the risk of others obtaining the book is low. If you carry it around with your laptop or leave it on the bus, anyone that picks it up has complete access to all your passwords in an unencrypted format.
4) Weak Passwords: Using the same password for multiple services or using weak or easy to guess passwords is the worst option. Your risk of someone gaining access to one or more of your accounts is high. All I need to do is know your username or email and I can try a load of weak passwords or worse if you details have been made public knowledge I can try these details on multiple other accounts and see what works.
Writing down unique secure passwords in your book or password manager is all you need to do to avoid this risk. Hackers need to break into your home steal your book and then try your password, much harder that just trying a load of credentials I have found on the dark web.
My last comment on this subject is that I am in no way trying to ridicule those that use paper base password managers (which is essentially what writing them down is!) They are a great way to improve your security by using more unique secure passwords. I also think that once you know all the accounts and login details you use, at some point in the future you could transfer this list to a password manager once the barriers to this have been solved.
Top comments (2)
I use Bitwarden, which is free (for a reasonable amount of features, and the paid plan is cheap for the value), and open-source (no need to trust, read the code for yourself). It can even be self-hosted, if that's your thing.
I generate 64+ all characters passwords for every site, or lower when they impose (stupid) restrictions. It's very easy to use, I might start using a Yubikey/OnlyKey to handle the master password, as it is now the SPOF.
I’m never going to be able to write something down and keep track of it. I’ve started using the “Suggested Password” feature in Safari, especially on risky sites or when I know I’ll only need it a few times. I like that it’s built in.