Ask HN: Is it time to start writing passwords down again?

7 points by jl6 ↗ HN
Over the last few years I have lost a lot of trust in the electronic systems I use, to the point where the basic physical security on my home feels more secure than any part of any my computers.

I feel I am far more likely to be compromised by anonymous remote hackbots using 0days on my password manager than by burglars.

Is it time to keep my passwords on paper?

9 comments

[ 3.1 ms ] story [ 29.0 ms ] thread
It's time to use complex, un-rememberable passwords that are unique for each system you use.

"unlock" them using a master password that's secure and you can remember (not 'correct horse battery staple') and that you use FOR NO OTHER SYSTEM.

If a site is compromised, you will lose your account on that site regardless of how strong your security for your account is.

However, the main problem at the moment is the chain of compromise -- people who use the same credentials and the same username on multiple sites and on 'core' systems like their e-mail account. One site gets compromised, which leaks the same credentials you use for your e-mail address, and all of a sudden they have access to your entire online identity.

I use LastPass (http://lastpass.com, stores your encrypted passwords remotely so you have to trust lastpass.com) and pay for a premium subscription ($1/month?) with a master password not used elsewhere.

But there are other alternatives like http://keepass.info/ (stores your passwords locally, can sync with dropbox. No trusting an external service required.)

Also https://agilebits.com/onepassword (1password), similar to keepass, but not open source (I don't think). Better UI.

I agree with most of what Kalleth says. However there is just no way that you can trust a North American company to keep your passwords safe, especially when the code is closed source.

I've built https://elipsis.io and if you are tech savvy I recommend that you host your own service. Don't do it on a VM but on a dedicated box.

An alternative is to use use https://www.clipperz.com/ since they are also open source but I really hate their user interface.

Like @kalleth said, you can also use keepassx with dropbox.

Your site looks interesting, but note that https://elipsis.io/status is a 404.
yes I know. Thanks for letting me know. I've stopped working on it. Only a friend and me are using it. I'll leave it as is and free as long as there are only a few users.

I might add 2 factor auth sometime in the close futur.

I try to use a different password for every site and I remember all the passwords I use. This is obviously not helpful to anybody and would be thoroughly impractical even for me to rely on, because not everybody is good at remembering 18-30 character strings of letters, numbers and symbols, and equally I figure one day I will not have the same ability to remember them either.

So I keep the de facto "ciphers" on paper. These ciphers usually take the form of differential equations that give fairly lengthy, rational numerical solutions. Equations have the advantage of not looking like a cipher, especially if you're known to be a mathematician. Even if I lost the paper or it was destroyed, the equations are memorable to me for having played a role in some of my studies a long time ago. I could root around in my notes and find them again.

The equations are all I need to have on paper because I can just do the math and remember how I form the solution into a password to include letters and symbols. Even if I forgot how exactly I formed the solution, with the numerical string resolved I could quite simply brute force the few characters remaining. I keep this bit of paper safe but separate to my credit cards and cash because that's the most likely thing to be stolen from me.

But you know what? I don't even consider this a particularly secure solution. It's just more fun. And it has to be better than storing passwords with a password manager, using a pen drive or keeping passwords themselves on paper.

I'm considering crocheting my SSH private key into a blanket, so that I can safely and clandestinely transport it across borders. Holes representing 0s and stitches representing 1s, with strong parity to mitigate transcription errors.

I will call it my "security blanket".

> ... with strong parity to mitigate transcription errors.

How would you deal with coffee stain errors?