Ask HN: Is it time to start writing passwords down again?
Over the last few years I have lost a lot of trust in the electronic systems I use, to the point where the basic physical security on my home feels more secure than any part of any my computers.
I feel I am far more likely to be compromised by anonymous remote hackbots using 0days on my password manager than by burglars.
Is it time to keep my passwords on paper?
9 comments
[ 3.1 ms ] story [ 29.0 ms ] thread"unlock" them using a master password that's secure and you can remember (not 'correct horse battery staple') and that you use FOR NO OTHER SYSTEM.
If a site is compromised, you will lose your account on that site regardless of how strong your security for your account is.
However, the main problem at the moment is the chain of compromise -- people who use the same credentials and the same username on multiple sites and on 'core' systems like their e-mail account. One site gets compromised, which leaks the same credentials you use for your e-mail address, and all of a sudden they have access to your entire online identity.
I use LastPass (http://lastpass.com, stores your encrypted passwords remotely so you have to trust lastpass.com) and pay for a premium subscription ($1/month?) with a master password not used elsewhere.
But there are other alternatives like http://keepass.info/ (stores your passwords locally, can sync with dropbox. No trusting an external service required.)
Also https://agilebits.com/onepassword (1password), similar to keepass, but not open source (I don't think). Better UI.
I've built https://elipsis.io and if you are tech savvy I recommend that you host your own service. Don't do it on a VM but on a dedicated box.
An alternative is to use use https://www.clipperz.com/ since they are also open source but I really hate their user interface.
Like @kalleth said, you can also use keepassx with dropbox.
I might add 2 factor auth sometime in the close futur.
So I keep the de facto "ciphers" on paper. These ciphers usually take the form of differential equations that give fairly lengthy, rational numerical solutions. Equations have the advantage of not looking like a cipher, especially if you're known to be a mathematician. Even if I lost the paper or it was destroyed, the equations are memorable to me for having played a role in some of my studies a long time ago. I could root around in my notes and find them again.
The equations are all I need to have on paper because I can just do the math and remember how I form the solution into a password to include letters and symbols. Even if I forgot how exactly I formed the solution, with the numerical string resolved I could quite simply brute force the few characters remaining. I keep this bit of paper safe but separate to my credit cards and cash because that's the most likely thing to be stolen from me.
But you know what? I don't even consider this a particularly secure solution. It's just more fun. And it has to be better than storing passwords with a password manager, using a pen drive or keeping passwords themselves on paper.
I will call it my "security blanket".
How would you deal with coffee stain errors?