• 𝕸𝖔𝖘𝖘@infosec.pub · ↑7 · 41 minutes ago

    I see no issue with this, especially for an elderly person, for example, to keep at home. The only way this will get “breached”, is if someone breaks into her home. At that point, the password book is the least of her concerns anyway. In fact, from a cyber security point of view, this is brilliant if kept in a safe place, such as a locked safety box. You can’t really remotely hack a physical book.

  • flop_leash_973@lemmy.world · ↑2 · 17 minutes ago

    My mother uses something similar to keep track of her passwords for everything. While I prefer a password manager like Bitwarden or KeePass, I would rather her use a notebook like this over something like Google's or Apple's password managers.

    Or even worse, the same password for everything.

  • Angel Mountain@feddit.nl · ↑28 · 3 hours ago

    Still better than using the same password everywhere and/or saving passwords in an unencrypted text file on your computer somewhere.

    Just not very user friendly.

    • snooggums@lemmy.world · ↑4 · edited · 3 hours ago

      It is very user friendly, at least for reliability and security if you keep it in a safe location. It is cumbersome and slow.

  • ansiz@lemmy.world · ↑12 · 3 hours ago

    Sure, it’s a horrible idea in an open office environment but if someone wants to use this at home for all their passwords it really won’t hurt anything.

  • LogicalDrivel@sopuli.xyz · ↑5 · edited · 3 hours ago

    I'm guilty of this. I don't write out the passwords in plaintext though. It's mostly just a few letters to remind me of which version of my many “master” passwords I used and then asterisks. P***W0*******$ kinda thing. I know it's bad but I can't bring myself to trust a password manager.

    • MangoCats@feddit.it · ↑6 · 3 hours ago

      If you keep the book secure, it’s probably safer than any computer based record system - right up until someone untrustworthy gets their eyes on the book.

      With a physical book, you can store it in a safe deposit box when you don’t need access, make partial copies, copies take (everyone, bad guys and good) significantly longer to make even with a photocopy process… most importantly, people intuitively understand the vulnerabilities of a physical book.

      Now, the physical book won’t stop keyloggers…

    • TwoBeeSan@lemmy.world · ↑2 · 3 hours ago

      Of the 200 elderly I see maybe 75% still use the book or a variation of it.

      The best is when they use iPad notes or even their fucking contacts to save info lol

    • hansolo@lemmy.today · ↑6 · 5 hours ago

      Can confirm. I had to do a double take that I didn’t write this comment and just forget.

  • TheGrandNagus@lemmy.world · ↑46 ↓1 · 7 hours ago

    Honestly, a physical password book isn’t a bad idea.

    Not accessible via the internet, and in most cases if someone has physical access to your system you’re done for anyway.

    The main weakness it has is from a nosey flatmate, spouse, or child in the house.

    • tiramichu@sh.itjust.works · ↑23 · 5 hours ago

      Yep. My Dad in his late 70s uses this system and it works great for him.

      People make fun of it, but for people with low tech literacy this is actually far better than having a mish-mash of solutions where some of their logins end up automatically saved in iOS on their phone, some are saved in Chrome on the desktop, some are just in their head, they don’t know where anything is, and are constantly losing access and resetting credentials all the time.

      And it definitely reduces the burden on me of parental tech support, when it’s all in the book.

    • tarknassus@lemmy.world · ↑4 ↓1 · 3 hours ago

      “People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down.

      We’re all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

      Obscure it somehow if you want added security: write “bank” instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don’t do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize.”

      Bruce Schneier - 2005.

    • Darren@sopuli.xyz · ↑10 · 5 hours ago

      My Mum died recently and my step dad is shit with tech, so their password book was invaluable in helping us gain access to her Apple account and her phone. It meant we were able to get to her iCloud passwords, so now we have access to everything.

      So yeah, password books are actually pretty handy.

    • brot@feddit.org · ↑7 · 5 hours ago

      Yeah, my in-laws have such a book and it honestly is great. They live in their own flat where nobody can access the book without breaking in. They do not save their passwords in their browser, so anyone hacking into their PC can’t grab them. If they want to log in to an account, they take out their book, put in the user name and unique password and that’s it. Quite the good method and I really do not see many problems there.

    • A_norny_mousse@feddit.org · ↑1 ↓2 · edited · 5 hours ago

      The main weakness it has is from a nosey flatmate, spouse, or child in the house.

      I disagree. Using this book will always lead to shorter passwords that are easier to type. That’s the main weakness imo.

      Or in other words: it really depends what the user fills it with. It should be accompanied by a little machine that spits out random passwords, I’m thinking a Rubik’s-cube-shaped bling pendant at the end of the bookmark band.

      • Telodzrum@lemmy.world · ↑4 ↓1 · 4 hours ago

        Not at all. It will lead to easier to type passwords, likely. But that doesn’t mean shorter. This could easily be filled with passwords that are four words long with special characters interspersed.

        • A_norny_mousse@feddit.org · ↑1 ↓1 · edited · 3 hours ago

          Which you then have to type out every time. Laziness wins: they will be shorter.

          The assumption is that the product is for non-savvy users. They might not even understand what you wrote up there.

          Autocorrect can help here, but dictionary words are easily brute-forced, esp. when they’re enclosed by special characters. And that hypothetical user would have to come up with that idea in the first place. But people who come up with such ideas usually already use password managers anyhow.

    • hansolo@lemmy.today · ↑1 ↓2 · 5 hours ago

      What this book likely doesn’t suggest, is to just code the username.

      I have 2FA backup codes in my go bag and nowhere do I write the usernames or even the service if it’s important.

      You know your email address. If you lose this in an airport, writing “main email” makes it useless to anyone else.

  • A_norny_mousse@feddit.org · ↑5 · 5 hours ago

    My master password is physically present as a mnemonic device, but not available digitally. Anywhere.

    Beyond that I really cannot recommend this book: You need to be able & willing to type your passwords out, which means simpler and shorter passwords. I use 99-character completely random ASCII strings by default. Try typing that in even once.

    But there’s a different, unspoken criticism here: don’t store your database on a 3rd party server, a.k.a. “The Cloud”. I use KeePassXC btw. - and my very own “cloud”.

  • Onno (VK6FLAB)@lemmy.radio · ↑124 ↓1 · 10 hours ago

    Here’s the thing … as crazy as a notebook with passwords sounds, it’s not accessible to someone across the internet.

    • A_norny_mousse@feddit.org · ↑3 ↓1 · 5 hours ago

      It depends on what the user fills it with.

      Even the objectively safest solutions will be much shorter, and have less entropy, than what a pw-manager can deal with.
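
To put numbers on the entropy argument in this reply and in the earlier exchange about four-word passphrases versus short typed passwords, here is an added Python example; it is mine, not code posted by anyone in the thread. It computes the search space of a few candidate schemes and includes a small CSPRNG-based passphrase generator of the kind the "little machine that spits out random passwords" would need. The word list, the guess rate and the scheme labels are constructed assumptions; the formulas assume the attacker knows which scheme was used and only the random choices are unknown.

```python
import math
import secrets

# Constructed, deliberately tiny word list for the demo. A real generator would use a
# list such as the EFF large list (7776 words); entropy below is computed from the
# actual list size, so passphrases from DEMO_WORDS are far weaker than real ones.
DEMO_WORDS = ["anchor", "brick", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
              "iris", "jigsaw", "kettle", "lumen", "marsh", "nickel", "oak", "pine"]

PRINTABLE_ASCII = 95      # the characters 0x20..0x7E
EFF_LARGE_LIST = 7776     # 6^5 words, the usual diceware list size

def random_string_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size=EFF_LARGE_LIST):
    """Entropy of `word_count` words drawn uniformly from a list of `wordlist_size` words.
    A fixed separator or capitalisation pattern adds nothing; only random choices count."""
    return word_count * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at the given rate (an attacker needs half of it on average)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def generate_passphrase(word_count, words=DEMO_WORDS, sep="-"):
    """Pick words with the OS CSPRNG; secrets.choice is uniform, so passphrase_bits() applies."""
    return sep.join(secrets.choice(words) for _ in range(word_count))

def compare(guesses_per_second=1e10):
    """Constructed assumption: 1e10 guesses/s, a ballpark for an offline attack on a fast
    hash. An online login form with rate limiting is many orders of magnitude slower, so a
    password that is only ever tried online needs far fewer bits than one in a leaked hash."""
    schemes = {
        "8 random printable chars (typed from paper)": random_string_bits(8),
        "4 EFF words (typed from paper)": passphrase_bits(4),
        "6 EFF words (typed from paper)": passphrase_bits(6),
        "16 random printable chars (manager autofill)": random_string_bits(16),
        "99 random printable chars (manager autofill)": random_string_bits(99),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:48s} {bits:6.1f} bits  {years:.3g} years to exhaust")
    print("sample passphrase from the demo list:", generate_passphrase(4))
```

Four EFF words (about 51.7 bits) sit roughly level with eight fully random printable characters (about 52.6 bits) while being far easier to copy from a page; six words pass 77 bits and beat sixteen random characters only when those characters are not truly random. The 99-character string from the comment above is about 650 bits, which no guess rate makes relevant, so the practical difference between the book and a manager is not the length ceiling but whether the entries were generated randomly at all.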

    • 6nk06@sh.itjust.works · ↑46 ↓3 · 9 hours ago

      Password managers check the URL before giving its data. A human being can be fooled into giving it to a fake web site.

      • MentalEdge@sopuli.xyz · ↑27 ↓2 · edited · 9 hours ago

        TBF, they can be fooled too.

        Bitwarden warns against using autofill on load for that very reason, as then simply loading a malicious page might cause it to provide passwords to such a site.

        And then a human, when a site doesn’t autofill, is more likely to just go “huh, weird” and do it manually.

        • Darkassassin07@lemmy.ca · ↑13 · edited · 8 hours ago

          You’ve always got the human element, bypassing security features; but extra little hurdles like a password manager refusing to autofill an unknown url is at least one more opportunity for the user to recognize that something’s wrong and back away.

          If you’re already used to manually typing in the auth details, you may not even have an opportunity to notice you’re not on the site you were expecting.
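
The URL check discussed in this exchange, as an added Python example that is mine and not part of any password manager's code: it decides whether a saved credential may be offered on the current page, in the three match modes that managers commonly expose (base domain, host, exact), and refuses the classic phishing shapes, namely lookalike domains, the real name buried in a subdomain of an attacker's site, a Cyrillic homograph, and an https credential requested by an http page. The public-suffix list is a constructed stub of a few entries; a real implementation uses the full Mozilla list. Note what the check cannot do: it runs only on the page URL, so it does not help on a legitimate site that has been compromised, and with autofill-on-page-load it runs with no human in the loop at all.

```python
from urllib.parse import urlsplit

# Constructed, minimal public-suffix list. The real Public Suffix List has thousands
# of entries; without it "bank.co.uk" and "other.co.uk" would look like one site.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "com.au"}

def normalized_host(url):
    """Lower-cased hostname in xn-- (punycode) form, so a hostname with a Cyrillic 'а'
    never compares equal to its Latin lookalike. Unencodable names are treated as no host."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""

def registrable_domain(host):
    """eTLD+1: the shortest suffix of `host` that is one label longer than a public suffix."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host

def should_autofill(stored_url, page_url, mode="base_domain"):
    """Return True only if the credential saved for `stored_url` may be offered on `page_url`.
    mode: "base_domain" (eTLD+1 match, the usual default), "host" (exact host and port),
    or "exact" (the whole URL string)."""
    stored, page = urlsplit(stored_url), urlsplit(page_url)
    s_host, p_host = normalized_host(stored_url), normalized_host(page_url)
    if not s_host or not p_host:
        return False
    # Never hand an https credential to an http page: anyone on the network can serve it.
    if stored.scheme == "https" and page.scheme != "https":
        return False
    if mode == "exact":
        return stored_url == page_url
    if mode == "host":
        return s_host == p_host and stored.port == page.port
    return registrable_domain(s_host) == registrable_domain(p_host)

if __name__ == "__main__":
    saved = "https://www.paypal.com/login"            # constructed stored credential
    for candidate in ["https://accounts.paypal.com/signin",   # same site, other host: fill
                      "https://paypa1.com/login",             # digit-for-letter lookalike
                      "https://paypal.com.evil.com/login",    # real name as a subdomain
                      "https://pаypal.com/login",             # Cyrillic 'а' homograph
                      "http://www.paypal.com/login"]:         # scheme downgrade
        print(f"{candidate:42s} -> {should_autofill(saved, candidate)}")
```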

    • vext01@lemmy.sdf.org · ↑11 · edited · 7 hours ago

      Yeah, it’s actually quite a secure way to store passwords, since it requires physical access.

      I knew a guy who had a drawer full of slips of paper with passwords written on. He called it the “security drawer”. Made me smile, but probably shouldn’t have been advertising it.

    • Midnight Wolf@lemmy.world · ↑2 ↓1 · 5 hours ago

      Their Ring camera that points directly at the desk they keep this notebook on: “it’s showtime”

    • tabular@lemmy.world · ↑5 · 7 hours ago

      I’ve not found anything better. Storing on my computer, or worse someone else’s computer, doesn’t seem safe.

      • bdonvr@thelemmy.club · ↑7 · 6 hours ago

        It’s pretty safe. Competent password managers will be heavily encrypted. Having your passwords hacked is essentially unheard of. You don’t have to worry about it being on someone else’s computer as without your master password the password file is useless.

        I think the biggest case was LastPass, and they did it by getting a keylogger onto a developers PC to get at their password, but afaik customer passwords were safe unless your master password was weak or reused from a breached one.

        But, a notebook isn’t hackable at all. But then the people around you could potentially get into it, which is a far more likely threat for a ton of people.

        Either way use 2FA at every site that will allow it.

        • greybeard@feddit.online · ↑1 · 3 hours ago

          LastPass’s biggest problem was that they were almost the first in the game, and mistakes/choices they made 20 years ago bit them hard when they got hacked.

          There were two major issues with LastPass’s security model:

          1. Non-password data wasn’t encrypted. So usernames and URLs were visible by the people who stole the vaults.
          2. Passwords were encrypted with a number of iterations based on when the account was created, so older accounts were only run through a single iteration. The iteration process makes it much harder to guess the master password (by making it take a longer time). So single iteration makes it pretty quick to guess the password.

          So with flaw 1 you could see what vaults might have valuable passwords like banks and crypto wallets. And with flaw 2 you could reasonably quickly break into the vaults of long time users.

          So aside from their lax security allowing the compromise to happen in the first place (Nothing is fool proof), they weren’t providing the level of protection most people assumed.

          More modern password managers like Bitwarden fixed those problems a long time ago.
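
The two flaws described in the comment above, as an added Python example of my own (not LastPass or Bitwarden code): a simplified model of a vault-key derivation with PBKDF2-HMAC-SHA256 salted with the account e-mail, the offline guess loop an attacker runs against a stolen vault, a one-derivation benchmark that shows why the iteration count is the attacker's cost, and a triage step that ranks stolen vaults by the cleartext URLs they carry. The account, candidate list and URLs are constructed; the real products add a second derivation for the login hash, which is omitted here; and the iteration figures in the demo (1 for the oldest accounts, 5,000 and 100,100 as successive LastPass defaults, 600,000 as current OWASP guidance for this KDF) are stated as I recall them and should be checked against current vendor documentation.

```python
import hashlib
import time

def derive_vault_key(master_password, email, iterations):
    """Simplified model: stretch the master password with PBKDF2-HMAC-SHA256, salted with the
    lower-cased account e-mail, into the 256-bit key that encrypts the vault. (Assumption:
    the products' extra login-hash step is left out; it does not change the cost argument.)"""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, 32)

def crack_master_password(candidates, email, iterations, target_key):
    """The attacker's offline loop over a stolen vault. Returns (password, guesses) or
    (None, guesses). Every guess costs a full PBKDF2 run at the vault's own iteration count,
    so a 1-iteration vault is tried at roughly raw SHA-256 speed."""
    for n, guess in enumerate(candidates, 1):
        if derive_vault_key(guess, email, iterations) == target_key:
            return guess, n
    return None, len(candidates)

def seconds_per_guess(iterations, email="bench@example.com"):
    """Time one derivation; the ratio between two iteration counts is the attacker's slowdown."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only", email, iterations)
    return time.perf_counter() - start

def triage_vaults(vault_metadata, keywords=("bank", "coinbase", "binance", "paypal")):
    """Flaw 1: with URLs stored in the clear next to the encrypted passwords, an attacker can
    rank the stolen vaults by likely value before spending any KDF work on them.
    vault_metadata maps an owner to the cleartext URL list from that owner's vault."""
    ranked = []
    for owner, urls in vault_metadata.items():
        hits = [u for u in urls if any(k in u.lower() for k in keywords)]
        if hits:
            ranked.append((owner, hits))
    return sorted(ranked, key=lambda item: len(item[1]), reverse=True)

if __name__ == "__main__":
    email = "alice@example.com"                                # constructed account
    stolen = derive_vault_key("Summer2012!", email, 1)         # a 2009-era account: 1 iteration
    wordlist = ["password", "letmein", "Summer2012!", "correct horse battery staple"]
    print("cracked:", crack_master_password(wordlist, email, 1, stolen))
    for iters in (1, 5_000, 100_100, 600_000):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1000:8.3f} ms per guess")
    print(triage_vaults({"alice": ["https://mybank.example", "https://cats.example"],
                         "bob": ["https://forum.example"]}))
```

The benchmark makes the comment's point concrete: going from 1 to 600,000 iterations multiplies the attacker's per-guess cost by the same factor, which is the only thing standing between a weak master password and the vault once the ciphertext has been stolen. It also shows what the KDF cannot fix: a master password that appears in a leaked wordlist is found at guess number three regardless of iteration count, just more slowly.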

        • tabular@lemmy.world · ↑4 · 6 hours ago

          One master password to rule them all, One server to find them, One password to bring them all, and in the darkness bind them.

          Yeah I use 2FA with the master notebook.

      • Bonesince1997@lemmy.world · ↑2 · 7 hours ago

        The trick is to use code language, and don’t forget the code. Then you can use digital sources more freely, I feel.

    • Shifty Eyes@leminal.space · ↑2 · 7 hours ago

      My ex kept hers in an unprotected Excel file. I never peeked, I was just surprised when I saw her accessing it on her laptop.

    • A_norny_mousse@feddit.org · ↑1 ↓1 · 5 hours ago

      It really depends what the user fills it with. “Clever” solutions like using your daughter’s birthday, or other hard-to-remember-but-easy-to-deduce strings.

      It should be accompanied by a little machine that spits out random passwords, I’m thinking a Rubik’s-cube-shaped bling pendant at the end of the bookmark band.

  • StrawberryPigtails@lemmy.sdf.org · ↑49 ↓1 · 10 hours ago

    So… It’s a password book? Like, pen and paper? Not the best choice for storing passwords, but I’d be more willing to do that than trusting Amazon not to hold my passwords hostage with a digital service by them.

  • logicbomb@lemmy.world · ↑20 · 9 hours ago

    This isn’t even weird.

    I think most security experts would recommend that you have your most important passwords written down somewhere, and then hopefully locked up in some safe or deposit box somewhere. You don’t need to buy an entire book for it, but some people like to spend money.

    If this is for your less important passwords, then for the most part, writing them down is actually better. You won’t be as tempted to reuse your banking password for your social media. And some people like writing things down. A password manager is a better solution, but lots of people aren’t as good with technology and if they even let the browser remember it, they won’t know how to retrieve it later if they want to use a different computer, for example.

    • GreenKnight23@lemmy.world · ↑8 ↓1 · 8 hours ago

      I have a letter in my safe in the event of my death that contains all my passwords and accounts. I have also slipped in a dead man switch that she’s unaware of that will wipe out my “collection of science”.

    • MonkderVierte@lemmy.zip · ↑5 · 8 hours ago

      My password manager is a script that gpg-decrypts to XDG_RUNTIME_DIR and then opens it in an editor, and encrypts it back on changes. Is that bad?
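
The decrypt-edit-re-encrypt workflow described in this comment, written out as an added Python example of my own (not the commenter's script) under a hypothetical name, pwedit.py, and with an assumed vault path and key id. Whether the approach is sound depends on details the one-line description leaves open, so the example makes each of them explicit: the plaintext lands in a private, usually memory-backed directory (XDG_RUNTIME_DIR, with a 0700 fallback that may be on disk); the editor's swap, backup, undo and viminfo files are disabled for vim so no second copy of the plaintext appears; the vault is re-encrypted only when the content changed and replaced atomically; and the plaintext is overwritten and removed whatever happens, including on an editor crash. gpg is called through subprocess with the flags shown, which exist in GnuPG 2.x.

```python
import hashlib
import os
import subprocess
import sys
import tempfile

VAULT = os.path.expanduser("~/.local/share/pwvault.gpg")   # assumed vault location
RECIPIENT = "me@example.com"                                # assumed key id or user id

def is_private(path):
    """True when `path` is mode 0700 and owned by the current user."""
    st = os.stat(path)
    return (st.st_mode & 0o777) == 0o700 and st.st_uid == os.getuid()

def runtime_dir():
    """Private scratch directory. XDG_RUNTIME_DIR is per-user, 0700 and normally tmpfs, so the
    plaintext never touches disk and is wiped at logout. The fallback under the system temp
    directory is forced to 0700 but may be on disk, where overwriting gives no guarantee."""
    d = os.environ.get("XDG_RUNTIME_DIR")
    if not d or not os.path.isdir(d):
        d = os.path.join(tempfile.gettempdir(), f"pwvault-{os.getuid()}")
        os.makedirs(d, mode=0o700, exist_ok=True)
    os.chmod(d, 0o700)
    if not is_private(d):
        raise RuntimeError(f"{d} is not a private directory")
    return d

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def changed(before_digest, path):
    """Re-encrypt only when the editor wrote something different; avoids a pointless rewrite."""
    return digest(path) != before_digest

def gpg(*args):
    subprocess.run(["gpg", "--batch", "--quiet", "--yes", *args], check=True)

def editor_command(editor, path):
    """vim/nvim keep swap, backup and undo files beside the file and record text in viminfo;
    turn all of that off for this one invocation instead of trusting the user's defaults."""
    if os.path.basename(editor) in ("vim", "nvim"):
        return [editor, "-n", "-i", "NONE", "+set nobackup nowritebackup noundofile", path]
    return [editor, path]

def wipe(path):
    """Overwrite with zeros, then unlink. Sufficient on tmpfs; only best-effort on disk."""
    if os.path.exists(path):
        size = os.path.getsize(path)
        with open(path, "r+b") as f:
            f.write(b"\0" * size)
            f.flush()
            os.fsync(f.fileno())
        os.unlink(path)

def edit_vault(vault=VAULT, recipient=RECIPIENT, editor=None):
    editor = editor or os.environ.get("EDITOR", "vi")
    fd, plain = tempfile.mkstemp(prefix="vault-", dir=runtime_dir())   # mkstemp creates 0600
    os.close(fd)
    try:
        gpg("--output", plain, "--decrypt", vault)
        before = digest(plain)
        subprocess.run(editor_command(editor, plain), check=True)
        if changed(before, plain):
            tmp = vault + ".new"
            gpg("--output", tmp, "--recipient", recipient, "--encrypt", plain)
            os.replace(tmp, vault)   # atomic: a crash here never leaves a truncated vault
    finally:
        wipe(plain)                   # runs on success, editor failure and Ctrl-C alike

if __name__ == "__main__":
    edit_vault(*sys.argv[1:])
```

What the script still cannot cover is the window while the editor is open: the plaintext is readable by any process running as the same user for that whole time, which is the same exposure a GUI password manager has with its vault unlocked, and the reason to keep the edit session short.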