For the majority of my clients who use this kind of system, it is totally dysfunctional.
Most of the records are incorrect, my guess is that they occasionally reset the password on mobile while the book is inaccessible and then don’t remember to update it in the book later.
Effective use relies on the user’s understanding of umbrella accounts. I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.
As passwords get updated, it can become a mess of crossed out records with new ones squished into the margins. When a someone dies, anything written illegibly can be difficult for surviving family to discern.
As the book gets filled out, it can get tricky to keep things alphabetized unless the user provisioned additional empty space between records.
This system can work great for someone who is meticulous, neat, and organized.
For your average person, I’ve had better luck solving the problem with a password manager synced to an online account that is protected by MFA and has recovery options that are also protected by MFA.
I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.
In fairness to them, I get a new email every month or two from Microsoft letting me know that they merged another account that I didn’t ever ask them to.
Yep. My Dad in his late 70s uses this system and it works great for him.
People make fun of it, but for people with low tech literacy this is actually far better than having a mish-mash of solutions where some their logins end up automatically saved in iOS on their phone, some are saved in Chrome on the desktop, some are just in their head, they don’t know where anything is, and are constantly losing access and resetting credentials all the time.
And it definitely reduces the burden on me of parental tech support, when its all in the book.
My Mum died recently and my step dad is shit with tech, so their password book was invaluable in helping us gain access to her Apple account and her phone. It meant we were able to get to her iCloud passwords, so now we have access to everything.
So yeah, password books are actually pretty handy.
“People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down.
We’re all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Obscure it somehow if you want added security: write “bank” instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don’t do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize.”
Yeah, my in-laws have such a book and it honestly is great. They live in their own flat where nobody can access the book without breaking in. They do not save their passwords in their browser, so anyone hacking into their PC can’t grab them. If they want to login into an account, they take out their book, put in the user name and unique password and that’s it. Quite the good method and I really do not see many problems there.
The main weakness it has is from a nosey flatmate, spouse, or child in the house.
I disagree. Using this book will always lead to shorter passwords that are easier to type. That’s the main weakness imo.
Or in other words: it really depends what the user fills it with. It should be accompanied by a little machine that spits out random passwords, I’m thinking a rubics-cube-shaped bling pendant at the end of the bookmark band.
Not at all. It will lead to easier to type passwords, likely. But that doesn’t mean shorter. This could easily be filled with passwords that are four words long with special characters interspersed.
Which you then have to type out every time. Laziness wins: they will be shorter.
The assumption is that the product is for non-savvy users. They might not even understand what you wrote up there.
Autocorrect can help here, but dictionary words are easily brute-forced, esp. when they’re enclosed by special characters. And that hypothetical user would have to come up with that idea in the first place. But people who come up with such ideas usually already use password managers anyhow.
Honestly, a physical password book isn’t a bad idea.
Not accessible via the internet, and in most cases if someone has physical access to your system you’re done for anyway.
The main weakness it has is from a nosey flatmate, spouse, or child in the house.
is it’s a pain in the ass.
For the majority of my clients who use this kind of system, it is totally dysfunctional.
Most of the records are incorrect, my guess is that they occasionally reset the password on mobile while the book is inaccessible and then don’t remember to update it in the book later.
Effective use relies on the user’s understanding of umbrella accounts. I’ve had users have separate written entries for “Office”, “Skype”, “Hotmail”, and “Windows” because they don’t understand those things are all one Microsoft Account.
As passwords get updated, it can become a mess of crossed out records with new ones squished into the margins. When a someone dies, anything written illegibly can be difficult for surviving family to discern. As the book gets filled out, it can get tricky to keep things alphabetized unless the user provisioned additional empty space between records.
This system can work great for someone who is meticulous, neat, and organized.
For your average person, I’ve had better luck solving the problem with a password manager synced to an online account that is protected by MFA and has recovery options that are also protected by MFA.
In fairness to them, I get a new email every month or two from Microsoft letting me know that they merged another account that I didn’t ever ask them to.
Watch out for that home grown script kiddie
Yep. My Dad in his late 70s uses this system and it works great for him.
People make fun of it, but for people with low tech literacy this is actually far better than having a mish-mash of solutions where some their logins end up automatically saved in iOS on their phone, some are saved in Chrome on the desktop, some are just in their head, they don’t know where anything is, and are constantly losing access and resetting credentials all the time.
And it definitely reduces the burden on me of parental tech support, when its all in the book.
My Mum died recently and my step dad is shit with tech, so their password book was invaluable in helping us gain access to her Apple account and her phone. It meant we were able to get to her iCloud passwords, so now we have access to everything.
So yeah, password books are actually pretty handy.
Bruce Schneier - 2005.
Yeah, my in-laws have such a book and it honestly is great. They live in their own flat where nobody can access the book without breaking in. They do not save their passwords in their browser, so anyone hacking into their PC can’t grab them. If they want to login into an account, they take out their book, put in the user name and unique password and that’s it. Quite the good method and I really do not see many problems there.
Don’t forget to use diceware. The human mind is not random enough https://www.eff.org/dice
What this book likely doesn’t suggest, is to just code the username.
I have 2FA backup codes in my go bag and nowhere do I write the usernames or even the service if it’s important.
You know your email address. If you lose this in an airport, writing “main email” makes it useless to anyone else.
I disagree. Using this book will always lead to shorter passwords that are easier to type. That’s the main weakness imo.
Or in other words: it really depends what the user fills it with. It should be accompanied by a little machine that spits out random passwords, I’m thinking a rubics-cube-shaped bling pendant at the end of the bookmark band.
Not at all. It will lead to easier to type passwords, likely. But that doesn’t mean shorter. This could easily be filled with passwords that are four words long with special characters interspersed.
Which you then have to type out every time. Laziness wins: they will be shorter.
The assumption is that the product is for non-savvy users. They might not even understand what you wrote up there.
Autocorrect can help here, but dictionary words are easily brute-forced, esp. when they’re enclosed by special characters. And that hypothetical user would have to come up with that idea in the first place. But people who come up with such ideas usually already use password managers anyhow.
Several dictionary words in series cannot be “easily brute forced.”
You’re out of you’re depth and saying stupid things.
Correct horse battery staple