Where Do You Store Your Passwords

Yesterday I started thinking more about backing up critical information and I realized my passwords are extremely critical to me. If for some reason I would lose all the passwords, it would mean a serious problem. To prevent this from happening I’ve decided to set up a more regular backup system for critical data.

Currently all my passwords are located in a simple text file on my computer. As an additional security measure I’m also going to print all my passwords and store them in a physical folder. I really recommend doing this, in case you don’t already store your passwords like that.

It takes only a couple of minutes, so there’s not really a reason not to do that.

Juuso Hietalahti


  1. Wow, I didn’t realize storing passwords was such a popular thing to do. The important ones are stored in my head.

  2. If you’re going to store your credentials online (which is usually pretty useful), encrypt them with something like GNU Privacy Guard. Something that uses standards-based encryption (e.g. RSA, AES, 3DES, not some s3kr3t vendor hack that won’t stand up to a day of beating by a seasoned sysadmin or developer). GPG fits the bill. Don’t know about the other apps mentioned here, but there are multiple options for you.

    Then, your credentials file is armored, and you just need to remember the password to that, which should be easy to keep in your head since you’ll use that frequently. Then the attack surface you’re exposing is:
    – if someone installs a keystroke logger on your machine (i.e. you’re already completely owned and need to reinstall and change all your passwords anyways)
    – if your passphrase to unlock your password vault is brute force guessable, e.g. dictionary word with some numbers thrown in for sport.

    A good way to construct passphrases is to think of a phrase that only makes sense to you, take the first letters, throw in some numbers and non-alphanum characters to make it harder to brute force and that’s your password, e.g. “mgP4h&h3w1s!” looks like junk and won’t show up in a brute force dictionary, but you’ll remember it because it’s “my game projects are Highpiled and Hightailed except when I sleep!”
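A way to quantify the distinction this comment draws between a “dictionary word with some numbers thrown in” and a first-letters passphrase, as an added example in Python (not part of the original post or thread; the mini word list, the character-class pool sizes and the 40-bit “weak” threshold are constructed assumptions):

```python
import math
import re

# Constructed mini word list standing in for a real dictionary (assumption:
# a real checker would load a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "secret", "dragon", "monkey", "welcome",
                "letmein", "game", "project", "summer", "winter"}

# Character-class pool sizes for the naive brute-force estimate (assumed values).
POOLS = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
)

def naive_bits(passphrase):
    """Bits of work if a guesser had to try every string over the observed classes."""
    pool = sum(size for pat, size in POOLS if pat.search(passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def dictionary_pattern_bits(passphrase):
    """Bits of work if the passphrase is 'dictionary word + digits + symbols'.

    Returns None when the passphrase does not have that shape, i.e. a
    word-list-driven guesser gains nothing over plain brute force.
    """
    m = re.fullmatch(r"([A-Za-z]+)([0-9]*)([^A-Za-z0-9]*)", passphrase)
    if not m or m.group(1).lower() not in COMMON_WORDS:
        return None
    _word, digits, symbols = m.groups()
    # Guess space: every word (with 4 capitalisation variants) times every
    # digit suffix of that length times every symbol suffix of that length.
    guesses = len(COMMON_WORDS) * 4 * (10 ** len(digits)) * (33 ** len(symbols))
    return math.log2(guesses)

def assess(passphrase):
    """Report naive and effective strength; 'weak' uses an assumed 40-bit cut-off."""
    naive = naive_bits(passphrase)
    pattern = dictionary_pattern_bits(passphrase)
    effective = naive if pattern is None else min(naive, pattern)
    return {
        "naive_bits": round(naive, 1),
        "effective_bits": round(effective, 1),
        "weak": effective < 40,
        "reason": "dictionary word plus suffix" if pattern is not None
                  else "no dictionary pattern found",
    }

if __name__ == "__main__":
    for pw in ("dragon123", "Dragon12!", "mgP4h&h3w1s!"):
        print(pw, assess(pw))
```

Both “dragon123” and “Dragon12!” collapse to under 20 bits once the word-plus-suffix shape is recognised, while the comment’s first-letters passphrase keeps its full naive estimate because no dictionary word is found in it.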

  3. I’ve used a number of different apps but really like http://keepass.info/. Import your text file to this straight away, there’s no reason to use a text file.

  4. @ZeHa: “Hmmm I’ve got the feeling that Juuso wrote this on purpose, to provoke something ;)”
    Nope, the bolded line in the blog entry is why I wrote this.

    @Frozax Games: “I can’t believe you are storing passwords unencrypted in your computer and on a sheet of paper.”
    Yeh, I do :)

    “The only place a password should be is in your head.”
    Well, I have 20 pages of passwords and usernames, and most of them are different and something like “zg00Pq1WflRw2SBBgmn54L”. I would need a serious memory upgrade to my brain to remember all of them ;)

    “I prefer to lose a password instead of having someone else knowing it.”
    That’s one option, and sounds reliable. Nothing wrong with that. I personally don’t think having a sheet of paper filled with password is such a security risk.

    One problem there is: what if you lose your email program passwords along with other ones…

    I personally won’t be sending my passwords to online services. I think they have much bigger chances getting hacked than my own computer. I presume there are reliable online password systems that can help you, but I personally dislike this. Maybe it’s bit same as with some of those online shops that store your credit card numbers. I don’t like that.

    @Scott: “In our safety deposit box at the bank. My business partner has access to the box and if I kick the bucket she can still find someone to access the systems.”

    Yeh, I also have thought this, but our two blood hounds will keep burglars away and alert in case of fire, so I haven’t done this.

    There are some reasons why I haven’t encrypted my passwords – pretty much same that Jake there mentioned already. First reason is that I simply don’t think the risk is that high (with my firewall protected computer) – I’ve experienced some program crashes but never getting hacked. Secondly (this is probably a poor reason in terms of security, but nevertheless it’s my reason) I don’t like the password programs… they aren’t flexible compared to a simple text file. They might take time to load the files, you might need master password… and what if they crash (like happened to me)… I agree that it probably would be safer (on the other hand: maybe there are viruses against highly popular password file protectors…) but for now, I’ll stick with my simple password file.

    Compared to the risk of losing passwords versus my computer getting hacked & burglars stealing my computer I believe I’m quite safe with the current system.

  5. I use PasswordSafe. It’s an encrypted method of storing passwords, and it requires a password to access. The only issue is making sure you can remember the password to the database and that no-one discovers it!

    I like it because you can organise your passwords into different categories (websites, banking, work, etc) in a tree-view and double-clicking on any entry put the password into the clipboard for easy pasting into fields. Best of all, it’s free!

  6. I use a system to make passwords that enables me to remember them OK. Problem is, if someone found of one of them, could they figure out the others?

    Also I do keep them noted down which is only a security risk if my house gets burgled and they actually can locate the paper in amongst a large number of folders…it’s so unlikely.

    If you stored them on your PC, how likely is it that someone a) steals your PC and finds them or b) hacks into your PC remotely and finds them. Pretty unlikely methinks. I guess storing them in an encrypted file with a single password to enter would be sensible, maybe. Moreso if you are a business or a government organisation etc.

    Thing is the sites you use could easily be hacked or the password can be obtained by entering your email address (easy to find out) and clicking “Send me a new password”. So if someone was at your PC they could do this and get the new password. At the end of the day I’m not seriously worried about this issue, I’ve got much more important things to focus on (note I didn’t say “worry about”).

    However I do recommend backing up critical data in an automated fashion (to avoid human error) regularly. Even if your drive doesn’t go down, I’ve found it useful to have several old backups to retrieve files that I’ve deleted or modified by accident, esp. code.

  7. In our safety deposit box at the bank. My business partner has access to the box and if I kick the bucket she can still find someone to access the systems.

  8. Hmmm I’ve got the feeling that Juuso wrote this on purpose, to provoke something ;) perhaps to get to something like “it’s no problem to do that when you make your computer secure, and I’ll show you how tomorrow :)”

    But anyway, the idea with the physical folder is a good one! Another idea is to choose passwords you simply can’t forget – something cryptic but with a system that you know of. Let’s say you always use the word “word” and expand it with something you connect to the place where you need the password. A very simple (and only meant to be an example!) way would be to use “word-gmx” on your gmx account and “word-msn” on msn or something.

  9. I can’t believe you are storing passwords unencrypted in your computer and on a sheet of paper. The only place a password should be is in your head.
    I prefer to lose a password instead of having someone else knowing it.
    And very often, when you lose a password on the internet, there is a “password lost?” option to recover it.
    Just be careful with your sensible data.
