The best defense against hackers is… paper.
by Timothy B. Lee
There is one foolproof way to protect your information online. But you’re not going to like it.
It involves paper.
News of the Heartbleed vulnerability has made a lot of people interested in better password management. Most of us know that our passwords should be random mixtures of letters, numbers and characters, and that we shouldn’t re-use the same passwords on multiple sites. In other words, we’re supposed to memorize a huge number of passwords designed to be impossible to remember. There’s no way most people will do that. So in recent weeks, a lot of computer-security experts have begun recommending password managers like Dashlane, 1Password, LastPass, and RoboForm. There are some major advantages to these services. They basically generate and remember your passwords for you. You use one master password to access them. The information is saved onto your devices and strongly encrypted, so it’s almost impossible to hack.
If that appeals to you, it’s worth giving it a try. But there’s another alternative that’s simple, reliable, and everyone already knows how to use it: paper. To keep your passwords safe, just write them down on a piece of paper and put it in a safe place like your wallet.
You can’t hack paper.
Choosing a low-tech solution for a high-tech problem seems counterintuitive to a lot of people. Shouldn’t we be using the most powerful technologies to safeguard our online lives?
But security mistakes happen when people are using systems they don’t understand. Password managers are powerful, but their complexity can also lead to problems. In contrast, everyone understands how a piece of paper works.
If you forget your password manager’s master password, the rest of your passwords are gone forever. Of course, a lot of people write their master password down somewhere on their computer. That creates an opportunity for hackers to grab their data, or, more mundanely, a risk that their hard drive will malfunction and they won’t have a backup.
“If what you’re concerned about is people coming in over the internet, they can’t do that if your passwords are on paper,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University who says writing down passwords is a perfectly sensible security strategy. Managing passwords on paper is endorsed by a number of other security experts, including well-known security researcher Bruce Schneier.
Paper has its dangers, of course. If you’re the kind of person who is prone to losing your wallet or accidentally putting things in the washing machine, trusting your passwords to a piece of paper might be a bad idea.
Paper can also be taken. If you have a nosy boyfriend or teenage kids who might be inclined to snoop through your accounts, that’s a cause for concern. If you travel internationally, a search at the border could reveal your passwords to a foreign government.
But for many people, threats from strangers online are a much bigger concern. Paper can’t be hacked. You can’t be tricked into sending a piece of paper to hackers on the other side of the world. And as long as your wallet doesn’t go through the washer — or as long as you keep a couple of different sheets of paper safely hidden — technical problems are unlikely to unexpectedly erase the contents of a piece of paper. None of this is to say that password managers are a bad idea. They’re not. But for many people, storing passwords on paper is a great solution.
Why do I need so many passwords?
Password re-use is bad because it means that compromising one site can expose you to attacks on other sites too. For example, if you use the same password on a sketchy internet forum as you do for your Gmail account, then if the forum gets hacked the hackers might gain your password and be able to log into your Gmail. From there, they may be able to compromise other accounts and get access to your whole digital life. On the other hand you probably don’t have that many important accounts. Your primary email address, your bank, your credit card, and your retirement account probably need their own passwords. If you use a cloud storage service like Dropbox or iCloud, your passwords for those services should be unique. You might also want a unique password for your Facebook and Twitter accounts. But the total number of high-security passwords is probably a single-digit number. In other words, you should be able to get along with few enough passwords to fit them all on a business card.
For other sites, some password re-use is fine. There just isn’t that much damage someone can do if they gain control of a video streaming account, for example. So pick two more passwords: one password to use on sites with a moderate level of security concern, and a second one for low-security sites like online forums and games. It’s a good idea to avoid using the numbers 0 and 1 and the letters i, L, and O, since these can easily be mistaken for each other. It’s also a good practice to underline the capital letters in each password to make sure you’ll be able to decipher which letters are capital and which are lowercase.
Finally, write down as little identifying information as possible. Don’t write down your username. Write “E” instead of “gmail” and “B” instead of “Bank of America.” Hopefully, if your wallet does get stolen, the thief won’t realize he’s holding the keys to your online identity — at least until you’ve had time to change your passwords.
Don’t leave the paper somewhere where people can copy it. It shouldn’t be a Post-it note on your monitor or even under your keyboard. Store it in your wallet, or in an unmarked folder in your filing cabinet. You might want to consider keeping two different pieces of paper: one at home that has every password, and a second one in your wallet that has just the passwords you need every day. That minimizes the damage if you happen to lose your wallet.
If you do use a password manager: First, make sure you make regular backups of your hard drive (you should be doing this anyway). Some password managers (like 1Password) don’t store an encrypted copy of your passwords on their servers. If you’re using one of those programs, then a hard drive crash could mean you lose your password data forever.
Second, memorize the password to your primary email address. There’s always a small risk that a technical snafu or a forgotten master password will lock you out of your password file. If that happens, you’ll need to activate the password-recovery features on all the websites you use. Most websites do that by email. If your email password is stored in your password manager, you’ll be out of luck.
Most password managers allow you to synchronize your data across multiple computers. That’s a convenient feature, but it needs to be used carefully. Never log into your password manager from devices you don’t trust. For example, if you’re traveling abroad, it’s a bad idea to log into your password manager from an internet cafe. If that computer happens to have spyware installed — and many do — the bad guys will be able to access all of your accounts. Also, be wary of fraudulent “phishing” emails and websites that try to trick you into divulging your master password.
What else can I do to secure my online accounts?
Two-step verification. Two-step verification. Two-step verification.
It’s always possible that someone will find your password sheet or crack your password manager and try to log into your accounts. That’s where two-step verification comes in. On most sites, the second authentication step involves texting a security code to the user’s cell phone. That improves security because a hacker who gains access to your password would also have to get ahold of your cell phone in order to compromise your account. Most leading internet companies and many major banks offer two-step verification. The Wall Street Journal has a handy guide to enabling 2-step verification on 11 popular websites.