Secure password storage - for users

We know that we should use strong, unique passwords for every site. How we construct a great password is a problem in it self, but when we have these passwords, how do we store them? How can we keep them safe, while at the same time have them available at short notice when we need to authenticate to a service?

There are some ways you should never store your passwords. You might read this and think it is self-explanatory, but it is far too common to find passwords stored like this.

• Written on a post-it attached under the keyboard at work
• PIN code for a bank card written on the card

Generally, having your password physically attached to the thing it unlocks is a bad idea, especially if access to the object is not totally under your control, or the consequence of losing it is great.

So, after ripping the post-it from under your keyboard, what do you do? Well, a surprisingly low cost and easy solution is to just keep your passwords in a notebook. But wait, that sounds just as bad as having them under the keyboard, and worse, you just put all your eggs in one basket! Yeah, it is not a solution for everyone, but it has its merits. For your average not too tech-savvy friends or family members, the internet may be something that is used rarely, and mostly at home. Keeping your passwords written down at home is much more secure than reusing passwords. With strong passwords, any breach at a site you use can't hurt you. The only attack vector you need to secure against is someone breaking in and stealing your password book. A much simpler task!

But for most of us (and especially you who use your free time reading a security blog), password storage needs to be portable. Having a single hard copy of your passwords and carrying it around poses a greater risk, and is extremely impractical. What if you forget the book at home one day? Or worse, leave it at your favorite craft beer place? No, you need a password manager. This is a program that stores all your passwords securely, that can be backed up, and that can be synchronised across devices.

This is a step many security-minded people are hesitant to take. Moving your passwords into a cloud storage service seems like a bad idea. Well, it might be, but you should consider the alternative. Having weak passwords on all your accounts make them easy targets when account details leak, or sites are attacked. This happens all the time. Placing all your (encrypted) passwords in a cloud service like 1Password or Lastpass is like putting all your eggs in one basket, but they are guarded by people with a singular mission: Protecting eggs (well, passwords really, but you get the picture). If you need more convincing that this is a good idea, read the attached blog post from Troy Hunt.

Remembering unique passwords is an impossible task, so you need help. If you mainly use your computer at home, go with a little book to keep in your drawer. If you are a bit more active on the internet, the best gift you will get yourself this year is a password manager!