Due to the resurgence of a discussion about secure password management procedures, passwords are currently a hot topic on social media.
There are numerous options for managing passwords, some of which are more appealing than others. A software-based management tool is frequently the top suggestion online. Some also combine web browser add-ons with online syncing. Others involve synchronizing passwords with platforms like Dropbox.
Not to mention the venerable practice of sticking Post-It notes on computer monitors, or those who prefer to keep their information on notepads on their desktops. Today, we're here to discuss what is arguably the most contentious approach to password storage.
The Big Book of Passwords
There is one password management tool that is met with a great deal of criticism – the often-maligned Internet password book. These are, as you might expect, actual books that are essentially blank notepads with the phrase "Internet password book" written on the front. Some users could categorize their login information or add more notes as necessary.
They are typically derided on social media as the worst option available for password management for a variety of reasons. It's a contentious argument that resurfaces approximately every six months. BBC technology reporter Zoe Kleinman started the most recent instance of the twice-yearly flurry of excitement:
To make an informed decision about using these password books, it is important to understand the concept of a threat model. The good news is that we'll give you a quick overview of what a threat model entails.
Threat modeling is best characterized as "the process of figuring out what you have that adversaries care about," according to an article by Katie Nickels.
We don't all face the same risks, so we don't all need the same safety measures. It's bad when the latest sophisticated nation-state attack makes the news, but, like most people, you can probably carry on as usual. That clever spearphishing attack that went after about a dozen people worldwide?
About a dozen people are being targeted on a global scale.
You won't see it, and it's very likely that Google won't send you any messages about it. You don't have it in your threat model.
What matters to me, what I want to protect, what I don't care about, and what must stay mission critical at all costs: those are the main focuses of my personal security concerns. That's my threat model.
Sizing Up Your Adversary
Although you may not need to worry about attacks from nation states, you almost certainly have plans in place for the 600th fake tax return invoice that shows up in your mailbox. It's a part of your threat model: you are aware of it, you know what they're after, and you've put defenses in place to counter it. It might not be the most significant threat your organization faces, or it might only be a mid-tier threat. It's fine that this varies from place to place.
When we see the infamous password book on display, we frequently adopt a one-size-fits-all mentality and write it off as silly or bad form.
Well, it might not be the best choice for someone handling sensitive data. There are far more effective ways for those people to scale up to the threats they face and secure their digital needs. However, there are a lot of people out there for whom the password book is ideal:
- People who are simply unaccustomed to or uneasy around computers. This happens frequently.
- Those with cognitive or accessibility issues.
- People who are concerned about losing control by putting all of their passwords in one (digital) basket.
Reusing passwords and choosing weak passwords are the two pillars of bad password habits. Software-based password managers are highly recommended because they are excellent tools for resolving both issues. They generate long, complex, unique passwords and keep them all locked behind a secure login process. You get extras too, such as regional login lockouts and 2FA. More options are always better.
However, many people will never use password managers.
Perhaps there are too many options available to them, or the tools they are familiar with don't satisfy certain operational needs. It's possible that the tool they really want to use doesn't have a browser extension or that it only works offline rather than syncing online. It's also possible that they simply don't know they exist or find the whole process to be too complicated or fiddly.
Something that should be simple can very easily turn into a hassle depending on the OS, type of device, and feature set. From there, bad habits may start to form, leading to the password manager's eventual removal. Going back to Password123 is then only a short hop away.
Password Management Books: What Works and What Doesn't
Here are a few typical objections to password books:
- If you misplace the book for passwords while out and about, you'll be unable to access anything.
- People might choose simple passwords over complex ones if they have to enter their passwords manually rather than having a password manager do it for them.
- Over time, password books develop defects that resemble abandonware, such as blank pages, missing entries, logins that have been changed online but not updated, and logins that are never used at all.
Since the arguments against these assertions are lengthy, they are given separate sections:
Loss or Theft of a Password Book
The loss of the password book while away from home isn't all that dissimilar from losing access to a password vault due to glitches in the system, forgotten master passwords, or other unanticipated events. Something has gone wrong in both situations. The password book, at least, is most likely to be kept at home and is dependent on numerous actual physical security measures.
That is a lot more reassuring than "anonymous criminals have broken into the database of your password management tool and there is nothing you can do about it." If your house is broken into, you have more important things to worry about than your logins. Realistically speaking, thieves are after expensive items they can steal and resell. The password book in your dresser is irrelevant to them.
Password Books: Encouraging Simple Passwords?
Could password books promote short passwords? It's very likely. Typing dozens of complex passwords from page to screen every time they log in may irritate some people. My observation is that people who write down their passwords are more concerned with making each one unique. After all, nobody fills 30 pages of a password book with "password123". What would be the point? Sure, we might end up with variations like password1234/5/6 instead, but even so, that's still a little more interesting than the alternative.
I've also seen people write only their passwords on the pages – no usernames, service, or website. Instead, they associate particular pages with specific services. Although this is a fantastic deterrent to theft and loss, I'd be concerned about forgetting the order. It is also a serious drawback if the password book's owner passes away and family members need to recover the data. How would one even start?
Abandonware in Paper Format?
Abandoned password books, what a concept. I believe this one has some merit, but I also believe it offers a glimmer of hope. Someone I know who did this told me it led to a gradual shift to a software password manager. If entering a few passwords in a book is the confidence booster someone needs before moving their logins to the PC, more power to them. It's also possible that some individuals have typed passwords from their password books so often that they can now remember the crucial ones from memory.
This brings my lengthy counterpoint section to a close.
Maybe They're Not the Worst Idea After All
The lesson to be learned from this is that we are faced with an imperfect, messy solution for an imperfect, messy requirement to use our accounts. It might be a good (if not the only!) option in cases where friends or family members simply won't consider using a password manager. How safe it will be for them to drag their logins from screen to page really depends on the person. The password book won't work for everyone, but it will undoubtedly work for someone, and I don't see anything wrong with that.