
No, Don’t Write Down Passwords

My thoughts on why some bad advice is very bad advice.

The world's largest magazine dispensed some bad tech advice. Here's why I so strongly disagree.
Moleskin notebook with notes.
(Image: Midjourney)

The August/September 2023 issue of AARP Magazine included a “Tech for Everybody” special section that naturally caught my attention. One headline on the cover stood out: “Where to Store All Those Passwords (We have the answer)”. What would their answer be? I wondered. Which of several approaches to password management would they choose?

Their choice surprised and deeply disappointed me. It might even make me question their advice overall. They chose the worst one.


TL;DR:

Writing down passwords

Keeping your passwords written down suffers from two issues: the security of whatever you’ve written them down on, and the fact that writing them down (and having to read them to use them) encourages creating less secure passwords. Using a password manager or vault doesn’t have to be difficult, and it is significantly more secure.

Write them down? Seriously?

Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory, says the old-fashioned way is the best. “People used to go around saying ‘Don’t write down your passwords.’ Ignore that advice. You should write down your passwords. Of course keep that record someplace secure, not out in the open.”
– AARP Magazine, August/September 2023

Let me be clear: this is horrible advice.

Yes, I absolutely “go around” saying “Don’t write down your passwords.”

But perhaps not for the reason you think.

The classic reason

The reason most folks advise strongly against writing down your passwords is that whatever you write them down on needs to be easily accessible if you’re to use it. Sure, “keep that record someplace secure, not out in the open” is fine advice, but it can be at odds with actually being able to use the technique.

If whatever is written down is easily accessible by you, then it’s easily accessible by an intruder. Thus, all your passwords in one place could be easy pickings for a burglar, a snoopy roommate, or a less-than-trustworthy family member.

That’s a risk, but it’s almost (but not quite) a red herring. As long as you keep it somewhere relatively secure (albeit a little more inconvenient; I’ll suggest where below), someone would have to be very motivated to go digging to find it.

There’s a bigger problem.

The more important reason

Actually, there are two:

  • You’ll choose poorer passwords.
  • You’re more likely to re-use passwords.

If you have to reach for a piece of paper every time you need to enter a password, you’ll avoid using those long-and-strong passwords we so often advise. Sixteen truly random characters? Writing them down will be painful enough, but carefully entering them while looking at the written copy? Even if you do try, the frustration of mistyping or misreading a series of characters with no logic to them will wear you down. You’ll go back to choosing things that are either shorter, less random, or both. The result: weaker passwords.

Unless you use a tool to generate passwords, I believe you’re also less likely to bother creating a new one for each new login. It’ll just be too easy to look at your list and say “Oh, that one’s pretty good, I’ll use it here too”, making compromise of one account or the other that much more likely. I could be wrong — you might choose to write down unique passwords for each account — but there’s a high risk you’ll succumb to the temptation.

The one exception

It might be acceptable to write down your passwords if two conditions are met religiously.

  1. You always keep the written copy secure. I’m thinking lock-and-key secure. Perhaps a locking desk drawer.
  2. You use lengthy passphrases.

A long passphrase can be as strong as a shorter string of random characters while being far easier to read off paper and type. The strength comes from how the words are chosen, not from the character count: a quotation or a sentence you made up is guessable, while words picked at random from a large list are not. Five words drawn at random from a 7,776-word list (the usual diceware size) give roughly 65 bits of entropy; eight words give roughly 103 bits, about the same as a 16-character password drawn at random from the full keyboard. Forty or so characters of ordinary words feel like a lot to write down, but in practice they are much easier to copy and type than sixteen characters with no pattern to them.

If you can adhere to those conditions, perhaps paper would be fine.
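The arithmetic behind that passphrase-versus-random-password comparison, as an added example that is not part of the original article: it generates both kinds of secret with Python’s secrets module (never the random module, which is predictable) and reports the entropy of each. The 16-word list embedded here is constructed so the block runs offline; a real diceware-style list has thousands of words, and the 7,776 figure passed to compare() is an assumption about that list’s size, not something the article states.

```python
import math
import secrets
import string

# Alphabet for "random character" passwords: letters, digits and punctuation
# (94 printable ASCII characters, no space).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list so the block runs offline.
# A real passphrase list (e.g. a diceware list) has thousands of words;
# pass its length to passphrase_bits() or compare() to see realistic numbers.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pebble",
]


def password_bits(length, alphabet_size=len(PASSWORD_ALPHABET)):
    """Entropy in bits of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, list_size):
    """Entropy in bits of `n_words` chosen uniformly (with replacement) from a list."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of randomly chosen words that meets or exceeds `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_password(length, alphabet=PASSWORD_ALPHABET):
    """Uniform random password; secrets.choice draws from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Uniform random passphrase; each word is an independent draw from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(n_words, list_size, password_length):
    """Return (passphrase bits, password bits, words from that list needed to match)."""
    pw_bits = password_bits(password_length)
    return (
        round(passphrase_bits(n_words, list_size), 1),
        round(pw_bits, 1),
        words_needed(pw_bits, list_size),
    )


if __name__ == "__main__":
    five, sixteen, needed = compare(5, 7776, 16)
    print(f"5 words from a 7776-word list: {five} bits")
    print(f"16 random printable characters: {sixteen} bits")
    print(f"words from that list needed to match: {needed}")
    print("sample passphrase:", generate_passphrase(5))
    print("sample password:  ", generate_password(16))
```

The numbers make the article’s point concrete: five random words from a diceware-sized list are well short of sixteen random characters, and it takes nine such words to match or beat them, yet nine short words are still far easier to copy off paper than sixteen arbitrary symbols.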

Another idea I don’t like

The AARP article’s second recommendation is to use your browser’s password manager.

Again, I disagree.

While it’s not nearly as scary as writing them down, browser password managers often lack important functionality, and the saved passwords are accessible to anyone who sits down at your unlocked computer and knows where to look in the browser’s settings, as well as to malware running under your account (browser-saved passwords are a routine target of credential-stealing malware). It can also lock you into a specific browser and perhaps even a specific platform.

Besides, there are better solutions.

Do this

Use a password manager, already! (I even have recommendations.)

If you’ve figured out how to send email, you can figure out a password manager.

If you’ve figured out how to navigate websites and shop online, you can figure out a password manager.

If you’ve figured out how to cope with Facebook,¹ you can figure out a password manager.

You get the idea. Don’t be frightened by some perception of complexity. A good password manager will make keeping your account information more secure and less complex.



Footnotes & References

1: Seriously, this alone is no small feat.

40 comments on “No, Don’t Write Down Passwords”

  1. Glad I’m not an AARP member. Their advice doesn’t consider that some government websites have stringent password requirements.
    For example, I’m retired Navy and can access my retired pay information on MyPay, which is a Department of Defense website. I’m required to change my password every 150 days. Passwords must be 9 to 30 characters in length, 1 uppercase, 1 lowercase letter minimum, at least 1 number (0-9), and 1 of the following: # @ $ % ^ ! * + = _
    I have to change at least 4 of the characters from my previous password, no spaces, and it cannot be one of my previous 5 passwords and should not use any dictionary word in any language.
    Social Security has similar requirements.
    I use Bitwarden to keep track of the passwords. If I were to write them down in a notebook, each site would need a couple of pages to keep track of the passwords and the changes. Writing them down would make it easy to fall into the trap of changing the passwords once every 150 days and using the same password on both sites, following the KISS principle.
    I agree with Leo on this one.

  2. “I have to change at least 4 of the characters from my previous password”
    In addition to the fact that changing passwords periodically is nearly useless, this is an indication that those websites are doing security all wrong. If they can tell that 4 characters have been changed, it means they are storing the passwords on their database in plain text. That means that if that database is hacked, the hackers will have all those passwords.

  3. There is another reason for not writing down passwords.
    If you write them down, you are statistically less likely to remember them.
    That means, you will be more likely to need to look them up next time.

    And this BS of websites forcing you to HAVE to use upper case, lower case, numbers and symbols needs to stop. It has been proven to be less secure and harder to remember than pass-phrases.

    (as a footnote, my method of coping with facebook is to never go anywhere near it)

    • Passwords you can remember are not a good idea. If you can remember it, it’s likely you’ll use it on more than one site and if one of those passwords is compromised, for example, if one site is hacked and doing security wrong, they’ll have access to all of those logins that use that password. That’s why we recommend using a password manager like 1Password or Bitwarden and letting them generate long random unique passwords. Password managers let you easily use upper case, lower case, numbers and symbols.

  4. I am an AARP member and did not read that particular article however there are many times when I do read something and just wonder who is writing this stuff, and where did they get the information, and by gosh I do feel good when I see experts like Leo reinforce my questioning things, even though I am still learning so much about computers (after using them for over 40 years). Continuing education courses at local colleges are great! Thanks, Leo and all the others who offered their insights.

  5. Sorry Leo, but I agree completely with the AARP article of writing down on a piece of paper the most important passwords I maintain. I’ve been writing them on a piece of paper for decades and I alone know where that piece of paper is located. No one has ever broken into my piece of paper! I’ve tried password managers, and for me find them useless.

    I know that you will find this abhorrent, but many extremely bright and competent IT folks I know do this as a rule!

    • As Leo mentioned, there is an exception as long as you keep the passwords well hidden or locked up securely. Be sure you don’t keep your email address in the same place as your passwords.
      I wouldn’t trust a locked drawer, though. A thief would, most likely, pry any locked drawers open to look for valuables.

  6. I literally laughed and tossed that AARP issue in the trash the moment I read that advice. Since AARP is for seniors, there are even more risks to writing them down:
    1. They’ll forget where they put the list
    2. If a thief finds the list they don’t even need to take it – they can take a photo of it and you’ll never know it’s been copied
    3. All the reasons Leo indicates (EXCEPT a locked desk drawer which can be breached in 10 seconds by a determined thief)
    5. Your house burns down and takes the passwords with it
    6. As a senior, you have accounts with larger balances than a teenager
    7. You suddenly die or have a stroke and nobody knows where the list exists as they struggle to manage your affairs
    8. Seniors will NOT use 20 character secure passwords – they will use something very simple

    What did I do? I went through every account with my mother-in-law and closed out every one she no longer used. For the remaining ones, I used Bitwarden. I set up a free account for her and store them securely. I have a $10 annual premium BW account which allows me to share passwords with my wife, and my wife’s account has all her mom’s passwords and shares them with her mom’s BW account. “Daisy chaining” these accounts gives me access to all passwords, and my wife also has all her mother’s passwords too. There is also an Emergency access feature (with premium) if something happens to me or my wife.

  8. General comment on all such advice: If you don’t know what you’re doing or why, and if you don’t have your wits about you, then none of this really matters. If you depend on “advice” you find online, you can find the full spectrum of diametrically opposing advice, each fully “documented” and sounding very reasonable and logical.

    I would concur with Leo that AARP is not exactly the best source of technical advice.

    To Mark H: Thank you for all that information. This gets me half way to cracking your DoD passwords.

    Finally, how soon we forget all about LastPass.

  9. @Mark Jacobs – The website I used as an example is a .mil site operated by the U.S. Department of Defense. That says something about government bureaucrats, doesn’t it?
    On the plus side, the site does use 2FA and has options to use text, email or authenticator apps such as Google or Microsoft. I also receive an email and text notification whenever I log in showing date, time and browser. So if it isn’t me I can do something about it.

  10. My suggestion:
    1) Select some piece of well-known public text, like Washington’s Farewell Address, or Jefferson’s Danbury Baptist letter. Something famous enough that the text is easily available with a quick online search.
    2) Choose a common punctuation character.
    3) Assign a number to every site that needs a password.
    4) The website’s number tells you which word of the text to start your password with. From there, continue until you have twenty characters. When you’re typing, leave out spaces and make it all lower case except for the last character.
    5) Follow that with the site’s number, and finish up with your punctuation character.

    Your list of passwords and the sites they match with will look something like this:
    1 Facebook
    2 X (the app formerly known as Twitter – with apologies to Prince)
    3 Amazon
    Of course, don’t label it “My Passwords”. Just let it be a sticky note with a list of websites. Make sure there’s a backup sticky note somewhere, for when the original gets lost.

    Now you only have two things to remember: Your chosen punctuation character, and which famous piece of text to use. You can even have a copy of the text framed and hanging on the wall by your bookshelf. (It’s famous, after all. Stuff like that belongs by bookshelves.)

    Using this system, your Twitter password might be:
    scoreandsevenyearsaG2!

    If you have a very active online life and have a long list with dozens of websites… Well, sorry, get used to counting while you read. Most folks my age have a very modest online footprint, so my list is short.

    This is the best compromise I’ve found to compensate for a failing memory. If I’m away from home, all I need is my sticky note and a cell phone so I can look up the exact text of the famous speech.

  11. @aa1234aa I didn’t mention that the site doesn’t require an email address as a user name, so I don’t use one. Since I have 2FA set up and use the Yubico Authenticator, it requires a Yubikey as well. And I use the password generator in Bitwarden to generate 30 character passwords, so it may take a while to crack mine.
    What I mentioned in my original comment was from the standard instructions that just about every website shows for creating a password when establishing an account.
    And as for LastPass, I’m sure every other password manager has reviewed their procedures and processes to ensure that they don’t make that kind of mistake themselves.

  12. I write down parts of my passwords to give me a hint what they are… like the first letter of words or the first number of a date… and put the number of dashes needed to fill it out. That way people would have a harder time figuring out what it is.

  13. I really enjoyed a talk that Lorrie Cranor gave for a UCSF Cybersecurity forum, so I’m disappointed she’d give that advice.

    Meanwhile, after 13 years of LastPass, I’m about 1 or 2 months into 1Password. It seems slightly more troublesome than LastPass (have to enter password so often, not good filling on Android, never can get logged in on my work computer). I go back to LastPass temporarily so I can decide, if a discount were to come my way, whether to go back to LastPass for my family since I don’t think my wife likes 1Password.

  14. I use a password manager (Roboform) and let it generate and remember secure passwords, and log into sites automatically. The master password for the vault is a line from an obscure poem (not a nursery rhyme) my Dad used to read to us kids ‘way back in the 1940’s (yeah, I’m ancient.). I don’t need to write it down since it’s burned into what memory I have left. My wife and son both know the password in case I croak.

    One drawback to using random passwords is when you have to enter a password for a streaming app you’ve been using on the computer and now want to use the same app on your smart TV streaming platform (Roku for instance). Entering an 18 character random password using the onscreen keyboard can be agonizing. I usually print it out before entering it on the TV, using a font that makes a visual distinction between zero (0) and uppercase oh (O) . Thankfully it’s normally a one-time operation.

    • Also, fortunately, many of the online streamers now let you sign in on a “real” computer, displaying a code on the TV screen you then enter on the computer.
      For those services that require “typed” in passwords remember that length trumps all, so I find it much easier to “type” in an all lower case password, albeit 20 or more characters long.

  15. I use a password manager and it works well for my computing. However, my smart tv asks for passwords for my various devices so I need to write them down.

  16. I am an AARP member, a senior, and a digital forensics examiner, and recently graduated in cybersecurity at 74. I give advice on my blog security4seniors. After reading this, I now have my research for another entry. Password saving is a personal thing. I write down my passwords in a book and as text. I take my book with me when I travel. I store my password text on a secure Icedrive.net 10gb of free storage with a passphrase. I stay away from password savers due to all the recent breaches to major companies like Google and MS and almost every other one. I have hundreds of passwords that I need to keep track of. I had to change 365+ passwords 2 times due to Google breaches. This is why I do not recommend password accounts and if memory serves me right, even one of those has been breached. I trust in myself and not anyone else to secure my passwords.

  17. I’m still using LastPass and I’ll probably continue with it because I understand its use, I like the security improvements they’ve implemented, and I look forward to the implementation of passphrases they claim will be coming ‘soon’.

    While password security’s important, when it’s combined with 2FA, account security is vastly improved over passwords alone. Admittedly, after I learned about the LastPass breach and what data was stolen, I set about changing all my Internet account passwords, deleted/canceled any accounts I no longer wanted/used, increased my password length from 12 to 16 characters, and upgraded my account security with 2FA for accounts where I had not yet implemented it, or deleted any accounts that did not support it because if the service provider did not care enough about my account/data security to support 2FA, then I was not willing to trust them enough to use their service any longer.

    I consider my behavior on the Internet to be at least as important as my Internet account security measures. For example, I never click any Internet link before I check the URL it will take me to. If the link’s URL isn’t consistent with its label, if I can’t decipher it, or if I have any doubts about it at all, I don’t click it. For those rare occurrences when I want to go where the link purports to take me, I search for the location (from the link’s label) using my web browser and go there that way. I take everything I find on the Internet with a large grain of salt. If I can’t trust Internet links (on web pages or in email messages), I certainly can’t trust anything I read/see there without questioning/vetting it first, especially when I’m on any social media site (e.g. Facebook, et al.).

    I have developed these behaviors over the years from as far back as when MS-DOS could be integrated with Windows 3.1 to present, refining them as the threat landscape changed. My Internet security journey started when I contracted a virus from a program I downloaded from a BBS site. That was the first and last malware I have ever contracted because recovery taught me a lesson I will never forget. Any time I download anything to my computer today, I scan it with Windows Defender and MalwareBytes (free) before doing anything else, even from web sites I ‘trust’ (better safe than sorry).

    I hope what I have learned to do helps others remain as safe as possible on the Internet.

    Ernie (Oldster)

  18. Replying to Sam Hunt:
    “8. Seniors will NOT use 20 character secure passwords – they will use something very simple”
    That assumption is just about as bad as the original “write down your passwords” advice
    I’m 81 and I surely DO use secure passwords, not ‘something very simple’.

  19. In 1998, I created a misspelled password and used it for everything. Eight letters, lower case, and once had to have the secretary of my ISP access the account. She tried five or six times. Failed because she spelled it correctly. I still use it on three accounts. I don’t remember what year this “overprotection” began, but I wish I was allowed to use a word that means something to me! One banking account wants my “life history” if I hit one wrong key, not to mention some sites that won’t allow using any part of a previous password, and one that did not allow two of the same letters together (like “oo”). Captcha is downright aggravating considering the images are too dark or fuzzy. Just recently, I started to change a password and I got “wrong password” before I even started typing. That’s a new one. :). I cancelled AARP years ago. Thanks for the info.

  20. I use a password program. A few years ago I went brain dead and could not remember the password for the password program for about 3 hours. I now have a file with a reminder for that password.

  21. I think it’s important to remember that this article was geared for people like my parents who are 75, less than tech savvy, and not necessarily capable of using a password manager as it’s just one more layer to everything else that already confuses and frustrates them with technology. I’m sorry, but I’m only 43 and I had to start writing them down a few years ago. I simply can’t remember all the passwords required of me anymore either, and I’m not about to release that information to a single source or two to remember it for me. It’s safer in my spots than entrusting a stranger with it. For me personally, that is access to 2 banks, 5+ credit/department store cards, 2 utility companies, an auto loan, a cell provider, the cable company, 3 investment companies, the insurance company, a wireless printer, a wireless modem, Apple codes just to register an iPad, multiple online accounts for shopping purposes, about 6 different work logins, and a few more I’m sure I didn’t recall while writing this. That’s a lot of passwords and usernames to recall. I’m sorry Leo, but asking someone who actually receives the AARP magazine to remember all that is asking quite a lot, especially given the loss of cognitive abilities simply from the aging process. In addition, if there was a family emergency with someone of the AARP age bracket, having that information accessible could be invaluable to someone if their parent has a stroke or worse and they have to step in and pay the bills or cancel accounts.

  22. I tried LastPass briefly a while ago. It didn’t work for me, and particularly in the following cases. Like most folk, I use bank and other financial sites a fair bit. For all of them, a user name and password are not enough. Nowadays, you need ALSO to fill in, for example, digits 1, 3 and 4 from your memorable 6 digit key; and letters 2, 7 and 10 from the name of your favourite teacher. AND then, (certainly with credit cards), you get 2FA – a text to your mobile with a code to confirm it really is you that wants to pay XYZ Co $330. Do these further hurdles not make the length and security of a password less critical?

  23. Gosh, all this talk about age (old people). Well, I’m 89 and very much into tech. I’ve used LastPass for years and still do. I took the necessary precautions when they were breached and tried two other password managers but went back to LastPass.

    In conclusion, age is just a number. Don’t let it get in your way.

  24. You have definitely hit a nerve here Leo! I’m a former elder law attorney who has given such advice as what you question here.
    Why would I (and many of my colleagues) have done this? Because most elders are capable of managing their own finances, and some want to have a contingency plan to make it easier for an agent under a durable power of attorney or a personal representative to assist if/when needed. Plus, many may not trust the longevity of the company storing or encrypting their passwords.There are many online tools people can use, and these often need to be updated when circumstances change. Many folks have a mishmash of virtual assets, and it is important for an assisting fiduciary to know of an elder’s “known universe” of accounts, even if the passwords are not up to date.
    Our control over the security of our passwords is often illusory, particularly when we must “prove” we are who we say we are or if our personal information has been breached by many third parties, perhaps beginning with a first breach such as the OPM data breach, which occurred back in the 00’s. Thanks for your insightful posts!

  25. Regarding writing down passwords. Here is a secure suggestion. I use the same (therefore easy to remember) beginning 9 letters & numbers. This is not written down in my passwords 4″x6″ notebook. The notebook is hidden but easily accessible from my computer. In that notebook, which has tabs for the alphabet, are pages with different letters and/or numbers for the various websites, etc. that I use. There are just 3 or 4 of these letters/numbers. So if anyone finds my hidden notebook these are worthless without the first 9 letter/number sequence.

  26. I still write all my passwords on paper, but I use them only as a backup. I use Lastpass (yeah I know about the breach). I tried using Bitwarden, but couldn’t get it to work. Compared to Lastpass I found it confusing and not especially user-friendly. But with Lastpass I have not had any issues with anything. I did change all my existing passwords though, which was a bit of a project. I would consider using another pw manager, but just because the others have not been compromised doesn’t mean it can’t happen to them.

    It just hasn’t happened to them ———-yet.

  27. So many useful ideas here. Many thanks.

    I prefer to do it manually.

    1) Open a password generator, e.g., LastPass,

    2) set it to about 24 characters,

    3) copy the generated password, e.g., JjTI@!p%qkF4s1i$eYsIxe3l to a docx file that holds ALL my passwords.

    4) Save that docx file on a thumb drive, not the home computer,

    5) acquire and update two copies of the thumb drive,

    6) hide all the thumb drives around the house, the primary one near the home computer.

    This doesn’t work for when we’re out of the house, but I hardly ever turn on my phone outside the house, much less log in to anything.

    I don’t change my passwords just because they’re old. They should be strong enough to withstand both a dictionary and brute force attack.

    It takes a few seconds to get the flash drive when I need to go to, say, my bank’s website, but I’m happy to pay that price for the knowledge no one else has my password.

    See any flaws in my strategy? My mind’s open to change.

  28. rick reeves—I use the open-source program KeePass as our Windows password manager, which stores its password database locally only, not in the cloud (AKA “somebody else’s computer”). KeePass runs natively only on Windows, although it can be run under MacOS and Linux using another program called Mono. I’ve been using KeePass for probably 15 years.

    We also use the open-source program KeePassXC on our Linux Mint PC, which also stores its password database locally only. KeePassXC is a fork of KeePass. The two programs share the same format for the password database so you can copy and use the database files between the two programs. KeePassXC runs on Windows, MacOS and Linux.

    The reason we use both programs is because I’ve been using KeePass forever whereas I only put Linux on an old Windows 7 PC a little over two years ago.

    FYI, I’m 75, soon to turn 76.

