Opinion: Paper, the least terrible password management tool

With password management app LastPass possibly compromised, a stowed away pad of paper seems more secure than storing sensitive credentials in the cloud.

Ann Hermes/The Christian Science Monitor

June 19, 2015

Passwords are a bane of modern life. We need them for everything – banks, social media accounts, e-mail, online subscriptions and shopping sites, smartphones, voicemail, and apps. Ugh. And security experts like me are always reminding people to make sure passwords are long, have upper and lowercase letters, numbers, and special characters. Not only that, but make sure to use a different – and equally complex – one for each and every account and website that you visit. And don't write it down – ever. 

Yikes! That’s a lot of passwords to keep in your head. 

So for many of us who can't remember their wife's phone number without writing it down (that's me), the password manager was a godsend. One piece of technology that remembered all of our complex passwords. Simply log in with a master password and all of your other passwords are there. Brilliant. 

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

But now what seemed to be an ideal solution for keeping passwords straight – and secure – is suddenly suspect. Password management company LastPass admitted last week that it discovered "suspicious traffic" on its network. Though encrypted user data was left untouched, “account e-mail addresses, password reminders, server per user salts, and authentication hashes were compromised,” meaning that some accounts could be vulnerable.

What do you do, then, when one of the most prominent password managers may be compromised? If you use LastPass or other password managers that store information online in the cloud, you may want to switch to an alternative service that stores its information locally on your machine. Or you may want to just keep your data right where it is in the cloud. It comes down to what risks you are willing to accept and what inconveniences you are willing to endure. 

But there's also a low-tech solution: paper. That might be anathema to many security types, but it works. I’m not talking about putting a sticky note on your monitor or under your keyboard. I’m talking about an unassuming pad of paper filed away in a drawer or someplace only you know about.

That pad of paper is just as secure as your house. Unless you have strangers breaking into your home at night and rummaging through your papers, the pad of paper is probably pretty safe. Yes, there are risks to storing passwords on paper, such as the inconvenience of not being able to access those passwords when you are not at home.

I think the perfect solution, though, is a combination of four password storage methods: online, locally on your device, on paper, and in your mind. Use a password manager such as LastPass that stores passwords online for things that you use often but are low-risk such as online cat forums or e-mail accounts for junk mail. 

Why Florida and almost half of US states are enshrining a right to hunt and fish

For passwords to more important accounts, store those in a password manager that saves everything locally. 

For me, the password to my 401K is on paper because I almost never check it. Passwords to my PayPal, bank account, and the e-mail those accounts are connected to are only in my head. 

And just as other security professionals preach, what's most important is using a different password for each and every website and online service. Yes, it's a pain. But with the rate that password databases are being breached, criminals have learned to quickly try passwords on multiple sites until finding one that works.

For even beefier security, if a website offers two-factor authentication, use it. Two-factor won’t make your account hack-proof, but it does add an additional security layer. And that might be enough to make an attacker move on to the next target. 

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.