If there is one trending topic on social media this season, it is passwords, thanks to renewed discussion of good password management.

There are plenty of password management options available. A software-based password manager is usually the primary recommendation, and these come with varying capabilities, such as online syncing, web browser extensions, or syncing the password database through services such as Dropbox.

We’re not going to get into the sticky-note-on-the-monitor style of password saving, or the notepad-file-on-the-desktop option. But we are going to talk about one of the more controversial methods of saving passwords.

The big book of passwords

Perhaps one of the most talked about password management tools is the internet password book or journal: often stylish-looking physical books that are basically notepads. Some more sophisticated versions allow the user to group logins by category, or add notes as they see fit.

This option is usually ridiculed on social media as the worst password management tool. BBC technology reporter Zoe Kleinman kicked off the latest discussion, but the responses were varied; one man wrote, “I totally need one of these.”

Before deciding whether this book should be used at all, we need to look at the threat model. What is a threat model, you ask? Good question, and that’s what we’re going to talk about next.

Threat models

A threat model is described as “the process of figuring out what you have that your adversaries care about” in an article written by Katie Nickels.

To clarify, not everyone faces the same risk, so we all need different precautions based on our own risk factors.

For instance, a spear phishing attack targeting a dozen individuals is only targeting those individuals, anywhere in the world. It’s not affecting us, and we certainly won’t receive warning messages from Google about it. This is not our threat model; it’s theirs.

So my security needs are based around what I need to protect and what’s important to me. The same goes for you: that’s your threat model.

Sizing up your adversary

Perhaps you don’t need to worry about targeted spear phishing. But if you’ve been sent 500 fake tax return emails of late, you had best put something in place. Identifying the threats against you and putting protections in place against them is, in effect, your threat model. In other words, you’ve put solutions in place that protect you against the threats you actually face.

The big book of passwords tends to be judged with a one-size-fits-all approach and set aside as bad practice.

Certainly, it comes in below par for someone working with sensitive data; they need a more security-aware approach than the big book of passwords. But the book will be a perfect fit for others:

  • People who aren’t particularly comfortable or familiar with computers.
  • Those with accessibility or cognitive issues.
  • People who don’t want to place all their passwords into one software basket.

Password managers

Two of the most common bad password practices are:

  • Reuse of the same password across services
  • Poor (weak) password selection

Software-based password managers are a great way to deal with both of these. They can create complex, unique (strong) passwords for use across multiple platforms, all gated behind a number of secure login methods, from 2FA to regional login lockouts. So they give good choice and ensure good password practice.

But many people won’t bother with a password manager.

Why?

Perhaps the tools they know of don’t meet specific operational requirements, or there are too many choices. Maybe there’s no browser extension for the tool they want to use, or it syncs offline only. Some may find it overly complicated or fiddly, while others may not have heard of a password manager at all.

Depending on the OS, the feature set, and the type of device, something that should be easy quickly turns into a hard task.

After that comes the removal of the password manager, and then it’s only a short skip back to Password123.

Password management books: what works and what doesn’t

The common objections to password books are:

  • If you lose the book, you’ve lost access to everything.
  • If you need to type in your passwords every time while reading them from a book, it could tempt people to use simple passwords rather than complex ones.
  • The book needs updating every time a password changes. It becomes useless if it has missing entries, logins which never end up in the book at all, torn pages, or unreadable letters, symbols and numbers.
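Both of the bad practices listed under password managers (reuse and weak passwords) and the legibility problem in the last bullet above can be checked with a few lines of code. What follows is an added example written for this page, not code from the original post or from any password manager product: it generates passwords from an alphabet that leaves out glyphs commonly confused when handwritten (0/O, 1/l/I, 5/S, 8/B, 2/Z), generates word-based passphrases that are easier to write in a book and type back in, estimates the entropy of each, and flags reused passwords across a small vault. The ambiguous-glyph set, the word list and the vault contents are all constructed for the example; a real passphrase generator would use a large published list such as the EFF wordlist, which is why the toy list's entropy figure comes out so low.

```python
import math
import secrets
import string

# Glyphs that are easy to confuse when handwritten or read back from paper.
# This set is chosen for the example; adjust it to taste.
AMBIGUOUS = frozenset("0O1lI5S8B2Z")

# A small constructed word list for the example (32 words -> 5 bits per word).
# A real generator would use a published list of thousands of words.
WORDS = [
    "acorn", "badge", "cabin", "delta", "ember", "fable", "gravel", "harbor",
    "ivory", "jumbo", "kettle", "lantern", "mango", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anvil", "bison", "cobalt", "drift", "eagle", "falcon",
]


def legible_alphabet() -> str:
    """Letters, digits and a few symbols, minus the easily confused glyphs."""
    symbols = "!#%&*+-=?@"
    return "".join(
        c for c in string.ascii_letters + string.digits + symbols
        if c not in AMBIGUOUS
    )


def is_legible(password: str) -> bool:
    """True if no character in the password is in the ambiguous set."""
    return not any(c in AMBIGUOUS for c in password)


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent picks from `choices` equiprobable symbols."""
    return count * math.log2(choices)


def generate_password(length: int = 16) -> str:
    """Random password from the legible alphabet, drawn with a CSPRNG (secrets)."""
    alphabet = legible_alphabet()
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, sep: str = "-") -> str:
    """Random passphrase of `words` words from WORDS, joined by `sep`."""
    return sep.join(secrets.choice(WORDS) for _ in range(words))


def find_reuse(vault: dict) -> list:
    """Return sorted groups of services that share the same password.

    `vault` maps service name -> password. Only groups of two or more
    services are returned, so an empty list means no reuse was found.
    """
    by_password = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    groups = [sorted(s) for s in by_password.values() if len(s) > 1]
    return sorted(groups)


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(len(legible_alphabet()), 16)
    print(f"password:   {pw}  (~{bits:.0f} bits, legible={is_legible(pw)})")

    pp = generate_passphrase(5)
    print(f"passphrase: {pp}  (~{entropy_bits(len(WORDS), 5):.0f} bits with this toy list)")

    # Constructed toy vault: two services share one password.
    toy_vault = {
        "bank": "Kx7m-Rq9p-Wn4t",
        "email": "Kx7m-Rq9p-Wn4t",
        "forum": "correct-horse-battery",
        "shop": "Tv6y-Gh3w-Jd7e",
    }
    print("reused across:", find_reuse(toy_vault))
```

The 16-character password from the 61-symbol legible alphabet carries roughly 95 bits of entropy, which is more than enough for any consumer account; a 5-word passphrase from a 7,776-word list (the EFF long list) would give about 64 bits and is far easier to copy from paper without error. The `find_reuse` check is the kind of audit a password manager runs for you and a book owner has to do by hand.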

Loss or theft of a password book

If you lose the book while you’re out and about, it isn’t all that different from losing access to a password vault through a forgotten master password or some other unforeseen occurrence. In both situations, you have a problem.

Meanwhile, a book is most likely to be kept at home, where it has real-world physical security: it’s behind locked doors.

Whereas the fear with software is that the “password management tool has their database broken into by anonymous criminals, and there’s nothing you can do about it,” and all your access codes are now in the hands of the criminals. In practice, most mainstream password managers encrypt the vault on your device with a key derived from your master password, so a breach of the vendor’s servers yields encrypted blobs rather than plaintext passwords; the protection is then only as strong as the master password and the key derivation behind it.

And if we think about it, burglars who break into your home are looking for expensive items they can sell off quickly, not rummaging through your drawers to find a password book.

Password books: encouraging simple passwords?

It’s possible that people using a password book might opt for simpler passwords. Some may find it annoying to write out lots of complex passwords, only to have to type them out again when they log in. But in general, people who have taken the trouble to write out a unique password understand its importance. Certainly, no one buys a password book to write out “password123” a hundred times.

Meanwhile, some people write only the passwords, with no service name or other telling information about what system each one is for. Instead, each page is associated in the owner’s own memory with a particular service or website. That is a reasonable defence against the book getting into the wrong hands.

Abandonware in paper format?

Perhaps using a book can slowly transition a person to a software password manager. Above all, it can be used as a stepping stone to build confidence about moving logins to the PC. And if we’ve got good memories and have typed them a few times, we can remember the important ones anyway.

Maybe they’re not the worst idea after all

So maybe the password book isn’t such a bad idea in some situations. After all, we’re dealing with an imperfect, messy problem: gaining access to our accounts. And each of us is different. Some people won’t entertain the idea of using a password manager, so for them the password book is the only alternative. It really is up to each individual and their threat model. Certainly the password book can’t work for everyone, but it is a good fit for some.

Whether you decide on a password book or password manager software, the main thing is that we use unique, complex passwords across the board. Figure out your threat model and decide whether the big book of passwords is enough.