Is there a good way to store credentials outside of a password manager?












23















A lot of the users in my company are using their agendas to write down their password and usernames, or Excel sheets with a protected password. I'm hesitant to install software for password management after reading recommendations/feedback on them. Is there any other secure and user-friendly solution to store passwords?










share|improve this question









New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 9





    Spreadsheets are a terrible choice. Offline password managers like KeePass are going to be your best option. Other than that I don't know what anyone could suggest - it's pretty much that or writing them in a physical book.

    – Polynomial
    yesterday






  • 48





    What is it about the recommendations/feedback that’s made you hesitant?

    – Ry-
    yesterday






  • 13





    Depending on your threat model, pen and paper may not be a bad choice.

    – MooseBoys
    18 hours ago






  • 10





    If you store passwords somewhere, doesn't that make it a password manager by definition? 🤔

    – Luc
    11 hours ago






  • 5





    @OrangeDog that's simply not true. It is not a linear trade-off like that. There are lots of security measure that actually increase user-friendliness.

    – schroeder
    6 hours ago
















23















A lot of the users in my company are using their agendas to write down their password and usernames, or Excel sheets with a protected password. I'm hesitant to install software for password management after reading recommendations/feedback on them. Is there any other secure and user-friendly solution to store passwords?










share|improve this question









New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 9





    Spreadsheets are a terrible choice. Offline password managers like KeePass are going to be your best option. Other than that I don't know what anyone could suggest - it's pretty much that or writing them in a physical book.

    – Polynomial
    yesterday






  • 48





    What is it about the recommendations/feedback that’s made you hesitant?

    – Ry-
    yesterday






  • 13





    Depending on your threat model, pen and paper may not be a bad choice.

    – MooseBoys
    18 hours ago






  • 10





    If you store passwords somewhere, doesn't that make it a password manager by definition? 🤔

    – Luc
    11 hours ago






  • 5





    @OrangeDog that's simply not true. It is not a linear trade-off like that. There are lots of security measure that actually increase user-friendliness.

    – schroeder
    6 hours ago














23












23








23


5






A lot of the users in my company are using their agendas to write down their password and usernames, or Excel sheets with a protected password. I'm hesitant to install software for password management after reading recommendations/feedback on them. Is there any other secure and user-friendly solution to store passwords?










share|improve this question









New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












A lot of the users in my company are using their agendas to write down their password and usernames, or Excel sheets with a protected password. I'm hesitant to install software for password management after reading recommendations/feedback on them. Is there any other secure and user-friendly solution to store passwords?







passwords password-management






share|improve this question









New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Jeff Ferland

34.5k778160




34.5k778160






New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









Hajar QhHajar Qh

11613




11613




New contributor




Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Hajar Qh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 9





    Spreadsheets are a terrible choice. Offline password managers like KeePass are going to be your best option. Other than that I don't know what anyone could suggest - it's pretty much that or writing them in a physical book.

    – Polynomial
    yesterday






  • 48





    What is it about the recommendations/feedback that’s made you hesitant?

    – Ry-
    yesterday






  • 13





    Depending on your threat model, pen and paper may not be a bad choice.

    – MooseBoys
    18 hours ago






  • 10





    If you store passwords somewhere, doesn't that make it a password manager by definition? 🤔

    – Luc
    11 hours ago






  • 5





    @OrangeDog that's simply not true. It is not a linear trade-off like that. There are lots of security measure that actually increase user-friendliness.

    – schroeder
    6 hours ago














  • 9





    Spreadsheets are a terrible choice. Offline password managers like KeePass are going to be your best option. Other than that I don't know what anyone could suggest - it's pretty much that or writing them in a physical book.

    – Polynomial
    yesterday






  • 48





    What is it about the recommendations/feedback that’s made you hesitant?

    – Ry-
    yesterday






  • 13





    Depending on your threat model, pen and paper may not be a bad choice.

    – MooseBoys
    18 hours ago






  • 10





    If you store passwords somewhere, doesn't that make it a password manager by definition? 🤔

    – Luc
    11 hours ago






  • 5





    @OrangeDog that's simply not true. It is not a linear trade-off like that. There are lots of security measure that actually increase user-friendliness.

    – schroeder
    6 hours ago








9




9





Spreadsheets are a terrible choice. Offline password managers like KeePass are going to be your best option. Other than that I don't know what anyone could suggest - it's pretty much that or writing them in a physical book.

– Polynomial
yesterday





Spreadsheets are a terrible choice. Offline password managers like KeePass are going to be your best option. Other than that I don't know what anyone could suggest - it's pretty much that or writing them in a physical book.

– Polynomial
yesterday




48




48





What is it about the recommendations/feedback that’s made you hesitant?

– Ry-
yesterday





What is it about the recommendations/feedback that’s made you hesitant?

– Ry-
yesterday




13




13





Depending on your threat model, pen and paper may not be a bad choice.

– MooseBoys
18 hours ago





Depending on your threat model, pen and paper may not be a bad choice.

– MooseBoys
18 hours ago




10




10





If you store passwords somewhere, doesn't that make it a password manager by definition? 🤔

– Luc
11 hours ago





If you store passwords somewhere, doesn't that make it a password manager by definition? 🤔

– Luc
11 hours ago




5




5





@OrangeDog that's simply not true. It is not a linear trade-off like that. There are lots of security measure that actually increase user-friendliness.

– schroeder
6 hours ago





@OrangeDog that's simply not true. It is not a linear trade-off like that. There are lots of security measure that actually increase user-friendliness.

– schroeder
6 hours ago










11 Answers
11






active

oldest

votes


















46














Install a password manager. A good password manager is much, much better than anything you can do by yourself.



They are software created by security professionals, follow strict development rules, and are tested by a lot of people, and attacked by a lot of people. They have better chance of protecting your passwords than anything invented by the average, even the above average user.






share|improve this answer



















  • 16





    how does one know which is a good password manage and if they actually follow all the strict development rules ?

    – Nigel Fds
    21 hours ago






  • 8





    @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

    – Schwern
    21 hours ago











  • I use Enpass and it's very well written.

    – ThoriumBR
    20 hours ago













  • @Schwern awesome, that's good to know

    – Nigel Fds
    19 hours ago






  • 13





    @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

    – Mischa
    14 hours ago



















27














You're probably referring to the recent articles about flaws in password managers.





  • Password managers have a security flaw. But you should still use one. (Washington Post)


  • Password managers leaking data in memory, but you should still use one. (Sophos)


Its right there in the titles, password managers have flaws and you should still use one because they're more secure than what many folks do, like keeping passwords in Excel, emailing them around, pasting them into chat where they'll be logged by everyone...



All software has flaws. Password managers, and security software in general, is held to a higher standard than run-of-the-mill software. The flaws these articles are talking about in password managers are not rookie mistakes, but risk trade-offs.



1Password has a write up about the latest flaw as well as a deep discussion on their forums. It's not a mistake as it is a consequence of a trade-off to avoid other worse memory bugs. The important bit is that your computer must already be compromised and you have recently typed in your master password. As jpgoldberg of 1Password put it...




...we need to consider that for this to enable an attack the attacker must




  1. Be in a position to read 1Password process memory when 1Password is locked

  2. Not be in a position to read 1Password process memory when 1Password is unlocked.


Number 1 requires that the attacker has already seriously compromised the device. Number 2 means that that the attacker (who has seriously compromised your device) only has that control at some oddly limited times.




If your computer is already so compromised an attacker can read 1Password's process memory they don't need this exploit. They can just wait until 1Password unlocks.



And if your computer is compromised, keeping your passwords in an Excel spreadsheet offers you no protection.





Password managers can do other things to add to your security.




  • Share and manage your passwords between all your devices, including mobile devices.

  • Share and manage passwords and credentials with co-workers.

  • Store more than just passwords securely.


    • GPG and SSH keys and passphrases


    • One-time password generators

    • Recovery keys

    • Security questions

    • API keys

    • Notes



  • Inform you of insecure passwords


    • Reused passwords

    • Password breaches



  • Generate secure passwords

  • Auto-fill passwords (avoids being shoulder surfed)

  • Auto-record new accounts


These avoid bad practices such as reusing passwords, using weak passwords, sharing them via email or chat or a shared document, writing them down (whether on paper or a file), and continuing to use breached passwords.






share|improve this answer


























  • Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

    – Sergio Tulentsev
    14 hours ago






  • 4





    Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

    – JeroenHoek
    9 hours ago











  • It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

    – Konrad Rudolph
    6 hours ago











  • @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

    – OrangeDog
    6 hours ago













  • @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

    – Konrad Rudolph
    5 hours ago





















5














The encryption in Microsoft office documents is pretty good and secure for all intents and purposes.



It does offer some weak points



https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office




Previously, if the original creator of a file password either forgot
the password or left the organization, the file was rendered
unrecoverable. By using Office 2016 and an escrow key, which is
generated from your company or organization's private key certificate
store, an IT admin can "unlock" the file for a user and then either
leave the file without password protection, or assign a new password
to the file. You, the IT admin, are the keeper of the escrow key which
is generated from your company or organization's private key
certificate store. You can silently push the public key information to
client computers one time through a registry key setting that you can
manually create or you can create it through a Group Policy script.
When a user later creates a password-protected Word, Excel, or
PowerPoint file, this public key is included in the file header.
Later, an IT pro can use the Office DocRecrypt tool to remove the
password that is attached to the file, and then, optionally, protect
the file by using a new password. To do this, the IT pro must have all
the following:




The IT manager or someone with access to the root certificates can decrypt all documents. So if a malicious attacker would be able to gain access to this, it could decrypt all the password protected documents.



There is the secondary problem of the temp files Microsoft Office. The moment the file is opened in Microsoft Office and the correct password is entered, Microsoft Office creates a temp file that displays the contents.
Anyone browsing to this file can just select it and see the contents in the preview pane of Windows Explorer as long as someone has opened it.



In most windows networks its possible to just browse to the pc of a collegue and look into the documents on his/her pc or to any share they may have those documents on.



So in it's own, on the surface it might seem safe, but down below, someone just has to infect a workstation with a program that lies in wait for any encrypted documents it has access to be opened and then just read the contents of the temp file. And most people will just leave that password document open in the background once opened.



Most password managers have protections in place to only decrypt when needed and then store the password for a short moment into the clipboard before overwriting it, minimizing the possible exposure of the password.



In comparison, password managers offer more security.






share|improve this answer



















  • 4





    By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

    – Oxy
    11 hours ago






  • 1





    Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

    – Tschallacka
    9 hours ago





















3














The safest place to store a password is nowhere. It should be a secure token that only exists in the memory of the holder. Unfortunately, many use a password that is too simple and insecure, for the purpose of making it easier to remember. In contrast, more secure passwords are more difficult to remember (for most people).



If you cannot rely on your memory, you should definitely use a password manager. Password managers prevent even physical access from compromising your passwords. A little physical password book is only as good as the lock on your door, which is far less secure than a master password for a password manager that's stored only in your memory.






share|improve this answer








New contributor




owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

    – lucasgcb
    14 hours ago








  • 2





    @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

    – owacoder
    10 hours ago








  • 2





    I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

    – Dan
    7 hours ago






  • 1





    @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

    – owacoder
    7 hours ago






  • 1





    @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

    – Baldrickk
    7 hours ago



















2














Your only solution is to select passwords, that are hard to break but easy to remember, then you don't need to write them down anywhere!



But seriously, maybe you can ask your IT support to install a password manager server for your whole company, then you don't need to install one on your machine.






share|improve this answer










New contributor




Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 2





    I think that the hesitation is with using a password manager in general, not the local install.

    – schroeder
    22 hours ago











  • But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

    – Paris
    21 hours ago











  • The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

    – Captain Man
    6 hours ago











  • @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

    – Paris
    2 hours ago





















1














Sure! Here's a scheme that will not get compromised very often, if executed perfectly [1]:




  1. Keep a list of sites you have passwords for. Put it somewhere secure enough. [2]


  2. Keep a list of passwords. Keep it folded in your wallet. Be vigilant about showing it when opening your wallet, or when using a password from it. Destroy passwords you've memorized.


  3. If your wallet is lost or stolen, enjoy the huge headache of changing all your passwords.



So, pretty much what a basic password manager does - memorability, mapping to sites, and confidentiality. It's just way more leg work than using a password manager. If you make mistakes doing this, it becomes far less secure than using a password manager. Given human fallibility, perhaps a password manager is better?



[1]: The main ding against this scheme is that you will eventually fall out of practice doing it, and it will be a huge mess when you need to actually change passwords.



[2]: 'Secure enough' will vary greatly depending on your needs. Are you a boring person whose saving their bank credentials? A safe in your basement is probably fine. Are you hiding from the NSA? This scheme probably isn't sufficient, honestly.






share|improve this answer































    0














    I still heartily recommend using a password manager. If that is impossible, and all the following are true:




    • People can choose their own passwords.

    • No one has to share passwords.


      • (Protected Excel files make this seem unlikely.)




    ...then you could suggest a Password Card to keep in their wallet.






    share|improve this answer
























    • The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

      – Adonalsium
      8 hours ago



















    0














    Many recommend password managers. I don't disagree, that is indeed sound advice, but there is another possibility.



    It is fairly doable to let them record information on where to find the password without significantly weakening the integrity of the password - to most attack vectors. Have each bring a personal book (think: Alice in Wonderland or something), which are kept together in a single bookshelf and make every password a combination of 3-4 words from the book. You can then write down anywhere you like the page number, line number and word number of those words. Yes, password lookup will be slower but it will increase the security of your passwords against brute force attempts, it will ensure that physical access to the office is necessary, as well as a who's-book-is-which to break the code in addition to electronic access to their "stored" password. This is a huge improvement over storing the passwords in plaintext in a file on the workstation - which only needs a single successful phishing attempt to work.



    As a bonus, the passwords are more secure and easier to remember. Obligatory xkcd



    But, then again, if they can't be bothered to not write passwords down into an excel file - it can be a tough sell to establish a cumbersome procedure such as this. YMMV.






    share|improve this answer








    New contributor




    Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















    • This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

      – OrangeDog
      4 hours ago











    • It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

      – OrangeDog
      4 hours ago













    • @orangedog but not all of them.

      – Stian Yttervik
      3 hours ago











    • I think you are confused about what a phishing attack is.

      – OrangeDog
      3 hours ago











    • @orangedog Hardly, it rather seems like I am quite convinced.

      – Stian Yttervik
      3 hours ago





















    0














    This depends on who you fear might want to steal your passwords. The safest option is to use a password manager. That said, I use pen and paper.¹



    How I – irresponsibly – store my passwords



    I have a booklet at home with sites and passwords. The only ones I do not write down are that of my personal email and bank accounts. Personal email is important because a lot of the other passwords, at least the most important ones, can be reset using it.



    If someone breaks into my house they can go to the unlocked drawer and take the booklet. This would suck, but I am more worried about them taking my computer, tablet, kettle, etc.




    • Sure, I could tweak the passwords – before writing them down – with some trivial-to-break scheme to deter common thieves. I don't feel it is worth the effort but maybe I'll change my mind if someone breaks into my house.


    • At work I need a couple of passwords, but I've pretty much memorized most of them so I can manage without having the booklet near me. If I forget a password and I am not home I can always reset it; this rarely happens, in part because a lot of the websites I use keep me logged in.


    • There are passwords I rarely use. Say I log into some newspaper website and get logged out after 2 months. I'll search the booklet for the password or reset it.


    • The strength of my passwords depends on the purpose. For newspapers or some obscure forums I'll use easy passwords. If its something work related (or deeply personal, like healthcare website) I use stronger passwords.


    • The hard disk of my personal computer is encrypted with a strong password. This one is also not written down, so I guess that's three passwords I have to memorize. I've been wanting to make a copy and place it in a secure location, maybe a safe.


    • If a computer-skilled thief wants to rob my passwords, I'd worry more about something stored in my machine then a physical booklet.


    • I do not have a job that includes tasks such as the administration of machines (e.g. taking care of mail servers). My booklet wouldn't work for that. For that kind of task I'd probably be looking into 2FA plus a strong password stored in a secure location (e.g. vault) or whatever you're supposed to do at the company.


    • If you're going to store passwords in your computer then use a password manager. Not excel, not a text or word document, but a password manager. Password managers are built with this exact goal – that of storing passwords – in mind. If I were to store passwords electronically, I'd use a password manager.



    • I don't have passwords stored at work.² If I did I'd use a password manager and wouldn't write them on paper. Paper can be stolen, and paper can be lost. Then the creepy guy that finds it can go look into your social media private messages. Nobody wants that.




      • Maybe if its a password no one cares about. I had to create an email account to test something out a couple months ago. Didn't use it for any other purpose. Is it a problem if someone steals the password? No.




    ¹ I've been wanting to look into password managers to find which one would be a good option for me, but never got around to do it. Eventually, the task will get done.



    ² Okay, maybe the browser stores a couple of these. And there are a few private keys stored locally on my workstation.






    share|improve this answer

































      -3














      If you do not want a password manager program, print them out and store then in a safe or something secure rather than just a notebook like your co workers use.






      share|improve this answer








      New contributor




      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 3





        This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

        – Schwern
        22 hours ago








      • 1





        Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

        – ThoriumBR
        20 hours ago



















      -3














      This is not really answering the question about co-workers, but for personal use this works great if you really don't want to use a password manager (like me).



      You can easily store it in your mind: but don't remember the passwords, remember a formula.



      For example, start with a base word, let's say "Password", and think of a couple of custom rules:




      1. Number of letters in website name (Facebook: 8), and add it to the end.

      2. Capitalize matching vowels (Facebook: A and O)

      3. Replace the Nth character with a number equal to number of syllables (Facebook: 2)


      You end up with P2sswOrd8.



      You can now "store" an infinite amount of mostly unique passwords in your head (even with just 3 rules).






      share|improve this answer










      New contributor




      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 4





        This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

        – schroeder
        6 hours ago








      • 2





        Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

        – schroeder
        6 hours ago











      • It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

        – Jeffrey Roosendaal
        6 hours ago








      • 3





        Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

        – schroeder
        6 hours ago











      • The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

        – zakinster
        5 hours ago













      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Hajar Qh is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206090%2fis-there-a-good-way-to-store-credentials-outside-of-a-password-manager%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      11 Answers
      11






      active

      oldest

      votes








      11 Answers
      11






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      46














      Install a password manager. A good password manager is much, much better than anything you can do by yourself.



      They are software created by security professionals, follow strict development rules, and are tested by a lot of people, and attacked by a lot of people. They have better chance of protecting your passwords than anything invented by the average, even the above average user.






      share|improve this answer



















      • 16





        how does one know which is a good password manage and if they actually follow all the strict development rules ?

        – Nigel Fds
        21 hours ago






      • 8





        @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

        – Schwern
        21 hours ago











      • I use Enpass and it's very well written.

        – ThoriumBR
        20 hours ago













      • @Schwern awesome, that's good to know

        – Nigel Fds
        19 hours ago






      • 13





        @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

        – Mischa
        14 hours ago
















      46














      Install a password manager. A good password manager is much, much better than anything you can do by yourself.



      They are software created by security professionals, follow strict development rules, and are tested by a lot of people, and attacked by a lot of people. They have better chance of protecting your passwords than anything invented by the average, even the above average user.






      share|improve this answer



















      • 16





        how does one know which is a good password manage and if they actually follow all the strict development rules ?

        – Nigel Fds
        21 hours ago






      • 8





        @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

        – Schwern
        21 hours ago











      • I use Enpass and it's very well written.

        – ThoriumBR
        20 hours ago













      • @Schwern awesome, that's good to know

        – Nigel Fds
        19 hours ago






      • 13





        @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

        – Mischa
        14 hours ago














      46












      46








      46







      Install a password manager. A good password manager is much, much better than anything you can do by yourself.



      They are software created by security professionals, follow strict development rules, and are tested by a lot of people, and attacked by a lot of people. They have better chance of protecting your passwords than anything invented by the average, even the above average user.






      share|improve this answer













      Install a password manager. A good password manager is much, much better than anything you can do by yourself.



      They are software created by security professionals, follow strict development rules, and are tested by a lot of people, and attacked by a lot of people. They have better chance of protecting your passwords than anything invented by the average, even the above average user.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered yesterday









      ThoriumBRThoriumBR

      24k75873




      24k75873








      • 16





        how does one know which is a good password manage and if they actually follow all the strict development rules ?

        – Nigel Fds
        21 hours ago






      • 8





        @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

        – Schwern
        21 hours ago











      • I use Enpass and it's very well written.

        – ThoriumBR
        20 hours ago













      • @Schwern awesome, that's good to know

        – Nigel Fds
        19 hours ago






      • 13





        @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

        – Mischa
        14 hours ago














      • 16





        how does one know which is a good password manage and if they actually follow all the strict development rules ?

        – Nigel Fds
        21 hours ago






      • 8





        @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

        – Schwern
        21 hours ago











      • I use Enpass and it's very well written.

        – ThoriumBR
        20 hours ago













      • @Schwern awesome, that's good to know

        – Nigel Fds
        19 hours ago






      • 13





        @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

        – Mischa
        14 hours ago








      16




      16





      how does one know which is a good password manage and if they actually follow all the strict development rules ?

      – Nigel Fds
      21 hours ago





      how does one know which is a good password manage and if they actually follow all the strict development rules ?

      – Nigel Fds
      21 hours ago




      8




      8





      @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

      – Schwern
      21 hours ago





      @NigelFds Some, like Password, get audited by 3rd parties. support.1password.com/security-assessments

      – Schwern
      21 hours ago













      I use Enpass and it's very well written.

      – ThoriumBR
      20 hours ago







      I use Enpass and it's very well written.

      – ThoriumBR
      20 hours ago















      @Schwern awesome, that's good to know

      – Nigel Fds
      19 hours ago





      @Schwern awesome, that's good to know

      – Nigel Fds
      19 hours ago




      13




      13





      @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

      – Mischa
      14 hours ago





      @NigelFds Other example: KeePass It is open source can be audited my literally everyone and if you really wish you can even compile it yourself.

      – Mischa
      14 hours ago













      27














      You're probably referring to the recent articles about flaws in password managers.





      • Password managers have a security flaw. But you should still use one. (Washington Post)


      • Password managers leaking data in memory, but you should still use one. (Sophos)


      Its right there in the titles, password managers have flaws and you should still use one because they're more secure than what many folks do, like keeping passwords in Excel, emailing them around, pasting them into chat where they'll be logged by everyone...



      All software has flaws. Password managers, and security software in general, is held to a higher standard than run-of-the-mill software. The flaws these articles are talking about in password managers are not rookie mistakes, but risk trade-offs.



      1Password has a write up about the latest flaw as well as a deep discussion on their forums. It's not a mistake as it is a consequence of a trade-off to avoid other worse memory bugs. The important bit is that your computer must already be compromised and you have recently typed in your master password. As jpgoldberg of 1Password put it...




      ...we need to consider that for this to enable an attack the attacker must




      1. Be in a position to read 1Password process memory when 1Password is locked

      2. Not be in a position to read 1Password process memory when 1Password is unlocked.


      Number 1 requires that the attacker has already seriously compromised the device. Number 2 means that that the attacker (who has seriously compromised your device) only has that control at some oddly limited times.




      If your computer is already so compromised an attacker can read 1Password's process memory they don't need this exploit. They can just wait until 1Password unlocks.



      And if your computer is compromised, keeping your passwords in an Excel spreadsheet offers you no protection.





      Password managers can do other things to add to your security.




      • Share and manage your passwords between all your devices, including mobile devices.

      • Share and manage passwords and credentials with co-workers.

      • Store more than just passwords securely.


        • GPG and SSH keys and passphrases


        • One-time password generators

        • Recovery keys

        • Security questions

        • API keys

        • Notes



      • Inform you of insecure passwords


        • Reused passwords

        • Password breaches



      • Generate secure passwords

      • Auto-fill passwords (avoids being shoulder surfed)

      • Auto-record new accounts


      These avoid bad practices such as reusing passwords, using weak passwords, sharing them via email or chat or a shared document, writing them down (whether on paper or a file), and continuing to use breached passwords.






      share|improve this answer


























      • Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

        – Sergio Tulentsev
        14 hours ago






      • 4





        Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

        – JeroenHoek
        9 hours ago











      • It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

        – Konrad Rudolph
        6 hours ago











      • @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

        – OrangeDog
        6 hours ago













      • @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

        – Konrad Rudolph
        5 hours ago


















      27














      You're probably referring to the recent articles about flaws in password managers.





      • Password managers have a security flaw. But you should still use one. (Washington Post)


      • Password managers leaking data in memory, but you should still use one. (Sophos)


      Its right there in the titles, password managers have flaws and you should still use one because they're more secure than what many folks do, like keeping passwords in Excel, emailing them around, pasting them into chat where they'll be logged by everyone...



      All software has flaws. Password managers, and security software in general, is held to a higher standard than run-of-the-mill software. The flaws these articles are talking about in password managers are not rookie mistakes, but risk trade-offs.



      1Password has a write up about the latest flaw as well as a deep discussion on their forums. It's not a mistake as it is a consequence of a trade-off to avoid other worse memory bugs. The important bit is that your computer must already be compromised and you have recently typed in your master password. As jpgoldberg of 1Password put it...




      ...we need to consider that for this to enable an attack the attacker must




      1. Be in a position to read 1Password process memory when 1Password is locked

      2. Not be in a position to read 1Password process memory when 1Password is unlocked.


      Number 1 requires that the attacker has already seriously compromised the device. Number 2 means that that the attacker (who has seriously compromised your device) only has that control at some oddly limited times.




      If your computer is already so compromised an attacker can read 1Password's process memory they don't need this exploit. They can just wait until 1Password unlocks.



      And if your computer is compromised, keeping your passwords in an Excel spreadsheet offers you no protection.





      Password managers can do other things to add to your security.




      • Share and manage your passwords between all your devices, including mobile devices.

      • Share and manage passwords and credentials with co-workers.

      • Store more than just passwords securely.


        • GPG and SSH keys and passphrases


        • One-time password generators

        • Recovery keys

        • Security questions

        • API keys

        • Notes



      • Inform you of insecure passwords


        • Reused passwords

        • Password breaches



      • Generate secure passwords

      • Auto-fill passwords (avoids being shoulder surfed)

      • Auto-record new accounts


      These avoid bad practices such as reusing passwords, using weak passwords, sharing them via email or chat or a shared document, writing them down (whether on paper or a file), and continuing to use breached passwords.






      share|improve this answer


























      • Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

        – Sergio Tulentsev
        14 hours ago






      • 4





        Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

        – JeroenHoek
        9 hours ago











      • It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

        – Konrad Rudolph
        6 hours ago











      • @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

        – OrangeDog
        6 hours ago













      • @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

        – Konrad Rudolph
        5 hours ago
















      27












      27








      27







      You're probably referring to the recent articles about flaws in password managers.





      • Password managers have a security flaw. But you should still use one. (Washington Post)


      • Password managers leaking data in memory, but you should still use one. (Sophos)


      Its right there in the titles, password managers have flaws and you should still use one because they're more secure than what many folks do, like keeping passwords in Excel, emailing them around, pasting them into chat where they'll be logged by everyone...



      All software has flaws. Password managers, and security software in general, is held to a higher standard than run-of-the-mill software. The flaws these articles are talking about in password managers are not rookie mistakes, but risk trade-offs.



      1Password has a write up about the latest flaw as well as a deep discussion on their forums. It's not a mistake as it is a consequence of a trade-off to avoid other worse memory bugs. The important bit is that your computer must already be compromised and you have recently typed in your master password. As jpgoldberg of 1Password put it...




      ...we need to consider that for this to enable an attack the attacker must




      1. Be in a position to read 1Password process memory when 1Password is locked

      2. Not be in a position to read 1Password process memory when 1Password is unlocked.


      Number 1 requires that the attacker has already seriously compromised the device. Number 2 means that that the attacker (who has seriously compromised your device) only has that control at some oddly limited times.




      If your computer is already so compromised an attacker can read 1Password's process memory they don't need this exploit. They can just wait until 1Password unlocks.



      And if your computer is compromised, keeping your passwords in an Excel spreadsheet offers you no protection.





      Password managers can do other things to add to your security.




      • Share and manage your passwords between all your devices, including mobile devices.

      • Share and manage passwords and credentials with co-workers.

      • Store more than just passwords securely.


        • GPG and SSH keys and passphrases


        • One-time password generators

        • Recovery keys

        • Security questions

        • API keys

        • Notes



      • Inform you of insecure passwords


        • Reused passwords

        • Password breaches



      • Generate secure passwords

      • Auto-fill passwords (avoids being shoulder surfed)

      • Auto-record new accounts


      These avoid bad practices such as reusing passwords, using weak passwords, sharing them via email or chat or a shared document, writing them down (whether on paper or a file), and continuing to use breached passwords.






      share|improve this answer















      You're probably referring to the recent articles about flaws in password managers.





      • Password managers have a security flaw. But you should still use one. (Washington Post)


      • Password managers leaking data in memory, but you should still use one. (Sophos)


      Its right there in the titles, password managers have flaws and you should still use one because they're more secure than what many folks do, like keeping passwords in Excel, emailing them around, pasting them into chat where they'll be logged by everyone...



      All software has flaws. Password managers, and security software in general, is held to a higher standard than run-of-the-mill software. The flaws these articles are talking about in password managers are not rookie mistakes, but risk trade-offs.



      1Password has a write up about the latest flaw as well as a deep discussion on their forums. It's not a mistake as it is a consequence of a trade-off to avoid other worse memory bugs. The important bit is that your computer must already be compromised and you have recently typed in your master password. As jpgoldberg of 1Password put it...




      ...we need to consider that for this to enable an attack the attacker must




      1. Be in a position to read 1Password process memory when 1Password is locked

      2. Not be in a position to read 1Password process memory when 1Password is unlocked.


      Number 1 requires that the attacker has already seriously compromised the device. Number 2 means that that the attacker (who has seriously compromised your device) only has that control at some oddly limited times.




      If your computer is already so compromised an attacker can read 1Password's process memory they don't need this exploit. They can just wait until 1Password unlocks.



      And if your computer is compromised, keeping your passwords in an Excel spreadsheet offers you no protection.





      Password managers can do other things to add to your security.




      • Share and manage your passwords between all your devices, including mobile devices.

      • Share and manage passwords and credentials with co-workers.

      • Store more than just passwords securely.


        • GPG and SSH keys and passphrases


        • One-time password generators

        • Recovery keys

        • Security questions

        • API keys

        • Notes



      • Inform you of insecure passwords


        • Reused passwords

        • Password breaches



      • Generate secure passwords

      • Auto-fill passwords (avoids being shoulder surfed)

      • Auto-record new accounts


      These avoid bad practices such as reusing passwords, using weak passwords, sharing them via email or chat or a shared document, writing them down (whether on paper or a file), and continuing to use breached passwords.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 5 hours ago

























      answered 22 hours ago









      SchwernSchwern

      811514




      811514













      • Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

        – Sergio Tulentsev
        14 hours ago






      • 4





        Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

        – JeroenHoek
        9 hours ago











      • It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

        – Konrad Rudolph
        6 hours ago











      • @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

        – OrangeDog
        6 hours ago













      • @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

        – Konrad Rudolph
        5 hours ago





















      • Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

        – Sergio Tulentsev
        14 hours ago






      • 4





        Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

        – JeroenHoek
        9 hours ago











      • It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

        – Konrad Rudolph
        6 hours ago











      • @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

        – OrangeDog
        6 hours ago













      • @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

        – Konrad Rudolph
        5 hours ago



















      Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

      – Sergio Tulentsev
      14 hours ago





      Storing OTP generators in password managers decreases security, if anything (all eggs in the same basket). I still do it, though :/

      – Sergio Tulentsev
      14 hours ago




      4




      4





      Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

      – JeroenHoek
      9 hours ago





      Using an OTP generator (TOTP usually) from within a password manager secured with a good password (or even 2FA) is still better than not using that functionality, because the TOTP-seed becomes a second secret you need to know in addition to the user's password.

      – JeroenHoek
      9 hours ago













      It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

      – Konrad Rudolph
      6 hours ago





      It's a shame that the 1Password developers defend their product by falsely claiming that you can't scrub memory in a memory safe language. This is false. For instance, in C# you could pin a memory buffer to hold the decrypted content, and subsequently overwrite it. Granted, it makes things more complex since no GUI framework supports rendering text from such a buffer (i.e. it would need to be moved into a managed string at some point) but it's entirely possible (and not hard) to implement such text rendering code.

      – Konrad Rudolph
      6 hours ago













      @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

      – OrangeDog
      6 hours ago







      @KonradRudolph in which case, go ahead and implement it. You also need to get it into a password field on a webpage without relying on manual transcription.

      – OrangeDog
      6 hours ago















      @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

      – Konrad Rudolph
      5 hours ago







      @OrangeDog Sure but these aren’t problems that are specific to managed memory languages, you’d have the exact same problem in memory unsafe languages. “Go ahead and implement it” is an unhelpful reply to somebody pointing out factual inaccuracies.

      – Konrad Rudolph
      5 hours ago













      5














      The encryption in Microsoft office documents is pretty good and secure for all intents and purposes.



      It does offer some weak points



      https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office




      Previously, if the original creator of a file password either forgot
      the password or left the organization, the file was rendered
      unrecoverable. By using Office 2016 and an escrow key, which is
      generated from your company or organization's private key certificate
      store, an IT admin can "unlock" the file for a user and then either
      leave the file without password protection, or assign a new password
      to the file. You, the IT admin, are the keeper of the escrow key which
      is generated from your company or organization's private key
      certificate store. You can silently push the public key information to
      client computers one time through a registry key setting that you can
      manually create or you can create it through a Group Policy script.
      When a user later creates a password-protected Word, Excel, or
      PowerPoint file, this public key is included in the file header.
      Later, an IT pro can use the Office DocRecrypt tool to remove the
      password that is attached to the file, and then, optionally, protect
      the file by using a new password. To do this, the IT pro must have all
      the following:




      The IT manager or someone with access to the root certificates can decrypt all documents. So if a malicious attacker would be able to gain access to this, it could decrypt all the password protected documents.



      There is the secondary problem of the temp files Microsoft Office. The moment the file is opened in Microsoft Office and the correct password is entered, Microsoft Office creates a temp file that displays the contents.
      Anyone browsing to this file can just select it and see the contents in the preview pane of Windows Explorer as long as someone has opened it.



      In most windows networks its possible to just browse to the pc of a collegue and look into the documents on his/her pc or to any share they may have those documents on.



      So in it's own, on the surface it might seem safe, but down below, someone just has to infect a workstation with a program that lies in wait for any encrypted documents it has access to be opened and then just read the contents of the temp file. And most people will just leave that password document open in the background once opened.



      Most password managers have protections in place to only decrypt when needed and then store the password for a short moment into the clipboard before overwriting it, minimizing the possible exposure of the password.



      In comparison, password managers offer more security.






      share|improve this answer



















      • 4





        By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

        – Oxy
        11 hours ago






      • 1





        Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

        – Tschallacka
        9 hours ago


















      5














      The encryption in Microsoft office documents is pretty good and secure for all intents and purposes.



      It does offer some weak points



      https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office




      Previously, if the original creator of a file password either forgot
      the password or left the organization, the file was rendered
      unrecoverable. By using Office 2016 and an escrow key, which is
      generated from your company or organization's private key certificate
      store, an IT admin can "unlock" the file for a user and then either
      leave the file without password protection, or assign a new password
      to the file. You, the IT admin, are the keeper of the escrow key which
      is generated from your company or organization's private key
      certificate store. You can silently push the public key information to
      client computers one time through a registry key setting that you can
      manually create or you can create it through a Group Policy script.
      When a user later creates a password-protected Word, Excel, or
      PowerPoint file, this public key is included in the file header.
      Later, an IT pro can use the Office DocRecrypt tool to remove the
      password that is attached to the file, and then, optionally, protect
      the file by using a new password. To do this, the IT pro must have all
      the following:




      The IT manager or someone with access to the root certificates can decrypt all documents. So if a malicious attacker would be able to gain access to this, it could decrypt all the password protected documents.



      There is the secondary problem of the temp files Microsoft Office. The moment the file is opened in Microsoft Office and the correct password is entered, Microsoft Office creates a temp file that displays the contents.
      Anyone browsing to this file can just select it and see the contents in the preview pane of Windows Explorer as long as someone has opened it.



      In most windows networks its possible to just browse to the pc of a collegue and look into the documents on his/her pc or to any share they may have those documents on.



      So in it's own, on the surface it might seem safe, but down below, someone just has to infect a workstation with a program that lies in wait for any encrypted documents it has access to be opened and then just read the contents of the temp file. And most people will just leave that password document open in the background once opened.



      Most password managers have protections in place to only decrypt when needed and then store the password for a short moment into the clipboard before overwriting it, minimizing the possible exposure of the password.



      In comparison, password managers offer more security.






      share|improve this answer



















      • 4





        By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

        – Oxy
        11 hours ago






      • 1





        Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

        – Tschallacka
        9 hours ago
















      5












      5








      5







      The encryption in Microsoft office documents is pretty good and secure for all intents and purposes.



      It does offer some weak points



      https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office




      Previously, if the original creator of a file password either forgot
      the password or left the organization, the file was rendered
      unrecoverable. By using Office 2016 and an escrow key, which is
      generated from your company or organization's private key certificate
      store, an IT admin can "unlock" the file for a user and then either
      leave the file without password protection, or assign a new password
      to the file. You, the IT admin, are the keeper of the escrow key which
      is generated from your company or organization's private key
      certificate store. You can silently push the public key information to
      client computers one time through a registry key setting that you can
      manually create or you can create it through a Group Policy script.
      When a user later creates a password-protected Word, Excel, or
      PowerPoint file, this public key is included in the file header.
      Later, an IT pro can use the Office DocRecrypt tool to remove the
      password that is attached to the file, and then, optionally, protect
      the file by using a new password. To do this, the IT pro must have all
      the following:




      The IT manager or someone with access to the root certificates can decrypt all documents. So if a malicious attacker would be able to gain access to this, it could decrypt all the password protected documents.



      There is the secondary problem of the temp files Microsoft Office. The moment the file is opened in Microsoft Office and the correct password is entered, Microsoft Office creates a temp file that displays the contents.
      Anyone browsing to this file can just select it and see the contents in the preview pane of Windows Explorer as long as someone has opened it.



      In most windows networks its possible to just browse to the pc of a collegue and look into the documents on his/her pc or to any share they may have those documents on.



      So in it's own, on the surface it might seem safe, but down below, someone just has to infect a workstation with a program that lies in wait for any encrypted documents it has access to be opened and then just read the contents of the temp file. And most people will just leave that password document open in the background once opened.



      Most password managers have protections in place to only decrypt when needed and then store the password for a short moment into the clipboard before overwriting it, minimizing the possible exposure of the password.



      In comparison, password managers offer more security.






      share|improve this answer













      The encryption in Microsoft office documents is pretty good and secure for all intents and purposes.



      It does offer some weak points



      https://docs.microsoft.com/en-us/deployoffice/security/remove-or-reset-file-passwords-in-office




      Previously, if the original creator of a file password either forgot
      the password or left the organization, the file was rendered
      unrecoverable. By using Office 2016 and an escrow key, which is
      generated from your company or organization's private key certificate
      store, an IT admin can "unlock" the file for a user and then either
      leave the file without password protection, or assign a new password
      to the file. You, the IT admin, are the keeper of the escrow key which
      is generated from your company or organization's private key
      certificate store. You can silently push the public key information to
      client computers one time through a registry key setting that you can
      manually create or you can create it through a Group Policy script.
      When a user later creates a password-protected Word, Excel, or
      PowerPoint file, this public key is included in the file header.
      Later, an IT pro can use the Office DocRecrypt tool to remove the
      password that is attached to the file, and then, optionally, protect
      the file by using a new password. To do this, the IT pro must have all
      the following:




      The IT manager or someone with access to the root certificates can decrypt all documents. So if a malicious attacker would be able to gain access to this, it could decrypt all the password protected documents.



      There is the secondary problem of the temp files Microsoft Office. The moment the file is opened in Microsoft Office and the correct password is entered, Microsoft Office creates a temp file that displays the contents.
      Anyone browsing to this file can just select it and see the contents in the preview pane of Windows Explorer as long as someone has opened it.



      In most windows networks its possible to just browse to the pc of a collegue and look into the documents on his/her pc or to any share they may have those documents on.



      So in it's own, on the surface it might seem safe, but down below, someone just has to infect a workstation with a program that lies in wait for any encrypted documents it has access to be opened and then just read the contents of the temp file. And most people will just leave that password document open in the background once opened.



      Most password managers have protections in place to only decrypt when needed and then store the password for a short moment into the clipboard before overwriting it, minimizing the possible exposure of the password.



      In comparison, password managers offer more security.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered 13 hours ago









      TschallackaTschallacka

      25718




      25718








      • 4





        By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

        – Oxy
        11 hours ago






      • 1





        Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

        – Tschallacka
        9 hours ago
















      • 4





        By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

        – Oxy
        11 hours ago






      • 1





        Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

        – Tschallacka
        9 hours ago










      4




      4





      By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

      – Oxy
      11 hours ago





      By "all intents and purposes" what you actually mean is "not for all intents and purposes". Because if even a lousy sysadmin can access what you intend to protect, you've increased the social surface area of attack by at minimum a factor of 2, which is how passwords are cracked in many real world cases. That without taking into account the many flagrant software weaknesses provided by .norm password storage.

      – Oxy
      11 hours ago




      1




      1





      Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

      – Tschallacka
      9 hours ago







      Well, if it's made on a pc without the group certificate pushed, and only you know the encryption key/password, nobody will get to your documents as long as the file is closed. Best case scenario is that you store this document on a disconnected from ethernet, airgapped pc in a soundproof box within a faraday cage. It will protect documents against casual glancing at contents.

      – Tschallacka
      9 hours ago













      3














      The safest place to store a password is nowhere. It should be a secure token that only exists in the memory of the holder. Unfortunately, many use a password that is too simple and insecure, for the purpose of making it easier to remember. In contrast, more secure passwords are more difficult to remember (for most people).



      If you cannot rely on your memory, you should definitely use a password manager. Password managers prevent even physical access from compromising your passwords. A little physical password book is only as good as the lock on your door, which is far less secure than a master password for a password manager that's stored only in your memory.






      share|improve this answer








      New contributor




      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





















      • Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

        – lucasgcb
        14 hours ago








      • 2





        @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

        – owacoder
        10 hours ago








      • 2





        I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

        – Dan
        7 hours ago






      • 1





        @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

        – owacoder
        7 hours ago






      • 1





        @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

        – Baldrickk
        7 hours ago
















      3














      The safest place to store a password is nowhere. It should be a secure token that only exists in the memory of the holder. Unfortunately, many use a password that is too simple and insecure, for the purpose of making it easier to remember. In contrast, more secure passwords are more difficult to remember (for most people).



      If you cannot rely on your memory, you should definitely use a password manager. Password managers prevent even physical access from compromising your passwords. A little physical password book is only as good as the lock on your door, which is far less secure than a master password for a password manager that's stored only in your memory.






      share|improve this answer








      New contributor




      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





















      • Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

        – lucasgcb
        14 hours ago








      • 2





        @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

        – owacoder
        10 hours ago








      • 2





        I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

        – Dan
        7 hours ago






      • 1





        @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

        – owacoder
        7 hours ago






      • 1





        @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

        – Baldrickk
        7 hours ago














      3












      3








      3







      The safest place to store a password is nowhere. It should be a secure token that only exists in the memory of the holder. Unfortunately, many use a password that is too simple and insecure, for the purpose of making it easier to remember. In contrast, more secure passwords are more difficult to remember (for most people).



      If you cannot rely on your memory, you should definitely use a password manager. Password managers prevent even physical access from compromising your passwords. A little physical password book is only as good as the lock on your door, which is far less secure than a master password for a password manager that's stored only in your memory.






      share|improve this answer








      New contributor




      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      The safest place to store a password is nowhere. It should be a secure token that only exists in the memory of the holder. Unfortunately, many use a password that is too simple and insecure, for the purpose of making it easier to remember. In contrast, more secure passwords are more difficult to remember (for most people).



      If you cannot rely on your memory, you should definitely use a password manager. Password managers prevent even physical access from compromising your passwords. A little physical password book is only as good as the lock on your door, which is far less secure than a master password for a password manager that's stored only in your memory.







      share|improve this answer








      New contributor




      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this answer



      share|improve this answer






      New contributor




      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      answered 19 hours ago









      owacoderowacoder

      1312




      1312




      New contributor




      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      owacoder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.













      • Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

        – lucasgcb
        14 hours ago








      • 2





        @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

        – owacoder
        10 hours ago








      • 2





        I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

        – Dan
        7 hours ago






      • 1





        @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

        – owacoder
        7 hours ago






      • 1





        @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

        – Baldrickk
        7 hours ago



















      • Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

        – lucasgcb
        14 hours ago








      • 2





        @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

        – owacoder
        10 hours ago








      • 2





        I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

        – Dan
        7 hours ago






      • 1





        @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

        – owacoder
        7 hours ago






      • 1





        @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

        – Baldrickk
        7 hours ago

















      Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

      – lucasgcb
      14 hours ago







      Does this imply that a password for a service may exist solely in one's head? The other side still needs to store it; little does it matter if you can recall a complex password but their end gets compromised - this is noteworthy specially if you use the same password for other services. Ironically enough, the master Password for a Manager is as close as it gets to relying on your memory.

      – lucasgcb
      14 hours ago






      2




      2





      @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

      – owacoder
      10 hours ago







      @lucasgcb - Proper password storage for comparison purposes should include cryptographic hashing along with salting, thus the password itself is never actually stored. Proper salting also prevents hash comparisons if you do use the same password for different services.

      – owacoder
      10 hours ago






      2




      2





      I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

      – Dan
      7 hours ago





      I would disagree on the last point. We have significantly more experience with physically securing items and documents than we do securing data. Whether the physical security requirements are appropriate for the environment is another issue entirely.

      – Dan
      7 hours ago




      1




      1





      @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

      – owacoder
      7 hours ago





      @Dan - Agreed. We're on the same page I think. Both physical and computational security should be employed. I was just trying to highlight that our perceived and actual physical security often are not equal. We perceive our physical security to be much greater with a lock on the door, but realistically, that may just add a deterrent. Definitely agree with the likelihood of getting infected vs. being broken into, though.

      – owacoder
      7 hours ago




      1




      1





      @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

      – Baldrickk
      7 hours ago





      @lucasgcb the other side should most definitely NOT be storing your password. They should be using a hash of your password, salted at a minimum.

      – Baldrickk
      7 hours ago











      2














      Your only solution is to select passwords, that are hard to break but easy to remember, then you don't need to write them down anywhere!



      But seriously, maybe you can ask your IT support to install a password manager server for your whole company, then you don't need to install one on your machine.






      share|improve this answer










      New contributor




      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 2





        I think that the hesitation is with using a password manager in general, not the local install.

        – schroeder
        22 hours ago











      • But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

        – Paris
        21 hours ago











      • The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

        – Captain Man
        6 hours ago











      • @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

        – Paris
        2 hours ago


















      2














      Your only solution is to select passwords, that are hard to break but easy to remember, then you don't need to write them down anywhere!



      But seriously, maybe you can ask your IT support to install a password manager server for your whole company, then you don't need to install one on your machine.






      share|improve this answer










      New contributor




      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 2





        I think that the hesitation is with using a password manager in general, not the local install.

        – schroeder
        22 hours ago











      • But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

        – Paris
        21 hours ago











      • The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

        – Captain Man
        6 hours ago











      • @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

        – Paris
        2 hours ago
















      2












      2








      2







      Your only solution is to select passwords, that are hard to break but easy to remember, then you don't need to write them down anywhere!



      But seriously, maybe you can ask your IT support to install a password manager server for your whole company, then you don't need to install one on your machine.






      share|improve this answer










      New contributor




      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      Your only solution is to select passwords, that are hard to break but easy to remember, then you don't need to write them down anywhere!



      But seriously, maybe you can ask your IT support to install a password manager server for your whole company, then you don't need to install one on your machine.







      share|improve this answer










      New contributor




      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this answer



      share|improve this answer








      edited 22 hours ago









      schroeder

      78k30173209




      78k30173209






      New contributor




      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      answered 22 hours ago









      ParisParis

      211




      211




      New contributor




      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Paris is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      • 2





        I think that the hesitation is with using a password manager in general, not the local install.

        – schroeder
        22 hours ago











      • But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

        – Paris
        21 hours ago











      • The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

        – Captain Man
        6 hours ago











      • @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

        – Paris
        2 hours ago
















      • 2





        I think that the hesitation is with using a password manager in general, not the local install.

        – schroeder
        22 hours ago











      • But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

        – Paris
        21 hours ago











      • The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

        – Captain Man
        6 hours ago











      • @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

        – Paris
        2 hours ago










      2




      2





      I think that the hesitation is with using a password manager in general, not the local install.

      – schroeder
      22 hours ago





      I think that the hesitation is with using a password manager in general, not the local install.

      – schroeder
      22 hours ago













      But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

      – Paris
      21 hours ago





      But usually the passwords are for something, often for resources on the web. So if you are sending the password through the web, you can also store it on a server that is accessible only internally in your company network, secured by your real password, multiple users can share passwords for some resources, bla bla, <insert advertisment for pwd managment servers here> :-)

      – Paris
      21 hours ago













      The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

      – Captain Man
      6 hours ago





      The problem with this answer is that you cannot force users to do this. Sending something akin to the "correct horse battery staple" example (but more simply explained) as part of the policy may help them learn though.

      – Captain Man
      6 hours ago













      @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

      – Paris
      2 hours ago







      @CaptainMan you could write a password policy that only allows dictionary words and has a large minimum length, but that was more of lame idea in case a password manager is really not wished. but i really believe offering everyone a decent password manager where they don't have to install anything will go a long way. i'm now at the first company that is using one and it is a big help compared to how it was handled in my previous jobs.

      – Paris
      2 hours ago













      1














      Sure! Here's a scheme that will not get compromised very often, if executed perfectly [1]:




      1. Keep a list of sites you have passwords for. Put it somewhere secure enough. [2]


      2. Keep a list of passwords. Keep it folded in your wallet. Be vigilant about showing it when opening your wallet, or when using a password from it. Destroy passwords you've memorized.


      3. If your wallet is lost or stolen, enjoy the huge headache of changing all your passwords.



      So, pretty much what a basic password manager does - memorability, mapping to sites, and confidentiality. It's just way more leg work than using a password manager. If you make mistakes doing this, it becomes far less secure than using a password manager. Given human fallibility, perhaps a password manager is better?



      [1]: The main ding against this scheme is that you will eventually fall out of practice doing it, and it will be a huge mess when you need to actually change passwords.



      [2]: 'Secure enough' will vary greatly depending on your needs. Are you a boring person whose saving their bank credentials? A safe in your basement is probably fine. Are you hiding from the NSA? This scheme probably isn't sufficient, honestly.






      share|improve this answer




























        1














        Sure! Here's a scheme that will not get compromised very often, if executed perfectly [1]:




        1. Keep a list of sites you have passwords for. Put it somewhere secure enough. [2]


        2. Keep a list of passwords. Keep it folded in your wallet. Be vigilant about showing it when opening your wallet, or when using a password from it. Destroy passwords you've memorized.


        3. If your wallet is lost or stolen, enjoy the huge headache of changing all your passwords.



        So, pretty much what a basic password manager does - memorability, mapping to sites, and confidentiality. It's just way more leg work than using a password manager. If you make mistakes doing this, it becomes far less secure than using a password manager. Given human fallibility, perhaps a password manager is better?



        [1]: The main ding against this scheme is that you will eventually fall out of practice doing it, and it will be a huge mess when you need to actually change passwords.



        [2]: 'Secure enough' will vary greatly depending on your needs. Are you a boring person whose saving their bank credentials? A safe in your basement is probably fine. Are you hiding from the NSA? This scheme probably isn't sufficient, honestly.






        share|improve this answer


























          1












          1








          1







          Sure! Here's a scheme that will not get compromised very often, if executed perfectly [1]:




          1. Keep a list of sites you have passwords for. Put it somewhere secure enough. [2]


          2. Keep a list of passwords. Keep it folded in your wallet. Be vigilant about showing it when opening your wallet, or when using a password from it. Destroy passwords you've memorized.


          3. If your wallet is lost or stolen, enjoy the huge headache of changing all your passwords.



          So, pretty much what a basic password manager does - memorability, mapping to sites, and confidentiality. It's just way more leg work than using a password manager. If you make mistakes doing this, it becomes far less secure than using a password manager. Given human fallibility, perhaps a password manager is better?



          [1]: The main ding against this scheme is that you will eventually fall out of practice doing it, and it will be a huge mess when you need to actually change passwords.



          [2]: 'Secure enough' will vary greatly depending on your needs. Are you a boring person whose saving their bank credentials? A safe in your basement is probably fine. Are you hiding from the NSA? This scheme probably isn't sufficient, honestly.






          share|improve this answer













          Sure! Here's a scheme that will not get compromised very often, if executed perfectly [1]:




          1. Keep a list of sites you have passwords for. Put it somewhere secure enough. [2]


          2. Keep a list of passwords. Keep it folded in your wallet. Be vigilant about showing it when opening your wallet, or when using a password from it. Destroy passwords you've memorized.


          3. If your wallet is lost or stolen, enjoy the huge headache of changing all your passwords.



          So, pretty much what a basic password manager does - memorability, mapping to sites, and confidentiality. It's just way more leg work than using a password manager. If you make mistakes doing this, it becomes far less secure than using a password manager. Given human fallibility, perhaps a password manager is better?



          [1]: The main ding against this scheme is that you will eventually fall out of practice doing it, and it will be a huge mess when you need to actually change passwords.



          [2]: 'Secure enough' will vary greatly depending on your needs. Are you a boring person whose saving their bank credentials? A safe in your basement is probably fine. Are you hiding from the NSA? This scheme probably isn't sufficient, honestly.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 8 hours ago









          AdonalsiumAdonalsium

          3,3411720




          3,3411720























              0














              I still heartily recommend using a password manager. If that is impossible, and all the following are true:




              • People can choose their own passwords.

              • No one has to share passwords.


                • (Protected Excel files make this seem unlikely.)




              ...then you could suggest a Password Card to keep in their wallet.






              share|improve this answer
























              • The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

                – Adonalsium
                8 hours ago
















              0














              I still heartily recommend using a password manager. If that is impossible, and all the following are true:




              • People can choose their own passwords.

              • No one has to share passwords.


                • (Protected Excel files make this seem unlikely.)




              ...then you could suggest a Password Card to keep in their wallet.






              share|improve this answer
























              • The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

                – Adonalsium
                8 hours ago














              0












              0








              0







              I still heartily recommend using a password manager. If that is impossible, and all the following are true:




              • People can choose their own passwords.

              • No one has to share passwords.


                • (Protected Excel files make this seem unlikely.)




              ...then you could suggest a Password Card to keep in their wallet.






              share|improve this answer













              I still heartily recommend using a password manager. If that is impossible, and all the following are true:




              • People can choose their own passwords.

              • No one has to share passwords.


                • (Protected Excel files make this seem unlikely.)




              ...then you could suggest a Password Card to keep in their wallet.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 9 hours ago









              MichaelMichael

              1,1851227




              1,1851227













              • The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

                – Adonalsium
                8 hours ago



















              • The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

                – Adonalsium
                8 hours ago

















              The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

              – Adonalsium
              8 hours ago





              The caveat on password cards is that you must wipe them down after use. Most people trace their finger across the card as they track their password. This leaves an obvious trail for someone who obtains your card.

              – Adonalsium
              8 hours ago











              0














              Many recommend password managers. I don't disagree, that is indeed sound advice, but there is another possibility.



              It is fairly doable to let them record information on where to find the password without significantly weakening the integrity of the password - to most attack vectors. Have each bring a personal book (think: Alice in Wonderland or something), which are kept together in a single bookshelf and make every password a combination of 3-4 words from the book. You can then write down anywhere you like the page number, line number and word number of those words. Yes, password lookup will be slower but it will increase the security of your passwords against brute force attempts, it will ensure that physical access to the office is necessary, as well as a who's-book-is-which to break the code in addition to electronic access to their "stored" password. This is a huge improvement over storing the passwords in plaintext in a file on the workstation - which only needs a single successful phishing attempt to work.



              As a bonus, the passwords are more secure and easier to remember. Obligatory xkcd



              But, then again, if they can't be bothered to not write passwords down into an excel file - it can be a tough sell to establish a cumbersome procedure such as this. YMMV.






              share|improve this answer








              New contributor




              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.





















              • This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

                – OrangeDog
                4 hours ago











              • It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

                – OrangeDog
                4 hours ago













              • @orangedog but not all of them.

                – Stian Yttervik
                3 hours ago











              • I think you are confused about what a phishing attack is.

                – OrangeDog
                3 hours ago











              • @orangedog Hardly, it rather seems like I am quite convinced.

                – Stian Yttervik
                3 hours ago


















              0














              Many recommend password managers. I don't disagree, that is indeed sound advice, but there is another possibility.



              It is fairly doable to let them record information on where to find the password without significantly weakening the integrity of the password - to most attack vectors. Have each bring a personal book (think: Alice in Wonderland or something), which are kept together in a single bookshelf and make every password a combination of 3-4 words from the book. You can then write down anywhere you like the page number, line number and word number of those words. Yes, password lookup will be slower but it will increase the security of your passwords against brute force attempts, it will ensure that physical access to the office is necessary, as well as a who's-book-is-which to break the code in addition to electronic access to their "stored" password. This is a huge improvement over storing the passwords in plaintext in a file on the workstation - which only needs a single successful phishing attempt to work.



              As a bonus, the passwords are more secure and easier to remember. Obligatory xkcd



              But, then again, if they can't be bothered to not write passwords down into an excel file - it can be a tough sell to establish a cumbersome procedure such as this. YMMV.






              share|improve this answer








              New contributor




              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.





















              • This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

                – OrangeDog
                4 hours ago











              • It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

                – OrangeDog
                4 hours ago













              • @orangedog but not all of them.

                – Stian Yttervik
                3 hours ago











              • I think you are confused about what a phishing attack is.

                – OrangeDog
                3 hours ago











              • @orangedog Hardly, it rather seems like I am quite convinced.

                – Stian Yttervik
                3 hours ago
















              0












              0








              0







              Many recommend password managers. I don't disagree, that is indeed sound advice, but there is another possibility.



              It is fairly doable to let them record information on where to find the password without significantly weakening the integrity of the password - to most attack vectors. Have each bring a personal book (think: Alice in Wonderland or something), which are kept together in a single bookshelf and make every password a combination of 3-4 words from the book. You can then write down anywhere you like the page number, line number and word number of those words. Yes, password lookup will be slower but it will increase the security of your passwords against brute force attempts, it will ensure that physical access to the office is necessary, as well as a who's-book-is-which to break the code in addition to electronic access to their "stored" password. This is a huge improvement over storing the passwords in plaintext in a file on the workstation - which only needs a single successful phishing attempt to work.



              As a bonus, the passwords are more secure and easier to remember. Obligatory xkcd



              But, then again, if they can't be bothered to not write passwords down into an excel file - it can be a tough sell to establish a cumbersome procedure such as this. YMMV.






              share|improve this answer








              New contributor




              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.










              Many recommend password managers. I don't disagree, that is indeed sound advice, but there is another possibility.



              It is fairly doable to let them record information on where to find the password without significantly weakening the integrity of the password - to most attack vectors. Have each bring a personal book (think: Alice in Wonderland or something), which are kept together in a single bookshelf and make every password a combination of 3-4 words from the book. You can then write down anywhere you like the page number, line number and word number of those words. Yes, password lookup will be slower but it will increase the security of your passwords against brute force attempts, it will ensure that physical access to the office is necessary, as well as a who's-book-is-which to break the code in addition to electronic access to their "stored" password. This is a huge improvement over storing the passwords in plaintext in a file on the workstation - which only needs a single successful phishing attempt to work.



              As a bonus, the passwords are more secure and easier to remember. Obligatory xkcd



              But, then again, if they can't be bothered to not write passwords down into an excel file - it can be a tough sell to establish a cumbersome procedure such as this. YMMV.







              share|improve this answer








              New contributor




              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.









              share|improve this answer



              share|improve this answer






              New contributor




              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.









              answered 5 hours ago









              Stian YttervikStian Yttervik

              1011




              1011




              New contributor




              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.





              New contributor





              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.






              Stian Yttervik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.













              • This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

                – OrangeDog
                4 hours ago











              • It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

                – OrangeDog
                4 hours ago













              • @orangedog but not all of them.

                – Stian Yttervik
                3 hours ago











              • I think you are confused about what a phishing attack is.

                – OrangeDog
                3 hours ago











              • @orangedog Hardly, it rather seems like I am quite convinced.

                – Stian Yttervik
                3 hours ago





















              • This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

                – OrangeDog
                4 hours ago











              • It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

                – OrangeDog
                4 hours ago













              • @orangedog but not all of them.

                – Stian Yttervik
                3 hours ago











              • I think you are confused about what a phishing attack is.

                – OrangeDog
                3 hours ago











              • @orangedog Hardly, it rather seems like I am quite convinced.

                – Stian Yttervik
                3 hours ago



















              This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

              – OrangeDog
              4 hours ago





              This is pretty dumb. Just write your passwords in a notebook and lock it in a drawer (or a fire-proof safe for critical passwords).

              – OrangeDog
              4 hours ago













              It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

              – OrangeDog
              4 hours ago







              It doesn't matter how passwords are stored, a single successful phishing attempt will always compromise them.

              – OrangeDog
              4 hours ago















              @orangedog but not all of them.

              – Stian Yttervik
              3 hours ago





              @orangedog but not all of them.

              – Stian Yttervik
              3 hours ago













              I think you are confused about what a phishing attack is.

              – OrangeDog
              3 hours ago





              I think you are confused about what a phishing attack is.

              – OrangeDog
              3 hours ago













              @orangedog Hardly, it rather seems like I am quite convinced.

              – Stian Yttervik
              3 hours ago







              @orangedog Hardly, it rather seems like I am quite convinced.

              – Stian Yttervik
              3 hours ago













              0














              This depends on who you fear might want to steal your passwords. The safest option is to use a password manager. That said, I use pen and paper.¹



              How I – irresponsibly – store my passwords



              I have a booklet at home with sites and passwords. The only ones I do not write down are that of my personal email and bank accounts. Personal email is important because a lot of the other passwords, at least the most important ones, can be reset using it.



              If someone breaks into my house they can go to the unlocked drawer and take the booklet. This would suck, but I am more worried about them taking my computer, tablet, kettle, etc.




              • Sure, I could tweak the passwords – before writing them down – with some trivial-to-break scheme to deter common thieves. I don't feel it is worth the effort but maybe I'll change my mind if someone breaks into my house.


              • At work I need a couple of passwords, but I've pretty much memorized most of them so I can manage without having the booklet near me. If I forget a password and I am not home I can always reset it; this rarely happens, in part because a lot of the websites I use keep me logged in.


              • There are passwords I rarely use. Say I log into some newspaper website and get logged out after 2 months. I'll search the booklet for the password or reset it.


              • The strength of my passwords depends on the purpose. For newspapers or some obscure forums I'll use easy passwords. If its something work related (or deeply personal, like healthcare website) I use stronger passwords.


              • The hard disk of my personal computer is encrypted with a strong password. This one is also not written down, so I guess that's three passwords I have to memorize. I've been wanting to make a copy and place it in a secure location, maybe a safe.


              • If a computer-skilled thief wants to rob my passwords, I'd worry more about something stored in my machine then a physical booklet.


              • I do not have a job that includes tasks such as the administration of machines (e.g. taking care of mail servers). My booklet wouldn't work for that. For that kind of task I'd probably be looking into 2FA plus a strong password stored in a secure location (e.g. vault) or whatever you're supposed to do at the company.


              • If you're going to store passwords in your computer then use a password manager. Not excel, not a text or word document, but a password manager. Password managers are built with this exact goal – that of storing passwords – in mind. If I were to store passwords electronically, I'd use a password manager.



              • I don't have passwords stored at work.² If I did I'd use a password manager and wouldn't write them on paper. Paper can be stolen, and paper can be lost. Then the creepy guy that finds it can go look into your social media private messages. Nobody wants that.




                • Maybe if its a password no one cares about. I had to create an email account to test something out a couple months ago. Didn't use it for any other purpose. Is it a problem if someone steals the password? No.




              ¹ I've been wanting to look into password managers to find which one would be a good option for me, but never got around to do it. Eventually, the task will get done.



              ² Okay, maybe the browser stores a couple of these. And there are a few private keys stored locally on my workstation.






              share|improve this answer






























                0














                This depends on who you fear might want to steal your passwords. The safest option is to use a password manager. That said, I use pen and paper.¹



                How I – irresponsibly – store my passwords



                I have a booklet at home with sites and passwords. The only ones I do not write down are that of my personal email and bank accounts. Personal email is important because a lot of the other passwords, at least the most important ones, can be reset using it.



                If someone breaks into my house they can go to the unlocked drawer and take the booklet. This would suck, but I am more worried about them taking my computer, tablet, kettle, etc.




                • Sure, I could tweak the passwords – before writing them down – with some trivial-to-break scheme to deter common thieves. I don't feel it is worth the effort but maybe I'll change my mind if someone breaks into my house.


                • At work I need a couple of passwords, but I've pretty much memorized most of them so I can manage without having the booklet near me. If I forget a password and I am not home I can always reset it; this rarely happens, in part because a lot of the websites I use keep me logged in.


                • There are passwords I rarely use. Say I log into some newspaper website and get logged out after 2 months. I'll search the booklet for the password or reset it.


                • The strength of my passwords depends on the purpose. For newspapers or some obscure forums I'll use easy passwords. If its something work related (or deeply personal, like healthcare website) I use stronger passwords.


                • The hard disk of my personal computer is encrypted with a strong password. This one is also not written down, so I guess that's three passwords I have to memorize. I've been wanting to make a copy and place it in a secure location, maybe a safe.


                • If a computer-skilled thief wants to rob my passwords, I'd worry more about something stored in my machine then a physical booklet.


                • I do not have a job that includes tasks such as the administration of machines (e.g. taking care of mail servers). My booklet wouldn't work for that. For that kind of task I'd probably be looking into 2FA plus a strong password stored in a secure location (e.g. vault) or whatever you're supposed to do at the company.


                • If you're going to store passwords in your computer then use a password manager. Not excel, not a text or word document, but a password manager. Password managers are built with this exact goal – that of storing passwords – in mind. If I were to store passwords electronically, I'd use a password manager.



                • I don't have passwords stored at work.² If I did I'd use a password manager and wouldn't write them on paper. Paper can be stolen, and paper can be lost. Then the creepy guy that finds it can go look into your social media private messages. Nobody wants that.




                  • Maybe if its a password no one cares about. I had to create an email account to test something out a couple months ago. Didn't use it for any other purpose. Is it a problem if someone steals the password? No.




                ¹ I've been wanting to look into password managers to find which one would be a good option for me, but never got around to do it. Eventually, the task will get done.



                ² Okay, maybe the browser stores a couple of these. And there are a few private keys stored locally on my workstation.






                share|improve this answer




























                  0












                  0








                  0







                  This depends on who you fear might want to steal your passwords. The safest option is to use a password manager. That said, I use pen and paper.¹



                  How I – irresponsibly – store my passwords



                  I have a booklet at home with sites and passwords. The only ones I do not write down are that of my personal email and bank accounts. Personal email is important because a lot of the other passwords, at least the most important ones, can be reset using it.



                  If someone breaks into my house they can go to the unlocked drawer and take the booklet. This would suck, but I am more worried about them taking my computer, tablet, kettle, etc.




                  • Sure, I could tweak the passwords – before writing them down – with some trivial-to-break scheme to deter common thieves. I don't feel it is worth the effort but maybe I'll change my mind if someone breaks into my house.


                  • At work I need a couple of passwords, but I've pretty much memorized most of them so I can manage without having the booklet near me. If I forget a password and I am not home I can always reset it; this rarely happens, in part because a lot of the websites I use keep me logged in.


                  • There are passwords I rarely use. Say I log into some newspaper website and get logged out after 2 months. I'll search the booklet for the password or reset it.


                  • The strength of my passwords depends on the purpose. For newspapers or some obscure forums I'll use easy passwords. If its something work related (or deeply personal, like healthcare website) I use stronger passwords.


                  • The hard disk of my personal computer is encrypted with a strong password. This one is also not written down, so I guess that's three passwords I have to memorize. I've been wanting to make a copy and place it in a secure location, maybe a safe.


                  • If a computer-skilled thief wants to rob my passwords, I'd worry more about something stored in my machine then a physical booklet.


                  • I do not have a job that includes tasks such as the administration of machines (e.g. taking care of mail servers). My booklet wouldn't work for that. For that kind of task I'd probably be looking into 2FA plus a strong password stored in a secure location (e.g. vault) or whatever you're supposed to do at the company.


                  • If you're going to store passwords in your computer then use a password manager. Not excel, not a text or word document, but a password manager. Password managers are built with this exact goal – that of storing passwords – in mind. If I were to store passwords electronically, I'd use a password manager.



                  • I don't have passwords stored at work.² If I did I'd use a password manager and wouldn't write them on paper. Paper can be stolen, and paper can be lost. Then the creepy guy that finds it can go look into your social media private messages. Nobody wants that.




                    • Maybe if its a password no one cares about. I had to create an email account to test something out a couple months ago. Didn't use it for any other purpose. Is it a problem if someone steals the password? No.




                  ¹ I've been wanting to look into password managers to find which one would be a good option for me, but never got around to do it. Eventually, the task will get done.



                  ² Okay, maybe the browser stores a couple of these. And there are a few private keys stored locally on my workstation.






                  share|improve this answer















                  This depends on who you fear might want to steal your passwords. The safest option is to use a password manager. That said, I use pen and paper.¹



                  How I – irresponsibly – store my passwords



                  I have a booklet at home with sites and passwords. The only ones I do not write down are that of my personal email and bank accounts. Personal email is important because a lot of the other passwords, at least the most important ones, can be reset using it.



                  If someone breaks into my house they can go to the unlocked drawer and take the booklet. This would suck, but I am more worried about them taking my computer, tablet, kettle, etc.




                  • Sure, I could tweak the passwords – before writing them down – with some trivial-to-break scheme to deter common thieves. I don't feel it is worth the effort but maybe I'll change my mind if someone breaks into my house.


                  • At work I need a couple of passwords, but I've pretty much memorized most of them so I can manage without having the booklet near me. If I forget a password and I am not home I can always reset it; this rarely happens, in part because a lot of the websites I use keep me logged in.


                  • There are passwords I rarely use. Say I log into some newspaper website and get logged out after 2 months. I'll search the booklet for the password or reset it.


                  • The strength of my passwords depends on the purpose. For newspapers or some obscure forums I'll use easy passwords. If its something work related (or deeply personal, like healthcare website) I use stronger passwords.


                  • The hard disk of my personal computer is encrypted with a strong password. This one is also not written down, so I guess that's three passwords I have to memorize. I've been wanting to make a copy and place it in a secure location, maybe a safe.


                  • If a computer-skilled thief wants to rob my passwords, I'd worry more about something stored in my machine then a physical booklet.


                  • I do not have a job that includes tasks such as the administration of machines (e.g. taking care of mail servers). My booklet wouldn't work for that. For that kind of task I'd probably be looking into 2FA plus a strong password stored in a secure location (e.g. vault) or whatever you're supposed to do at the company.


                  • If you're going to store passwords in your computer then use a password manager. Not excel, not a text or word document, but a password manager. Password managers are built with this exact goal – that of storing passwords – in mind. If I were to store passwords electronically, I'd use a password manager.



                  • I don't have passwords stored at work.² If I did I'd use a password manager and wouldn't write them on paper. Paper can be stolen, and paper can be lost. Then the creepy guy that finds it can go look into your social media private messages. Nobody wants that.




                    • Maybe if its a password no one cares about. I had to create an email account to test something out a couple months ago. Didn't use it for any other purpose. Is it a problem if someone steals the password? No.




                  ¹ I've been wanting to look into password managers to find which one would be a good option for me, but never got around to do it. Eventually, the task will get done.



                  ² Okay, maybe the browser stores a couple of these. And there are a few private keys stored locally on my workstation.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 49 mins ago

























                  answered 1 hour ago









                  DanielDaniel

                  412315




                  412315























                      -3














                      If you do not want a password manager program, print them out and store then in a safe or something secure rather than just a notebook like your co workers use.






                      share|improve this answer








                      New contributor




                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
















                      • 3





                        This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

                        – Schwern
                        22 hours ago








                      • 1





                        Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

                        – ThoriumBR
                        20 hours ago
















                      -3














                      If you do not want a password manager program, print them out and store then in a safe or something secure rather than just a notebook like your co workers use.






                      share|improve this answer








                      New contributor




                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
















                      • 3





                        This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

                        – Schwern
                        22 hours ago








                      • 1





                        Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

                        – ThoriumBR
                        20 hours ago














                      -3












                      -3








                      -3







                      If you do not want a password manager program, print them out and store then in a safe or something secure rather than just a notebook like your co workers use.






                      share|improve this answer








                      New contributor




                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.










                      If you do not want a password manager program, print them out and store then in a safe or something secure rather than just a notebook like your co workers use.







                      share|improve this answer








                      New contributor




                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer






                      New contributor




                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered yesterday









                      user197001user197001

                      1




                      1




                      New contributor




                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      user197001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.








                      • 3





                        This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

                        – Schwern
                        22 hours ago








                      • 1





                        Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

                        – ThoriumBR
                        20 hours ago














                      • 3





                        This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

                        – Schwern
                        22 hours ago








                      • 1





                        Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

                        – ThoriumBR
                        20 hours ago








                      3




                      3





                      This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

                      – Schwern
                      22 hours ago







                      This is fine as a backup for your super important passwords, like the password to your password manager, but for any day-to-day passwords you need them in a convenient and secure location. A safe will not cut it.

                      – Schwern
                      22 hours ago






                      1




                      1





                      Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

                      – ThoriumBR
                      20 hours ago





                      Keeping the VPN password on a safe is not practical. For your bitcoin cold-wallet is fine, but not for everything.

                      – ThoriumBR
                      20 hours ago











                      -3














                      This is not really answering the question about co-workers, but for personal use this works great if you really don't want to use a password manager (like me).



                      You can easily store it in your mind: but don't remember the passwords, remember a formula.



                      For example, start with a base word, let's say "Password", and think of a couple of custom rules:




                      1. Number of letters in website name (Facebook: 8), and add it to the end.

                      2. Capitalize matching vowels (Facebook: A and O)

                      3. Replace the Nth character with a number equal to number of syllables (Facebook: 2)


                      You end up with P2sswOrd8.



                      You can now "store" an infinite amount of mostly unique passwords in your head (even with just 3 rules).






                      share|improve this answer










                      New contributor




                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
















                      • 4





                        This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

                        – schroeder
                        6 hours ago








                      • 2





                        Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

                        – schroeder
                        6 hours ago











                      • It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

                        – Jeffrey Roosendaal
                        6 hours ago








                      • 3





                        Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

                        – schroeder
                        6 hours ago











                      • The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

                        – zakinster
                        5 hours ago


















                      -3














                      This is not really answering the question about co-workers, but for personal use this works great if you really don't want to use a password manager (like me).



                      You can easily store it in your mind: but don't remember the passwords, remember a formula.



                      For example, start with a base word, let's say "Password", and think of a couple of custom rules:




                      1. Number of letters in website name (Facebook: 8), and add it to the end.

                      2. Capitalize matching vowels (Facebook: A and O)

                      3. Replace the Nth character with a number equal to number of syllables (Facebook: 2)


                      You end up with P2sswOrd8.



                      You can now "store" an infinite amount of mostly unique passwords in your head (even with just 3 rules).






                      share|improve this answer










                      New contributor




                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
















                      • 4





                        This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

                        – schroeder
                        6 hours ago








                      • 2





                        Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

                        – schroeder
                        6 hours ago











                      • It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

                        – Jeffrey Roosendaal
                        6 hours ago








                      • 3





                        Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

                        – schroeder
                        6 hours ago











                      • The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

                        – zakinster
                        5 hours ago
















                      -3












                      -3








                      -3







                      This is not really answering the question about co-workers, but for personal use this works great if you really don't want to use a password manager (like me).



                      You can easily store it in your mind: but don't remember the passwords, remember a formula.



                      For example, start with a base word, let's say "Password", and think of a couple of custom rules:




                      1. Number of letters in website name (Facebook: 8), and add it to the end.

                      2. Capitalize matching vowels (Facebook: A and O)

                      3. Replace the Nth character with a number equal to number of syllables (Facebook: 2)


                      You end up with P2sswOrd8.



                      You can now "store" an infinite amount of mostly unique passwords in your head (even with just 3 rules).






                      share|improve this answer










                      New contributor




                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.










                      This is not really answering the question about co-workers, but for personal use this works great if you really don't want to use a password manager (like me).



                      You can easily store it in your mind: but don't remember the passwords, remember a formula.



                      For example, start with a base word, let's say "Password", and think of a couple of custom rules:




                      1. Number of letters in website name (Facebook: 8), and add it to the end.

                      2. Capitalize matching vowels (Facebook: A and O)

                      3. Replace the Nth character with a number equal to number of syllables (Facebook: 2)


                      You end up with P2sswOrd8.



                      You can now "store" an infinite amount of mostly unique passwords in your head (even with just 3 rules).







                      share|improve this answer










                      New contributor




                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer








                      edited 6 hours ago









                      schroeder

                      78k30173209




                      78k30173209






                      New contributor




                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered 6 hours ago









                      Jeffrey RoosendaalJeffrey Roosendaal

                      1032




                      1032




                      New contributor




                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      Jeffrey Roosendaal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.








                      • 4





                        This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

                        – schroeder
                        6 hours ago








                      • 2





                        Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

                        – schroeder
                        6 hours ago











                      • It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

                        – Jeffrey Roosendaal
                        6 hours ago








                      • 3





                        Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

                        – schroeder
                        6 hours ago











                      • The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

                        – zakinster
                        5 hours ago
















                      • 4





                        This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

                        – schroeder
                        6 hours ago








                      • 2





                        Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

                        – schroeder
                        6 hours ago











                      • It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

                        – Jeffrey Roosendaal
                        6 hours ago








                      • 3





                        Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

                        – schroeder
                        6 hours ago











                      • The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

                        – zakinster
                        5 hours ago










                      4




                      4





                      This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

                      – schroeder
                      6 hours ago







                      This really isn't a question about how to create memorable passwords. We already have a canonical question about that. Password patterns are inherently insecure, and your system does not account for needing to change the password. What do you do, change the rules for every password you have when you need to change just one?

                      – schroeder
                      6 hours ago






                      2




                      2





                      Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

                      – schroeder
                      6 hours ago





                      Your answer to the question is basically to use a password formula, and there is already an answer that covers that option. Your example formula has a lot of flaws, and I would not recommend this formula at all if I was recommending formulas.

                      – schroeder
                      6 hours ago













                      It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

                      – Jeffrey Roosendaal
                      6 hours ago







                      It was about storing credentials, and this is how I store them. When hacked, just use a backup base word. It's the password that got hacked, not the formula. Also, where did I pretend this is a perfect? The above rules are just an example, showing how easy it is to create unique passwords with even some simple rules that are easy to remember. And who knows, it may help OP.

                      – Jeffrey Roosendaal
                      6 hours ago






                      3




                      3





                      Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

                      – schroeder
                      6 hours ago





                      Wait, so in your formula you still have to remember a unique word per site? How do you store that word? No, you are not storing anything, you are generating the password. And no, it is not perfect, it's not good either. There are far more secure patterns to choose.

                      – schroeder
                      6 hours ago













                      The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

                      – zakinster
                      5 hours ago







                      The entropy of this password generation method is dramatically low. If one knows your "formula", he only needs to know the base word and the target website name to deduce the password. If you rely on your formula being secret, once it's discovered (through retro-engineering of leaked passwords or social-engineering of yourself), one would be able to deduce all your past and future passwords. Remember that security through obscurity is an illusion.

                      – zakinster
                      5 hours ago












                      Hajar Qh is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Hajar Qh is a new contributor. Be nice, and check out our Code of Conduct.













                      Hajar Qh is a new contributor. Be nice, and check out our Code of Conduct.












                      Hajar Qh is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206090%2fis-there-a-good-way-to-store-credentials-outside-of-a-password-manager%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

                      He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

                      Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029