90

Answers to the question "How safe are password managers like LastPass?" suggest that storing personal passwords on a physical notebook might be a reasonable option:

I know someone who won't use Password Safe and instead has a physical notebook with his passwords in obfuscated form. This notebook is obviously much safer against malware... whether it's at greater risk of loss/theft is an interesting question.

Obviously, a piece of paper is secure against any malware attacks.

The requirement is for an offline access of credentials. For example a small notebook on which you write all your security details for all banks, stores, websites, even combination locks, addresses and all other details you may wish to be able to access from any location in the world.

Also, it can sometimes be easier to look up passwords in a notebook -- e.g. if you travel a lot, you could store passwords on your smartphone using a password manager app. However, this means your phone needs to be charged and operational all the time, which adds another point of failure.


Now, disregarding the possibilities that a notebook might be lost, stolen completely, destroyed or otherwise physically harmed, I'd like to focus on one question:

How would you obfuscate (as mentioned in the first quote) passwords so that they cannot easily be deciphered by someone who is able to throw a glance at the notebook?

On the other hand, the algorithm must be simple enough so that the owner of the notebook can decode his or her own passwords in almost no time.

Bonus questions:

Could such an algorithm be considered more or less secure even if it's posted here on Information Security or does obfuscation always imply security through obscurity (i.e. keeping the algorithm itself secret)?

Could an obfuscation algorithm be designed in such a way that it would be impossible or unlikely to decipher the passwords, even if a hypothetical attacker had access to the notebook for at least several hours? Or would that naturally contradict the requirement that the owner can decode his/her passwords quickly?

tmh
  • 1,139
  • 1
  • 9
  • 10
  • 1
    "*Disregarding the possibilities that a notebook might be lost, stolen completely, destroyed or otherwise physically harmed*" -- because we're assuming reasonable precautions I assume? – Chris H Dec 22 '15 at 14:00
  • @ChrisH That, and I wanted to avoid the question being considered too broad. Feel free to mention aspects of physical security in your answer, though. – tmh Dec 22 '15 at 14:04
  • 71
    *How do you obfuscate passwords?* Simple. You write Dinosaur Erotica, and hide the passwords in the middle. You assume people would be too embarrassed to read it. – Shantnu Dec 22 '15 at 16:10
  • @Shantnu This is funny, but actually a valid answer. You can hide passwords in any text. Like Chris put it: "Put *too much* information in the book" The question is, how would you hide more complex passwords (with numbers and special chars) inside an ordinary text? – tmh Dec 22 '15 at 16:13
  • 2
    Another approach would be to take an existing text, print it out and decide that for example the first letter of the first ten words in each paragraph make up a password... then leave some clues as to what account a paragraph belongs to... – tmh Dec 22 '15 at 16:14
  • Caesar cipher with an alphabet of A-Z, 0-9, capitalization in the ciphertext and special characters unenciphered. Yes, there are only 36 possible keys and a password could be brute-forced in a few minutes. Often (usually?) an account will be locked for too many tries before a brute force attack succeeds. Also, a brute force attack is only possible if the notebook is compromised, which is (mostly) ruled out by the question. – Bob Brown Dec 22 '15 at 17:38
  • 1
    At least to prevent the passing glance, there's always [Leonardo writing](http://legacy.mos.org/sln/Leonardo/LeonardoRighttoLeft.html) – Wayne Werner Dec 22 '15 at 18:58
  • @BobBrown “Often (usually?) an account will be locked for too many tries before a brute force attack succeeds.” — That's what offline attacks are for. – Blacklight Shining Dec 22 '15 at 20:31
  • 8
    You can obfuscate and Caesar-cipher all you want, but if anyone manages to snap a picture of a page of your notebook and take it home, it's game over. There are two ways to secure data at rest: strong physical-access restrictions, and strong cryptography. You can't have the former if you want quick and easy access to the notebook, and you can't have the latter if you want quick and non-computerized derivation of the plain passwords. – Blacklight Shining Dec 22 '15 at 20:45
  • 1
    @BlacklightShining An offline attack implies that the target system's password hashes have been compromised. A) Your security is probably toast in that case anyway, and B) only a state actor (*cough* NSA *cough*) is likely to compromise both the password hashes *and* the little black book. – Bob Brown Dec 22 '15 at 21:20
  • 2
    @Dave plays have a rhythm, logic, cues from the other actors etc. to prompt memory. One of the skills actors need is the ability to memorise lines, which in many cases takes training. Of the plausible password advice the closest to learning lines is memorising a random sequence of words. An actor (or better an opera singer who can sing in a language they don't know) could probably do it. But not at the first attempt so they'd need to write it temporarily. The rest of us, not so much. – Chris H Dec 23 '15 at 08:10
  • @BobBrown That's assuming that the people running the target system are actually competent—if they're not, you end up with lists of hashes (and possibly email addresses, too) floating around. – Blacklight Shining Dec 23 '15 at 08:13
  • I suggest that if someone knew you and had access to steal the book, putting it through a shredder would be an effective DOS attack. A bag-snatcher or mugger would have the same effect. But then how do you secure any backup given that you need decent physical security on the book, with loss-detection. – Chris H Dec 23 '15 at 08:14
  • 2
    I have the advantage of having a relatively obscure native language, and on top of that I know an old script for it which fell out of use during the Middle Ages, and is known by significantly less than 1% of native speakers. So unless someone shares the same heritage *and* is a huge history nerd, they won't even recognize what the script and language are. Of course, if it was a targeted attack (if I was a celebrity, or an important CEO or political leader) they would figure it out, but otherwise it's a great solution against losing the notebook and especially casual glances by random people. – vsz Dec 23 '15 at 08:24
  • 2
    So use the lines of the play as your password, rather than (not) memorizing random text that lacks rhythm. – JDługosz Dec 23 '15 at 13:23
  • 5
    for many years (before password safes), I used to put them smack in the middle of my phone list, like 'Tom G.: 321-555-1234', where Tom G. is the hint and the phone number is the password. Who except you knows that you don't know anybody named Tom? Even after I tell you the concept, you will never know which of my 200 phone numbers are passwords and which are real people. - This is a bit outdated, I know; but maybe the idea can be enhanced. – Aganju Dec 24 '15 at 02:02
  • 1
    "*a piece of paper is secure against any malware attacks*" - you don't happen to have a webcam connected to your computer? – Bergi Dec 24 '15 at 12:14
  • 3
    "this means your phone needs to be charged and operational all the time" How would you use your password if you don't have your trusted device with you anyway? Use a virus laden public computer? Borrow someone else's untrustworthy phone? – Lie Ryan Dec 24 '15 at 13:29
  • Lousy handwriting anyone? – Luke Dec 25 '15 at 17:17
  • @Bergi Not sure I understand what you are saying. Are you suggesting malware with a social engineering component? – Michael Dec 26 '15 at 18:07
  • @Michael: No, I meant an attacker being able to take a look at the paper when it's lying around in the vicinity of the camera. – Bergi Dec 26 '15 at 22:44
  • My tactic would be to attach an unrelated unique code word to a password I create i.e. password: p4ssw0rd, codeword: doorhandle. Then you write the codeword as a hint of sorts, then commit the two to memory. No one will ever be able to guess or decrypt your password that way. Of course this approach is useless if you have a bad memory, which is probably why you're writing down the password in the first place! – Bamboo Dec 27 '15 at 04:40
  • Another option would be to print some source code or use an existing book that has source code listings, and derive passwords from the listings in a certain way. This way, you'll get some non-alphanumeric characters for free. :) Also, this is pretty unsuspicious if you're surfing around websites like StackOverflow all the time... – tmh Dec 27 '15 at 07:34
  • Something that gets thru my head: You could buy a really cheap smartphone, install Password Managing software on it from a secure location and then just never let it connect with anything except power cable to wall socket. Computers are much faster at en- or decrypting things than any paper based systems. – BlueWizard Jan 03 '16 at 06:04
  • The recent edition of c't, a German computer user magazine, also suggests backing up passwords on paper: http://www.ct.de/1418092 – tmh Jan 06 '16 at 11:59

15 Answers

51

In approximate order of increasing complexity (not security, and methods may be combined), here are some ideas that would be easy for anyone used to puzzles/writing code/maths. A more complete idea is below. NB: when I say "secret" I mean not written in the book. These are all easy, and most useful to deter the casual thief.

  • Have a memorised secret element, common to all passwords. *
  • Minor variant -- a secret element easily derived from the website name/username.
  • Put too much information in the book, e.g. know that actually you omit the first 4 characters of each password.*
  • Offset the account and password by some constant number of entries. *
  • Never write the full username, just enough to be a clue to you.

* These items have the significant vulnerability that once the obfuscation is cracked for one entry, it's automatically cracked for all entries with no further effort.

If the exact algorithm is published, clearly a notebook-thief who could also script login attempts (or a team of course) could apply the algorithm automagically -- or all published algorithms. The type of algorithm could be published, for example:

  • From the password as written, call the first digit x and the second y.
  • Count x characters from the first punctuation mark (or first character, or first digit).
  • Then swap the cases of the next y letters (or preceding y letters).
  • For a memorised 4-digit PIN, increment the first four letters by the numbers of the pin (e.g. 1234 applied to a!bcd would give b!dfh).

Of course you could:

  • Swap the meanings of x and y
  • Increment/decrement x and y.
  • Count from the first vowel.
  • Swap the cases of y consonants.
  • Replace digits with their corresponding letters by alphabetic position and vice versa.
  • Swap digits for the punctuation on the same key (you either need to be confident in the keyboard layout you'll encounter or know your own keyboard very well.)

All these operations, by definition, can be scripted. But the notebook thief would have to get hold of (or write) a script implementing these (and it's actually quite a variable space even without a secret element). Then they'd have to type in the passwords (an error-prone process with randomly-generated text), run the script over the list, and attempt to log in with the now potentially thousands of passwords per site. And hope that the site doesn't lock out after several failed attempts.

It would be worth keeping a backup list, even if not a backup copy of the book, as a list of sites for which the passwords should be changed/accounts flagged if the book went missing.

As with many security measures, the goal must be to make it too much effort to break in. By combining manual and scripted effort you're doing quite a lot towards that, and increasing your chances that they'll give up.

Chris H
  • 4,185
  • 1
  • 16
  • 22
  • 5
    I'm thinking a book cipher using nonsense text hand-written in the notebook as the key would be a fairly simple to use, yet obscure way to achieve this. The primary risk of these systems are the ubiquitous cameras present in so much of the urban world. Even cell phone cameras have the resolution to pick up text from a surprising distance. Operational Security would be needed to keep from opening the book in risky situations, reducing its utility. – John Deters Dec 22 '15 at 18:15
  • 3
    @JohnDeters a book cipher might work. One thing I bore in mind was the need for de-obfuscation to require nothing but the book and a brain. Maybe a puzzle-fan's brain. Worst case CCTV would pick up both the obfuscated password and the plaintext as it was typed. This would also be an issue of copying a password from a smartphone app to a computer. – Chris H Dec 22 '15 at 20:06
  • 1
    Hey, people, I thought you were information security experts! If my internet banking admin used any of these techniques, I would sue him. This whole question should be closed as "dangerous", because all users will read it and think: "Great! They say it is OK to put all my passwords on a piece of paper!" – vojta Dec 23 '15 at 07:32
  • 1
    @vojta I think the first sentence in the question -- "Answers to the question "How safe are password managers like LastPass?" suggest that storing **personal passwords**" -- makes it clear that we're not talking enterprise-level security. :) – tmh Dec 23 '15 at 08:01
  • @tmh now you suggest a good question: *how can a security-conscious sysadmin keep track of all their passwords?* The answer would be informative even for those of us who aren't. – Chris H Dec 23 '15 at 08:06
  • @ChrisH Feel free to ask that question. – tmh Dec 23 '15 at 08:07
  • 1
    My suggestions only work well for random strings. If someone got their hands on the book, tried a few simple manipulations and got real words it would encourage them to keep trying even if the words were (say) anagrams of your passwords. – Chris H Dec 23 '15 at 08:19
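The x/y case-swap and PIN-increment steps from the answer above, written out as an added example (this is not the answer's own code; the split into `write_down`/`recover`, the choice that x and y are the first two digits of the password, and the "first character when there is no punctuation" fallback are assumptions). Running it makes the answer's own caveat concrete: once the rule is known, the only memorised secret is the four-digit PIN, so the scripted effort the answer describes reduces to at most 10,000 candidates per entry.

```python
import string

PUNCTUATION = set(string.punctuation)


def shift_letters(s, pin, direction=1):
    """Shift the first len(pin) letters of s by the PIN digits, wrapping within
    the alphabet and keeping case. Non-letters stay in place and do not use up
    a PIN digit. direction=-1 undoes a previous shift.
    The answer's example: shift_letters("a!bcd", "1234") == "b!dfh"."""
    out, used = [], 0
    for ch in s:
        if ch.isalpha() and used < len(pin):
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + direction * int(pin[used])) % 26))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def swap_case_window(s, x, y):
    """Count x characters from the first punctuation mark (assumed: from the
    first character when there is none), then swap the case of the next y
    letters. Applying it twice restores the input, so it is its own inverse."""
    first_punct = next((i for i, ch in enumerate(s) if ch in PUNCTUATION), 0)
    chars, swapped = list(s), 0
    for i in range(first_punct + x, len(chars)):
        if swapped == y:
            break
        if chars[i].isalpha():
            chars[i] = chars[i].swapcase()
            swapped += 1
    return "".join(chars)


def xy_from(s):
    """x and y are the first two digits of the password (assumption). Neither
    step above changes digits, so they read the same from either form."""
    digits = [int(ch) for ch in s if ch.isdigit()]
    if len(digits) < 2:
        raise ValueError("scheme needs at least two digits in the password")
    return digits[0], digits[1]


def write_down(real_password, pin):
    """Owner side: turn the real password into the form written in the book
    (decrement by the PIN, then apply the case-swap window)."""
    x, y = xy_from(real_password)
    return swap_case_window(shift_letters(real_password, pin, direction=-1), x, y)


def recover(written, pin):
    """Owner side: read a book entry back into the real password
    (undo the case-swap window, then increment by the PIN)."""
    x, y = xy_from(written)
    return shift_letters(swap_case_window(written, x, y), pin, direction=1)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    real, pin = "Zx4!abCD9e", "1234"
    entry = write_down(real, pin)
    print("in the book:", entry)            # Yv4!xxCd9E
    print("recovered:  ", recover(entry, pin))
```

Because `swap_case_window` is an involution and `shift_letters` is undone by its own negative direction, `recover(write_down(p, pin), pin)` returns `p` for any password with at least two digits; the order of the two steps is what the owner has to remember consistently.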
18

I created a language for this purpose. None of the symbols look anything like English (no telling if they look like any other language), there are no spaces, several letters are missing, common patterns become single symbols (dis,ing,etc) to prevent easy decoding, it is written from top to bottom, right to left, in a grid without lines, and I used trash to pad each line.

Depending on how I'm storing it, I also use a shifting code wheel that adjusts on last letter placement. If the last used letter is something like h (caseless system) then add 7 to the next letters code wheel. You can include the code wheels on the page in the trash to further confuse an attacker. Since you can create multiple code wheels per page and shift the numbers how you like, it prevents easy attack. Another option is to overlap code wheels. If you're lazy you can use a number pattern like +5,-2,+3,6 like a PIN.

Kayot
  • 299
  • 1
  • 3
  • 1
    This could work well provided the key for what symbol corresponds to what character is never published, and you're using complex passwords instead of passphrases so that statistical analysis is ineffective. –  Dec 22 '15 at 20:56
  • 9
    How long do you need to decipher one password? Sounds like it would take several minutes (which is not a bad thing, just a little uncomfortable maybe). Nice solution though. – Hexaholic Dec 22 '15 at 21:13
  • 8
    The more I used it (came up with it in middle school for passing notes and one hell of a scavenger hunt) the faster I got. After a few years in high school I was able to read and write it using a cipher at about half my normal writing speed. Nowadays (12 years later) I use AES and thumb drives so I'm rusty and would need to dig up my original papers on it. The first draft used a single line with various patterns on it. Later on it got fancy with fake line breaks being made to look like music glyphs. Good times. – Kayot Dec 22 '15 at 22:17
12

Write a diary and embed the passwords within the entries. It will not look like a book of passwords. Someone will have to read it to notice the misspelled words. I used an address book where the addresses, phone numbers, and postal codes of close friends and family members were PINs and passwords. I know my family members' addresses and phone numbers, so having them recorded incorrectly didn't matter.

Eye Kneel
  • 121
  • 2
12

Use a mask.

No, seriously. Use something like medium-thickness cardboard, obtainable from office supply or hobby stores, to create a rigid grid mask, maybe 30x6 character slots in size, and cut out randomly placed holes for maybe 40-50 characters out of those. (You can obviously pick different dimensions, depending on your needs.)

To write down a password, place the mask on top of your notebook, write the length of the password through the first two holes (or pick a special character that always means "this is the end of the password" and write that at the end instead), then the password itself through the remaining holes (either lengthwise or per column first, again your choice), as many as needed. When you are done, remove the mask and fill in all remaining character slots with garbage characters; the more random, the better. To make this easier, start by drawing a grid in the notebook before you fill in the password.

When you need to read a password, simply place the mask on top of the jumble of characters and what remains visible will be the password plus whatever random garbage you used to fill in the character slots that aren't part of the password. (At that point you just need to know how long the password is, hence the termination character or recording the number of characters.)

Keep the mask safe but separate from the notebook, perhaps in your wallet. Consider the mask to be your "master passphrase" of sorts.

This won't really protect against an attacker that specifically targets your scheme and perhaps even you specifically, but it should provide a reasonable amount of security against someone who happens to get their hands on the notebook while having low overhead when you are legitimately using the passwords. The overhead here is when you record a new password in the notebook, which is often a situation that you are able to better control (for example, there is likely no need to change your bank password while you are at an Internet café in a random third-world country).

If you want to enhance the obfuscation factor even further, you can add an offset to the scheme: record how many characters at the beginning to skip when entering the password.

If there is a camera recording your notebook while you are entering the password, it seems just as likely if not actually more likely that it is also recording the keyboard you are using to enter the password, at which point you have lost almost no matter what scheme you use for obfuscating the written-down passwords.

user
  • 7,670
  • 2
  • 30
  • 54
11

A basic method to minimise the impact of someone being able to find out passwords from glancing over at the notebook would be to have one password per page - if you're looking at that one, that's all they can see.

Another alternative would be to have a Diceware or similar list, and note down the numbers. It adds a step to "decryption", in that the legitimate owner needs to cross-reference with a Diceware list, but it would probably slow down an attacker with access to the notebook for a brief period - they'd probably have to photocopy the whole list, as well as any site specific numbers to be sure of access.

Essentially, though, if the owner can "decrypt" instantly, an attacker can decrypt given time. If they have access for a while, they can clearly take a copy of the contents and work on it without you knowing (by making you find the book somewhere you would consider safe, for example - perhaps in your house where you normally keep your bag, where it might have fallen out naturally).

You could remember a fixed partial password, and only note the variable parts. However, in that case you are relying on none of the sites you authenticate against being breached - as soon as one is, you have to consider the partial part compromised, and change all passwords using it, just as if you'd used the same password everywhere.

The most secure option might be to have a physical safe which the notebook is kept in, and which is only opened when no-one else is around. It seems a little bit overkill for most uses, but that's pretty much the method used for some critical data, such as DNS root signing keys.

Matthew
  • 27,233
  • 7
  • 87
  • 101
  • At one password per page, that would be quite a big book -- my KeePass database has well over 100 entries. A bigger book would be harder to secure. – Chris H Dec 22 '15 at 14:20
  • 2
    100 entries would only need 50 sheets of paper, assuming you wrote one on each side, and that would expose the single password you're using, and 1 other. A 96 page notebook, at A7, is certainly pocket sized, and you're only putting a few words on each page (the site and the password) - you don't need a big book. From a quick Google, http://www.whsmith.co.uk/products/pukka-pad-pocket-book-a7-wide-ruled-notebook-200-pages/33728902 would be ideal – Matthew Dec 22 '15 at 14:28
  • Your factor of 2 makes a difference, I'll admit. I was thinking of something like [a credit card sized notebook](http://www.tokyopenshop.com/memorandum-card-p-241.html). – Chris H Dec 22 '15 at 14:32
  • 2
    I'm kind of assuming that beyond a certain point, this becomes unwieldy, and you jump to using a password safe type application from sheer frustration at having to search through a notebook! – Matthew Dec 22 '15 at 14:38
9

There are many better and more secure examples but I thought I'd mention one thing I've used in the past, which is mnemonics in the form of a drawings/comics to represent passphrases. This does require that you can vaguely remember what the passphrase was, however.

An example could be the phrase "Tommy's birthday is on March 23rd!". The comic could consist of a character you mentally recall as "Tommy", celebrating his birthday, with a punchline to a dad-joke (or something with a reference to the site you're using), and dated/signed on March 23rd. You could also add many more comics that do not represent passwords to further obscure them.

To someone walking by, this is merely your sketchbook. Most people are not interested in stealing doodles from a bad cartoonist, and especially would not expect it to be a book of passwords. In the event that someone does steal it and knows your system, they would still need to be able to understand how you mentally process your own drawings which is largely going to be subjective. This can also be hindered by adding filler information within each drawing to add noise to the password for anyone who's trying to decipher it. If you enjoy fantasy, you could even push this further with making mental "laws" about what matters in your fantasy world you portray through comics/drawings.

As I said, there are much better ways to store passwords physically but this may work for people who use mnemonics well and it can also be really fun!

6

Once upon a time, I wrote down the different PINs for my credit and bank cards. I converted them to base 9 and then added a spurious extra 9 somewhere in each number. I think that was pretty safe, but of course it only works for entirely numeric passwords such as PINs.

Mike Scott
  • 10,118
  • 1
  • 27
  • 35
5

I've come across several attempts at a wallet-sized reference card used as your password ciphertext. One example: http://www.passwordcard.org/en

I wouldn't use one of these, but if I did, I'd spend more time on my mental model of how I derived my password, which should provide enough obfuscation that you likely wouldn't be able to acquire the card and the password at the same time. If you were concerned about this, you'd need to come up with some way to shift your cipher. "Row number is the phone number digit with the third character in the domain name of this site, column is the second-from-last character converted to numeric position in the alphabet." So Google.com is O=6 on dial-pad, so sixth row, column is G=7 so seventh column, then decide some other factor for how many characters and which way you read or how you shift each character. Diagonal, up 1 & over 2, etc.

At least with this solution, you can lose the "notebook" and replace it later, and you don't over-complicate matters trying to come up with a secure scheme. If I handed you my "card" with the characters I actually used, the chances that you start in the right spot with any given website, and choose the right direction, length, and so on are negligible.

jth
  • 726
  • 6
  • 10
  • 1
    Note that replacing the public card needs you to have safely stored the card number, so you may be in square one. Rather than using the public cards (which can be easily replaced), I would use my own list and keep a copy. Maybe you could base the list from a common work, such as using the order letters appear in Shakespeare's play X, when starting on page Y (beware of letter frequency, though). That way, in worst case you would be able to reproduce the list from a copy of Shakespeare's plays. – Ángel Dec 22 '15 at 22:03
  • Either way you're making a copy. The notebook page of hand-written "random" data (haha) can also be lost. But it would be trivial to hide the number of the card in your wallet, or in any number of other places where that number alone would be unidentifiable as the index for your password card. In any case, the core premise of this question in the first place is pretty ridiculous. – jth Dec 24 '15 at 05:05
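The start-position rule from the answer above (dial-pad digit of the third character for the row, alphabet position of the second-from-last character for the column, then a fixed direction and length), as an added example that is not the answer's or passwordcard.org's code. The 9x26 card is constructed here with a seeded generator purely so the example runs offline; the `label` convention (site name without its TLD) and the diagonal step are assumptions. It shows where the secret actually lives: the card can be public, so everything an attacker lacks is the rule, the step and the length, which is a small memorised key.

```python
import random
import string

ROWS, COLS = 9, 26     # assumed card size: rows 1-9 for keypad digits, a column per letter
DIAL_PAD = {}          # letter -> phone keypad digit (abc=2 ... wxyz=9)
for digit, letters in zip(range(2, 10), ["abc", "def", "ghi", "jkl", "mno", "pqrs", "tuv", "wxyz"]):
    for letter in letters:
        DIAL_PAD[letter] = digit


def make_card(seed):
    """Constructed stand-in for a printed password card: a 9 x 26 grid of random
    characters. A real card is printed once; the seed only makes this reproducible."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@"
    return ["".join(rng.choice(alphabet) for _ in range(COLS)) for _ in range(ROWS)]


def derive_start(label):
    """Rule from the answer: row = keypad digit of the third character,
    column = 1-based alphabet position of the second-from-last character.
    `label` is the site name without its TLD, e.g. 'example' for example.com."""
    label = label.lower()
    if len(label) < 3 or not label[2].isalpha() or not label[-2].isalpha():
        raise ValueError("rule needs letters at positions 3 and -2")
    return DIAL_PAD[label[2]], ord(label[-2]) - ord("a") + 1


def read_password(card, row, col, length, step=(1, 2)):
    """Read `length` characters from (row, col), moving `step` rows down and
    columns across each time (the answer's "up 1 & over 2" idea), wrapping at
    the card edges. Step and length are the memorised part of the secret."""
    dr, dc = step
    return "".join(
        card[(row - 1 + i * dr) % len(card)][(col - 1 + i * dc) % len(card[0])]
        for i in range(length)
    )


def site_password(card, label, length=12, step=(1, 2)):
    """Full derivation for one site: start position from the label, then read."""
    row, col = derive_start(label)
    return read_password(card, row, col, length, step)


if __name__ == "__main__":
    card = make_card(2024)
    print("\n".join(card))
    print("example.com ->", site_password(card, "example"))
```

Two sites whose labels agree in the third and second-from-last characters start at the same cell and therefore get the same password, so in practice the length or step would also have to vary per site for this to hold up.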
4

I use mnemonic clues. So I invent a password I can construct from the clues, and then only store the clues on paper. The clues might be a doodle, or part of a drawing, or something that reminds me what my password is. Or that remind me of the part I haven't memorized. So without knowing what my associations are, it would seem quite difficult for someone to figure out my passwords from my clues.

Does security through memorization count as security-through-obscurity? Seems to me that within the context of the question, this is as far from that as is likely, given that it's a password system, and it's a way to prevent deducing the password by looking at the notebook, unless someone knows me so well that they can somehow deduce from my clues. I'm pretty sure I can make up some passwords not even the people who know me best could ever infer, though that requires more intention to make up a passphrase that's an odd combination of things, which my only context for is remembering the phrase I made up.

Example - an abstract doodle with many symbols and passwords, and I choose a spot for a part of it where there is a little curve, and off in one direction there are three little marks and then a long one, but they aren't distinct from the many other squiggles and dots and so on. But I can remember they're the part I was using to remind myself of my password. The curve reminds me of a body part, and the first two words are that body part in two different languages, then the three marks are a three-tone phrase I know I will remember, such as "yo ho ho", and the slash is some final remark I'll also remember, such as YOW!. So this can always cause me to remember "gomitoelbowyohohoYOW!"... but I don't think anyone else is even going to know where in my doodle to look, let alone deduce that password.

Dronz
  • 141
  • 5
3

You have a different threat model for written documents than for electronic ones but the way to handle them is pretty well known: restrict and audit physical access.

It doesn't matter if it's nuclear launch codes or the combination of your little sister's diary padlock except in the specific way you're going to perform that control.

This also means that, if you want to protect this data, you should not simply obfuscate it but encrypt it. One way of doing so could be to encrypt the data with a password, print the cypher text as a QR code and store that. It doesn't give you much advantage over proper access control, though: it's certainly safer but it's pretty inconvenient to use and will likely fail you when you actually need it.

Stephane
  • 18,557
  • 3
  • 61
  • 70
  • 5
    Your suggestion of encrypting + storing the encrypted data as a QR code still relies on having a powered, trusted device capable of reading the QR codes and decrypting them. It's no real improvement over storing a password database on the smartphone or equivalent. – Chris H Dec 22 '15 at 13:43
  • It provides mitigation to the threat model of the OP: someone glancing over his shoulder while he reads the paper (or, more precisely, it provides a two-step requirement for accessing the cleartext: having physical access isn't enough). What I'm /really/ suggesting, though, is not to bother with this and concentrate on good physical access control – Stephane Dec 22 '15 at 13:50
  • Even fairly simple obfuscation protects against shoulder surfing except for thieves with a photographic memory. Physical access security on a par with that for credit cards is reasonable, anything beyond that would be difficult. With a credit card you have the card and a small piece of secret information -- I propose in my answer an equivalent, hopefully improved. What the credit cards have that this doesn't is an easy means of cancelling them, also fraud detection may not be assumed for passwords. – Chris H Dec 22 '15 at 14:00
  • 2
    I think we should aim for a higher standard, in this place, than "it'll protect your notebook against your young brother". Obfuscation never was and never will be adequate general purpose protection but it can definitely induce a false sense of security. What if the overlooker simply has a phone? Or Google glasses? Or is a security guard with a camera? Obfuscation adds a high degree of complexity for very little added protection. – Stephane Dec 22 '15 at 14:19
  • 4
    Now CCTV is a real issue -- look at how often it can see PIN keyboards. Some pretty respected people in the field have been saying for years that actually writing down passwords is a good approach, so looking at ways of defending against even fairly simple attacks on that seems sensible. With attempts to push people into using online services whether they like it or not, offline security may be a good approach. Without resorting to stereotypes, I'm sure we can all think of people who don't have a smartphone and shouldn't be running a password database on their PC because of malware. – Chris H Dec 22 '15 at 14:27
  • 1
    @ChrisH And using the password relies on having a powered, trusted device capable of accessing the resource to which the password corresponds. – Blacklight Shining Dec 22 '15 at 20:33
  • 3
    @BlacklightShining. There's trusted and there's trusted. Webmail on a friend's machine when travelling for example is a rather different case to banking from an Internet Cafe. There are plenty of occasions when a small risk of one account being compromised is worth taking, or the risk of not logging in is greater than the risk of logging in on an untrusted machine (hotel machine to print e-tickets that are only available a day before flying and without which you couldn't fly). – Chris H Dec 22 '15 at 20:43
2

Write your passwords in invisible ink.

Take a regular book or a notebook that served a different purpose (school notes) and write your passwords in the margins using an ink that can only be visible with a UV light. Anyone who looks at the notebook/book will assume it is what it appears to be while you still have access to the passwords.

Note: I do not know what the lifetime of invisible ink is when used on paper.

Eric Johnson
  • 2
    I suspect that you shining a purple light at the notebook might give a bit of a clue to this one! – Matthew Dec 22 '15 at 16:56
  • You would have to view the passwords in private, but if the book was lying out in the open on your desk, no one would be able to even know it was your password book. The UV light would be kept on your person, or far from the notebook so as not to attract attention. – Eric Johnson Dec 22 '15 at 17:01
  • 2
    I would indeed find it a bit impractical to rely on a UV light source and privacy every time I wanted to look up a password. However, invisible ink might be useful if you want to keep a backup of the notebook, which you don't need to consult on a regular basis. – tmh Dec 23 '15 at 10:27
2

In 7th grade our class had us write a journal. I used a simple code which used novel symbols for letters, and noted that at the back. But I soon memorized it and easily wrote it directly.

Using novel symbols is less confusing than using a substitution cypher of the letters. In fact it's rather easy.

It obfuscates but can be broken via normal techniques... if you have normal English (or whatever) text! For passwords of random letters, it's quite safe unless you have some way to break some entries and use the results to read others. That can be improved by having multiple entries and using another hidden method of knowing which one is right.

JDługosz
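The answer above says a symbol code "can be broken via normal techniques" on ordinary text but is "quite safe" for random passwords. The following is an added example (not code from the answer's author) that makes that difference measurable: it replaces letters with glyphs, then computes the index of coincidence and runs a naive frequency count on an English note and on a list of random passwords. The glyph set, the English note and the passwords are constructed for the demo; the English letter-frequency order is the standard table.

```python
"""Added example: how much a symbol-substitution "code" actually hides.
All sample data below is constructed for the demo, not real credentials."""
import random
import string
from collections import Counter

LETTERS = string.ascii_lowercase
# 26 distinct glyphs from the Unicode "Miscellaneous Symbols" block stand in
# for the hand-drawn "novel symbols" of the answer.
SYMBOLS = [chr(0x2600 + i) for i in range(26)]
# English letters ordered by frequency, most common first (standard table).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"


def make_key(seed: int) -> dict:
    """Monoalphabetic substitution: every letter gets one secret glyph."""
    glyphs = SYMBOLS[:]
    random.Random(seed).shuffle(glyphs)
    return dict(zip(LETTERS, glyphs))


def encode(text: str, key: dict) -> str:
    """Replace lowercase letters by glyphs; spaces and punctuation stay."""
    return "".join(key.get(ch, ch) for ch in text)


def decode(text: str, key: dict) -> str:
    inverse = {glyph: letter for letter, glyph in key.items()}
    return "".join(inverse.get(ch, ch) for ch in text)


def index_of_coincidence(cipher: str) -> float:
    """Chance that two glyphs picked at random are equal. A substitution
    does not change it: about 0.065 for English, 1/26 = 0.038 for random."""
    counts = Counter(ch for ch in cipher if ch in SYMBOLS)
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def frequency_guess(cipher: str) -> dict:
    """Naive frequency analysis: most frequent glyph -> 'e', next -> 't', ..."""
    counts = Counter(ch for ch in cipher if ch in SYMBOLS)
    ranked = [glyph for glyph, _ in counts.most_common()]
    return dict(zip(ranked, ENGLISH_ORDER))


def letters_recovered(cipher: str, key: dict) -> int:
    """How many glyph->letter pairs the naive guess gets right."""
    guess = frequency_guess(cipher)
    return sum(1 for letter, glyph in key.items() if guess.get(glyph) == letter)


# Constructed sample data: an ordinary English note and 40 random passwords.
ENGLISH_NOTE = (
    "the notebook sits on the kitchen table next to the telephone and the "
    "letters that arrived this week. every entry is written in the same "
    "careful hand, and anyone who reads a few lines will recognise the rhythm "
    "of ordinary english sentences even when every letter has been replaced "
    "by a little drawing. the shapes change but the pattern of the language "
    "stays the same, which is exactly what a frequency count exploits."
)
_RNG = random.Random(2015)
RANDOM_PASSWORDS = ["".join(_RNG.choice(LETTERS) for _ in range(16)) for _ in range(40)]
RANDOM_NOTE = " ".join(RANDOM_PASSWORDS)
KEY = make_key(42)

if __name__ == "__main__":
    for name, text in (("english note", ENGLISH_NOTE), ("random passwords", RANDOM_NOTE)):
        cipher = encode(text, KEY)
        print(f"{name:17s} IC={index_of_coincidence(cipher):.3f} "
              f"letters recovered by frequency count={letters_recovered(cipher, KEY)}")
```

The index of coincidence alone tells an onlooker whether the glyphs hide language or random strings, and for the English note the most frequent glyph is immediately identified as `e`. For the random passwords the same count recovers essentially nothing, which is the case the answer describes.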
1

Just for the sake of completeness, per comments to the question:

Use an existing text or book and derive passwords from there

Print out an article or take a book with you, preferably one that wouldn't arouse any suspicion in the environment(s) you're planning to use the "notebook".

Decide on an algorithm for how you derive passwords from the text in the book. Something like "from the first ten words of a specific paragraph, take the first letter and put them together to form the password" is probably a bit too simple, but you'll surely find a personal algorithm that is a little harder to guess.

To map passwords (i.e. parts of the text) to accounts, you basically have two options, but they can also be combined:

  • For an account, choose a passage of text that somehow relates to the theme of the account. This requires a little creativity. For instance, the part of a short story where the main character sends a letter to her friend might indicate that the password to your e-mail account is hidden there.
  • Put sticky notes or similar in the book. Mark parts of the text and write notes next to them. It is perfectly normal for anyone who's studying a text to sprinkle it with all kinds of annotations. Especially if you're taking this book with you all the time, this is most plausible. Take care that your notes don't make it too obvious that a passage may contain a password. Maybe also mark some parts of the text that do not contain passwords, to draw away attention.

It might come across as just a little strange if you're going to run around with the same book for the next ten years. However, passwords are meant to be changed from time to time anyway. So after some time, get a new book, prepare it as suggested above and change your passwords.

As a bonus, you may want to choose a book that contains source code listings or otherwise technical parts. The idea behind this is that they naturally consist of a lot of special (non-alphanumeric) characters. This way, you can more easily derive a password with special characters from the text.

tmh
0

Rule number one: DO NOT WRITE DOWN YOUR PASSWORD

In the late 60's businesses started using mainframe computers. This was a new concept in business. The owner of the business would find someone that had any aptitude (see had a college class where they actually saw a computer) and ask them (under threat of termination) to become the sysadmin. The new administrator would be provided a login and password. This was a new concept for lots of people. So, they wrote down the password, just in case.

Multiple people were using the mainframe under the same account. The problem was that someone would configure everything for a batch process, come back later to finish it, and discover someone else had gotten in and reconfigured everything for their batch process. It wasn't very efficient. Accounts got set up, and logins and passwords were handed out. And of course, the passwords were written down.

In the 80's it was time to put computers on people's desks. They were all connected through a network back to the mainframe. This way you didn't have to walk away from your desk to get the results of the work you had the mainframe do. It also gave people just enough horsepower at their desks to do some of the tasks they had the mainframe do. Many systems required eight character passwords to help prevent simple, popular ones from being guessed. Since passwords were now more complex (oh, look, password has 8 characters, and no one would guess it), people wrote them down.

In the 90's there was this new fad that everyone was getting excited about. It was called the interwebs, no, intertoobz, no, wait... Internet. And systems were getting connected. We could send an email instantly instead of having to write one and mail it. So, we started using letters, numbers, and characters in our high security 8 character passwords... that we were still writing down.

In the... ought's(?) we started banking, purchases, and school online. We created accounts, and used the same password to protect them all. And to make sure we didn't forget this password, we wrote it down.

Here we are in 2015. The average person has 30 different logins and passwords that they have to remember. They should be 15 characters in length, non-language-based words that include symbols, numbers, and upper and lower case characters. There's also a list of things they absolutely shouldn't be.

Now, I get that we have spent 5 decades training people to violate rule number one. I also get that people hate change and technology.

I don't care what the excuse is. Yes malware is a consideration. However, when you do a real risk analysis, malware is not as big a risk as writing down your password. You may think you are awesome tricky at coming up with a system to hide your password.

All I need is to shoot a photo of a page, and I have as long as I need to crack your password. Once I figure out your system, I can get into anything in the book. That is why this is an unacceptable answer. A computer is a better solution than you are. If it wasn't the case, governments wouldn't be using computers to create and control passwords.

Everett
  • 2
    According to this logic, there seems to be no good reason to encrypt the passwords stored on a computer, either. All it takes is a copy of the ciphertext, and you have as long as you need to crack the passwords. A "real risk analysis" can cover multiple threats for which writing down your password is an acceptable way to mitigate those risks. – schroeder Dec 23 '15 at 21:43
  • 2
    Not only is this not an answer, it is a long history that is unrelated to the question being asked. – schroeder Dec 23 '15 at 21:44
  • @schroeder no, you're right. We should just tell people to write their passwords down. We don't have any evidence that it's a bad idea, and we definitely don't have any evidence that it is entirely different than storing them in an encrypted system that is controlled because it would use encryption that is just as easy to crack. Look up logical fallacy of equivocation. – Everett Dec 23 '15 at 21:50
  • Imagine for a moment you're sitting in court. You are explaining why you were writing down passwords in this "encrypted" manner. First they put someone on the stand that makes it clear, encryption requires public vetting. They demonstrate the problem with assuming you know encryption (WEP). Then the defense puts on the stand experts that state that people have been told for years "don't write it down." Next come the policies. Is the company going to accept liability for you doing something stupid? Not likely. So, is it my job to help someone do something that is bad in every sense of the word? – Everett Dec 23 '15 at 21:58
  • I'm not going to even start enumerating the logical errors you've fallen into. Let me make it simple. This does not answer the question, and the majority of the answer is irrelevant to your conclusion. At best, your first line is a useful comment. – schroeder Dec 23 '15 at 22:50
  • @schroeder The purpose of the history is to demonstrate: we knew what rule number one was 55 years ago. We've spent 55 years violating it, and teaching people to violate it. So now, here we are, having a discussion, where we rationalize violating it some more. We are giving bad advice that would make someone liable for using it. That is a fact. So please, keep telling me about how I'm in the wrong. – Everett Dec 23 '15 at 23:28
  • 2
    So... don't keep your written passwords taped to your monitor? I understand it's easier to access written passwords once found but I think outside of a business scenario, most people would be more likely to lose their accounts to keyloggers rather than theft of a notebook with some obfuscation. I understand your frustration though, and agree that written passwords would not mix well with a general office environment. –  Dec 24 '15 at 01:01
  • In a corporate environment, I'd always use a password manager. Not only do I agree that it is more secure, it's also often the case that one needs to handle a whole lot of passwords, where anything handwritten would really turn out impractical. On the other hand, a business environment comes with proper infrastructure: You can count on backups, availability of devices etc. When it comes to personal passwords, travel etc., requirements may simply be different... You probably wouldn't want to build a whole IT infrastructure around keeping your passwords safe. – tmh Dec 24 '15 at 07:13
  • So what is the lesson of 55 years? Hmm.. I don't remember hearing about anything bad happening to millions of users who wrote down their password. I *do* remember hearing about millions of users having their passwords stolen from computers. – John Wu Mar 14 '17 at 16:23
  • @JohnWu Stolen from the computer that is controlling access... yes. Writing your password down wouldn't protect you from this, as the password (in a hashed format) is stored on the system you are trying to access. So you don't really have a point with this comment. – Everett May 29 '17 at 15:13
-1

Write/print a piece of paper full of characters or use an already written book or an old essay from school, memorize some position and pattern and done.

5000 characters fit on one page, there are 5000^n different patterns you could potentially take, so with 0 information, the paper is harder to crack than a simple brute force attack on the password itself.

If the number of password attempts is not hard limited, then you will need to print special characters and upper- and lowercase on the paper as well or have a long password alternatively.

You can also make some fake marks/fake riddles/fake words onto the paper to seduce an attacker into trying to log in and alarming/informing you potentially.

HopefullyHelpful
  • this is mostly covered by jth's answer – schroeder Mar 14 '17 at 16:21
  • I disagree, while the approach is similar, it's not the same, also mine is more concise. The password card only has 228 characters and is from the internet. Also the scheme is stupid, it actually asks you to memorize 2 things that are even harder to remember than 1 symbol for the start of your password. It also recommends using a stupidly simple pattern. It's easily bruteforceable. – HopefullyHelpful Mar 14 '17 at 16:54
  • You forgot that you have to remember the *pattern* in your scheme - once you do that, your entropy plummets and it doesn't matter how many characters you have, it's easily bruteforceable. Plus, the card is portable ... This answer is not appreciably different. – schroeder Mar 14 '17 at 17:45
  • Well, the base is a lot higher and the number of possible patterns that are easily remembered is a lot higher, because of more choices. That means my answer is appreciably better in any regard. And a sheet of paper or book is easily portable as well. And if you use your master password that often, that you log into every social-media-account with lastpass on the go, then your password probably won't matter anyway. The entropy of the card is actually lower than that of brute force on ascii passwords, my answer is actually higher, even if you reduce the memory for the pattern to a minimum. – HopefullyHelpful Mar 14 '17 at 18:19
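The disagreement in the comments above (and the "derive passwords from a book" answer by tmh further up) comes down to how the guess space of a "page of characters plus a memorised pattern" scheme is counted. The following is an added example, not code from either answer's author, that puts numbers on both sides: it builds a page of 50 x 100 = 5000 random printable characters (the figure from the answer), reads a password along a straight-line path, and compares three entropy estimates: positions chosen independently (the 5000^n count), a memorable straight-line pattern (start cell plus one of eight directions, an assumption about what "easily remembered" means), and a random password of the same length. Page size, seed and the eight-direction model are assumptions of the example.

```python
"""Added example: sizing the guess space of a "memorise a pattern on a page of
random characters" scheme. Page contents are constructed, not real secrets."""
import math
import random
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters
# Eight straight-line directions: the kind of pattern a person can keep in
# their head without writing anything down (an assumption of this example).
DIRECTIONS = [(0, 1), (0, -1), (1, 0), (-1, 0), (1, 1), (1, -1), (-1, 1), (-1, -1)]


def make_page(seed: int, rows: int, cols: int) -> list:
    """A page of rows*cols random printable characters, standing in for the
    printed sheet or 'old essay' of the answer."""
    rng = random.Random(seed)
    return ["".join(rng.choice(PRINTABLE) for _ in range(cols)) for _ in range(rows)]


def read_path(page: list, start: tuple, direction: tuple, length: int):
    """Read `length` characters from `start`, stepping by `direction`.
    Returns None when the path would run off the page."""
    r, c = start
    dr, dc = direction
    out = []
    for _ in range(length):
        if not (0 <= r < len(page) and 0 <= c < len(page[0])):
            return None
        out.append(page[r][c])
        r, c = r + dr, c + dc
    return "".join(out)


def count_straight_paths(rows: int, cols: int, length: int) -> int:
    """Number of (start cell, direction) pairs that yield a full-length
    password: an upper bound on the distinct passwords a memorable
    straight-line pattern can produce on this page."""
    total = 0
    for dr, dc in DIRECTIONS:
        fit_r = rows - (length - 1) * abs(dr)
        fit_c = cols - (length - 1) * abs(dc)
        if fit_r > 0 and fit_c > 0:
            total += fit_r * fit_c
    return total


def guess_space_bits(rows: int, cols: int, length: int) -> dict:
    """Three ways of counting the same scheme, in bits of entropy."""
    cells = rows * cols
    return {
        # the answer's 5000^n: every character position chosen independently
        "independent_positions": length * math.log2(cells),
        # what is left once the pattern must be memorable
        "straight_line_pattern": math.log2(count_straight_paths(rows, cols, length)),
        # a plain random password of the same length over the same alphabet
        "random_password": length * math.log2(len(PRINTABLE)),
    }


if __name__ == "__main__":
    page = make_page(seed=1, rows=50, cols=100)
    # A user's secret: start at row 10, column 20, read 12 characters diagonally.
    print("password read from the page:", read_path(page, (10, 20), (1, 1), 12))
    for name, value in guess_space_bits(50, 100, 12).items():
        print(f"{name:22s} {value:6.1f} bits")
```

For a 12-character password the independent-positions count is about 147 bits, but a straight-line pattern on the same page gives only about 15 bits (roughly 30,000 candidates), far below the 79 bits of a random 12-character password. The page's 5000 characters are only worth their full count if the positions are themselves random, which is exactly the thing nobody can memorise.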