Is it dangerous to write down passwords?

1

I have a list of passwords for some sites I use on an Excel spreadsheet (no macros or anything in it). I've read many places (online and offline) to "remember your password or write it down in a safe place", but others say to "never write down a password!". Is there a consensus in the security field if this is an acceptable thing to do?

As an example of consensus, I know that the advice "do not use an administrator account for non-administrative tasks" is almost universally given/accepted. Is there a similar level of agreement on this subject?

Edit:

To clarify, I'm specifically looking for the "best practice" agreed on in the field - if there is one - because the advice given by various sites and sources that use passwords are in conflict with each other.

K.A.Monica

Posted 2014-01-01T17:39:29.147


Question was closed 2014-01-02T01:02:33.413

The best security practice about passwords is to store them only in your head :) But I admit that we cannot remember all passwords (unless you use the same one everywhere, which is not very secure either). Personally I use this little piece of software that has an embedded encrypted database: http://keepass.info/

– user2196728 – 2014-01-01T17:43:24.830

Anytime your password can be obtained by anyone you jeopardize the integrity of all the data you have access to. So yes, it's an agreed-upon policy; SOP for security checks includes looking for files or notes with passwords in plain text. So no, you only hurt yourself if you write down your gmail password, but you jeopardize an entire company if you write down your ERP password. – Raystafarian – 2014-01-01T17:43:25.820

If you use a program like Robopass or keepass at least all your passwords are encrypted. Yes, you do have to have a master password, but the rest are securely encrypted. Unless the master password is too weak then you have made the problem worse. – cybernard – 2014-01-01T17:50:53.613

This is such a broad question that the majority of answers will explain how to protect passwords. I think the question is why shouldn't passwords be recorded, and what site policies and accepted standards should be. You may want to edit the question to reflect that. Or it might do better on InfoSec.

– Raystafarian – 2014-01-01T17:54:16.313

possible duplicate of Proper password safety?, How to store passwords

– Ƭᴇcʜιᴇ007 – 2014-01-01T19:39:24.180

Answers

1

The core idea of passwords is broken. (I know this is a little off topic, but bear with me.) When they were developed analytical machines had not become an idea, and getting a password wrong meant you got kicked out at a minimum. By the time Unix was being developed, it was already known that passwords had some weaknesses, but as there were physical access controls (door locks) most people were not concerned. Networks changed everything; it just took a while to realize it. No longer were physical access controls effective, and the need for access control grew. Engineering held this at bay for a while by looking at how quickly computers could guess passwords and how much we could remember. These calculations were stretched and broken by advances in computing speed. These days the minimum possibly secure password is longer than we can remember. And every person you share a password with weakens its security. At a minimum, for a password to work you must share it with the service requiring authentication, so using the same password with multiple services weakens it further, and using different passwords with different services stresses your memory.

So what should you do about it? Until non-password authentication becomes an option here is the current best policy (which has known weaknesses):

  1. Use different passwords with each service generated with no attempt to make passwords you can remember.

  2. Record each password someplace that can be secured.

A password management tool will help in this, and I would recommend using it for low and medium security passwords. For high security passwords and for the password to your password management tool I would write the password on a single sheet of paper (not a pad) on a hard surface that will not pickup impressions from writing and place them in a lockbox or safe.

This is not a perfect solution.

hildred

Posted 2014-01-01T17:39:29.147


And tell your loved ones (at least one) where you have stored your master password, or leave it in a place where you know they will find it in case you die. Or if you're paranoid about that, divide the info over several people (you can Google something like 'master password death'). – Jan Doggen – 2014-01-01T19:37:05.123

0

Think about this with common sense.

  1. If you write your password down, then it can be found and read by others unless it is stored in a really safe environment;
  2. If you do not write your password down, there is no possibility for someone to find it and read it from the paper.

Also, passwords for different accounts must be treated in different ways. The password for your banking account should be secured more carefully (or not less) than the password for something which is not critical (i.e. an online game).

The password itself is useless. The data and account secured by the password are the things which should serve as the criteria for how much effort should be applied in order to prevent anyone finding out the password.

As an example, I would not mind writing down the password for the Wi-Fi access point in my apartment, because it is fine with me if someone who lives with me finds out this password.

But I will not do this with the password for my e-mail, because it is not fine with me if anyone but myself accesses it.

Edit:

In addition to that a general rule which can be applied here is:

Every time you type or write your password (whether it is a login procedure or writing down your password) you lessen its security, just because it has left your head and now exists as a written thing which can be read or obtained by sniffing network traffic. Hackers will have more chances to sniff your password if you log in over the network 70 times per day. If you log in once a month they have fewer chances to get it.

The same goes for written-down passwords. Every time you write it down its security lessens, because now it also exists outside of your head.

VL-80

Posted 2014-01-01T17:39:29.147
