by Buge 3403 days ago
If your house burns down, you lose your passwords.

If someone (burglar / law enforcement / intelligence agencies) breaks in, they have your passwords.

If you are memorizing a lot of passwords (I have 500+ in my password database) you are surely going to forget rarely used ones.

If passwords are written down, they can be demanded from you by a warrant/court order. If they are memorized, they cannot.

2 comments

Cracking a piece of paper can't be automated. A human being has to break in and find and steal it. Most of us are high value enough for a script kiddie to want to steal our credit card numbers, few of us are valuable enough for someone to break into our home just to look for a password.

If your passphrase is an innocuous phrase, like "red dogs like spicy food", how will they know you have a password to demand? How do they know you have a piece of paper instead of having it memorized?

They can court order you to produce all relevant documents. They don't have to know that the document exists to order you to do it. You could lie to the court that the document doesn't exist, but I wouldn't recommend that.

Well if you're willing to compromise on security by trusting a password manager / encrypted volume (plus user opsec) to store your passwords, there are other compromises one can make to facilitate easier memorization. Security by obscurity is a worthless feature when designing a cryptographic system, but it is an invaluable tool for your own personal opsec. Reuse some passwords for services with a lesser threat model, with slight changes. Is it sub-optimal? Sure, but so is trusting a black box program with your passwords, probably running on your everyday (read: insecure) computer. As your parent noted, you can't automate low tech cryptanalysis, and you're really not that important.

Like you point out, my everyday desktop is already not very secure. I use most of my high value accounts fairly frequently. So most of my accounts would be compromised regardless of what password scheme I use. Installing an open source password manager doesn't lower my security by much.

Previously I tried to memorize passwords. I ended up forgetting a lot. It was frustrating trying to remember what my password was, or even whether I had an account on the site or not. The user experience of being able to ctrl+f through all the accounts that I have in my database is very refreshing.

I have a quite high value video game account, and 6 people have specifically targeted me. They've attempted various things, such as trying to exploit password reuse, and utilizing previous website database breaches that I was in.
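
The attack described in the comment above (exploiting password reuse with data from earlier breaches) is exactly what defeats the "reuse with slight changes" scheme suggested a few comments up. The following is an added example, not code from the thread or from any of the commenters: a small Python rule engine that takes one password recovered from an old dump and enumerates the "slight changes" people typically make (year bumps, site-name affixes, symbol suffixes, case changes), then checks each candidate against a target hash. The breached password, the site names, the target password and the use of plain SHA-256 as the stand-in for the target site's hash are all constructed assumptions for illustration; a real site should be using a slow, salted hash, which only changes the cost per guess, not the number of guesses.

```python
import hashlib
import re
from typing import Callable, Iterator, List, Optional

# Constructed assumptions for the example (not real credentials or dumps).
BREACHED_PASSWORD = "RedDogsSpicy2014"            # recovered from an "old breach"
SITES = ("blizzard", "bnet", "gmail")             # services the target is known to use
YEARS = [str(y) for y in range(2012, 2020)]
SUFFIXES = ("!", "1", "!1", "123", "#")


def replace_year(p: str, year: str) -> str:
    """Swap any 20xx year in the password for another year."""
    return re.sub(r"20\d{2}", year, p)


def build_rules() -> List[Callable[[str], str]]:
    """Mangling rules modelled on how people vary a reused password."""
    rules: List[Callable[[str], str]] = [lambda p: p, str.lower, str.upper]
    rules += [lambda p, s=s: p + s for s in SUFFIXES]             # RedDogsSpicy2014!
    rules += [lambda p, s=s: p + s for s in SITES]                # RedDogsSpicy2014blizzard
    rules += [lambda p, s=s: p + s.capitalize() for s in SITES]   # RedDogsSpicy2014Blizzard
    rules += [lambda p, s=s: s + p for s in SITES]                # blizzardRedDogsSpicy2014
    rules += [lambda p, y=y: replace_year(p, y) for y in YEARS]   # RedDogsSpicy2016
    return rules


def candidates(base: str, depth: int = 2) -> Iterator[str]:
    """Breadth-first enumeration of rule compositions up to `depth`,
    deduplicated so identity-like rules do not repeat work."""
    rules = build_rules()
    seen = set()
    frontier = [base]
    for _ in range(depth):
        next_frontier = []
        for p in frontier:
            for rule in rules:
                c = rule(p)
                if c not in seen:
                    seen.add(c)
                    next_frontier.append(c)
                    yield c
        frontier = next_frontier


def sha256_hex(s: str) -> str:
    # Stand-in for whatever hash the target site leaked; a slow salted hash
    # would raise the per-guess cost but not the size of this candidate set.
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def guess_from_reuse(target_hash: str, breached: str, depth: int = 2) -> Optional[str]:
    """Return the first mangled variant of `breached` matching `target_hash`."""
    for c in candidates(breached, depth):
        if sha256_hex(c) == target_hash:
            return c
    return None


# Constructed stand-in for a hash leaked from the target site: the user
# "rotated" the reused password by bumping the year and adding a "!".
TARGET_HASH = sha256_hex("RedDogsSpicy2016!")


if __name__ == "__main__":
    total = sum(1 for _ in candidates(BREACHED_PASSWORD))
    hit = guess_from_reuse(TARGET_HASH, BREACHED_PASSWORD)
    print(f"{total} candidates from one breached password; match: {hit!r}")
```

The point of the example is the size of the search: a few hundred compositions of trivial rules cover most "slight changes", so a stolen hash plus one old dump is enough to automate the attack, whereas a password that shares nothing with the breached one is not reached by any of these rules.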

See, for your video game accounts imo writing down your password is just a no brainer. Unless you're protecting your account from family members or roommates, nobody is going to steal a piece of paper. And what government agency cares about your video game passwords? If they want to get into your blizzard account they'll just ask blizzard for access.

I have had family members play pranks on me, so that is one attack I'm trying to avoid. But even ignoring that there are problems. Do I keep the paper at my desk? If so, what do I do if I want to log in on my phone when I'm not at home? And like I said, there's the risk of the house burning down. My house is kind of a mess, and I have lost pieces of paper before. I could keep it in my wallet, but what if I lose my wallet? I guess I could keep multiple pieces of paper, but that just increases the chance that I would lose one. And then I have to worry about keeping the papers in sync. And it's not just the video game account, they also attack the email associated with the video game account, so I have to put that there too. And then the recovery email for that email. Maybe I need to put my cell provider password there too, because people hijack mobile phone numbers sometimes for SMS account hijacking. This just leads to a paperwork overhead problem that would be better for a computer to solve. Digging through my wallet or digging around my desk trying to find a piece of paper, and then typing a password character by character from the paper sounds really annoying.

I don't see what benefit the paper would have. Whether it's paper or a password manager, if my computer is compromised they'll get my accounts with a keylogger.

Specifically that's true for US law. Under UK law memorised passwords can be demanded with prison sentences for failing to produce them. It also doesn't count at the US border.

That's messed up. In this case, store password DB in deniable TrueCrypt (or similar) volume on an airgapped machine, secured with a memorized passphrase. That way, they can't prove there's something to decrypt, and you haven't memorized any passwords they know about. But it sounds like merely failing to produce a password is a crime in general, which seems unfair to those who have lost / forgotten their password.