[PhantomGremlin]

A notebook is a totally reasonable way for a non-technical person to track passwords securely.

I do this, even though I'm a "technical" person. I do it because I use unique passwords for almost every site I visit.

The notebook never leaves the house, but what if I have a fire? I remember a few passwords, but most of them "poof, gone".

My reckless behavior reminds me of this commercial parody on SNL, long ago:

- A Tradition of Security -

We will make a list of our clients and how much money each of them has given us to invest. We will keep this list in a safe place. If we have time we will make a copy of the list in case something happens to the first list.

http://www.faqs.org/faqs/tv/sat-night-live/commercials/

[dunnevens]

In case of fire, seems like you only need to memorize the passwords for your email accounts. Everything else can be fixed with “reset your password” links.

I’ve sometimes wondered if that would be a useful security scheme. Using email as a de facto pw manager. Memorize your email pw. Use the password reset feature on your critical sites. It would be enormously inconvenient. But it would mean your passwords are never written down and never stored in a pw manager’s database.

Seems like that would make things more secure, but I’m probably overlooking something.

[PhantomGremlin]

It's a complicated issue.

I think some people don't make any real effort to keep track of their passwords, and so reset via email is kind of common.

But what if you're Sarah Palin, governor of some out-of-the-way state (pop. 736,000). Suddenly you're thrust into the spotlight as a VP candidate.

Sucks for her that Yahoo's password reset questions at the time were simple: The Yahoo! account's password could be reset using shared secret questions including "where did you meet your spouse?" along with the date of birth and ZIP code of the former governor to which answers were easily available online.

https://en.wikipedia.org/wiki/Knowledge-based_authentication

Can you trust your email provider not to let your account get "stolen" from you?

I think having a discussion like this on HN is great. It gives people an opportunity to re-evaluate their current procedures.

[throwawayboise]

Do you have your password manager database and private keys backed up in a way that would survive if you have a fire? A lot of people may think they have backups of stuff like this but unless you remember to grab that thumb drive out of your desk drawer (assuming you're home) a fire might still destroy them.

[PhantomGremlin]

No, no, I don't have my passwords anywhere but in a paper notebook. And I don't have any other copies. That's what I meant by "my reckless behavior".

What percentage of people use a password manager? I think on iOS/macOS it's pretty high because Safari offers to save them, but what about non-technical users in general?

As to why I don't use a password manager, I think that the probability of some bug or hack or whatever of the password manager, which would lead to all my passwords being compromised, is greater than the probability of my house burning down.

Do I really want to trust Firefox with all my passwords? Do I really want to trust Google with all my passwords? (Fuck no!) Do I really want to trust some random password manager with all my passwords?

The smart thing to do, which I unfortunately don't, is to memorize a handful of passwords and use a password manager for the rest. E.g. remember bank password, use a password manager for Chipotle and Five Guys.

[ViViDboarder]

> Do I really want to trust Firefox with all my passwords? Do I really want to trust Google with all my passwords? (Fuck no!) Do I really want to trust some random password manager with all my passwords?

There are options like KeePass or Bitwarden that allow you to store your own database file wherever you see fit or self host, respectively.

> The smart thing to do, which I unfortunately don't, is to memorize a handful of passwords and use a password manager for the rest. E.g. remember bank password, use a password manager for Chipotle and Five Guys.

This is the way that I mitigate risk as well. My email password is not present in the db, nor is my checking.

[vgalin]

It should be reasonably safe to store database files on various cloud storages. If you are not willing to do so, it is also possible to keep them on flash drives at your relatives' homes.