by yosito 1790 days ago
> A piece of paper is the most secure solution

I beg to differ. A piece of paper can easily be found by someone. Much easier than hacking a password manager. Unless you're storing that piece of paper in a safe, it's not secure. The only advantage of paper is that it's not exploitable remotely.


> A piece of paper can easily be found by someone. Much easier than hacking a password manager.

A piece of paper in a locked drawer is potentially accessible to a person breaking into it. It is probably an unsophisticated burglar looking for money. They are probably located in the vicinity of your neighbourhood and have rocked up to your home, and will not evade capture for long. They will likely leave DNA. If they decide to swipe your notebook, it will be immediately apparent you have been compromised, as your drawer is open and your notebook open or missing. Your notebook may be looked at momentarily, perhaps passed to one or two people, more likely, it will be thrown into a gutter as soon as the burglar realises it has no money in it, or just left untouched.

A password in a locked password manager is potentially accessible to a person breaking into it. It is probably a sophisticated cyberattacker looking for credentials. They are probably located overseas and have remotely connected to your home network, and will evade capture. They will leave no trace. If they decide to compromise your vault, it may not be immediately apparent you have been compromised, as your password manager is still there. Your vault will be scrutinised intensely, and your credentials will be sold to many others on a darknet forum.

I know which I'd rather.

If someone sees a list of site/user/pass, wouldn't they take a photo of it instead of stealing the entire notebook? It just seems like the obvious thing to do.

> They are probably located in the vicinity of your neighbourhood and have rocked up to your home, and will not evade capture for long. They will likely leave DNA.

Did you get that from CSI: Miami? Nobody is gonna collect DNA samples just because some stuff went missing in your home. The cops will file a report and tell you to file an insurance claim.

Burglars are in and out in a matter of minutes. There's no way they're standing there taking photographs. Like I said, they want money (and easily hocked valuables). No street criminal is interested in your Google Account login.

Australian here. When my house was broken into, police forensics came that afternoon and fingerprint-dusted all points of entry and lifted prints. Do they not do this in your jurisdiction? I have just realised DNA is probably poor shorthand for that.

Honestly the American cops are unlikely to bother with that. But still, I agree that a burglar is unlikely to bother with your password notebook.

If someone has remotely compromised my home network, how do I know they haven't just installed a keylogger and are capturing the passwords that I type in via a sticky note?

I'm just a person on the internet, so my threat model may be different to yours, but my threat model is for the most part phishing, social engineering, data breaches, and the like. The majority of these are fixed by password autofill (for the most part).

> It is probably a sophisticated cyberattacker looking for credentials

It is probably the script of a sophisticated cyberattacker leveraging some vulnerability to look for the credentials of thousands of people at once. Yes, the burglar is a total non-threat by comparison (unless they happen to be working for your very personal enemy intelligence agency).

Good security practice would add a memorized element to the stored passwords as an informal second factor. Are there password managers that have good support for that when auto-filling and updating?

I used to work in a pretty secure environment. The way to store passwords was to write them on a piece of paper and put that paper in your personal safe. This was inside a building with armed guards.

I guess it all depends on where your risk/convenience preference lies. I would say, just like the best camera is the one you have with you, the best way of storing passwords is the one you are willing to use. Perhaps pen and paper in a safe is the best way, but if that means insecure, easy passwords are used for many sites, I guess password managers are better.

There’s an assumption that no malicious actors exist in any physical proximity. A strange thing to say, but so far probably true enough.

If you hide it in a random book, it will be unlikely to be found by anyone. Burglars don't steal books.

When you hide it in a random book, and need to access it frequently, you end up with the plot device where the hyperintelligent detective guy immediately realizes that there can only be one reason this particular book looks more used than all the others.

The real threat, of course, is that you'll definitely not remember it yourself (because you only use it for that one ring master password which you never use).

Yes, but there is very low correlation of risk, much less than if your password manager is online.