Practical Computer Advice
from Martin Kadansky
Volume 13 Issue 12
November 2019
Organizing Your Passwords on Paper: A Simple Approach



To read this issue on my website, please visit:
http://kadansky.com/files/newsletters/2019/2019_11_30.html

The problem

Keeping track of your many passwords can be a chore, sometimes even a nightmare. Many people (including me) recommend using technology for that, ideally a secure file or database of some kind that is encrypted with a strong and unique "master" password. However, for many people that can be an undesirable, unworkable, and overly complicated approach.

In my opinion, there's nothing wrong with using a paper system to keep track of your passwords, as long as it helps you in a reasonable way, you can keep it up-to-date, and you store it in a secure place. And, since you won't be storing it online (in the "cloud") nor on your computer or mobile devices, it's inaccessible to online hackers.

Read on for my advice on how to do this well.

How to begin

I recommend that you take the following general approach:
  • Gather: Find all of your current password records, notes, etc. and put them in a single pile or file folder or box. This may include loose sheets or scraps of paper, notebooks, Post-its, etc.
  • Features: Think about what a better system would look like.
  • Security: Think about where you will store your paper password system to keep it safe.
  • Decide: Choose the paper system that you'll use.
  • Start: Begin putting your passwords into your new system.
  • Long-term maintenance: Keep your passwords up-to-date going forward.
Also, keep in mind that (unless you only have a handful of passwords) you're probably not going to set up this new system in an hour or even a day. This is a project, and it will take some time. If you think that this will be difficult for you to do on your own, ask someone you know and trust to help you. It's worth the effort, and you can do it!

Gather

Go get your password notes and put them all together in one place. This may include
  • Post-it notes stuck to your monitor
  • Scraps of paper on your desk or under your keyboard
  • Loose pages filled with information
  • Spiral-bound or loose-leaf notebooks
  • Pages in your calendar or day planner
  • Index cards
  • Rolodex
You may also have some electronic password notes:
  • Word or Excel files on your computer
  • Emails to yourself
  • "Notes" app in your smartphone or tablet (iPhone, iPad, Android, etc.)

Features

In my experience, a good password-management system (whether paper or electronic) has the following features:
  • Clear: For each entry, it clearly and legibly shows a Title or Description (e.g., "Email," "Facebook," etc.), Username, Password, and other related information as appropriate, including the associated website or company name and other helpful notes. For each password in particular, it should clearly distinguish uppercase from lowercase letters ("A" vs. "a"), letters and numbers and symbols (uppercase letter "O" vs. digit 0, letter "S" vs. digit 5, lowercase letter "l" vs. digit 1 vs. vertical bar "|"), etc.
  • Easy to find a password, sort by Title, and insert new ones: Over time, any system that puts multiple entries on a page will become a mess, since you will be forced to add new ones at the end (out of order), which will then require you to search the entire collection every time you're looking for something, and may also create confusion if you end up with near-duplicates. Instead, you should be able to insert new entries where they belong and keep the collection sorted by Title.
  • See also: For any item whose Title might be ambiguous (or one of any number of choices), you should be able to create additional "synonym" entries that refer back to the primary one. For example, you might put your email account information under the primary Title "Email," and then (in case it's helpful) you could have secondary entries for "Comcast" or "Gmail" that simply say "see Email" and nothing else, much like a classic library card catalog might have. This is also better than having identical, repeated information in separate entries, because when that password changes, you will only have to update the main entry, avoiding confusion later.
  • Security: See below for more details about this.
  • Backup copies: You should be able to make a copy that you can store somewhere else, using a photocopier or multifunction printer, which you would ideally store securely, off-site.
  • Subset for "on-the-road" use: When traveling, you should be able to take (or even better, take copies of) just those passwords that you'll need during your trip, without taking the entire collection.

Security

Your paper password records should be kept out of sight, ideally under lock and key. Otherwise, anyone with access to your home or office might see them.

You might also find these "security through obscurity" techniques useful:
  • Omission: Some people like to use special prefixes or suffixes with many of their passwords but omit them from their records in case someone gets unauthorized access. For example, if the actual password to your Gmail account is "abc123" and if "abc" is also a common prefix on many of your passwords, then you might only enter "123" in your password records, as long as you will remember later that you did this.
  • Abbreviation: If there are common words that you use in many of your passwords, you might abbreviate them in your records. For example, instead of the actual passwords "Bluebird123" or "Potato456" you might write "B123" and "P456" in your password records.
  • Reverse or Scramble: You might reverse the characters in your passwords, so instead of the actual password "Bluebird123" in your records you might write "321dribeulB" to reverse it, or "B3l2u1edbri" to mildly scramble it, taking the characters in this order: 1st, last, 2nd, 2nd-to-last, 3rd, 3rd-to-last, etc.
  • Variety: You could use multiple methods like these, as long as you can later reliably tell which method you've used for which password. For example, using A=Abbreviation, R=Reverse, and S=Scramble, the actual password "Bluebird123" might appear as "A-B123" or "R-321dribeulB" or "B3l2u1edbri-S" in your records.
However, you should write down these "obscurity" techniques (which are all mild types of encryption) and store that explanation in a separate secure place, not only for yourself (in case you forget your system), but also especially if you share your password records with someone else that you trust for safekeeping.
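
The Reverse and Scramble methods are the two that can be undone mechanically, so here they are with their inverses and the R/S tags, as an added example that is not part of the original newsletter (the function names are illustrative assumptions). Applying the stated order to "Bluebird123" gives "B3l2u1edbri", with the digit 1 in the sixth position.

```python
# Added example: the "Reverse" (R) and "Scramble" (S) methods described above,
# plus the steps needed to read a tagged record back. Names are hypothetical.

def reverse(password: str) -> str:
    """Written form for method R: the characters in reverse order.
    Reversing is its own inverse, so this also decodes an R entry."""
    return password[::-1]

def scramble(password: str) -> str:
    """Written form for method S: 1st, last, 2nd, 2nd-to-last, 3rd, ..."""
    out = []
    left, right = 0, len(password) - 1
    while left <= right:
        out.append(password[left])
        if left != right:  # odd length: the middle character is written once
            out.append(password[right])
        left += 1
        right -= 1
    return "".join(out)

def unscramble(written: str) -> str:
    """Invert scramble(): even positions hold the front half in order,
    odd positions hold the back half in reverse order."""
    front = written[0::2]
    back = written[1::2]
    return front + back[::-1]

def read_record(entry: str) -> str:
    """Recover the real password from a tagged entry ('R-...' or '...-S').
    The tag may be a prefix or a suffix, as in the Variety examples.
    Caveat: a password that itself starts with 'R-' or ends with '-S'
    would be misread, so pick tags that cannot occur in your passwords."""
    decoders = {"R": reverse, "S": unscramble}
    for tag, decode in decoders.items():
        if entry.startswith(tag + "-"):
            return decode(entry[2:])
        if entry.endswith("-" + tag):
            return decode(entry[:-2])
    # Omission and Abbreviation drop information; only memory restores them.
    raise ValueError("no reversible method tag found")

if __name__ == "__main__":
    for record in ("R-321dribeulB", "B3l2u1edbri-S"):
        print(record, "->", read_record(record))
```

Neither method uses a secret key, so anyone who recognizes the pattern can undo it just as easily; the protection still comes from where the records are stored.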

Decide

Next I suggest that you decide what paper system will work best for you.

I suggest using a separate, relatively small piece of paper for every password entry, for example:
  • Index cards: 3"x5" and 4"x6" are common sizes; I recommend lined ones ("ruled") over blank
  • Loose-leaf (hole-punched) pages; I recommend a size like 8.5 x 5.5 (half-sheet) or smaller, with lines
  • Rolodex cards, also called "rotary cards"
Also, be sure to keep a supply of blank cards or pages nearby (along with a pen or pencil) to make it easy to add more entries.

How will you keep your paper collection together? For example, you could use:
  • Binder clip for a relatively small collection
  • Card file, case, box, or drawer
  • Recipe box
  • Loose-leaf or 3-ring binder or notebook
Don't label it "Passwords." Choose something less obvious and innocuous, or don't label it at all.

Using a bound, paper address book (with pages or sections for each letter of the alphabet) might seem appealing, but if you have more than a handful of passwords it will probably get messy sooner than you expect.

Start

One final decision: Are you going to use pencil or pen?
  • Pencil: Easy to make changes with a good eraser
  • Pen: Can be more legible; when making changes, instead of crossing things out I recommend "white-out" (correction fluid or tape) to keep it readable and minimize confusion in the future
I recommend that each entry have separate rows that include the following:
  • Title: Describes the item using a unique phrase, e.g., "Email," "Email-Comcast", "Comcast-John," "Comcast-Mary," "Facebook," etc.
  • Username: Often your email address, sometimes another identifier
  • Password: Be careful to distinguish uppercase from lowercase, digits from letters, etc. I suggest using underlining (or double-underlining) to make it very clear which letters are capitalized.
  • Notes: This might include the associated website or company name, why you have this account, when you created it, or other helpful notes as appropriate.
You're now ready to get started. I suggest:
  • Start anywhere. The goal is not perfection, but to create a reasonable, practical system that will help you and save you time.
  • Work your way through each item (post-it, piece of paper, or page) in the pile.
  • For each entry, write its information (see above) onto a new card or page, and then put it into your new system in alphabetical order by Title.
  • As you finish transcribing the information from each original item, mark it as done (cross it out, check it off, etc.) and put it in a very separate (and temporary) "done" file.
  • When you finish the pile of originals, look around for more passwords that you might have missed.
  • Shred the "done" pile. Since it contains extremely valuable information, do not just throw it away.

Long-term maintenance

Whether paper or electronic, having good, up-to-date password records requires diligence.

I recommend that you commit to updating your password records as soon as you can after a change, including whenever:
  • A password changes: After writing in the new password, I also like to write the previous password (along with when and why it changed) in the Notes area.
  • You create a new account
  • You close an account: Rather than throwing away the card or page, I prefer to add "-Closed" to the Title, but if you are motivated to discard an entry, be sure to shred it.
  • You realize that you haven't used that account in years: Don't throw the card or page away, since that account probably still exists. I suggest adding "-Old" or "-Obsolete" to the Title, or start a separate "Old Passwords" collection.
Periodically make a backup copy:
  • Ideally every 6 or 12 months,
  • Write today's date on the first page so you'll know when you made the copy, and then
  • Put it in a separate, secure place, like a safe deposit box, or give it to a trusted friend or colleague.
  • Have an extra index card or page in your collection where you write down when you made each backup copy and where (or with whom) you stored it.
  • Shred all previous backup copies.
And if you have a will or estate plan, you should talk to your attorney or executor about either including a copy of your passwords, or at least information about where you keep your passwords or who to contact to get them.

Where to go from here
How to contact me:
email: martin@kadansky.com
phone: (617) 484-6657
web: http://www.kadansky.com

Copyright (C) 2019 Kadansky Consulting, Inc. All rights reserved.

I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.