It’s OK to save all my passwords in Word, no?

In a follow up to my last blog on password managers, many of my family members and friends have still not picked up on the habit of using them – mostly because of the refused acceptance that there is a small price to pay for increased security; the price being a couple clicks to bring up the password manager app to look up the password for a web site login.

Password managers are still what is recommended to store unique and complex passwords for each authentication/login credentials you may have each domain, computer, web site. But for those family members and friends who have refused to adopt a password manager, I recommend the following.

Instead of saving your passwords in a Word document, save your password hints. We’ll get to how to write these hints later. Save the Word document encrypted, and make the filename something less obvious than passwords.docx – maybe “Favorite Movies.docx.” Depending on PC/Mac version, the encryption feature is found in the Save process under Tools or Options, Security. This is one password you need to remember – make it a good and memorable one.

You may think, Word encryption is not the greatest. True. But this layer of security – encrypting the document with a non-enticing file name – at least keeps the nosey, non-hacker person who might come across your file.

As to what information to keep in the file, you don’t want to store your passwords as-is (in plaintext) in a Word document, even though the file may be encrypted. You should only store information that can help you remember the password. For example, if your passwords are famous movie quotes, to remember the credentials for 2 sites could be saved as:

ebay.com = Clint Eastwood

amazon.com = Jack Nicholson

Each of the above actors has a famous, iconic movie line, and using a consistent transformation method on those quotes, the actual passwords for the sites would be:

ebay.com = gOaheaDmakEmYdaY

amazon.com = yoUcanThandlEthEtrutH

In the above example, the actual passwords are formed by capitalizing the last character of each word in the password hint, and eliminating all spaces and special characters. This transformation process should be memorized and be consistent for all the passwords saved in the Word document.

You can choose whichever transformation process, as long as it’s consistent so you can remember and don’t have to write it down somewhere, eg. capitalize the last 2 characters of each word or capitalize the second character of each word or substitute every first character with a number.

This way, if someone gets a hold of your Word document, and manages to decrypt its password, they will only have a list of password hints, that only you can transform into the actual passwords.

Some other examples of passwords and password hints that you could use:

  • Names of friends and family members, with their birth years as passwords, and the city where they live as password hints, eg.
  • Save in the Word document your password hints:
  • ebay.com = Denver, CO
  • amazon.com = Chicago, IL
  • And from the above password hints, you know your best friend lives in Denver and your aunt in Chicago.
  • Password for ebay.com = JimmyJones1989
  • Password for amazon.com = GertrudeSmith1955

You could even do this:

  • Save in the Word document the following password hints:
  • ebay.com = Go ahead. Make my day.
  • amazon.com = You can't handle the truth!
  • And from the above password hints, use your memorized transformational process, eg capitalize the 2nd character of each word.
  • Password for ebay.com = gOaHeadmAkemYdAy
  • Password for amazon.com = yOucAnthAndletHetRuth

This is “security through obscurity” – much of the information is available but in order for the information to be effective (for the passwords to work), they need to be manipulated using an algorithm that only the user knows but has committed to memory.

You can then email yourself this document. And when you need to look up the password for some site, look up the email, enter the document password to decrypt it, get the info, and use your memorized transformational process to re-construct your password for that site.

This is better than nothing. Better than the alternative of using easy to remember (and crack), simple and the same passwords for all logins. Best to use a password manager, though.

Be safe…

Resources:

https://www.cnet.com/how-to/the-safe-way-to-write-down-your-passwords/

https://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices