Finally secure: A book to store all your passwords in

You thought you had seen everything in information security? What about this notebook from Staples for US$ 28.69 to write down all your passwords? It is called the Clever Fox Password Book, 4.37″ x 5.67″ (Q0-70Z6-LIBI). Other retailers are selling this notebook, too.

Everything that is dear to you can be written down, like email settings, ISP connection details, and of course all of your passwords. As writing down long, strong passwords is tedious, I recommend going back to tried and tested passwords like “123456”. And do not use hard-to-read special characters like ‘`”^. As this password keeper book has been designed to be anonymous without an obvious title on the cover, I also recommend writing “My secret passwords” on the cover and spine. How else will you find it again on your bookshelf?

On a more serious note, I might stick to my digital password manager app that lets me synchronize passwords securely between Windows, Linux, and Android. The password manager allows me to use long, strong passwords which I could not type into a password field easily. Considering my handwriting, complex passwords written down by me are typically WORN: Write once, read never.

Does this mean password managers are the final answer to password management, giving the user 100% security? Of course not.

I personally use (Counterpane) Password Safe. This tool was originally designed by security preacher Bruce Schneier, whom I met personally in Munich once, and for whom I have a lot of respect. The tool eventually became open source, and now the source code can be examined by anyone for vulnerabilities.

The current version of Password Safe is 3.70.1. I only found known vulnerabilities for versions 2.11, 2.16 and 3.0BETA1 (CVE-2006-3675) and version 1.7(1) (CVE-2001-0984). Two vulnerabilities in 23 years: this is what I call pretty secure.

One weakness of password managers is the master password. The master password is the key to the kingdom. It unlocks the password database and gives access to everything that has ever been documented. If a perpetrator got access to the master password, it would be game over. Password Safe solves this by a) allowing different master passwords per password table and b) supporting two-factor authentication using the YubiKey token. Knowing the master password and having access to the password database would not be enough for a perpetrator to be successful.
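To make the second-factor point concrete, here is a toy vault written for this page (it is not Password Safe's code or file format). Both the master password and the answer of a challenge-response token feed the key derivation, so the database file plus the master password alone cannot reproduce the key. Because the Python standard library has no Twofish, the encryption step uses an HMAC-SHA256 counter-mode keystream as a stand-in; `TOKEN_SECRET`, the vault layout and the sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed second-factor secret: stands in for the key programmed into a
# challenge-response hardware token. It is never written into the vault file.
TOKEN_SECRET = bytes.fromhex("0f" * 20)

# Constructed sample entries a user might keep in the vault.
SAMPLE_ENTRIES = {"mail.example.com": "correct horse battery staple"}


def token_response(challenge: bytes, token_secret: bytes) -> bytes:
    """Simulate a challenge-response token: HMAC over the stored challenge."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


def derive_key(master_password: str, salt: bytes, second_factor: bytes) -> bytes:
    """Both factors enter the KDF, so a missing or wrong factor yields a different key."""
    material = master_password.encode("utf-8") + second_factor
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for Twofish)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def _mac_key(enc_key: bytes) -> bytes:
    # Separate MAC key derived from the encryption key.
    return hashlib.sha256(b"vault-mac" + enc_key).digest()


def encrypt_vault(master_password: str, entries: dict, token_secret: bytes) -> dict:
    """Return a vault record: everything inside is safe to store on disk."""
    salt, challenge, nonce = os.urandom(16), os.urandom(16), os.urandom(16)
    enc_key = derive_key(master_password, salt, token_response(challenge, token_secret))
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # The tag lets decryption detect a wrong key (or tampering) before use.
    tag = hmac.new(_mac_key(enc_key), nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "challenge": challenge, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, vault: dict, token_secret: bytes) -> Optional[dict]:
    """Return the entries, or None when password or token does not match."""
    response = token_response(vault["challenge"], token_secret)
    enc_key = derive_key(master_password, vault["salt"], response)
    expected = hmac.new(_mac_key(enc_key), vault["nonce"] + vault["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    pad = keystream(enc_key, vault["nonce"], len(vault["ciphertext"]))
    return json.loads(_xor(vault["ciphertext"], pad).decode("utf-8"))


def demo() -> tuple:
    """Legitimate unlock vs. master password without the token vs. token without password."""
    vault = encrypt_vault("my master password", SAMPLE_ENTRIES, TOKEN_SECRET)
    with_both = decrypt_vault("my master password", vault, TOKEN_SECRET)
    no_token = decrypt_vault("my master password", vault, b"\x00" * 20)
    no_password = decrypt_vault("guessed password", vault, TOKEN_SECRET)
    return with_both, no_token, no_password


if __name__ == "__main__":
    print(demo())
```

The vault record holds only salt, challenge, nonce, ciphertext and tag; the token secret stays inside the token. Someone holding the file and the master password still derives the wrong key and fails the tag check, which is the property the paragraph above describes.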

New vulnerabilities might become public in the future. Like with all software, the user must make sure to always use the latest, stable version from a reputable source. With these security measures in place, I feel very confident about the risk level in the way I manage all of my passwords.

As an exercise, create a threat analysis for a paper notebook now, in which you have written down all your secrets. Remember, you have to have the notebook with you at all times, otherwise you have no access to the documented passwords. The book itself is not protected by a master password or token of any kind. This is called one-factor authentication of the worst kind (“something you have”). Anybody who gets physical access to the notebook and can read your handwriting can take over your digital life.

In contrast, I can securely access the database of passwords on my desktop computers as well as on my smartphones. I do not have to read or even know passwords anymore: The password manager copies them from the database into the clipboard and then into the password field of the application I need to access. I do not have to protect the password database itself as the entries in there are encrypted by the highly secure Twofish algorithm. To my knowledge, there has never been a full cryptanalytic attack on the algorithm.
