I have been researching the annual “Geek Father’s Day” blog (this was last year’s post) when I came across this “geeky” present.
It is a nice product, with various sections and dividers to highlight and organise your passwords and other sensitive personally identifiable information (PII). It even has a loop for a pen and is pocket sized. In our cyber security courses we do say you can write down your passwords on paper if you really have to – however you have to have a scheme in place to keep that book/list/document very secure and the information it contains obscured. Using an organiser style notebook, that is easily carried – and easily lost/stolen – is not what we are talking about.
To be fair the cover does not say “Secret Password Book”, but when the thief looks inside there is no doubt as to the contents.
Last Thursday was “World Password Day”, I chose not write anything specific for that day because we want people to be thinking wider than just having great passwords, when it comes to their and their organisation’s cyber security.
This blog post is my contribution to password awareness.
Best Practice
Security experts like me will tell you that you need a unique, complicated password for every service you use – the diagram at the head of this post will give you a good guide to the types of password I am referring to. Only if you are extremely gifted will you ever be able to remember such a list of passwords and usernames – so you will need to note them down somewhere. But that somewhere has to be very secure – your online identity and the contents of your bank account will be depending on that security.
You can use an online password bank and smartphone app, but me, I am paranoid, so I like to be in control of where my life secrets are kept, so I opted for an encrypted Microsoft document. There are three useful options for this:
- OneNote notebook encrypted section
- Excel encrypted document
- Word encrypted document
The above is a ranking of how effective I consider each solution. For all of them there are versions for Windows computers, Macs, iOS devices and Android devices. Not sure?
Microsoft OneNote
This is probably the best solution of the three listed. You can get access to your password list from anywhere – your PC, smartphone through the OneNote app and even through a web browser on a PC you do not own (but remember that option comes with its own security concerns). Using the computer and smartphone Microsoft apps gives you peace of mind that no one is trying a man-in-the-middle attack on you by spoofing Microsoft apps – I have not actually heard of an example of this happening but it was something we discussed on the Masters course as a possible attack vector using a side loaded app impersonating a password app.
The flexibility of OneNote as a tool for capturing ideas and information make it ideal for holding secret information in encrypted sections. How you organise the information and use the app is really up to you – so it can usually suit everyone’s requirements.
However using OneNote as a password bank is not without issues. On my smartphone and tablet I can use the biometric security to access the encrypted data, but on my all singing all dancing Windows 11 laptop, with Windows Hello enabled and face recognition and a finger print scanner, I have to type in the password to get access – so giving the “shoulder surfer hackers” an opportunity to steal my all important data:
“One password to rule them all, One password to find them, One password to bring them all and in the darkness bind them.“
with apologies to JRR Tolkien
Microsoft Excel spreadsheet
The ability of Excel to organise information makes it a useful password bank. Use your imagination and it can fit your needs.
To encrypt the spreadsheet:
The same caveat applies here as above – lose the password – lose access to the information. Whatever you see out there on the web about removing password protection from Excel and Word files, it cannot be done. Those old “hacking web pages” offering to sell you the app, or the “free” dodgy download to remove the passwords are referring to much older versions of Microsoft Office. (You are using the latest versions of Microsoft Office – aren’t you? Well that is a whole other blog post).
Microsoft Word document
You can write a list in Word and use the Styles with the References – Table of Contents function to create a pretty good password bank.
You access the encryption in the same way as in Excel:
File – Info – Protect Workbook – Encrypt with Password
Again – lose the password and you are done for.
The problem with using Excel and Word as password banks
There is an issue of flexibility here. The encryption function does not fully work with the online and app versions of Word and Excel. In the smart device Microsoft Office app and Online versions you can open the documents but not edit them – however you can copy your passwords to the clipboard.
Online and smart phone app password banks
I am not going to recommend or even discuss online password bank services. If you want to go that way, great. But if you are going to use such a service, do your due diligence:
- Check the company’s reputation
- See where it operates from
- What are its encryption and privacy policies?
- Ask trusted contacts if they use the service – if not what do they use?
- Do not just use one because you got sent a link via InstaTweeFace!
My parting thoughts
In the password bank debate – encryption is the number one requirement with ease of use second. I fully support any scheme that enables people to use multiple complex passwords, safely – it makes the job of the hacker infinitely harder.
However passwords may become less important in the future. Microsoft, Google and Apple have announced a collaboration with the Fast ID Online Alliance (FIDO) to reduce our reliance on passwords:
But in the future we may not need passwords – have a look at this:
For daily cyber security stories and advice I write a cyber security blog at Smart Thinking Solutions – Cybersecurity Starts in the Boardroom. It is aimed at business leaders and owners who want to know more about the constantly changing threat landscape, so they can remain in the loop. This equally applies if they have to deal with cyber security issues themselves or they have someone else to do it for them.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Here is a great article from the Microsoft blog looking at passwords:
This World Password Day consider ditching passwords altogether – Microsoft Security Blog