Storing Passwords
September 24, 2015 11:24 AM
Is a password-protected Excel document a good way to store passwords for heirs?
When my husband and I recently updated our wills, I asked the lawyer to recommend the safest online password storage site for our adult children in case we don't live forever and they need access to our financial data. The lawyer's answer sounded somewhat simplistic, but is it? She recommended creating a password-protected Excel document rather than using sites such as Lifelock due to recent systemic hacking on those supposedly secure sites. The lawyer advised printing out the Excel document and storing it in a safe place.
When my husband and I recently updated our wills, I asked the lawyer to recommend the safest online password storage site for our adult children in case we don't live forever and they need access to our financial data. The lawyer's answer sounded somewhat simplistic, but is it? She recommended creating a password-protected Excel document rather than using sites such as Lifelock due to recent systemic hacking on those supposedly secure sites. The lawyer advised printing out the Excel document and storing it in a safe place.
I do exactly that, and I am not 100% comfortable with it. I have a hard copy locked in my safe and an Excel spreadsheet with a long (really long) password on it. The Excel file resides on my hard drive of my pc. It has never been emailed, put on a thumb drive, backed up to the cloud, etc. I think it is safe as long as no one steals my pc and then uses a program to hack that password. It is a risk I live with. I think it is less risky than trusting my passwords to someone other than me.
posted by AugustWest at 11:42 AM on September 24, 2015
posted by AugustWest at 11:42 AM on September 24, 2015
The best way to store this would be to use strong encryption like GNU Privacy Guard. I wouldn't trust Excel's password protection. You could just encrypt the Excel file. Or, you could use Password Safe (here).
If you want to store them online, just create a Google account and store it as a Google Sheet.
You really don't need truly strong encryption unless you think you're a real target for government/big business level hacking. After all, you'll have to write the passphrase/word down somewhere, right? In which case the security of the password for the encrypted thing is all that matters.
So as I'm thinking about this out loud, yeah, why not just print it out, and put it in a fireproof safe, and then all you have to protect is the actual, physical key. Which is also easy to deal with in the event of a death, because you just take the person's keys and see which one works with the safe.
posted by dis_integration at 11:49 AM on September 24, 2015
If you want to store them online, just create a Google account and store it as a Google Sheet.
You really don't need truly strong encryption unless you think you're a real target for government/big business level hacking. After all, you'll have to write the passphrase/word down somewhere, right? In which case the security of the password for the encrypted thing is all that matters.
So as I'm thinking about this out loud, yeah, why not just print it out, and put it in a fireproof safe, and then all you have to protect is the actual, physical key. Which is also easy to deal with in the event of a death, because you just take the person's keys and see which one works with the safe.
posted by dis_integration at 11:49 AM on September 24, 2015
In a larger sense, writing down your passwords and storing them in a safe place (like a safe deposit box) isn't such a terrible idea. Storing them in a single file that may be hackable is not as secure, but better encryption on that file means your data is safer.
The other things to think about are general password hygiene. Ideally, you should have different, strong, passwords for each site and change them regularly. This is harder when you have to also update a physical location.
Also, it's much better security to use two-factor authentication for every site you visit that supports it. This means that even if your password is hacked, the hacker still needs another type of authentication to get your data. To be honest, I don't know a good system of how to "pass along" passwords to others when using two-factor, but it's much much better for you to use it for yourself.
posted by homesickness at 11:52 AM on September 24, 2015
The other things to think about are general password hygiene. Ideally, you should have different, strong, passwords for each site and change them regularly. This is harder when you have to also update a physical location.
Also, it's much better security to use two-factor authentication for every site you visit that supports it. This means that even if your password is hacked, the hacker still needs another type of authentication to get your data. To be honest, I don't know a good system of how to "pass along" passwords to others when using two-factor, but it's much much better for you to use it for yourself.
posted by homesickness at 11:52 AM on September 24, 2015
I'd argue that the excel doc is fine. Frankly unless you're a millionaire or have a specific enemy targeting you your financial data is more likely to be compromised on the bank/investment company's end as part of some larger hack than for someone to go after your passwords directly. Store the excel file somewhere your heirs know how to get it and you'll be fine.
posted by Wretch729 at 11:54 AM on September 24, 2015
posted by Wretch729 at 11:54 AM on September 24, 2015
KeePass is an easy-to-use option. Mitigations proportional to risk: only you know what is at stake.
posted by j_curiouser at 12:00 PM on September 24, 2015
posted by j_curiouser at 12:00 PM on September 24, 2015
Honestly, print them out, seal them in an envelope, and give them to your lawyer to distribute as part of your will. Or put a printed copy in a safe and give your lawyer/children/whatever the key/code. Keeping a digital copy is just asking for it to be lost, corrupted, hacked, deleted, stolen, or whatever.
posted by blue_beetle at 12:00 PM on September 24, 2015
posted by blue_beetle at 12:00 PM on September 24, 2015
Excel's encryption seems fine these days.
What's arguably more important is keeping malware off your computer. Malware can steal your file and keylog the password to it. If your computer is infected with anything, wipe it. It can no longer be trusted. If you're running Windows, use Secunia PSI. It (mostly) keeps software up to date automatically and tells if if there's something you have to do manually. I don't have specific advice for you if you use OS X, other than to say that in spite of what some people contend, you are absolutely NOT invulnerable to attack.
In light of the malware issue, if you're really concerned, consider storing the password file off your PC on two thumb drives that are always kept in sync. (Two in case one fails). Don't plug those thumb drives into anything but your computer. This minimizes the risk of the file itself going missing if you're infected. The flipside is the hassle factor, potential for losing thumb drives or having them break.
I don't go that far, and store my passwords locally and encrypted.
posted by cnc at 12:15 PM on September 24, 2015
What's arguably more important is keeping malware off your computer. Malware can steal your file and keylog the password to it. If your computer is infected with anything, wipe it. It can no longer be trusted. If you're running Windows, use Secunia PSI. It (mostly) keeps software up to date automatically and tells if if there's something you have to do manually. I don't have specific advice for you if you use OS X, other than to say that in spite of what some people contend, you are absolutely NOT invulnerable to attack.
In light of the malware issue, if you're really concerned, consider storing the password file off your PC on two thumb drives that are always kept in sync. (Two in case one fails). Don't plug those thumb drives into anything but your computer. This minimizes the risk of the file itself going missing if you're infected. The flipside is the hassle factor, potential for losing thumb drives or having them break.
I don't go that far, and store my passwords locally and encrypted.
posted by cnc at 12:15 PM on September 24, 2015
I am afraid to create a document and store it on my computer. I have an address book with all my phone and addresses. It is also where I store all of my passwords under the letter P. I write them in pencil because they do change at times. I keep my address book in my nightstand where my family can easily find it. Not everyone in the family has that info just the ones that need to know.
posted by cairnoflore at 12:26 PM on September 24, 2015
posted by cairnoflore at 12:26 PM on September 24, 2015
Seconding blue beetle. Print them out or write them in an address book and store it in a safe deposit box or someplace safe. Even better would be for you and your husband to start using a password manager like KeePass or Lastpass. That way you only have to back up one password, the master password for the manager. It would automatically keep up with password changes on other pages.
posted by irisclara at 12:40 PM on September 24, 2015
posted by irisclara at 12:40 PM on September 24, 2015
The reason I keep both an Excel file and a printed version is that I change my passwords from time to time and I add new accounts from time to time.
posted by AugustWest at 12:43 PM on September 24, 2015
posted by AugustWest at 12:43 PM on September 24, 2015
How often do you update passwords? Are you going to update the Excel spreadsheet every time you change a password? I use Dashlane which keeps track of new passwords. I have one master password for Dashlane. There is no option to recover the master password. If I forget the master password, the only option with Dashlane is to totally wipe out all of the passwords and start over. But if you leave that for your kids, they'll have access to all of your most up to date passwords.
Alternately, all of the passwords you mention are connected to your email, right? Why not just put the password to your email somewhere and update that as needed?
posted by kat518 at 12:44 PM on September 24, 2015
Alternately, all of the passwords you mention are connected to your email, right? Why not just put the password to your email somewhere and update that as needed?
posted by kat518 at 12:44 PM on September 24, 2015
If you know all your important passwords by heart, skip electronic formats entirely and just write them down in a piece of paper and secure that. Just don't forget to update it if you ever change any of the passwords it contains.
If you don't know them by heart and/or are constantly updating them for reasons beyond your control, start using a password manager (I recommend KeePassX) with a strong master password, and print physical copies to store somewhere safe as above.
Excel or other proprietary formats and cloud solutions might be headache-prone long-term due to compatibility issues.
If for some reason you absolutely must have some sort of long-term encrypted electronic format, a standard ASCII or UTF-8 encoded plain text file (ie, as created by Windows Notepad, or exported from your password manager) symmetrically encrypted with GnuPG with a master password seems the most future-proof.
posted by Bangaioh at 1:31 PM on September 24, 2015
If you don't know them by heart and/or are constantly updating them for reasons beyond your control, start using a password manager (I recommend KeePassX) with a strong master password, and print physical copies to store somewhere safe as above.
Excel or other proprietary formats and cloud solutions might be headache-prone long-term due to compatibility issues.
If for some reason you absolutely must have some sort of long-term encrypted electronic format, a standard ASCII or UTF-8 encoded plain text file (ie, as created by Windows Notepad, or exported from your password manager) symmetrically encrypted with GnuPG with a master password seems the most future-proof.
posted by Bangaioh at 1:31 PM on September 24, 2015
This is not the greatest password hygiene, but I use several strings put together in different orders for passwords for various sites. And I have a hint file to help me along. So I'll have G7q4 to remind me that the first string is the 7 character one that starts with G, the second string is the 4 character string that starts with q. I'm not in a position to leave anything behind, but I figure keeping the hint file on my computer in plain text and a paper translation of the abbreviations will work for me. Also, if I need to change my password to h6J5, I put that down on in the hint file, as the sheet already has what h6 and J5 are.
This is probably more work than just using a password manager in all honesty.
posted by Hactar at 1:57 PM on September 24, 2015
This is probably more work than just using a password manager in all honesty.
posted by Hactar at 1:57 PM on September 24, 2015
The lawyer advised printing out the Excel document and storing it in a safe place.
I think this is good advice, the lawyer is only advising you use Excel to format the usernames & passwords in a grid format so you can print them out on paper.
The problematic part comes if you then decide to save and store the s/sheet file on a computer, Excel is really not good as a password store, it has auto-save, auto-complete and all number of complex features that can mess things up.
What I would do is create the s/sheet with websites and usernames save that file for future reference, then type in the passwords (or copy/paste them from your password manager) then you print it and close Excel without saving.
(Make the print out in a large bold font size so that it will still be readable in quite a few years time.)
posted by Lanark at 2:34 PM on September 24, 2015
I think this is good advice, the lawyer is only advising you use Excel to format the usernames & passwords in a grid format so you can print them out on paper.
The problematic part comes if you then decide to save and store the s/sheet file on a computer, Excel is really not good as a password store, it has auto-save, auto-complete and all number of complex features that can mess things up.
What I would do is create the s/sheet with websites and usernames save that file for future reference, then type in the passwords (or copy/paste them from your password manager) then you print it and close Excel without saving.
(Make the print out in a large bold font size so that it will still be readable in quite a few years time.)
posted by Lanark at 2:34 PM on September 24, 2015
I use a password manager and the password for that is stored in my safe deposit box along with other relevant information.
posted by Shanda at 2:37 PM on September 24, 2015
posted by Shanda at 2:37 PM on September 24, 2015
Whichever method you choose, be sure to include *ALL* the relevant log-in info: e.g. does each site require a username or full email address (which email address?), Some sites may require additional PIN or authentication codes, and maybe it's worth making a note of your likely answers to typical "security" questions that some services ask for, if any of them are slightly obscure (e.g. colour of first car / favourite teacher etc.)
posted by dirm at 4:35 PM on September 24, 2015
posted by dirm at 4:35 PM on September 24, 2015
I'd also recommend a password manager -- which is also useful for now while you're still using the web pages yourself. I also use Dashlane (link to a useful FAQ within their web page, from which you can easily get to their main page). They have an Emergency access feature as well which looks perfect for what you want to do. You could print out the passwords and put them in a safe deposit box, but what about when you change them?
posted by 2 cats in the yard at 5:45 PM on September 24, 2015
posted by 2 cats in the yard at 5:45 PM on September 24, 2015
If what you need to do is archive an encrypted list of passwords, use software designed to store an encrypted list of passwords. Then start using it day-to-day as well.
KeePass is what I use. The authoritative copy of my passwords database file lives in my Dropbox account. I keep another copy in USB storage attached to my car keys, and update that occasionally from the Dropbox master; the intent is to have an offline copy that contains my current Dropbox password.
I'm not fussed at the possibility of Dropbox's own passwords database being compromised. Because I'm using KeePass, my Dropbox password is not re-used for any other purpose, as well as being long, machine-generated random, and therefore not crackable. But even if Dropbox were keeping its users' passwords in plaintext (it isn't) and some thief managed to get hold of my KeePass database, they would have to break AES256 encryption, which would only be feasible if they could guess my KeePass master password, which they won't because it is also long and machine-generated random.
KeePass can also export your encrypted passwords to plain text, if you want a printed copy to leave in a safety deposit box somewhere.
posted by flabdablet at 5:52 AM on September 25, 2015
KeePass is what I use. The authoritative copy of my passwords database file lives in my Dropbox account. I keep another copy in USB storage attached to my car keys, and update that occasionally from the Dropbox master; the intent is to have an offline copy that contains my current Dropbox password.
I'm not fussed at the possibility of Dropbox's own passwords database being compromised. Because I'm using KeePass, my Dropbox password is not re-used for any other purpose, as well as being long, machine-generated random, and therefore not crackable. But even if Dropbox were keeping its users' passwords in plaintext (it isn't) and some thief managed to get hold of my KeePass database, they would have to break AES256 encryption, which would only be feasible if they could guess my KeePass master password, which they won't because it is also long and machine-generated random.
KeePass can also export your encrypted passwords to plain text, if you want a printed copy to leave in a safety deposit box somewhere.
posted by flabdablet at 5:52 AM on September 25, 2015
« Older What makes electrical panel double taps so... | Having fun, but lacking sleep. What can I do to... Newer »
This thread is closed to new comments.
LastPass is generally considered one of the better online password sites.
posted by LoveHam at 11:40 AM on September 24, 2015