If you ask any security expert (or any of the self-proclaimed aficionados out there for that matter) what you should do to keep your passwords secure, you can bet your bottom dollar that one of the first things they will say is ‘never write your passwords down’. Nowadays, keeping a physical log of your password library is commonly considered akin to privacy suicide.
Indeed, jotting down your ‘secret’ login details in plain text on a post-it note and sticking it to your monitor is nothing short of foolish security behavior. Likewise, they will tell you never to re-use the same password across different logins; every password should be unique and as ‘strong’ as possible.
This is sound advice: if a cyber-criminal steals your username and password from one place, one of the first things they usually do is try those same details against many other online services. A written record of re-used passwords is therefore doubly risky: the list hands over every account at once, and each password on it opens more than one door.
However, the average internet user now has to remember and manage so many different passwords, each of which is expected to be as complex as possible, that many see no option other than to duplicate them across sites, accounts and devices, or to write them down somewhere and refer to them as needed.
So this raises the question: is there a realistic way of keeping a physical log of your passwords that is safe and protected?
Well, information security expert Raef Meeuwisse claims to have found the answer with his book The Encrypted Pocketbook of Passwords, which sets out to show that it is possible to physically store hundreds of separate account, username and password details and use one or more secret keys to keep the information secure, even if the book itself is accessed or stolen.
Intrigued? So was I, so I jumped at the chance to sit down with Meeuwisse, whose other works include Cybersecurity for Beginners, to discuss his latest book and find out a little more.
Meeuwisse explained that, with 16 years of info security experience behind him, he wanted to create a workable, reliable ‘go to’ password journal that is unique to every owner but also not susceptible to the plethora of vulnerabilities that so often plague digital password management platforms.
“Writing your passwords down is usually thought of as a risk, but actually, if you write them down in a way that you can read but others will find either impossible or hard to break, then that is a safer route than re-using them across different online services.”
With that in mind, Meeuwisse set out to apply a range of security techniques in a logbook that uses secret keys and other tips so that you can actually write your passwords down, but in a way that, even if the book were accessed, nobody else could read or understand them.
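To make the principle concrete, the block below is an added illustration and not the book's own scheme, which the article does not describe. It assumes a toy keyed letter-shift that a person could apply by hand with a lookup table; the function names, the alphabet, the sample password and the key are all constructed for the example. It shows the two halves of the idea: the written entry is meaningless without the memorised key, and the same entry decodes to different passwords under different keys. The last function shows the caveat a practitioner would want: a toy shift leaks the key stream to anyone who holds the book and one genuine password for an entry, which is one more reason never to re-use a password, and why a real scheme needs more than a short repeating key.

```python
import secrets
import string

# Characters the owner writes entries in (a constructed choice for this example).
ALPHABET = string.ascii_lowercase + string.digits
N = len(ALPHABET)  # 36 symbols, so a key of length L has 36**L possibilities


def _shift(text: str, key: str, direction: int) -> str:
    """Keyed rotation over ALPHABET: each character is moved forward
    (direction=+1) or back (direction=-1) by the position of the matching
    key character, with the key repeated as needed. A person can do this
    by hand with a 36x36 lookup table. Characters outside ALPHABET are
    copied unchanged so the scheme tolerates symbols like '-' or '!'."""
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must be non-empty and drawn from ALPHABET")
    out = []
    for i, ch in enumerate(text):
        if ch not in ALPHABET:
            out.append(ch)
            continue
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + direction * k) % N])
    return "".join(out)


def new_password(length: int = 16) -> str:
    """Generate a fresh random password over ALPHABET for one site,
    so that no two entries in the book share a password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def write_entry(password: str, key: str) -> str:
    """What goes on the page: the password transformed under the memorised key."""
    return _shift(password, key, +1)


def read_entry(written: str, key: str) -> str:
    """What the owner does at login time: reverse the transform with the key."""
    return _shift(written, key, -1)


def key_stream_from_known_password(written: str, password: str) -> str:
    """The caveat. Anyone holding the book AND one genuine password for an
    entry (from a breach, say) can subtract one from the other and read
    off the key stream position by position. Positions that fall on
    non-ALPHABET characters reveal nothing and are marked '?'."""
    stream = []
    for w, p in zip(written, password):
        if w in ALPHABET and p in ALPHABET:
            stream.append(ALPHABET[(ALPHABET.index(w) - ALPHABET.index(p)) % N])
        else:
            stream.append("?")
    return "".join(stream)


if __name__ == "__main__":
    key = "mykey"              # memorised, never written down (constructed)
    pw = "p4ssw0rd-2016"       # constructed sample password
    page = write_entry(pw, key)
    print("written in the book:", page)
    print("recovered with key :", read_entry(page, key))
    print("wrong key gives    :", read_entry(page, "other"))
    print("leaked key stream  :", key_stream_from_known_password(page, pw))
```

The last line of output is the point of the exercise: with one known password, the attacker reads the repeating key straight off the page, and every other entry in the book falls with it. Whatever transform a real pocketbook uses, the working assumption should be that an attacker who has the book will also eventually obtain one plaintext.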
“I was already incorporating certain secrecy methods in the way I was storing my own passwords and then had the idea of reverse engineering this into a simple platform that I could use myself but could also be made available.”
So with talk of secret keys and cryptic codes, I asked Meeuwisse if The Encrypted Pocketbook of Passwords is something that can be picked up and used by the average person.
“Absolutely. The problem with a lot of the password management services available is that the complexity of what they ask for is so sophisticated that unless passwords are written down somewhere they won’t be memorable.”
The Encrypted Pocketbook of Passwords works much like a standard logbook that allows you to record a lot of information in a very easy to read, simple format for the owner, he added.
Meeuwisse explained that hackers commonly look to target insecure passwords because it’s a technique that works, and the way to defend against it is by taking simple steps to protect your credentials.
“It’s the human factor that cyber-criminals rely on to get in. A lot of the attacks we see are not very clever, they’re actually very lazy, but they rely on the fact people have sloppy username and password management.”
Of course, continued Meeuwisse, there is always the risk that somebody might gain access to your book and attempt to decipher your secret codes. But weigh that against the risks of an online or digitised service, where an attacker never needs to touch anything physical: remotely hijacking a user’s legitimate access is enough, and they are in. On that comparison, he argues, the book is the safer option.
“Each time new security technology, such as biometrics, gets introduced, there seems to be a fast uptake of finding ways around those new technologies.”
“Don’t get me wrong,” Meeuwisse added, “I love technology, I’m a big fan of keeping things online where it’s possible, but I think there’s just too much information that you’re required to remember and quite frankly how can you trust certain devices at this point in time? How do you keep your passwords ready to hand but also safe from potential malware, because I consider my book safe from malware, but really that’s not the case for electronic devices that have any form of internet connection on them.”
So what has been the general reaction to the book so far?
“People love it, because it’s an issue that really affects everyone” he said. “How do you actually keep all of these different identities in a secure way; in a way that they’re not subject to a password re-use attack? I haven’t had any negative feedback from any security professional…so far!”
“Some people I know have even bought two, as they often want a backup copy! Also, this is something that can be used by different members of the family too.”
In The Encrypted Pocketbook of Passwords Meeuwisse really does seem to have come up with a clever, novel idea that makes sense. You should never write your passwords down in plain text for anybody who stumbles across them to read; but if one or more secret keys that only you know let you keep a practical, physical log of credentials that is unreadable in anyone else’s hands, in a medium that cannot be touched by threats such as malware, then this may be a genuinely practical answer to the password problem.
Infosecurity Magazine does not endorse products. The Encrypted Pocketbook of Passwords is available for purchase online.