Yes, it’s okay to write down your master password. I don’t know where the idea to not write down your passwords came from, but it needs to stop.
Just so we’re clear, I’m saying it’s okay to write down your master password to your password manager. I’m not saying it’s okay to keep all your passwords in a notebook. Let me explain why.
Why Write Down Your Master Password?
We’re forgetful; it’s a part of being human.
Even if you know 100% you won’t ever forget that password, it’s still smart to write it down.
Where you keep this paper is the real concern. I recommend keeping it in either a safe in your home or a safe deposit box at the bank. If you have someone you trust you could also give them a copy to keep in their safe or password manager.
To be extra secure, you can leave out what the password is for, or use a hint that helps you guess it.
I can’t tell you how many times I’ve come across people on the internet complaining about losing their master password. You can find them on forums and reviews for the products themselves. It’s by design that a password manager doesn’t allow you to reset your master password: if the provider could, so could someone breaking into their servers or your account.
Threat Model: Home
The reason it’s safe to write down your master password comes down to the threat model. It’s less likely that someone will break into your home and find the master password to your password manager.
What is more likely is you forgetting your master password.
Why Not Write Down All Passwords?
Yes, it’s true writing down all your passwords on paper and keeping that hidden in your home is more secure than a password manager.
But that does not mean it’s better.
People who write down passwords are more likely to reuse passwords. Password reuse is the worst thing you can do when it comes to passwords.
If you used the same password for your bank as you do for some random site, the password is only as strong as the weakest link. If that no-name site gets breached, so can your bank account.
Also, people are not good at coming up with random passwords. They’ll stick to kids’ or pets’ names. The problem is that many people have the same pet or kid names and use the same “?” or “123” appended to the password too.
Unless you’re willing to give every account a genuinely random password and manually write them down, pen and paper is not the best way to store passwords.
And for the few of you that use an algo or password system you created, please stop doing that; it’s not as clever as you think.
No one likes to talk about death, especially if you’re young. It’s not fun, but it is something to consider. You never know what can happen, and keeping a piece of paper hidden with the master password to your password manager can be super helpful in these situations.
Don’t just think about what happens if you pass, but also what happens if you fall into a coma or simply can’t use your tech.
A password manager can act as a digital will with all the keys to everything in your life. The mortgage, electric, and all other accounts can get paid on time. Your social media accounts can be shut down properly and not one day get breached to become a spam bot.
You don’t have to tell someone your master password, but you should show them how they can find it.
Personal Tidbit: It’s not the passwords to bills that are important but the passwords to the sentimental items, like where they kept family photos and letters they wrote. That one little password could keep you from hearing their voice one more time or seeing the pictures they took to relive that day. Trust me, if you have someone you love, write down that master password and keep track of all the passwords you use.
Some password managers, like Bitwarden, even offer emergency access. You set up beforehand who should get access to your account if something were to happen to you. The other person triggers access, and if you don’t respond to the repeated emails within the time you set, they get the account.
Here is a great article from the New York Times about how important it is to have a backup plan for your passwords.
You could even hide your master password in plain sight. I have a post here showing you how you could use a document or a URL as your master password.
Using a sentence or URL you made up is far more secure and easy to hide in plain sight. No one will be the wiser if they come across a list of URLs or a document you wrote.
What Do You Think?
I’m curious to hear what others think about writing down your master password and keeping it somewhere safe. Do you use some special method to “hide” the password? Or do you think I’m crazy for recommending to write down any passwords?
I would love to hear your thoughts on this debate!