Yes, it’s okay to write down your master password. I don’t know where the idea to not write down your passwords came from, but it needs to stop.
Not only is it okay, but it’s a good idea to have a password manager emergency sheet, as talked about here.
Why Write Down Your Master Password?
We’re forgetful, it’s a part of being human.
Even if you know 100% you won’t ever forget that password, it’s still smart to write it down.
Where you keep this paper is the real concern. I recommend keeping it in either a safe in your home or a safe deposit box at the bank. If you have someone you trust, you could also give them a copy to keep in their safe or password manager, or seal it in an envelope to keep them from peeking.
I can’t tell you how many times I’ve come across people on the internet complaining about losing their master password. You can find them on forums and reviews for the products themselves. It’s by design that a password manager doesn’t allow you to reset your master password, because if they could, so could someone breaking into their servers or your account.
Threat Model: Home
Writing down your master password is safe because of the threat model. It’s less likely someone will break into your home and find the master password to your password manager.
What is more likely is you forgetting your master password.
Why Not Write Down All Passwords?
Yes, it’s true, writing down all your passwords on paper and keeping that hidden in your home is more secure than a password manager.
But that does not mean it’s better.
People who write down passwords are more likely to reuse passwords. Password reuse is the worst thing you can do when it comes to passwords.
If you use the same password for your bank as you do for some random site, the password is only as strong as the weakest link. If that no-name site gets breached, so can your bank account.
Also, people are not good at coming up with random passwords. They’ll stick to kids’ or pets’ names. The problem is that many people have the same pet or kids’ names and append the same “?” or “123” to the password too.
Curious to see if any of your passwords have ever been in a breach before? Check out https://haveibeenpwned.com/Passwords. Wondering if you can trust that site? Check out my post here on it.
Unless you’re willing to give every account a genuinely random password and manually write them down, pen and paper is not the best way to store passwords. If you or someone you know insists on using a password book, then we have a guide here that can greatly help.
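How a breach lookup can work without handing over the password itself, as an added example (not code from this post or from Have I Been Pwned): it assumes the Pwned Passwords range lookup, where only the first five hex characters of the password's SHA-1 hash are sent and the match is done locally. The response body and counts below are constructed, and `constructed_fetch` is a hypothetical offline stand-in for the network request.

```python
import hashlib

def split_hash(password):
    """Return (prefix, suffix): the 5 hex chars that are sent, and the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; skip malformed lines instead of failing."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text. Only the prefix is ever passed to it."""
    prefix, suffix = split_hash(password)
    # A suffix that is absent, or present with count 0, means "not seen in a breach".
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def constructed_fetch(prefix):
    """Offline stand-in for the range request (assumption: a real client would GET
    https://api.pwnedpasswords.com/range/<prefix>). Body and counts are made up."""
    known_prefix, known_suffix = split_hash("password")
    # Two filler entries (one with a zero count) and one malformed line.
    lines = ["0" * 35 + ":3", "F" * 35 + ":0", "not a valid line"]
    if prefix == known_prefix:
        lines.insert(1, known_suffix + ":1234")
    return "\r\n".join(lines)

if __name__ == "__main__":
    # The stand-in only "knows" one breached entry, so anything else reports 0.
    for candidate in ("password", "kV9#tq2!Lw7zPd4x"):
        print(split_hash(candidate)[0], breach_count(candidate, constructed_fetch))
```

Passing the fetcher in as a parameter makes it easy to confirm that only the five-character prefix ever reaches the network layer.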
And for the few of you that use an algo or password system you created, please stop doing that, it’s not as clever as you think.
No one likes to talk about death especially if you’re young. It’s not fun, but it is something to consider. You never know what can happen and keeping a piece of paper hidden with the master password to your password manager can be super helpful in these situations.
Don’t just think about what happens if you pass, but also what happens if you end up in a coma or simply can’t use your tech.
A password manager can act as a digital will with all the keys to everything in your life. The mortgage, electric, and all other accounts can get paid on time. Your social media accounts can be shut down properly and not one day get breached to become a spam bot.
You don’t have to tell someone your master password, but you should show them how they can find it.
Personal TidBit: It’s not the passwords to bills that are important but the passwords to the sentimental items like where they kept family photos and letters they wrote. That one little password could keep you from hearing their voice one more time or seeing the pictures they took to relive that day. Trust me, if you have someone you love, write down that master password and keep track of all the passwords you use.
Some password managers like Bitwarden even offer emergency access. You set up beforehand who should get access to your account if something were to happen to you. The other person triggers access, and if you don’t respond to the repeated emails within the time you set, they get the account.
Here is a great article from the New York Times about how important it is to have a backup plan for your passwords.
You could even hide your master password in plain sight. I have a post here showing you how you could use a document or a URL as your master password.
Using a sentence or URL you made up is far more secure and easy to hide in plain sight. No one will be the wiser if they come across a list of URLs or a document you wrote.
What Do You Think?
I’m curious to hear what others think about writing down your master password and keeping it somewhere safe. Do you use some special method to “hide” the password? Or do you think I’m crazy for recommending to write down any passwords?
I would love to hear your thoughts on this debate!
6 thoughts on “It’s Okay To Write Down Your Master Password”
I’ve just come across your site and I’d hoped it would give me the confidence to formalise my ‘personal opinion’ and advice to my clients – that being – “Write down all your passwords”. Alas you fall short of my hopes and much of it stems from one phrase you use: –
“People who write down passwords are more likely to reuse passwords.”
This is simply not true. It’s nonsensical to suggest it is. The fact is people who DO NOT write down passwords are more likely to reuse the same one(s). People who write down their passwords have the freedom to create a different password for each instance.
By way of explanation, I am an IT Trainer in a community learning centre typically dealing with the retired and over 50s. Probably the most common issue I’m confronted with is the user who seeks help because they’ve forgotten their password.
I agree with what you’re saying, I even address it in the same section.
The problem is that most people don’t create a unique password for every account. They stick with reusing the same password or making slight changes to it. People are bad at being random but password managers are not and this is what this whole post is about. I’m saying it’s okay to use a password manager and to also write down your master password to that password manager.
I’m not against someone creating unique passwords for every account and writing them down but I also know people are naturally lazy and often revert to reusing the same or similar passwords. I cover more reasons why a password book is not as good as a password manager here… https://passwordbits.com/password-manager-vs-password-book/
Your personal situation, dealing with the retired or anyone who is not the best with computers, is a unique one. I’ve been dealing with the same and trying to figure out the best solution. Yes, writing down the passwords is a good option, but the problem is the user making that password. I plan an article sometime in the future when I find a good enough solution for this type of user. It would be best to get this user to use a password manager, and many of them do and love it, but there are still a few that won’t.
The ideal scenario is they’re using a password manager and only write down two passwords – the password manager master password and password to the email it’s linked to (as well as the email itself). This would likely reduce the amount of password re-use that occurs, and allow for strong passwords to be generated. I think what you suggested would be the second best option, assuming they’re generating a strong and unique password each time. Password managers are mostly a matter of convenience, so if your residents don’t have much else to do and don’t mind the time taken out of their day then sure, go ahead and write on paper. The second best scenario I mentioned is likely not going to be do-able for most of the population.
What do you think about making use of Signal’s ‘note to yourself’ feature to type your master passphrase as a reminder? Signal is respected for its privacy and we are assuming that you’re a regular person without someone malicious personally targeting you and hacking into your internet or device.
I would prefer to physically write down my master password and keep it somewhere safe. While Signal is great, you are opening yourself up to new attack vectors in the future. It’s hard to hack paper.
If you trust Bob and Alice, let Bob store your master password in his own password manager. Tell him to only give out the password to Alice. Write down instructions for Alice on a piece of paper, in case of urgency. Let her know that she must physically visit Bob to obtain your master password. In this way, both Alice and Bob can be held accountable in case of misuse of your trust and will. To complicate things further, you could leave a secret note to your old pal Tom, to ensure that the transition of password from Bob to Alice goes as planned. There are many ways to complicate things, but it’s important to think about it and to have a plan A, a plan B and perhaps even a plan C. Whatever makes most sense to you.