The Contrarian View
For years, security practitioners have advised against writing down passwords and have pushed password managers as the secure alternative. Recent events complicate that advice. The 2022 LastPass breaches, in which attackers exfiltrated backups of customers' encrypted vaults, and incidents at other password managers have shown that a centralized vault service is a high-value target precisely because it holds everyone's passwords in one place.
The Case for Writing Down Passwords
Important: I only suggest writing down a few personal passwords—not work passwords—and storing them securely in a trusted, private location, like with your tax or legal documents. Remember, though, if your computer has a keylogger or you fall for a phishing scam, how you stored your password won’t matter—you’ll be handing it over anyway.
Consider the attack surface:
- Password manager: Reachable by anyone on the internet, around the clock (LastPass 2022 breach, Norton LifeLock 2023 credential-stuffing attack, Bitwarden 2023 autofill vulnerability)
- Written password: Reachable only by someone who physically enters your home and finds the storage location. Ask yourself when your last break-in or robbery was. If those happen more often than password-vault breaches, online storage or memorization is the better choice for you.
- Memorized password: Vulnerable to social engineering and to your memory, which may be less reliable than you think; the passwords people can actually remember also tend to be shorter and reused across sites.
A Balanced Approach
The reality is that most people need both approaches:
| Account Type | Recommended Storage | Reason |
|---|---|---|
| Banking | Offline (memorized or written) | Highest security need, limited number of accounts |
| Primary Email | Offline (memorized or written) | Used for account recovery, critical security |
| Password Manager | Offline (memorized or written) | Master password should never be stored online |
| Regular Websites | Password Manager | Convenience for low-risk accounts |
Secure Physical Storage Tips
- Use a dedicated notebook, not loose papers
- Store in a locked drawer or safe
- Consider splitting a critical password into parts stored in separate places, so that no single location holds the whole secret (note that a plain half-and-half split still hands an intruder half the password; a secret-sharing split reveals nothing until enough parts are combined)
- Keep a backup in a different secure location
- Don't label the notebook as "Passwords"
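As an added example that is not part of the original post, the following Python script implements the split-into-parts tip with a k-of-n Shamir secret-sharing scheme instead of a simple half-and-half split: any `threshold` of the `shares` parts reconstruct the password, fewer parts reveal nothing about it, and the spare parts double as the backup copy kept in a second location. The function names, the choice of the Mersenne prime 2^521-1 as the field, and the `x-<hex>` paper format are my own assumptions for this illustration.

```python
"""Added example: k-of-n Shamir secret sharing for one short password.

Not code from the original post. The function names, the field prime and
the share text format are assumptions made for this illustration.
"""
import secrets

# Arithmetic is done modulo a Mersenne prime, which caps the secret at
# 65 bytes: one sentinel byte plus up to 64 bytes of password.
PRIME = 2**521 - 1
MAX_PASSWORD_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_password(password, threshold, shares):
    """Split password into `shares` parts; any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long for a single secret")
    # A leading 0x01 byte keeps the length exact when decoding back from int.
    secret = int.from_bytes(b"\x01" + data, "big")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_password(shares):
    """Lagrange-interpolate the polynomial at x=0 from (x, y) share pairs."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    # With too few or tampered shares the result is a random field element,
    # which almost never carries the sentinel byte.
    if not raw.startswith(b"\x01"):
        raise ValueError("too few shares, or a share is wrong")
    return raw[1:].decode("utf-8")


def share_to_text(share):
    """Render a share as 'x-<hex>' so it can be written on paper."""
    x, y = share
    return f"{x}-{y:x}"


def text_to_share(text):
    """Parse the paper form back into an (x, y) pair."""
    x_str, y_str = text.split("-")
    return int(x_str), int(y_str, 16)


if __name__ == "__main__":
    # Constructed sample input; 2 of 3 parts are enough to recover it.
    parts = split_password("correct horse battery staple", threshold=2, shares=3)
    for p in parts:
        print(share_to_text(p))
    print(recover_password([parts[0], parts[2]]))
```

Write one share per notebook page and keep the pages in different locations; a thief who finds one page learns nothing, and losing one page still leaves enough to recover the password.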
The LastPass Lesson
The LastPass breaches of 2022 exposed customers' encrypted vaults together with unencrypted metadata such as the URLs of stored sites. The incident highlighted a crucial reality: password managers, while convenient, concentrate risk. Once the vault backups are in an attacker's hands, the master password is all that protects every entry, and the attacker can guess at it offline, limited only by their hardware and the master password's strength. When a vault service fails, it fails catastrophically, potentially exposing every stored password.