
Thread: How unsafe is it to store passwords in plain text files?

  1. #1
    Join Date
    Mar 2006
    Beans
    2,423

    How unsafe is it to store passwords in plain text files?

    Note: I am talking about for a regular Joe desktop user, not a sysadmin or something else. A friend of mine says he keeps all his major passwords in a single plain text file locally on his computer.

    I personally feel like that isn't a good idea, because if a hacker gains access to his computer and finds the file then he knows all of his passwords. Then again, if the user doesn't do anything odd on the internet, and just does some mild browsing, word processing, and email, how risky is this? Suppose this person has a typical home setup; something like a modem --> WiFi router (built-in firewall) with WPA2 password --> OS firewall and if Windows then proper antivirus software installed, etc.

    Alternatively, what would you suggest for average users who need to keep up with many passwords? Just have them all hand written? Only store them on removable media and disconnect them immediately after using them? Use a single password service like LastPass? Just let the web browser save all your passwords for you?

    EDIT: Didn't know about this, looks really cool: https://en.wikipedia.org/wiki/FIDO_Alliance Hope it gets implemented sooner than later.
    Last edited by user1397; April 10th, 2016 at 12:47 PM.

  2. #2
    Join Date
    Jun 2010
    Location
    London, England
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: How unsafe is it to store passwords in plain text files?

    Here is an illustration.

    The security services enter my house and take away my computer. They are looking for subversive documents. But I fooled them. I do not keep subversive documents on the computer. No. I keep them in a briefcase. Oh, they took the briefcase away as well. I am not so smart. Then again I am not that stupid either. I keep any subversive thoughts in my head.

    With passwords it is different. People can gain access to computers without entering the house if the computer is connected to the internet. With passwords stored in a notebook (paper kind of notebook) they will need access to the house and to know what they are looking for.

    But the game changes yet again if I keep the notebook in the laptop case with the laptop. Likewise, keep credit cards in a wallet and keep a list of PIN numbers in the wallet for convenience, then when the wallet is stolen the thieves have everything they need.

    Having passwords in a text file is not much different from having the passwords written on a sticky note stuck to the screen. And that has been done by some supposedly intelligent people.

    Regards
    It is a machine. It is more stupid than we are. It will not stop us from doing stupid things.
    Ubuntu user #33,200. Linux user #530,530


  3. #3
    Join Date
    Nov 2011
    Beans
    2,336
    Distro
    Ubuntu

    Re: How unsafe is it to store passwords in plain text files?

    Quote: Originally posted by ubuntuman001
    ...what would you suggest for average users who need to keep up with many passwords?
    Many people seem to like password managers, which create, then encrypt and store, long and complex passwords. I've seen some that automatically insert passwords when needed, and others that rely on a user copying and pasting. The downside: It's a single point of failure.

    I'd argue the three most important things anyone can do re: passwords are:

    1. Use long and complex passwords. This will not protect you from stolen unencrypted or decrypted passwords, but the longer the password the longer it takes for a brute force attack to come up with it, hopefully long enough to fend off the attack.

    2. Use a unique password for any site, etc., where something you value is at risk. E.g., your bank, Amazon, etc.

    3. Use two-factor authentication when it is available.

    I tend to use the same password at sites like this -- forums, mailing lists, etc. -- because the worst that could happen is someone might post under my username. For the "at risk" sites I use mnemonics and a memorized algorithm of sorts to generate and remember unique passwords for each that are quite long.

    Storing clear text passwords on a device is, for most people, going to be more risky than keeping them, instead, on a piece of paper. If your device is compromised, you will not know those passwords have been stolen until someone uses them and you happen to notice the damage. On the other hand, most of us are likely to store that piece of paper somewhere where we'd notice its loss more quickly.

  4. #4
    Join Date
    Jan 2010
    Location
    Hyperborea
    Beans
    2,045
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: How unsafe is it to store passwords in plain text files?

    A long time ago I used to keep all my passwords in a file called README. My logic was that no one actually ever reads the READMEs.
    Now I keep important ones in my head, they are all quite long and have a mixture of characters.

    Your friend would be better off if he kept them in a book* on his shelf. As mentioned above, you would know if you had been burgled but you won't know that you have been hacked.

    *something so boring that nobody would look at it, charity shops have lots of them.

  5. #5
    Join Date
    Feb 2008
    Location
    Land of fire and drought
    Beans
    Hidden!
    Distro
    Xubuntu

    Re: How unsafe is it to store passwords in plain text files?

    I keep my passwords in a plain text document on a backup drive which is only switched on and connected for backups. I print this out, stick it in a secret spot and add to it by hand, then update the digital version once in a while.

    Don't think I'd be keeping that file on the hard drive on my regular day to day laptop or desktop.

  6. #6
    Join Date
    Jul 2008
    Beans
    2,732

    Re: How unsafe is it to store passwords in plain text files?

    I have been using KeePass2 (encrypt and store) for a few years now. Keeping a USB stick updated as there are just too many computers in my hands.

  7. #7
    Join Date
    Oct 2012
    Beans
    148

    Re: How unsafe is it to store passwords in plain text files?

    If you're going to keep them in a plain text file, you might as well encrypt the file. That's basically all that the password managers do anyway, but with a more friendly user interface.

  8. #8
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    3,068
    Distro
    Ubuntu Development Release

    Re: How unsafe is it to store passwords in plain text files?

    Quote: Originally posted by montag dp
    If you're going to keep them in a plain text file, you might as well encrypt the file. That's basically all that the password managers do anyway, but with a more friendly user interface.
    That seems like a reasonable tack to take. Encrypted readme.odt document. For sites where $$$ or legal damage could occur due to being compromised, you could have a small separate *buntu install that's ONLY used for those activities. That way any nasties picked up from social or fluff sites shouldn't find anything lucrative or damaging on a daily use partition. Presumably sites with sensitive contents are more security conscious than the likes of Facebook, Twitter or sites that host cat videos.

  9. #9
    Join Date
    Apr 2009
    Beans
    1,343
    Distro
    Xubuntu

    Re: How unsafe is it to store passwords in plain text files?

    Plain text file works for me. Then, encrypt it with GPG symmetrical. I also keep a second copy of the data in KeepassX. Use 26 mixed character passwords I memorized to access them.

    External backups.

    Won't stop everything, but I need to keep it simple.
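
The approach from posts #7 and #9 (a plain text list encrypted with symmetric GnuPG), sketched as an added example that is not part of any post in this thread. The function names and the `GPG_EXTRA` variable are assumptions made for the example; it expects GnuPG 2.x.

```shell
#!/bin/sh
# Added example: keep a password list only as a passphrase-encrypted file.
# encrypt_notes, read_notes and GPG_EXTRA are hypothetical names chosen here.
# GPG_EXTRA is left empty for interactive use (gpg then prompts for the
# passphrase); scripts can put extra gpg options in it, split on spaces.

# encrypt_notes FILE: write FILE.gpg, verify it, then delete FILE.
encrypt_notes() (
    src=$1
    umask 077          # new ciphertext file is readable by its owner only
    # shellcheck disable=SC2086  # GPG_EXTRA is meant to be word-split
    gpg $GPG_EXTRA --symmetric --cipher-algo AES256 \
        --output "$src.gpg" "$src" || exit 1
    # Delete the plaintext only after the ciphertext is proven to decrypt
    # back to exactly the same bytes. A mistyped passphrase is caught here,
    # while the original still exists.
    # shellcheck disable=SC2086
    gpg $GPG_EXTRA --quiet --decrypt "$src.gpg" | cmp -s - "$src" || exit 1
    # rm unlinks the file; it does not overwrite the old disk blocks, so a
    # list that has already lived on disk in the clear is best treated as
    # exposed and its passwords rotated over time.
    rm -f "$src"
)

# read_notes FILE.gpg: decrypt to standard output only, so no plaintext
# copy is written back to disk. Pipe it into a pager or grep.
read_notes() {
    # shellcheck disable=SC2086
    gpg $GPG_EXTRA --quiet --decrypt "$1"
}

# Typical interactive use (paths are placeholders):
#   encrypt_notes "$HOME/passwords.txt"
#   read_notes "$HOME/passwords.txt.gpg" | less
```

The encrypted file can then be copied to external backups as described above; its protection rests entirely on the strength of the passphrase.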

  10. #10
    Join Date
    Apr 2012
    Location
    Oz
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: How unsafe is it to store passwords in plain text files?

    Plain text files? Depends how paranoid you choose to be (I'm one of the tin hat brigade). I use LastPass to help out, but primarily I use:
    IMG_0965.JPG
