
I keep mine in a file in a drawer. My threat model doesn't cover people breaking in and finding them as well as knowing my password manager's master password.



Unless your threat model includes someone breaking into your locked filing cabinet and stealing the post-it note with your master password on it. There are some passwords that I don't write down anywhere.

I have a piece of paper with my passwords sealed in an envelope stored in a safe place. A few trusted individuals know where that is.

This is much more reliable and durable than having 1Password still be around when I need it.


A notebook and pencil in your desk drawer solves this problem reasonably well if you're patient. In some ways that is more secure than having all the passwords stored where an attacker can grab them from the comfort of their living room.

I keep a secure note in my password manager.

I keep mine in a txt file on an IronKey. Something like a secure note in Lastpass would probably work too.

You can keep a physical password book. For someone to get it, they need to physically steal it. If you keep it at home in a fairly safe location, it seems fine to me.

If someone breaks into my home, they’ve got it. But that’s not a threat model that scales, so it’s not a major concern to me.


I keep my private keys stored in my password manager.

What kind of threat scenarios are you looking at?

> If you are not storing them in a secure manner, then using 2FA is not really an additional layer of security.

Even if you simply have them written on a post-it note glued to your monitor, people would have to physically break into your home to access them, which to me sounds like a very big additional layer of security for most people (as in: it won't happen unless you're a target for something big). Back them up to an off-site (physical or digital) location in case of a fire/flood/&c.

> However, even using your password manager would not make much sense, as if someone gains access to it, 2FA will not protect you from anything.

If that's how you see it then nothing is "safe". Memorising them? Storing them in a physical bank safe?

I wouldn't sweat it unless you're a person of interest in which case you'd probably already be in contact with security professionals.


You do realise that storing them (be it Google, LastPass, or any other hopefully trusty manager) is safer than carrying them around on you, right?

My approach is that anyone breaking into my home could do far more damage, and I'd have far more to worry about, than taking my passwords -- ultimately, nothing I have electronically is valuable/secret enough that someone is going to specifically target me and break into my house to try and gain access. Having a paper copy of my master password isn't much of a liability in that threat model (and probably makes me more secure day-to-day - I can use a longer, more complex master password without the fear that I will forget it and lose access to everything).

Most password managers have an emergency kit, where you can print your master password and other info, and put it somewhere like a safe, bank vault, etc.

I would put it somewhere more secure than wallet/purse, unless you are forgetting your master password daily. I put mine in a place similar to a hidden folder in a filing cabinet. I haven't forgotten my master password yet, but I know that it's there if I need it.

I literally print them, and store them in a safe place.

One of the few actual hard-copy things I have. Don't write down any other passwords. One of them is to my password manager, so storing it in the password manager doesn't really make sense.


I use a small paper notebook to store my passwords. That I can trust.

Personally, I don't believe in leaving something like a password database exposed. That's akin to leaving a safe in the street. While someone might not be able to get in right away, why make it easier?

For you, I would just keep a copy elsewhere (friend's computer etc.) or just get an additional device (mobile or otherwise).


Most threats are online indeed, so it makes the most sense to store your passwords offline. However, doing so in a notebook labeled "password minder" is the offline equivalent of a honeypot.

But if you buy a cheap pulp novel, small enough to carry around, and write your passwords in the margins, that would take you a long way.


I do a few things with this type of mindset.

I copy my 1Password keychain onto a USB drive; space is cheap, so a 16 GB USB drive contains backups going back like 6 months. This drive also includes other bits of data, like tax returns.

There are now two of these drives. Once every two weeks, or after significant changes are made, I rotate them in and out of a safe deposit box.

At home I have the other in a fire safe.

One of my notes in my keychain is also instructions on what to do in case of my inevitable demise :) What credit cards I have, what services I use, all of that type of information.

The master password is stored in a safe location that only immediate family know about. Along with the location, they know how to handle my affairs if something were to happen to me.

It's a great backup system, but it also helps with taking care of things when I'm gone, as 1Password stores data about whatever you want and keeps it secure.

Hope that helps with some more ideas for how to use your password manager to make your life easier.

Kyle Swank

AgileBits


Another way to look at this is to ask yourself what your threat model is. For example, if your primary concern is losing your laptop while traveling, then writing down your pass phrase and keeping it with other important paperwork (tax returns, property deeds, birth certificate etc.) in a home safe or a bank safety deposit box seems totally reasonable. If you have concerns about protecting your data from law enforcement, then the pass phrase needs to be stored out of the reach of a warrant - a trickier proposition.

Or use a password manager, keep everything there and print out the "emergency kit" that 1Password and probably others have.
