Password books


Blackthorne

I've seen a lot of posts on places like LinkedIn lately espousing the use of password books, stored securely in a safe/secret location and only accessed when necessary.

Personally, I can see the efficacy in it, but I'm not sure I could ever support it in a professional setting.

What do we all think? Is there a valid use case?

If a password book is needed in a professional setting, the root cause is the identity / authentication / authorization strategy. 

I can't think of any widescale legit reason to use a password book in a professional setting. 

The closest scenario I've run across is the CEO giving some of his passwords to his assistant, who kept them in a book in her desk. Passwords like his LinkedIn, Twitter, etc. (things not tied to enterprise directory services). Our solution was to set up the enterprise password vault to allow the CEO and his assistant to manage the passwords on a platform where we have monitoring and access control.

  • Like 3

The biggest thing I saw related to passwords (aside from users just straight sharing passwords with each other) was credential stuffing with info from public breaches.  What that means is that having different credentials for each service is absolutely vital.  The problem is, most humans have finite memories and remembering 80 bajillion different sets of creds just isn't going to happen.  So, you need to store them somewhere other than in your brain.  Password managers are the obvious solution, but not everyone likes them (my parents, for example).

That's where a notebook comes in.  They're cheap and inherently easy to understand and use; the learning curve is flat.  For most people, having a set of creds looted from a data breach (which they can do nothing about) and then stuffed into every form on the web is more likely than someone physically stealing that notebook and then logging into those services.  Those risks can be further reduced by using hints in the notebook rather than explicit information or using uncommon skills that the person has (e.g. writing in shorthand) so that even if the notebook is physically stolen, the thief doesn't have information they can easily use.

For certain threat models, a legitimate argument could even be made that dead tree and graphite/ink are a better option than software-based password managers.  The level of social engineering/hacking required to get access to someone's password manager account from halfway around the world is going to be significantly lower than what it would take to get them to mail you their notebook.

So, bottom line:
Is it a perfect solution?  No.
Is it better than reusing creds?  Definitive YES!
Is it "good enough"?  Probably.  Depends on threat model, what they're doing to protect the notebook, and if they're taking any additional mitigative measures.

  • Like 3

Depends on the circumstances.

It's well better than nothing, and if your organization doesn't have anything more ergonomic - yeah, that's a tragedy, but sometimes shit's just -like- that, so I'd rather see that than the usual iteration-based or whatever strategies folks tend to rely on.

I don't mind 'em for home users - the threat surface is different, and it's easier to get someone to maintain a safe-enough password book than to walk them through installing a password manager on all their devices, only to have them change everything to 'hunter2' in a huff when they upgrade their phone and something glitches out and you're not immediately there to help.

Different threat surfaces, y'know?

  • Like 2

I worked in an environment for a while where having a password book in a locked drawer was part of the "disaster recovery" strategy for the org. This was a pretty small and very underfunded environment, so it made sense given the situation. In most cases this isn't ideal, though I think it depends on the specific situation; to echo what @munin said, the threat surface matters.

  • Like 1

That's more or less my preferred method for "break glass" creds, regardless of size or funding. Dedicated accounts that should never be touched with painfully long, random passwords, on paper, in a notary-sealed envelope, in a safe.

If you've gotten to the point you need those creds, something has gone horribly, horribly wrong and your password management system is among those affected.

In the meantime, they work as canaries.  If anything changes with them, or they do anything, you've got a different sort of problem to the ones they were intended to help with.

  • Like 3

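The canary point in the post above is only useful if something is actually watching the sealed-envelope accounts. The following is an added example (not code from anyone in this thread) of what that watch can look like: a small Python checker that parses a constructed, simplified key=value auth log, treats a set of hypothetical break-glass account names as canaries, and raises an alert on any event that touches them. A failed logon attempt against a canary is rated high (someone is poking at an account nobody should know about); a successful logon or any change to the account is rated critical, because either an incident has been declared or the account has been compromised. The log format, host names and account names are all assumptions for the sake of the example.

```python
"""Canary alerting for break-glass accounts (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical names for the sealed-envelope accounts (assumption for the example).
BREAK_GLASS_ACCOUNTS: FrozenSet[str] = frozenset({"bg-domain-admin", "bg-vault-recovery"})

# Constructed sample log in a simplified key=value syslog style; not real data.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z auth host=dc01 user=alice event=logon result=success src=10.0.4.21
2024-05-01T02:15:33Z auth host=dc01 user=bg-domain-admin event=logon result=failure src=203.0.113.9
2024-05-01T02:15:41Z auth host=dc01 user=bg-domain-admin event=logon result=success src=203.0.113.9
2024-05-01T03:02:10Z auth host=dc01 user=bob event=password_change result=success src=10.0.4.30
2024-05-01T03:07:55Z auth host=dc01 user=bg-vault-recovery event=password_change result=success src=10.0.4.30
2024-05-01T03:30:00Z kernel: unrelated message that does not match the auth format
2024-05-01T04:00:00Z auth host=dc01 user=alice event=logoff result=success src=10.0.4.21
"""

# One regex for the assumed line format; anything else is skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    user: str
    event: str
    result: str
    src: str


@dataclass(frozen=True)
class Alert:
    severity: str  # "high" or "critical"
    reason: str
    event: AuthEvent


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(**m.groupdict())


def parse_log(text: str) -> List[AuthEvent]:
    """Parse a whole log, silently dropping lines in other formats."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def classify(ev: AuthEvent, canaries: FrozenSet[str] = BREAK_GLASS_ACCOUNTS) -> Optional[Alert]:
    """Any activity on a canary account is an alert; nothing else is."""
    if ev.user not in canaries:
        return None
    if ev.result != "success":
        # A failed attempt means someone is trying an account nobody should know about.
        return Alert("high", f"failed {ev.event} against break-glass account {ev.user} from {ev.src}", ev)
    if ev.event in ("logon", "logoff"):
        # Successful use: either a declared incident or a compromise; page someone either way.
        return Alert("critical", f"break-glass account {ev.user} used from {ev.src}", ev)
    # Password changes, group changes, etc.: the account itself has been altered.
    return Alert("critical", f"break-glass account {ev.user} modified ({ev.event}) from {ev.src}", ev)


def canary_alerts(text: str, canaries: FrozenSet[str] = BREAK_GLASS_ACCOUNTS) -> List[Alert]:
    """Run the classifier over a log and return the alerts in log order."""
    return [a for a in (classify(ev, canaries) for ev in parse_log(text)) if a is not None]


if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_LOG):
        print(f"[{alert.severity.upper()}] {alert.event.ts} {alert.reason}")
```

Run against the sample above, the checker ignores the ordinary user activity and the unrelated kernel line and produces three alerts: the failed and then successful logons as bg-domain-admin from an outside address, and the password change on bg-vault-recovery. In a real deployment the point is that the rule has no exceptions: a break-glass account that is in use is an incident by definition, so the alert should go to a person, not into a dashboard.
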
People are creatures of habit and many find it easier to reach for a notebook than to use a password manager. From personal experience, I can say that for many people it is a tolerable compromise if they are not allowed to have their passwords in plain text, but they are allowed to have corresponding mnemonic devices at hand. For example, the password in the office can consist of the first letters of a file/book + a year and special characters. Or pseudo-documents (from invoices to business cards) that contain hidden passwords are also suitable. Of course, this approach is not perfect, but it is much more secure than Post-It notes. 

I don't think I mind the notebooks, in a "better than nothing" kind of way, since (and someone please PM me if they know who said this) "if an attacker has physical access to your device it is not your device anymore." And I'd def prefer that folks use a notebook if the alternative is re-using passwords, though I'm by no means exempt from that sin.

  • Like 1