This is a follow up to the GMail Recovery thread which probably needs a thread of its own!

I am a Mentor at our local Computer Club and find password management the biggest challenge amongst our club members (mostly retired with an average age 70!)

Most members come in with their passwords on pieces of paper! Many use the same password for all site logons! (Oops!)

We have tried suggesting Password Manager software, but in most cases, it is a “bridge too far” for most of members! To avoid the “password on bits of paper” scenario we have offered password books as a last resort! A label on the front set to “Cricket Scores 1967 – 1968” usually keeps prying eyes out! In the majority of cases this password book never leaves the home! (except to come to the Computer Club). Frequently a glimpse of their browser password settings amazes them!

Some members are now (reluctantly) ditching their landline and doing what the young are doing, and relying on their mobile phone, (in most cases needed for Two Factor Authorisation). After a while they say that this is the way to go and question why have they not done it before? There are some excellent cheap deals out there which our members have signed up for - unless you are big data user most deals can be done for less than £10 per month. Mine costs me £4.50 per month for 5GB data, 1000 UK minutes, 1000 UK texts and 100 International minutes! We are also noticing a move to using WhatsApp for free telephone calls!

As well as using Have I been Pwned to check if your email address has been found in a data breach, you can use Pwned Passwords that lets you verify if your password has also been exposed in known data breaches! We also suggest members check out How Secure Is My Password?

Scammers are doing their best in attempts to get at our savings, so signing up for the Which? Scam Alerts Service should be high on your To Do list for today, and its free!

Stay safe online Folks!

Full disclosure: I use Roboform Password Manager (paid version) and use it on three devices! There is a learning curve with all Password Managers but it is well worth the efforts! Good luck!

Assuming the passwords themselves are reasonably high quality, not reused across multiple sites, and 2FA used when available, a physical password book is not a bad idea at all. It's effectively an air-gapped password manager, no way to remotely hack or access it, and security is as good as the physical security of wherever it is stored. For most non-technical users, keeping a physical item secure is more intuitive than keeping a digital file.

When we use password manager software, we rely on the security of that software. I've seen users that keep an Excel sheet of passwords on their desktop. Obviously if the PC is in any way compromised, the Excel file could simply be downloaded by the attacker, and then the passwords are all compromised. Passwords on paper can be a better choice than using insecure password manager software, especially one that is hosted in the cloud, where it is also vulnerable to attack.

My suggestion, for users who can manage it, is to use a password manager which supports 2FA. Preferably an offline one that is not dependent on a third party cloud provider.

I use 2FA Authenticator on my iPhone. Roboform is able to link to this app and when entering a login and password for a site on my PC with 2FA it will automatically generate the 2FA code for the site! Really excellent!

I'm not familiar with it, but I'm sure it's fine.

Take care to ensure your password manager is not also in your phone. Otherwise you've effectively turned 2FA into 1FA because now everything an attacker needs to impersonate you is in the same physical device. A useful thought experiment is, if you left your phone in a pub, completely unlocked by accident, and the worst person possible happens to pick it up - what is the worst they could do and how long would it take for you to stop them?

Amazon sells notebooks designed for writing down passwords and web-site info with A-Z index tabs for sites. Could be useful for executor when a senior passes.

- what is the worst they could do -

Hopefully not much as I keep banking etc. apps in a Secure Folder (Samsung Galaxy mobi) which has it's own biometric challenge and auto-locks when I close it. The apps in the Secure Folder also have a biometric challenge on opening.

Of course, services such as a Amazon, Google and Microsoft want to move away from passwords for day-to-day access and instead use Passkeys based on public/private keys which have to be held electronically. Options are in a password manager, the TPM chip on a device or in a hardware enclave such as a Yubikey.

The problem with a book of course is that it is easy for elders to mislay it, not so much in terms of it getting into the wrong hands but just not being able to find it.