The safe way to 'write down' your passwords

Use MS Word's document-protection features to apply a password to your encrypted password file, or hide your passwords in plain sight, but to defeat clipboard loggers you need to add extraneous characters you'll delete after pasting.


Following my post earlier this month on "Ten simple, common-sense security tips," reader John B. asked whether it was safe to store his passwords in a Word DOC file and then copy and paste them into sign-in screens to thwart keystroke loggers. John just has to remember to type in one password: the one he uses to encrypt and password-protect his Word password document.

Of course, John's passwords are vulnerable to clipboard loggers that capture the contents of the clipboard just as key loggers grab your keystrokes. That's why John has to add extra characters to his passwords that he will delete after pasting. (Note that some sites don't let you paste text into the password field.)

In Word 2010, open the file and click File > Info > Protect Document > Encrypt with Password.

Microsoft Word 2010 Protect Document options
Apply a password to a document in Word 2010 by choosing the Encrypt with Password option under Protect Document. Screenshot by Dennis O'Reilly/CNET

Type the password and press Enter, then confirm the password and press Enter again. To limit the type of changes others can make to the document, choose the Restrict Editing option under Protect Document to open the Restrict Formatting and Editing window. You can require Track Changes or limit changes to comments. Other options let you restrict editing to specific people or groups, limit formatting styles, and make the document read-only.

The options are different in Word for Mac 2011: open the document, click Word > Preferences > Security. Enter a password in the "Password to open" and/or "Password to modify" boxes. Other options let you make the document read-only, remove personal information from the file when you save it, and warn that comments and tracked changes are in the document (the option to warn before opening a file that contains macros is selected by default).

Microsoft Word for Mac 2011 security options
Word for Mac 2011 lets you require a password to open and/or modify the file, make the file read-only, and remove personal information on save. Screenshot by Dennis O'Reilly/CNET

The options shown when you click the Protect Document button are Tracked Changes, Comments, Forms, and Read-only, in addition to the password-entry box.

Microsoft Word for Mac 2011 Protect Document settings
Four ways to protect documents in Word for Mac 2011 are Tracked Changes, Comments, Forms, and Read-only. Screenshot by Dennis O'Reilly/CNET

An imperfect workaround for Windows' missing-password option
You can encrypt a file in Windows by right-clicking it and choosing Send to > Compressed (zipped) Folder. Unfortunately, Windows doesn't let you password-protect a file or folder. Here's one clever way to get around that problem.

First, open an innocuously named file, such as "grocery list.txt" or "definitely not my passwords.rtf." Change the text color to match the background color (probably the default, white). Enter your passwords (along with the extra characters to defeat clipboard readers) invisibly at the end of existing lines that have enough room for them, or scroll to the bottom of the document and enter the passwords there. You may also need to disable the spelling and grammar checker in the document to prevent squiggly lines from appearing under the passwords.

If someone selects the text in the line or the entire document, they'll see that there's something there, and if they change the text color the passwords will become visible. Also, the file's contents may be indexed, which could expose the passwords. You can exclude the file from Windows' automatic indexing by right-clicking it, choosing Properties, clicking Advanced under the General tab, and unchecking the option to allow the file's contents to be indexed.

A would-be password thief would need to know which file to look in and then know to look for white-on-white text. Storing your passwords in this manner is not as safe as never recording them, nor is it as safe as using a separate utility that lets you apply a password to a file (come on, Microsoft!), but for lots of folks, it's safe enough.

The How-To Geek explains how to use the Alternate Data Streams feature built into Windows' NTFS to create a secret text file associated with a visible one. Add innocuous text to the visible version of the file and store your passwords or other sensitive data in the hidden file.

Unfortunately, the "hidden" text file can still be detected using a simple command-line utility. It appears there are as many ways to find hidden data as there are to hide it in the first place.
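To see how easily such a stream is found, here is one way to audit a folder for alternate data streams with PowerShell 3.0 or later. This is an added example, not code from the original article or from How-To Geek; the `$Root` default and the `$KnownBenign` list are assumptions to adjust for your own machine.

```powershell
# Added example: list every named NTFS alternate data stream under a folder.
# $Root is an assumed starting path; pass -Root to audit a different folder.
param(
    [string]$Root = "$env:USERPROFILE\Documents"
)

# Streams Windows creates itself (e.g. the download marker). They are still
# reported, but flagged so they do not bury unexpected findings.
$KnownBenign = @('Zone.Identifier')

$findings = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns the default stream (:$DATA) plus any named streams.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Known  = $KnownBenign -contains $_.Stream
                }
            }
    }

if ($findings) {
    # Unknown streams sort first because $false orders before $true.
    $findings | Sort-Object Known, File | Format-Table -AutoSize
} else {
    Write-Output "No named alternate data streams found under $Root"
}

# To inspect one reported stream:
#   Get-Content -LiteralPath <File> -Stream <Stream>
```

Any file on an NTFS volume that carries a "hidden" text stream shows up here with its stream name and size, which is why this trick only obscures the data and does not protect it.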

For the record, I strongly suggest that you never write down your passwords -- on paper or in electronic form. Still, there's more than one way to stay safe, so go with whatever password methodology works for you.
