TL;DR
Don’t store passwords in plain text! Use a password manager like KeePass or Bitwarden (with local storage enabled). If you absolutely must roll your own, use strong encryption (like Argon2) and salting. Avoid simple methods like basic file encryption.
1. Why Not Just Write Them Down?
Writing passwords down is risky. Anyone with access to the paper can see them. Storing them digitally in plain text files or spreadsheets is even worse – easily accessible, vulnerable to malware, and a huge security risk.
2. Password Managers: The Best Option
Password managers are designed specifically for secure password storage. They encrypt your passwords and provide features like auto-filling and strong password generation.
- KeePass (Free & Open Source): Stores passwords in an encrypted database file (.kdbx). You need to remember a master password.
- Bitwarden (Free/Paid): Offers both cloud storage and the option to store your data locally. More user-friendly than KeePass for some.
Both are excellent choices. Bitwarden’s local storage is enabled in settings.
3. Rolling Your Own: Advanced (Use with Caution!)
If you need to store passwords locally and can’t use a password manager, here’s how to do it securely – but be warned, this requires technical expertise. Incorrect implementation can leave your passwords vulnerable.
3.1 Encryption
Use a strong encryption algorithm like Argon2id. Avoid older algorithms like DES or MD5 which are easily cracked.
# Example using Python and the cryptography library (requires installation: pip install cryptography)
from cryptography.fernet import Fernet
def encrypt_password(password):
key = Fernet.generate_key()
f = Fernet(key)
encrypted_password = f.encrypt(password.encode())
return key, encrypted_password
def decrypt_password(key, encrypted_password):
f = Fernet(key)
decrypted_password = f.decrypt(encrypted_password).decode()
return decrypted_password
Important: This is a simplified example using Fernet for demonstration. Argon2id is much more secure and recommended for production use.
3.2 Salting
Salting adds randomness to each password before encryption, making it harder for attackers to crack them even if they get access to the database. Never reuse salts!
import os
import hashlib
def generate_salt():
return os.urandom(16).hex()
def hash_password_with_salt(password, salt):
salted_password = password + salt
hashed_password = hashlib.sha256(salted_password.encode()).hexdigest()
return hashed_password
3.3 Storage Format
Store passwords as key-value pairs, where the key is a unique identifier and the value contains both the salt and encrypted password (separated by a delimiter).
Example: website1:salt_value|encrypted_password_value
3.4 File Security
Protect the file containing your passwords with appropriate operating system permissions. Limit access to only yourself.
4. Things to Avoid
- Basic File Encryption: Tools like 7-Zip or WinRAR encryption are not designed for password security and can be vulnerable.
- Storing Passwords in Plain Text: Never, ever store passwords without encryption.
- Reusing Salts: Each password must have a unique salt.
- Simple Encryption Algorithms: Avoid outdated or weak algorithms like DES, MD5, or SHA1.