Keeping passwords safe with the Bullet Secure method

I’m going to show you a page of my Bullet Journal with a collection of my passwords listed on it. I hope that I can trust you not to disseminate the sensitive information I’ve written down.

After tackling the problem of recording future events, I realised that there was another key part of my Bullet Journal setup that people often assumed was a tool that needed to be digital. This part was the recording of passwords.

We all know that strong, long and complicated passwords are a key factor in securing our online lives. We also know that it is really bad practice to use the same password over and over.

Keeping a written note of passwords is something that’s frowned upon in many circles. What if my list is stolen? How do I secure it? How do I encrypt plain, handwritten text?

What I’d like to share is my method that has evolved over time. I call it The Bullet Secure method.

Here’s how it works:

Start a new page in your Bullet Journal called Passwords / Logins or something that works for you.

Think of a long, memorable phrase, that you can easily recall. It could be your favourite quote, a song title, a nursery rhyme, anything that will stick in your memory.

i.e. Humpty Dumpty sat on a wall, Humpty Dumpty had a great fall

Now write down the first letter of each word in the phrase. This will make up the bulk of your password.

giving us: hdsoawhdhagf

If you are using a service that requires you to regularly update your password for security, then add a number to the end of your phrase.

final password: hdsoawhdhagf01

Now to safely record this password in your Bullet Journal write down the first one or two letters of your passphrase, together with dashes for the rest and finish with writing the end number.

my journal entry is now: hd----------01

When you need to update your password, simply increase the end number by one and record the new number in the journal.

You now have a strong, difficult to guess, easily updated password recorded in the notebook that you have with you all the time. It doesn’t matter if someone else views your page, as only by knowing the exact phrase can they guess your password.

This method has worked for me for a long time now and has not let me down. As I’ve become more used to using the Bullet Secure method, I’ve learnt a few extra tips which make passwords even more secure.

If you’re really comfortable with the passphrase, you don’t need to record the exact number of letters as dashes. You can just use a line. For example one of my passphrases is now simply U______67.

If your phrase incorporates “I” or names, you can capitalise these letters to again make the end password even more secure.

Humpty Dumpty sat on a wall becomes: HDsoaw

If your phrase incorporates words such as “for”, “ate”, “one”, “to” or similar that sound like numbers, you can record these as the number digit for even more security.

i.e. I like eggs for breakfast could generate Ile4b
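The procedure above carried through in code, as an added example that is not part of the original post. The rule that a word capitalised in the phrase keeps its capital (covering “I” and names), and the number-word mapping beyond the four words the post lists, are my assumptions:

```python
import re

# Number-sounding words written as digits. The post names "for", "ate",
# "one" and "to"; the other entries are an assumed extension of that list.
NUMBER_WORDS = {"for": "4", "four": "4", "ate": "8", "eight": "8",
                "one": "1", "won": "1", "to": "2", "too": "2", "two": "2"}


def derive_password(phrase, suffix="", capitalise=False, digits=False):
    """Build the password from a memorable phrase: first letter of each
    word, optional capitals for "I"/names, optional digit substitution,
    then the rotation number the post appends for sites that force changes."""
    parts = []
    for word in re.findall(r"[A-Za-z']+", phrase):
        lowered = word.lower()
        if digits and lowered in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[lowered])
        elif capitalise and word[0].isupper():
            # Assumption: a capital in the phrase marks "I" or a name.
            parts.append(word[0])
        else:
            parts.append(lowered[0])
    return "".join(parts) + suffix


def journal_hint(password, suffix="", visible=2, exact_length=True):
    """Produce the entry the post says to write down: the first one or two
    letters, dashes for the rest (or a single line once the phrase is
    familiar), then the rotation number written in full."""
    body = password[:len(password) - len(suffix)] if suffix else password
    shown = body[:visible]
    hidden = "-" * (len(body) - visible) if exact_length else "_"
    return shown + hidden + suffix


def next_rotation(entry):
    """Bump the trailing number on a journal entry when a site forces a
    password change, keeping its width (01 -> 02); start at 01 if absent."""
    match = re.search(r"(\d+)$", entry)
    if not match:
        return entry + "01"
    number = match.group(1)
    return entry[:match.start()] + str(int(number) + 1).zfill(len(number))
```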

Finally, if you are worried about losing your Bullet Journal and your passwords, simply take a photograph or scan of the page and store this digitally.

You don’t need to sacrifice security for recording data in an analogue format. Using this method, your Bullet Journal can hold all of your most important passwords, and relieve you of yet another thing to worry about.

9 Comments

  1. This is an awesome idea! I do something similar, without the lines or dashes (I just record the capitals and numbers that I need to remember). I’ve avoided putting this in my bullet journal for the reasons you mentioned, but for sanity’s sake, I may have to take your advice. Thank you!

  2. Alastair, are you suggesting a catchphrase for each website? That would be so many catchphrases! I have, though, in a few cases used a similar coding phrase, and added at the beginning or end a word describing the subject or site, such as HDsoawHDhaghealth for anything to do with health–medical websites, doctor offices, health insurance, etc–and then adding numbers or symbols to those for each site, as in doctors 01, 02, and 03. I do have three or four different phrases I use, also, to evoke different topics. For instance, for entertainment websites I might add “bored” or “timewasters”, or in other cases I might put “work” or “art” or “$” and then number those by site. I very much appreciate your tip for keeping the catchphrase secret, too. Thanks.

    1. Hi Teresa,
      I tend to use a new catchphrase for the important sites i.e. those that I give financial details to or order from. For general sites that I only use for info or chat, I might reuse the same phrase but change some numbers.
      I like your method you’ve explained here though, really interesting.
      The key to me is to be able to generate and then recall any number of complicated passwords as and when required, in a way that someone reading my journal could not work out, which I find this method fulfils.
      Thanks for the insightful comment.

  3. Dear Alastair. Speaking as a Linux Admin who needs to keep things secure for people.. I can tell you right now: this is not secure in any meaningful way. (Besides the fact that you basically are still remembering your passwords, you are just writing down a hint to it)

    Especially the bit about simply adding a number at the end when you need to change passwords. Oh my gosh that is utterly useless in the eyes of a brute force attack.

    “Ile4b”…. That’s not very strong at all….

    Correct passwords are: “NG{T;gk&WmIeM^*;4Q#O-JMnk” and “Lr#)2;Pb2}n[wz~If*>@]e8cF”

    And since one cannot remember such things, one needs a password program.

    The only other option that makes sense, is to combine the name of the website with a chosen word like I could use “sheep” and “alastairjohnston” which would create: “sahleaesptairjohnston” and create variations based on that principle.

    You would only write down the word you used, or even something better like “$”:%#” you can write down those things and hope no-one figures it out.

    1. Hi Mark, thanks for the comment.

      In your work I can absolutely see that this method would not be best for you. If you needed to manage hundreds of passwords, then an online system would be more appropriate.

      But for my needs, and those of many other individuals, this system is simpler and perfectly effective.

      With regards to adding a number at the end of a password when it changes often, I would only use this method on a site that does not hold anything important for me, but requires a password and requires it to change.
      For example if you did crack my short password for say http://www.picturesoffluffykittens.com I wouldn’t be overly upset. And more importantly I wouldn’t have used it anywhere else.

      “Ile4b” may not be a very strong password, but “ydywdywdygsoytvsagadslbis” is.

      I would record this as “ydy_is” in my bullet journal and be able to remember the whole phrase easily with what I’ve recorded. But I would challenge anyone, reading my bujo, to guess what that passphrase is from this entry.

      One does not necessarily need a password program.

      1. Effective: yes, secure: no. Even when you do not care about the kitten websites, others will. They can use it to steal your identity, send spam in your name.

        There is no excuse for using sub-par passwords, this is your life you are talking about.

        “ydywdywdyjlsdkfljakj” etc. is not a good password, it really does need capitals, special characters, etc. It’s not about me guessing, it’s about how fast a computer can go through all the options.

        Please understand that the world needs better passwords, not easier ways to remember them. Password managers will help in the remembering department, and in the future, hopefully, we will not need passwords anymore 😉 We will use our phones and two factor auth or something.

        1. Mark,

          If anyone wants to send Cute Kitten spam in my name, well the best of luck to them 🙂

          Whilst I agree that we shouldn’t use sub-par passwords, I disagree that the ones I use and keep a reminder of in my Bullet Journal, using the method I wrote about, are sub-par.

          Yes, a computer crunching data in a deliberate attempt to crack any password will eventually get there, but for most of the time, my method is acceptable and secure enough for my needs.

          Password managers themselves can be a security risk. As seen in security breaches to sites like LastPass where the master passwords, emails etc. were compromised. To quote Ars Technica:

          “Even when those passwords are robustly protected, as they appear to have been by LastPass, many experts say the cloud remains an unsuitable storage environment given the vulnerability of Internet-facing servers.”

          Using a third party password manager, in the cloud does not guarantee security either, so I guess we both prefer systems that are not 100% perfect.

          Even two-factor authentication could be compromised if you’d stolen the phone and had physical possession of it.

          I’m offering a tool that you and I can choose to use or not. If it’s not for you, fine. For me, in my real world use, I’m happy with it and for now will continue to use it.
