Fantastic Passwords and Where to Store Them
Our lives have grown very digital; you can do almost anything online these days, from the now ubiquitous shopping to casting a vote for parliament, depending on where you live[1]. With the convenience of an online presence comes the nuisance of having to create logins and passwords everywhere, and they can become quite numerous[2]! Every security specialist will tell you to pick a different, hard-to-guess password for each website[3], but this doesn't scale, and you'll likely not remember them all. Sure, you can use a password manager, as I do with Bitwarden[4], or trust that password alternatives like Google Passkeys are here to stay, but that's not what I want to talk about here. I want to discuss one-time passwords (OTPs).
When using a popular service like Gmail or GitHub, you have probably been prompted every now and then with a reminder of your security settings: whether you have two-factor authentication (2FA) enabled, your recovery phone number and e-mail, trusted contacts, and so on. Some of those services also give you the option to download a list of passwords that can each be used only once, and the idea is simple: store these somewhere safe, so that if you forget your password or lose your 2FA device, you are not locked out of your account. I downloaded a bunch of those, but then I wondered:
Where would be safe enough for me to store those keys?
Bear with me as I overthink this subject and explore many different options:
- Store them in my wallet: I used to keep a hand-written card in my wallet, my reasoning being: "the wallet is with me at all times, so I'll always know where the passwords are, and since they are with me, they are safe". Of course this argument doesn't hold up for even a full minute, since the first thing that comes to mind for many people is that I could be robbed and have both my wallet and my phone taken, and there go my logins.
- Keep them at home on a handwritten note: This sounds fine at first, and it is already better than the wallet, in that if you're robbed on the street you still have something to fall back on, but at the same time the notes are there for any curious visitor to peruse.
- Keep them at home, stored on your computer: This offers some more security than the handwritten note, since the computer would be password-protected, but then what if the computer breaks?
- Hand your passwords to a trusted partner or friend: Very dangerous, not because the person might betray you[5], but because they will need to pick a way to store them, and how can you be sure it is a good way, and that they are overthinking it as much as you are?
- A combination of the above: You add redundancy against losing the passwords, but at the same time they become easier to snatch.
Here’s how my mind felt after thinking about this for a few minutes:
AHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
I still have no definitive answer and am simply trusting that, whichever option I pick, it will not have to be used anytime soon, if ever. Am I overthinking this? Surely, but so much of our data and so many important assets are protected by finicky passwords these days that it all just feels so fragile. If you've solved this riddle, let me know; in the meantime I'll put my head in a bucket of ice to cool down.
[1] If you live in Estonia, you have been able to vote for parliament over the internet since the early 2000s.
[2] As of this writing, I had over 250 passwords stored in my Bitwarden vault.
[3] Of course xkcd has a great comic about this.
[4] And I think Bitwarden is great value for $10 a year.
[5] Maybe I should be considering the difficulty people would have deciphering my handwriting, which is a security measure on its own.