Following my post earlier this month on "Ten simple, common-sense security tips," reader John B. asked whether it was safe to store his passwords in a Word DOC file and then copy and paste them into sign-in screens to thwart keystroke loggers. John just has to remember to type in one password: the one he uses to encrypt and password-protect his Word password document.
Of course, John's passwords are vulnerable to clipboard loggers that capture the contents of the clipboard just as key loggers grab your keystrokes. That's why John has to add extra characters to his passwords that he will delete after pasting. (Note that some sites don't let you paste text into the password field.)
In Word 2010, open the file and click File > Info > Protect Document > Encrypt with Password.
Type the password and press Enter, then confirm the password and press Enter again. To limit the type of changes others can make to the document, choose the Restrict Editing option under Protect Document to open the Restrict Formatting and Editing window. You can require Track Changes or limit changes to comments. Other options let you restrict editing to specific people or groups, limit formatting styles, and make the document read-only.
The options are different in Word for Mac 2011: open the document, click Word > Preferences > Security. Enter a password in the "Password to open" and/or "Password to modify" boxes. Other options let you make the document read-only, remove personal information from the file when you save it, and warn that comments and tracked changes are in the document (the option to warn before opening a file that contains macros is selected by default).
The options shown when you click the Protect Document button are Tracked Changes, Comments, Forms, and Read-only, in addition to the password-entry box.
An imperfect workaround for Windows' missing-password option
You can encrypt a file in Windows by right-clicking it and choosing Send to > Compressed (zipped) Folder. Unfortunately, Windows doesn't let you password-protect a file or folder. Here's one clever way to get around that problem.
First, open an innocuously named file, such as "grocery list.txt" or "definitely not my passwords.rtf." Change the text color to match the background color (probably the default, white). Enter your passwords (along with the extra characters to defeat clipboard readers) invisibly at the end of existing lines that have enough room for them, or scroll to the bottom of the document and enter the passwords there. You may also need to disable the spelling and grammar checker in the document to prevent squiggly lines from appearing under the passwords.
If someone selects the text in the line or the entire document, they'll see that there's something there, and if they change the text color the passwords will become visible. Also, the file's contents may be indexed, which could expose the passwords. You can exclude the file from Windows' automatic indexing by right-clicking it, choosing Properties, clicking Advanced under the General tab, and unchecking the option to allow the file's contents to be indexed.
A would-be password thief would need to know which file to look in and then know to look for white-on-white text. Storing your passwords in this manner is not as safe as never recording them, nor is it as safe as using a separate utility that lets you apply a password to a file (come on, Microsoft!), but for lots of folks, it's safe enough.
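To show how little protection white-on-white text gives, here is an added example (not part of the original article) that audits an RTF file for text whose color matches the page background. It assumes a white background and handles only basic color-table and `\cf` markup; the function names and the sample document are constructed for illustration.

```python
import re

# Constructed sample: a minimal RTF "grocery list" with one run set to white (\cf2).
SAMPLE_RTF = (
    r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}"
    r"{\colortbl;\red0\green0\blue0;\red255\green255\blue255;}"
    r"\f0\cf1 milk, eggs, bread\par "
    r"{\cf2 bank: xxCorrectHorsexx}\par "
    r"\cf1 coffee\par}"
)

# Tokens: control word (+ optional number), control symbol, brace, or plain text.
TOKEN = re.compile(r"\\([a-z]+)(-?\d+)? ?|\\(.)|([{}])|([^\\{}]+)", re.S)
DESTINATIONS = {"fonttbl", "colortbl", "stylesheet", "info"}  # groups holding no body text

def color_table(rtf):
    """Return one (r, g, b) tuple per color-table index, or None for 'auto'."""
    m = re.search(r"\{\\colortbl([^}]*)\}", rtf)
    table = []
    for entry in (m.group(1).split(";")[:-1] if m else []):
        d = {k: int(v) for k, v in re.findall(r"\\(red|green|blue)(\d+)", entry)}
        table.append((d["red"], d["green"], d["blue"]) if len(d) == 3 else None)
    return table

def white_text(rtf, background=(255, 255, 255)):
    """List text runs whose foreground color equals the assumed background."""
    hidden = {i for i, c in enumerate(color_table(rtf)) if c == background}
    stack, cf, skip, runs = [], 0, 0, []
    for word, num, sym, brace, text in TOKEN.findall(rtf):
        if brace == "{":
            stack.append(cf)              # formatting is scoped to the group
            skip += 1 if skip else 0
        elif brace == "}":
            cf = stack.pop() if stack else 0
            skip -= 1 if skip else 0
        elif word in DESTINATIONS or sym == "*":
            skip = skip or 1              # ignore font/color tables and the like
        elif word == "cf":
            cf = int(num or 0)            # current foreground color index
        elif text.strip() and not skip and cf in hidden:
            runs.append(text.strip())
    return runs

if __name__ == "__main__":
    for run in white_text(SAMPLE_RTF):
        print("text matching background color:", run)
```

The same check takes a few seconds by hand with Select All, which is why this trick only hides passwords from a casual glance.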
The How-To Geek explains how to use the Alternate Data Streams feature built into Windows' NTFS to create a secret text file associated with a visible one. Add innocuous text to the visible version of the file and store your passwords or other sensitive data in the hidden file.
Unfortunately, the "hidden" text file can still be detected using a simple command-line utility. It appears there are as many ways to find hidden data as there are to hide it in the first place.
For the record, I strongly suggest that you never write down your passwords -- on paper or in electronic form. Still, there's more than one way to stay safe, so go with whatever password methodology works for you.