Security

Write Down Your Passwords 633

Posted by Zonk
from the social-hacking-paradise dept.
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
  • by fembots (753724) on Tuesday May 24, 2005 @04:57PM (#12628013) Homepage
    Seriously though, instead of writing down the password, why not use what's already written on the hardware?

    For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

    See? it's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.

    The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only you need to remember a strange password, you have to remember a different one every couple of days.

    There's a joke about the increasing frequency that a user is required to change his password nowadays, eventually crackers just need to keep on trying the same password and the system will change to match it.
    • The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only you need to remember a strange password, you have to remember a different one every couple of days

      Yeah, plus having to buy all that new hardware gets expensive!
    • by Scruffeh (867141) on Tuesday May 24, 2005 @05:11PM (#12628230)
      I think the bigger point here is that most people don't care about passwords. They see them as necessary but annoying which is why they use easy to remember things. It's also silly to say writing down passwords is bad or good. People are always going to use different systems which may or may not work well for someone else. I rotate my passwords and do not write them down, another person may just find this annoying. It's all subjective IMHO
    • by Em Ellel (523581) on Tuesday May 24, 2005 @05:24PM (#12628386)
      For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

      I can just see the following request to helpdesk:

      Please reset my password as someone borrowed my Sellotape dispenser and I can no longer log in.

      -Em
    • by Em Ellel (523581) on Tuesday May 24, 2005 @05:49PM (#12628654)
      On a more practical note, back in the day when I backpacked through Europe I wanted to have a backup of important data to take with me, in case I lose my passport/bank cards/etc. However being a paranoid freak I did not want to write the numbers down on paper in plain-text, as I would be doubly exposed - I could lose my wallet or I can lose my notebook.

      So to resolve this issue I wrote the information using a simple rot-n algorithm with random keys. I wrote down all numbers (including rot-n keys, which looked just like the rest of the data) in my notebook and knew that if I had to use them, it would take me a little time but I could work it out, and if I were to lose the notebook, I could be pretty sure that no one would bother trying to make sense of a bunch of numbers written on the back cover - most likely it will be just tossed.

      Obscurity combined with physical security makes things severely more difficult for a casual snooper. In the end it is a game of making the cost of figuring it out to be more than the desire to do so. Writing down key data, such as passwords, with a little obfuscation goes a long way.

      -Em
    • I use a similar technique, using a dollar bill. Take the serial number of a dollar bill and choose an offset between 1 and 4. Type in each character of the serial number, pressing the shift key for every character that is a multiple of the offset (every third character for example). This way, you have the password "written down," but it is stored in an inconspicuous manner that will not be recognized or compromised if you lose your wallet. Obviously, don't lose/spend that bill :)
  • by team99parody (880782) on Tuesday May 24, 2005 @04:58PM (#12628021) Homepage
    Now we know what's replacing Microsoft Passport [google.com] in Longhorn - pen&paper!
    • Maybe it's the new trend.

      Maybe pen&paper AD&D will be cool again!
    • And of course, they(M$) will introduce the following security initiative when pen and paper security protocols show evidence of security lapses. White-Out.
  • by alanw (1822) * <alan@wylie.me.uk> on Tuesday May 24, 2005 @04:58PM (#12628023) Homepage
    From Bruce Schneier's Crypto-Gram, May 15 2001 [schneier.com], and then updated in a news.com article, December 9, 2004 [com.com].

    You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

    • by team99parody (880782) on Tuesday May 24, 2005 @05:00PM (#12628046) Homepage
      Seems better to keep the long-hard passwords stored in an encrypted file protected by one good password that you remember.
      • by loqi (754476)
        KDE's wallet manager handles this rather nicely.
      • Anything that requires me to have access to a specific type of hardware (PDA) or a specific operating system isn't going to be a lot of help if you're on the road without your gear or your gear gets stolen and you need access now.

        Just do something trivial like rot-5 the 5th character of each password if you're concerned about somebody getting access. That would discourage most people from trying.
      • by Ann Elk (668880)

        PasswordSafe [sourceforge.net] is basically a GUI wrapped around an encrypted file such as you describe. Unfortunately, it's Win32 only, but there are a few [dyndns.org] portable [semanticgap.com] solutions [www.fpx.de] available.

      • by Cutriss (262920)
        All these people are mentioning Password Manager, but I use Keyring for PalmOS [sourceforge.net] (formerly "GNU Keyring"). This way, I can bring the .PDB database with me in my handheld if I would like to take my passwords on the go, and running the app on a client machine isn't hard since there are a variety of Palm emulators out there for a variety of platforms.

        So, you have an app that, by virtue of being on a portable emulated platform, is OS-portable as well.
      • by ymgve (457563)
        Nobody has yet mentioned the strongest reason why this is dangerous: Keyloggers. A malicious hacker captures your master password as you enter it, and suddenly every password you have is compromised.

      • One password to rule them all
        One password to find them
        One password to bring them all
        And in the darkness bind them.
      • PasswordSafe (Score:3, Informative)

        by ronys (166557)
        Actually, Bruce Schneier wrote exactly such an application, and put it on SourceForge a while ago, where it is now currently maintained:
        PasswordSafe [sourceforge.net]

        Note: I'm the project's current admin.

    • The "guard them as you would your cash" idea sounds good and is good to a certain extent, however, when someone has stolen your cash, you can generally tell it's gone. A password can be stolen without anything being missing.
  • by yagu (721525) <[moc.liamg] [ta] [ugayay]> on Tuesday May 24, 2005 @04:58PM (#12628025) Journal
    "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

    That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

    • The solution is to encrypt your password list. Say, have a string that is added to the end of every password on the list. So, say your list is:

      1. $tret43f
      2. GFH#$V
      3. DSgb45

      then your passwords would be $tret43fHELLO, GFH#$VHELLO, and DSgb45HELLO. You get 3 secure passwords but only have to remember one.
    • Nonsense (Score:3, Interesting)

      There are plenty of ways to do this. For instance, you can keep the passwords on (picked at random) page 57 of a red notebook that stays locked in your drawer when you're not around, and is only out of the drawer when it's in use. You can leave clues to yourself what they mean.

      For instance:

      mama: no dates

      The actual password, not written down, is "n0datez!" The machine this is for is the largest system you work on (big mama).

      If using random strings, try to make it look like serial numbers; again the pl
    • I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

      A piece of paper kept in the wallet is better for security than the same 7 letter password getting reused.

      We can talk about how things should be in an "ideal" world or we can deal with how things are in this one.

      In an ideal world, passwords wouldn't be necessary because everyone would be honest.

      LK
  • But really, I don't have a problem with this. Why not use one of those password vault type programs which allow users to have a master password to access their other passwords?

    My password vault happens to be Firefox, though.
  • with my bank name and account number next to it..
  • Ok. (Score:5, Funny)

    by cmburns69 (169686) on Tuesday May 24, 2005 @04:58PM (#12628030) Homepage Journal
    Ok, here they are:

    Slashdot password: 12345
    Personal site password: 12345
    Bank account password: 12345

    Now my password is even more secure! Yay!
  • M$SWDYPW

    Maybe they have something here.
    Now nobody else use it or and promise to forget it after to read this post. Thanks.

  • One Word: (Score:5, Funny)

    by DrunkenTerror (561616) on Tuesday May 24, 2005 @05:00PM (#12628054) Homepage Journal
    Tattoos.
  • Riddle Me This (Score:2, Insightful)

    by the0ther (720331)
    We use physical keys to start our cars and to unlock our homes. Why don't we handle this stuff by using a similar strategy? Say a USB dongle that you need to start your computer? I've seen a few implementations of this theme, and I even believe MS threatened to do just this. Is this because the regular (l)users out there want their computer to work like their toaster does?
  • When you've got a brute-force computer that can guess every possible password you can type in (or will type in), there's not much point to having them, is there?

    I have one password for all my low-level stuff (web logins, email, etc.) and one for my banking.

    I have never changed them.
    • by loqi (754476) on Tuesday May 24, 2005 @05:17PM (#12628306)
      Let's see... assuming lower- and upper-case letters and numbers are the only allowed components of a password, even a machine capable of one trillion password checks per second would take about 22,337,120,292,586,187,942 years to run through all the possible twenty-character passwords.

      So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.
  • Really? (Score:3, Interesting)

    by aftk2 (556992) on Tuesday May 24, 2005 @05:01PM (#12628064) Homepage Journal
    What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?

    Maybe it's because people really just don't think they're that important. It'll probably take serious problems to change people's minds (like a theft of identity, or fraudulent charges, etc...)

    And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems? God...those have probably done more to propagate the phenomenon of writing passwords down than anything else.
    • Re:Really? (Score:3, Insightful)

      by vidarlo (134906)
      What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?

      Because ONE security breach would compromise all services? Yes, that sounds right. Also a single malicious administrator could empty your bank accounts, take your ID, book a few flights and so?

      Do you trust the admins of slashdot enough? There has b

    • Re:Really? (Score:4, Interesting)

      by Nugget (7382) <nugget@distributed.net> on Tuesday May 24, 2005 @05:08PM (#12628196) Homepage
      If you use the same password everywhere then CmdrTaco can log in to your bank account.

      Login credentials are often stored unencrypted on the server side, leaving your password open for compromise by any legitimate admin of that site or anyone who manages to hack into it.

      Do you want to trust your single password that you use to all sites to the least secure of all the crappy web boards you've got an account on?
    • Re:Really? (Score:3, Interesting)

      by GlacierDragon (820368)

      And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems?

      Amen!

      I have to try to remember a *lot* of different passwords for work. If they unified the logins on these tools, it would help tremendously. You can try to have the passwords sync up, but the reset time frames on them are all offset. I had to change my Corporate password 2 weeks ago, my windows password one week ago, and my network password on Friday. As a result, I've t

  • Bruce Schneier also advocates this method on his website. I don't remember where the article is exactly (read it a little while ago) but he said basically to write them down and keep them where you keep your cash - and protect them as vigilantly. I don't think that was quite complete, myself; if I have $5 cash, I'm not going to try to prevent people from seeing it the way I'd be sure to guard a sheet of passwords from an errant camera.

    My suggestion? Pretend that the passwords are a $500 bill and you're in
  • Makes perfect sense (Score:3, Interesting)

    by Audent (35893) <audent AT ilovebiscuits DOT com> on Tuesday May 24, 2005 @05:01PM (#12628072) Homepage
    If someone's hacking in from outside you want as good a password as possible... That's my fear, not someone sitting at my desk and logging on as me.

    Peter Gutmann said the same thing: you fear the hacker, not the guy stealing your PC.

    http://computerworld.co.nz/news.nsf/nl/3F25D67E47980786CC256E6C007EE7D2 [computerworld.co.nz]
  • Writing down passwords and storing them in a secure location isn't the issue, it is portability. Most passwords these days need to go with you wherever you are, at home, the office, on travel. If your password is too complicated to remember, then it would have to be stored somewhere on your person. That's the security risk.
  • they think that it's hard to remember an alphanumeric password with upper/lower case, but the reality of the situation is that if you write it down, you'll use it for a few weeks but after a while just by rote repetition it's in there and no longer an issue. When I get a new job, I create some weird ass password hide a sticky note for a few days around with the hint, and then when I've got it straight, to the shredder it goes...

  • by kjfitz (256432) on Tuesday May 24, 2005 @05:03PM (#12628098) Homepage
    I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."

    What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.

    Common sense...

    BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.
    • by WasteOfAmmo (526018) on Tuesday May 24, 2005 @05:25PM (#12628408) Journal
      BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

      I have no idea why more people have not posted similar ideas. For years I have written down many of the numerous passwords that I have. But I also "encrypt" my passwords as I write them down. The "encryption" method can be as simple as the parent suggests or using rot1 or rot25, adding/subtracting X from each number in the password, or including "known to you" bogus letters ("I hereby state that I shall never use the letters E and R in my real passwords") and use these to seed your passwords.

      There are many simple ways to "write your passwords down" without actually putting them on the paper. Use anagrams and pass phrases. Write the answers down where the passwords are the questions or the reverse.

      Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.

      Merlin.

      • by tsotha (720379)
        Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.

        Agreed. Sure, some crypto whiz will cut through that clutter in a day or two, but that's probably not the guy who'll lift your wallet at a ball game.

        One thing I wish security systems had was some kind of "tripwire" password, i.e. the account is locked if anyone ever tries it.
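
A sketch of the "tripwire" password wished for in the comment above, as an added example that is not part of the original thread: a decoy password is enrolled beside the real one, and any attempt to use it locks the account and records an alert. The names `enroll`, `login` and `Account`, the PBKDF2 work factor and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor, chosen for this example only


def kdf(password: str, salt: bytes) -> bytes:
    """Derive a salted, slow hash so the stored record never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    user: str
    salt: bytes
    real_hash: bytes
    tripwire_hash: bytes      # hash of the decoy that is written down as bait
    locked: bool = False
    alerts: list = field(default_factory=list)


def enroll(user: str, real_password: str, tripwire_password: str) -> Account:
    """Create an account with one real password and one decoy password."""
    if real_password == tripwire_password:
        raise ValueError("tripwire must differ from the real password")
    salt = os.urandom(16)
    return Account(user, salt, kdf(real_password, salt), kdf(tripwire_password, salt))


def login(account: Account, attempt: str, source: str = "unknown") -> bool:
    """Return True only for the real password on an account that is not locked.

    The decoy and an ordinary wrong password both return False, so the caller
    cannot tell from the response that the tripwire fired.
    """
    candidate = kdf(attempt, account.salt)
    # Both comparisons always run, in constant time, whatever the attempt is.
    is_real = hmac.compare_digest(candidate, account.real_hash)
    is_trip = hmac.compare_digest(candidate, account.tripwire_hash)
    if is_trip:
        account.locked = True
        account.alerts.append(
            f"tripwire password used for {account.user} from {source}"
        )
    return is_real and not account.locked


if __name__ == "__main__":
    # Constructed sample values: the decoy is what goes on the list in the
    # wallet, the real password is never written down as-is.
    acct = enroll("alice", "real-Pass-57", "wallet-decoy-1531")
    print(login(acct, "real-Pass-57"))                  # True
    print(login(acct, "wallet-decoy-1531", "10.0.0.5")) # False, account now locked
    print(login(acct, "real-Pass-57"))                  # False until an admin unlocks
    print(acct.alerts)
```

Unlocking after a tripwire event should go through an out-of-band check with the account owner, since the alert means the written list has been read by someone else.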

  • by IANAAC (692242) on Tuesday May 24, 2005 @05:03PM (#12628100)
    I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little java applet around that does the same thing. If not, there's a great opportunity there, I would think.
    • Web Confidential [web-confidential.com] on my Treo600 works great. It also has a desktop counterpart. (Don't forget your daily backups). That way you can have a strong and different password for everything if you like. You only need to memorize one strong password for opening the Web Confidential file and all your passwords are always with you. Easy, easy, easy.
    • by kwalker (1383) on Tuesday May 24, 2005 @05:34PM (#12628499) Journal
      I just got one for my cell phone called MobileSafe. It was $6 from Handango [handango.com] and downloaded directly to my phone. That way I always have my account numbers, CC numbers, login info, and general notes encrypted with 168-bit 3DES (IIRC) on my phone protected by my master password. It's already saved my bacon more than once.

      The only down-side is that I can't sync it with anything at home, but I generally don't have to update it very often, so when I do, I also write down the passwords in an encrypted text file on my home machine.
  • To use some bit of knowledge you have rather than writing down something obscure on a piece of paper that you can lose.

    For example, your password could be your birthdate, or favorite football team, or even the year you graduated from high school. Or all three if a longer password is necessary. It's fairly easy to learn to enter this information backwards as well, for further obfuscation, without making it harder to remember.

    Gone are the days when you can leave the password blank or simply use your lo

  • If you have a secure system somewhere, you can use CFS [crypto.com], an encrypted filesystem, to store your passwords for various other systems. Then you can memorize a good password for the CFS system, and refer to it if you forget the password you're using for some other system.

    This is fairly secure as long as the system CFS is accessed from is not compromised with a key logger. It has the advantages of paper, but with the capability of accessing it from remote with ssh. It also has the bonus of being harder to lo
  • which we all know they won't. Most of the time we find them on a post-it note stuck to the monitor. The really sharp ones tape it under the keyboard. The best one I've seen was a guy who kept his taped under his monitor. He'd actually lift this bulky CRT every time he needed to login.
  • True story (Score:4, Funny)

    by HaeMaker (221642) on Tuesday May 24, 2005 @05:05PM (#12628136) Homepage
    I'm a SysAdmin and at one place I worked, I noticed someone had written 'aaaaa' on their monitor. They weren't at their desk at the time, so I sat down, hit ctrl-alt-del and typed 'aaaaa' into the password field...
  • Today, the greater threat to users is having their password stolen somewhere in the network. The number of passwords stolen by actually going up to somebody's desk and reading it is much lower in comparison.

    The advantage of this is that you can use relatively obscure and complex passwords because you don't actually have to burn brain cells to keep track of them.
  • by Sialagogue (246874) <sialagogue@gBOYSENmail.com minus berry> on Tuesday May 24, 2005 @05:05PM (#12628153)

    This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.

    I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.

  • Remember one password to access the program, and encrypt my more critical ones as strong as I need to.

  • That's the solution to the wrong problem. The problem is those systems allowing the users to use bad passwords. If your authentication program expires passwords once every six months or so and requires non-dictionary based passwords and a combination of letters special chars. And hard passwords to crack aren't necessarily hard passwords to remember. Especially if you use some type of memory assistance, like a sentence:

    "I have three dogs: elmo, burt and erney"
    Password: "1h3dgs:E,B&E."

    the point is th
  • http://keepass.sourceforge.net/ [sourceforge.net]

    I can't re-iterate this enough.

    A program like this with the database stored on a keydrive is ideal: your passwords can be as long as you like, cryptographically secure, and be different for all sites.

  • Neither writing down your password nor picking a simple password is clever, so I don't see why he even discusses this?
    Like saying you should really try start smoking sometime because it's worse to use heroin.

    I think a good way to come up with non-dictionary passwords while keeping them reasonably easy to remember is to take the first letter in a sentence and somehow mix it up with numbers. Like "I Am A Geek And Like Slashdot" would become "iaagals". Then add some number from your social security number or som
  • The most common passwords I have seen at different companies was HOCKEY (unix/linux machines, why I don't know) and YOUSUCK (windows machines, surprising isn't it). And, we can't forget this one, it's everywhere (especially for email accounts): PASSWORD.
  • When we start writing down passwords, we compromise them. Obviously.
    Instead, we should learn how to algorithmically generate good passwords ourselves, so that we don't need to memorize a complex character sequence, but just the way how to generate it.

    Example: I take the second and fifth letter of the site name I want to log in, which I use as an index to a poem, movie or book name I know, of which I take in turn letters and numbers ...

    While this process sounds complex, once you get used to "your" algorith
  • by windowpain (211052) on Tuesday May 24, 2005 @05:08PM (#12628185) Journal
    It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.

    Password Safe [schneier.com]
    • by eddeye (85134) on Tuesday May 24, 2005 @06:23PM (#12628978)

      It's by crypto genius Bruce Schneier, it uses Blowfish

      A few things to keep in mind:

      • Schneier handed this project off to others several years ago. His involvement since appears to be minimal. While he wrote the initial version, that code may have long since been sent to the bitbucket in the sky.
      • Schneier's crypto credentials are well established, but how is his programming knowledge, especially in regards to security? I don't know of any large open projects he's worked on that give us an indication of this.
      • AES and 3-DES are more reliable than Blowfish, having received orders of magnitude more attention from cryptanalysts. Besides which, "uses Blowfish" is a long way from "uses Blowfish correctly with proper handling of the key material and plaintext at every point in its lifecycle".

      Bruce is a cool guy, and Password Safe may be great, but I wouldn't trust it solely on his reputation.

      • Actually, PasswordSafe is actively maintained on SourceForge: http://passwordsafe.sourceforge.net/ [sourceforge.net]

        You don't need to trust Schneier's rep, as the sources are available...

        As to the Crypto, AES is currently much less reviewed than Blowfish, as it's much newer and 3DES, while reliable, is relatively SLOW...

        Note: I'm the current project admin.
  • My Solution (Score:5, Informative)

    by 3ryon (415000) on Tuesday May 24, 2005 @05:13PM (#12628252)
    I use a small PINS [mirekw.com] database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.

    The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.
  • by craXORjack (726120) on Tuesday May 24, 2005 @05:25PM (#12628405)
    I sure hope that Microsoft gets a patent on this new business process of password management because that will encourage them to continue innovating.

    ...Oh, sorry. I thought we were still doing the sarcasm thing.

  • Steganography (Score:4, Insightful)

    by CustomDesigned (250089) on Tuesday May 24, 2005 @05:28PM (#12628435) Homepage Journal
    When I write down passwords, I use some form of steganography. For example, one of my earlier systems was to add a fictitious address to my address book, with the password encoded within the address using a mnemonic mapping scheme.

    I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:

    0 - 's', 'z' (think 'zero' and hissing like snakes)
    1 - 't', 'd' (1 looks kind of like t)
    2 - 'n' (n has two legs)
    3 - 'm' (m has three legs)
    4 - 'r' (four ends with r)
    5 - 'l' (L is latin for fifty)
    6 - 'j', 'g' (soft g, like upside down 6)
    7 - 'k', 'g' (hard g, k and 7 have diagonals)
    8 - 'f', 'ph' (cursive f like 8)
    9 - 'p', 'b'
    Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with python...) 3254. You construct a phrase with any vowels and spacing desired with the consonants m,n,l,r. For instance, "mine lore" comes to my mind, and I envision Tolkien dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook.
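
The consonant-to-digit table from the comment above, turned into a decoder, as an added example that is not part of the original post: it lets you check that a phrase you made up really reads back as the number you meant before you rely on it. Treating every letter separately, ignoring letters the table does not list, and returning every reading for `g` and `c` (the code cannot tell soft from hard) are assumptions of this sketch.

```python
from itertools import product

# Unambiguous letters, copied from the table in the post.
SINGLE = {
    "s": "0", "z": "0",
    "t": "1", "d": "1",
    "n": "2",
    "m": "3",
    "r": "4",
    "l": "5",
    "j": "6",
    "k": "7",
    "f": "8",
    "p": "9", "b": "9",
}

# Letters whose digit depends on pronunciation: soft g = 6, hard g = 7,
# soft c goes with s (0), hard c goes with k (7).
AMBIGUOUS = {"g": ("6", "7"), "c": ("0", "7")}


def digit_options(phrase: str) -> list:
    """Return, for each mapped consonant in order, the digits it may stand for."""
    text = phrase.lower()
    options = []
    i = 0
    while i < len(text):
        if text.startswith("ph", i):      # 'ph' is one sound and maps to 8
            options.append(("8",))
            i += 2
            continue
        ch = text[i]
        if ch in SINGLE:
            options.append((SINGLE[ch],))
        elif ch in AMBIGUOUS:
            options.append(AMBIGUOUS[ch])
        # vowels, spaces and unlisted letters carry no digit
        i += 1
    return options


def decode(phrase: str) -> list:
    """All digit strings the phrase can be read as, sorted."""
    return sorted({"".join(combo) for combo in product(*digit_options(phrase))})


def encodes(phrase: str, digits: str) -> bool:
    """True if the phrase reads back as exactly this number and nothing else."""
    return decode(phrase) == [digits]


if __name__ == "__main__":
    print(decode("mine lore"))          # ['3254'], the bike combination in the post
    print(decode("cage"))               # four readings: c and g are both ambiguous
    print(encodes("mine lore", "3254"))
```

A phrase for which `encodes` returns False has more than one reading, so pick different words or remember which pronunciation you meant.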
  • by istartedi (132515) on Tuesday May 24, 2005 @05:30PM (#12628459) Journal

    I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".
