Write Down Your Passwords
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy-to-guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Pseudo-Written Password (Score:5, Insightful)
For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
See? It's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.
The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.
There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers just need to keep on trying the same password and the system will change to match it.
Re:Pseudo-Written Password (Score:2)
Yeah, plus having to buy all that new hardware gets expensive!
Re:Pseudo-Written Password (Score:5, Interesting)
I can just see this... (Score:5, Funny)
I can just see the following request to helpdesk:
Please reset my password as someone borrowed my Sellotape dispenser and I can no longer log in.
-Em
Re:Pseudo-Written Password (Score:5, Interesting)
So to resolve this issue I wrote the information using a simple rot-n algorithm with random keys. I wrote down all numbers (including rot-n keys, which looked just like the rest of the data) in my notebook and knew that if I had to use them, it would take me a little time but I could work it out, and if I were to lose the notebook, I could be pretty sure that no one would bother trying to make sense of a bunch of numbers written on the back cover - most likely it will be just tossed.
Obscurity combined with physical security makes things severely more difficult for a casual snooper. In the end it is a game of making the cost of figuring it out more than the desire to do so. Writing down key data, such as passwords, with a little obfuscation goes a long way.
-Em
Re:Pseudo-Written Password (Score:3, Insightful)
Re:Pseudo-Written Password (Score:3, Interesting)
Re:Pseudo-Written Password (Score:3, Insightful)
In the end, it is probably one of the better ways, although I always wondered that since now there is a potentially weak password protecting MANY possibly strong passwords, do the strong passwords matter? A simple keylogger will give access to ALL of your passwords in seconds.
-Em
Re:Pseudo-Written Password (Score:4, Insightful)
Re:Pseudo-Written Password (Score:5, Funny)
Re:STEGANOGRAPHY is the answer (Score:3, Interesting)
Re:Pseudo-Written Password (Score:3, Insightful)
iLikeFi$he$Bec@useTheyreSoDelicio$
That doesn't add much to your password's security, you know; your changes aren't random enough, especially since "leet" orthography is so prevalent. There are dictionary attack programs that use expanded dictionaries, using also words with the obvious replacements (I/L -> 1, e -> 3 and so on).
Re:Pseudo-Written Password (Score:3, Interesting)
14ckwbwtdbwb = Fourteen cannibal kings / wondering blindly what the dinner bell will bring
For a root system password, you may want an even longer password, both for cryptographic security where cryptographic systems support > 8 characters, and more importantly to discourage the us
Re:Pseudo-Written Password (Score:3, Insightful)
Re:Pseudo-Written Password (Score:3, Insightful)
Not really. What it means is that users generally really, really suck at picking good passwords.
In order for Mr. Johansson's idea to be truly effective, three things need to happen:
1) the IT department must choose strong passwords for the users. They must NOT allow the users to choose the passwords themselves.
2) there must be an incredibly explicit policy regarding the protection of the media on which the passwords are stored and accessed.
How I write my passwords down: (Score:3, Insightful)
So Pen&Paper's the new replacement for Passpor (Score:5, Funny)
Re:So Pen&Paper's the new replacement for Pass (Score:2, Funny)
Maybe pen&paper AD&D will be cool again!
Re:So Pen&Paper's the new replacement for Pass (Score:5, Funny)
Re:So Pen&Paper's the new replacement for Pass (Score:2, Funny)
Bruce Schneier agrees (Score:5, Interesting)
You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
Re:Bruce Schneier agrees (Score:5, Insightful)
Re:Bruce Schneier agrees (Score:3, Informative)
Not as portable as paper (Score:3, Insightful)
Just do something trivial like rot-5 the 5th character of each password if you're concerned about somebody getting access. That would discourage most people from trying.
Re:Bruce Schneier agrees (Score:3, Informative)
PasswordSafe [sourceforge.net] is basically a GUI wrapped around an encrypted file such as you describe. Unfortunately, it's Win32 only, but there are a few [dyndns.org] portable [semanticgap.com] solutions [www.fpx.de] available.
Re:Bruce Schneier agrees (Score:3, Informative)
So, you have an app that, by virtue of being on a portable emulated platform, is OS-portable as well.
Re:Bruce Schneier agrees (Score:3, Informative)
Re:Bruce Schneier agrees (Score:3, Funny)
One password to rule them all
One password to find them
One password to bring them all
And in the darkness bind them.
PasswordSafe (Score:3, Informative)
PasswordSafe [sourceforge.net]
Note: I'm the project's current admin.
Re:No! (Score:5, Funny)
Why put the list in cyberspace at all? That's the beauty of paper, nobody online can steal a sheet of paper sitting in your home/office/dorm/loft/cave.
But I thought you said not to put it on your machine at all!?!?! So what the heck is it doing under your home directory? :-)
Don't misunderestimate people ;-) (Score:3, Funny)
Not necessarily :) I used to know someone who had a webcam in their office. It was one of those geeky "things to do" at the time. He had controls to pan & zoom, control a small light, etc, on his website.
One day, I zoomed in on a piece of paper on the corner of his desk. Some rotation & sharpening in photoshop* revealed an IP and the word "g
Re:Bruce Schneier agrees (Score:3, Insightful)
Re:Don't treat it like cash (Score:5, Funny)
The world's most dysfunctional family?
Microsoft hard at work for security (Score:5, Insightful)
That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.
Re:Microsoft hard at work for security (Score:2)
then your passwords would be $tret43fHELLO, GFH#$VHELLO, and DSgb45HELLO. You get 3 secure passwords but only have to remember one.
Nonsense (Score:3, Interesting)
For instance:
mama: no dates
The actual password, not written down, is "n0datez!" The machine this is for is the largest system you work on (big mama).
If using random strings, try to make it look like serial numbers; again the pl
Re:Microsoft hard at work for security (Score:3, Insightful)
A piece of paper kept in the wallet is better for security than the same 7 letter password getting reused.
We can talk about how things should be in an "ideal" world or we can deal with how things are in this one.
In an ideal world, passwords wouldn't be necessary because everyone would be honest.
LK
Re:Microsoft hard at work for security (Score:3, Interesting)
I chose the quote from the summary because it worked best for what I wanted to point out. I did read the article (I always do, or I won't post against it)...
No biggy. I agree with your point we haven't found any scientific solution for morons yet, but that's sort of my point. If we let (as a policy) people just write passwords down, that little slice of moron-dom is the part that always bites us in the rear.
I know the article talked about securing the scrap of paper on which the password is written s
I'll buy that piece of paper with some chocolate (Score:2)
My password vault happens to be Firefox, though.
Re:I'll buy that piece of paper with some chocolat (Score:3, Funny)
My password vault happens to be Firefox, though.
How do you get your passwords out?
Re:I'll buy that piece of paper with some chocolat (Score:5, Interesting)
And I'll keep it under my keyboard... (Score:2, Funny)
Re:And I'll keep it under my keyboard... (Score:3, Insightful)
Re:And I'll keep it under my keyboard... (Score:5, Funny)
Re:And I'll keep it under my keyboard... (Score:3, Funny)
mine says "password"
Ok. (Score:5, Funny)
Slashdot password: 12345
Personal site password: 12345
Bank account password: 12345
Now my password is even more secure! Yay!
Wow... (Score:5, Funny)
(sorry sorry sorry!)
Re:Ok. (Score:2, Funny)
So true, by open-sourcing your password, you don't need to worry about security anymore.
Hey a good pass phrase from this (Score:2)
Maybe they have something here.
Now, nobody else use it, and promise to forget it after reading this post. Thanks.
One Word: (Score:5, Funny)
Re:One Word: (Score:5, Funny)
Re:One Word: (Score:3, Funny)
That's not how one does private key encryption.
Riddle Me This (Score:2, Insightful)
Passwords are useless. (Score:2)
I have one password for all my low-level stuff (web logins, email, etc.) and one for my banking.
I have never changed them.
Re:Passwords are useless. (Score:5, Informative)
So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.
Really? (Score:3, Interesting)
Maybe it's because people really just don't think they're that important. It'll probably take serious problems to change people's minds (like a theft of identity, or fraudulent charges, etc...)
And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems? God...those have probably done more to propagate the phenomenon of writing passwords down than anything else.
Re:Really? (Score:3, Insightful)
Because ONE security breach would compromise all services? Yes, that sounds right. Also a single malicious administrator could empty your bank accounts, take your ID, book a few flights and so on?
Do you trust the admins of slashdot enough? There has b
Re:Really? (Score:4, Interesting)
Login credentials are often stored unencrypted on the server side, leaving your password open for compromise by any legitimate admin of that site or anyone who manages to hack into it.
Do you want to trust your single password that you use to all sites to the least secure of all the crappy web boards you've got an account on?
Re:Really? (Score:3, Interesting)
Think about it.
Re:Really? (Score:3, Interesting)
And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems?
Amen!
I have to try to remember a *lot* of different passwords for work. If they unified the logins on these tools, it would help tremendously. You can try to have the passwords sync up, but the reset time frames on them are all offset. I had to change my Corporate password 2 weeks ago, my windows password one week ago, and my network password on Friday. As a result, I've t
he's not the first (Score:2)
My suggestion? Pretend that the passwords are a $500 bill and you're in
Makes perfect sense (Score:3, Interesting)
Peter Gutmann said the same thing: you fear the hacker, not the guy stealing your PC.
http://computerworld.co.nz/news.nsf/nl/3F25D67E47
Problem is portability (Score:2, Informative)
The problem with users is... (Score:2)
Secure your passwords (Score:5, Insightful)
What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.
Common sense...
BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.
Re:Secure your passwords (Score:5, Insightful)
I have no idea why more people have not posted similar ideas. For years I have written down many of the numerous passwords that I have. But I also "encrypt" my passwords as I write them down. The "encryption" method can be as simple as the parent suggests or using rot1 or rot25, adding/subtracting X from each number in the password, or including "known to you" bogus letters ("I hereby state that I shall never use the letters E and R in my real passwords") and use these to seed your passwords.
There are many simple ways to "write your passwords down" without actually putting them on the paper. Use anagrams and pass phrases. Write the answers down where the passwords are the questions or the reverse.
Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.
Merlin.
Re:Secure your passwords (Score:3, Interesting)
Agreed. Sure, some crypto whiz will cut through that clutter in a day or two, but that's probably not the guy who'll lift your wallet at a ball game.
One thing I wish security systems had was some kind of "tripwire" password, i.e. the account is locked if anyone ever tries it.
So, I'm probably not typical, but... (Score:4, Interesting)
Re:So, I'm probably not typical, but... (Score:3, Interesting)
Re:So, I'm probably not typical, but... (Score:4, Interesting)
The only down-side is that I can't sync it with anything at home, but I generally don't have to update it very often, so when I do, I also write down the passwords in an encrypted text file on my home machine.
It's probably better... (Score:2)
For example, your password could be your birthdate, or favorite football team, or even the year you graduated from high school. Or all three if a longer password is necessary. It's fairly easy to learn to enter this information backwards as well, for further obfuscation, without making it harder to remember.
Gone are the days when you can leave the password blank or simply use your lo
CFS storage of passwords (Score:2)
This is fairly secure as long as the system CFS is accessed from is not compromised with a key logger. It has the advantages of paper, but with the capability of accessing it from remote with ssh. It also has the bonus of being harder to lo
IF they protect the paper... (Score:2)
True story (Score:4, Funny)
Re:True story (Score:3, Funny)
Re:True story (Score:3, Funny)
It actually makes some sense... (Score:2)
The advantage of this is that you can use relatively obscure and complex passwords because you don't actually have to burn brain cells to keep track of them.
Exactly right. . . (Score:5, Funny)
This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.
I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.
I just use Gnu Keyring on my Tungsten (Score:2)
Fixing the wrong problem (Score:2)
"I have three dogs: elmo, burt and erney"
Password: "1h3dgs:E,B&E."
the point is th
Keepass (Score:2)
I can't re-iterate this enough.
A program like this with the database stored on a keydrive is ideal: your passwords can be as long as you like, cryptographically secure, and be different for all sites.
Well, both are poor choices (Score:2)
Like saying you should really try start smoking sometime because it's worse to use heroin.
I think a good way to come up with non-dictionary passwords while keeping them reasonably easy to remember is to take the first letter in a sentence and somehow mix it up with numbers. Like "I Am A Geek And Like Slashdot" would become "iaagals". Then add some number from your social security number or som
Common passwords... (Score:2)
wrong attitude, wrong solution (Score:2)
Instead, we should learn how to algorithmically generate good passwords ourselves, so that we don't need to memorize a complex character sequence, but just the way how to generate it.
Example: I take the second and fifth letter of the site name I want to log in, which I use as an index to a poem, movie or book name I know, of which I take in turn letters and numbers
While this process sounds complex, once you get used to "your" algorith
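The same "remember the method, not the string" idea carried out in software, as an added example that is not the poster's scheme: one memorised master secret plus the site name, run through PBKDF2-HMAC-SHA256 from Python's standard library, yields a distinct password per site with none of the shared suffix visible in the "$tret43fHELLO" scheme earlier in the thread. The master secret, site names and symbol alphabet are constructed for illustration.

```python
# Added example: per-site password derivation from one master secret.
# Caveat (the thread's own point): whoever learns the master secret gets
# every derived password, so it deserves the same care as a vault password.
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"

def derive_password(master, site, counter=1, length=16):
    """Derive a per-site password. `counter` lets one site's password be
    rotated after a breach without changing the master secret."""
    salt = f"{site.lower()}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              200_000, dklen=length * 2)
    # Two bytes per character keeps the modulo bias over 72 symbols small.
    chars = []
    for i in range(length):
        v = int.from_bytes(key[2 * i:2 * i + 2], "big")
        chars.append(ALPHABET[v % len(ALPHABET)])
    return "".join(chars)

def shared_suffix(a, b):
    """Length of the common trailing substring: the pattern an attacker sees
    in '$tret43fHELLO'-style schemes, which should be ~0 for derived ones."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n

if __name__ == "__main__":
    master = "constructed master secret, not a real one"   # assumption
    for site in ("bank.example", "forum.example"):
        print(site, derive_password(master, site))
```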
Password Safe is the answer (Score:5, Informative)
Password Safe [schneier.com]
Re:Password Safe is the answer (Score:5, Insightful)
It's by crypto genius Bruce Schneier, it uses Blowfish
A few things to keep in mind:
Bruce is a cool guy, and Password Safe may be great, but I wouldn't trust it solely on his reputation.
Re:Password Safe is the answer (Score:3, Insightful)
You don't need to trust Schneier's rep, as the sources are available...
As to the Crypto, AES is currently much less reviewed than Blowfish, as it's much newer, and 3DES, while reliable, is relatively SLOW...
Note: I'm the current project admin.
My Solution (Score:5, Informative)
The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.
What an insightful article! (Score:3, Informative)
Steganography (Score:4, Insightful)
I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:
Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with python...) 3254. You construct a phrase with any vowels and spacing desired with the consonants m,n,l,r. For instance, "mine lore" comes to my mind, and I envision Tolkien dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook.
Almost, but not quite--here's what I do. (Score:5, Interesting)
I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".
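The consonant-to-digit mnemonic from the Steganography post above (and the "junk characters on a card" idea in the reply), as an added example not written by either poster. The post only shows m,n,l,r for 3254 and the hard-c/k, soft-c/s rule; the full digit table used here is the standard major system, assumed to be what the poster meant, and the word list is constructed.

```python
# Added example: the "major system" mnemonic, decoding a phrase back to digits
# and enumerating phrases for a number. It is a memory aid, not encryption:
# what protects the number is that a reader of the notebook cannot tell which
# paragraph encodes anything, which is the stego point of the post.

# Standard major-system table (assumed). Vowels and w, h, y carry no value.
DIGIT_TO_CONSONANTS = {
    "0": "sz", "1": "td", "2": "n", "3": "m", "4": "r",
    "5": "l", "6": "jg", "7": "kcgq", "8": "fv", "9": "pb",
}
# c and g are resolved by context (soft before e/i/y), so leave them out here.
LETTER_TO_DIGIT = {c: d for d, cs in DIGIT_TO_CONSONANTS.items()
                   for c in cs if c not in "cg"}
SOFT_NEXT = set("eiy")

def phrase_to_digits(phrase):
    """Decode a mnemonic phrase to digits. Spelling-based approximation of the
    sound rule: c/g are soft before e, i, y; doubled letters and 'ck' count once."""
    letters = [ch for ch in phrase.lower() if ch.isalpha()]
    digits, prev = [], ""
    for i, ch in enumerate(letters):
        nxt = letters[i + 1] if i + 1 < len(letters) else ""
        if ch == prev or (ch == "k" and prev == "c"):
            prev = ch
            continue
        if ch == "c":
            d = "0" if nxt in SOFT_NEXT else "7"
        elif ch == "g":
            d = "6" if nxt in SOFT_NEXT else "7"
        else:
            d = LETTER_TO_DIGIT.get(ch)      # None for vowels, w, h, y
        if d is not None:
            digits.append(d)
        prev = ch
    return "".join(digits)

def digits_to_phrases(digits, words):
    """Enumerate every way to cover the digit string with words from a small
    list, each word covering the digits it decodes to (the encoding direction)."""
    by_code = {}
    for w in words:
        by_code.setdefault(phrase_to_digits(w), []).append(w)
    memo = {}
    def cover(i):
        if i == len(digits):
            return [[]]
        if i not in memo:
            out = []
            for j in range(i + 1, len(digits) + 1):
                for w in by_code.get(digits[i:j], []):
                    out.extend([w] + rest for rest in cover(j))
            memo[i] = out
        return memo[i]
    return cover(0)

# Constructed sample vocabulary; a real user picks whatever words they like.
SAMPLE_WORDS = ["mine", "moon", "lore", "liar", "rye", "manual", "camel", "lock", "mice"]

if __name__ == "__main__":
    print(phrase_to_digits("mine lore"))            # 3254
    for phrase in digits_to_phrases("3254", SAMPLE_WORDS):
        print(" ".join(phrase))
```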
Re:Passwords suck: simple solution: (Score:2)
Re:Passwords suck: simple solution: (Score:2)
Re:Passwords suck: simple solution: (Score:3, Informative)
Re:Passwords suck: simple solution: (Score:5, Interesting)
With a password, at least you can change it if it is compromised.
Authentication methods can all be broken down into the following categories:
1) Something you know (such as a password).
2) Something you have (such as a keycard).
3) Something you are (such as a fingerprint).
High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three.
Re:Anyone with 5 digits in their UID has a solutio (Score:2)
Re:Everything you ever wanted to know about passwo (Score:3, Insightful)
Re:Everything you ever wanted to know about passwo (Score:5, Insightful)
Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might be packet-sniffing it. Oh, no, there's no way out, we're doomed!
Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.
Re:The worst Slashdot password (Score:3, Funny)
Re:this guy is their chief advisor? (Score:3, Insightful)
1) P4$$w0rd is a really bad password.
2) The same password for your bank and for warezRus.com is a bad idea.
Forcing people to change their passwords all the time encourages bad passwords and passwords on stickys.
Regular password changes are:
a) because you think someone is brute forcing them (so fix that problem; changing the password part way through the brute force sequence doesn't buy you anything).
b) because you think it has been compromised (if it has, it's too la