Write Down Your Passwords

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy-to-guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
  • by seanscottrogers ( 565312 ) on Tuesday May 24, 2005 @06:02PM (#12628081)
    Writing down passwords and storing them in a secure location isn't the issue, it is portability. Most passwords these days need to go with you wherever you are, at home, the office, on travel. If your password is too complicated to remember, then it would have to be stored somewhere on your person. That's the security risk.
  • by Anonymous Coward on Tuesday May 24, 2005 @06:03PM (#12628111)
    That's what I do. I use a tool that stores passwords encrypted, and I have one very good passphrase I use to decrypt the passwords. Any time I need a password for a Web site, I generate one (32 random letters/numbers) and use that. I don't even know any important passwords, except for the one master passphrase.
  • by Anonymous Coward on Tuesday May 24, 2005 @06:05PM (#12628142)
    In my last workplace someone (probably a janitor) stole checks from people's desks.

    A lot of hacking is internal. If you're in a company bigger than a dozen people or so, you're at risk.

  • by loqi ( 754476 ) on Tuesday May 24, 2005 @06:05PM (#12628151)
    KDE's wallet manager handles this rather nicely.
  • by bmongar ( 230600 ) on Tuesday May 24, 2005 @06:07PM (#12628174)
    Though they can't steal your fingerprint, they can steal your fingerprint metric. It all becomes bits at some point, and if they have those bits they can bypass having your finger.
  • by windowpain ( 211052 ) on Tuesday May 24, 2005 @06:08PM (#12628185) Journal
    It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.

    Password Safe [schneier.com]
  • My Solution (Score:5, Informative)

    by 3ryon ( 415000 ) on Tuesday May 24, 2005 @06:13PM (#12628252)
    I use a small PINS [mirekw.com] database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.

    The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.
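The batch-file scheme above, written out as an added example rather than 3ryon's own script: a Python version that refreshes the local cache from the key when it is plugged in, falls back to the cache otherwise, and pushes changes back to the key only when the cache is newer. The paths are assumptions and the scenario in `demo_round_trip` is constructed.

```python
import os
import shutil
import tempfile

# Added example, not 3ryon's batch file: the same "master copy on the USB
# key, cached copy on each PC" scheme in Python. All paths are assumptions.

def pick_db(usb_db: str, local_db: str) -> str:
    """Return the database path to open. If the key is plugged in (usb_db
    exists), refresh the local cache from it first; otherwise use the cache."""
    if os.path.isfile(usb_db):
        os.makedirs(os.path.dirname(local_db) or ".", exist_ok=True)
        shutil.copy2(usb_db, local_db)  # copy2 keeps the mtime for sync_back
        return local_db
    if os.path.isfile(local_db):
        return local_db
    raise FileNotFoundError("no password database on the key or in the cache")

def sync_back(usb_db: str, local_db: str) -> bool:
    """After the application exits, push the cache back to the key only if it
    was modified since launch (newer mtime than the copy on the key)."""
    if not (os.path.isfile(usb_db) and os.path.isfile(local_db)):
        return False
    if os.path.getmtime(local_db) > os.path.getmtime(usb_db):
        shutil.copy2(local_db, usb_db)
        return True
    return False

def demo_round_trip() -> dict:
    """Constructed scenario: key plugged in, app saves a change, sync back,
    then the key is unplugged and the cache is used."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = os.path.join(tmp, "usbkey", "pins.db")
        cache = os.path.join(tmp, "profile", "pins.db")
        os.makedirs(os.path.dirname(usb))
        with open(usb, "w") as f:
            f.write("v1")
        os.utime(usb, (1_000_000_000, 1_000_000_000))  # make the key copy old
        opened = pick_db(usb, cache)
        with open(cache, "w") as f:  # the application saves an edit
            f.write("v2")
        pushed = sync_back(usb, cache)
        with open(usb) as f:
            on_key = f.read()
        os.remove(usb)  # "unplug" the key
        fallback = pick_db(usb, cache)
        return {"opened": opened == cache, "pushed": pushed,
                "on_key": on_key, "fallback": fallback == cache}
```

The database file itself stays encrypted by the password manager; this only moves the file, so a lost key exposes nothing more than the encrypted blob.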
  • by John Seminal ( 698722 ) on Tuesday May 24, 2005 @06:17PM (#12628303) Journal
    #1) The hackers have huge dictionaries that can crack just about any word, in any language, and with any added numbers, like compaq002 or 01compaq01. Second, they have custom dictionaries that can take 2 or 3 words and put them together in logical ways (like people think). These are all easily cracked. Picking a password by splitting the words of items on your desk and adding them back together is not smart. Comp05HP is not a good password.

    #2) The best passwords are illogical. Something like k8iWq3xy. Mixing letters and numbers, not based on any words, is a good start. If your program recognizes upper and lower case, mixing that can help too.

    #3) The best, very best login tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14-character alphanumeric code. When my friend logged in, he had to enter this code, which changed every minute. This was in addition to his username and password.

    #4) People will sniff your network. Nothing is bulletproof. Finding passwords sent is easy. If it comes as clear text, you are screwed off the bat. This defeats #1 and #2, but not #3, because #3 is based on an algorithm that changes every 1 minute.

    #5) Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes. This will be a major pain when you try and log in and make a mistake. It won't really stop hackers, just the ones with slow/bad proxies. Maybe 1 of the 500 proxies the hacker is using is not as anonymous as they believe. As for your own use, take a book with you when you believe you might have to log in remotely, just in case you make a mistake. You need something to blow those 20 minutes.

    #6) Never, ever log in as root from a remote location. Have a crippled account to log into from remote locations. Expect this account to get cracked. Limit the damage. If you must, have 2 computer systems at home. One secured offline, and the other online. Hell, toss in a third computer connected to the online one via a serial cable and dump all the logging on that computer. The hacker/cracker can't edit the logging files on that second PC.

    #7) When using a computer, always assume the key strokes are being logged. When you get home, change your password for that account.

    #8) After you have done all these things, you will still get hacked. Call the FBI. Call your congressman. Let's bomb another country to relieve our collective mutual stress.

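The one-minute code from the clock token in #3, and why the sniffed traffic in #4 does not defeat it, in code. This is an added example, not code from the thread: an RFC 4226/6238 time-based one-time code with a 60-second step and a server-side check that accepts one step of clock drift. The secret is the RFC test secret so the published vectors can be checked; a real token gets its own random secret.

```python
import hmac
import hashlib
import struct
import time

# Added example, not from the thread: an RFC 6238-style time-based one-time
# code like the "clock" token in #3. The secret is the RFC 4226/6238 test
# secret, used only so the known test vectors can be checked.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 60, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / step). The token in the
    comment changes every minute, so the default step here is 60 seconds."""
    return hotp(secret, now // step, digits)

def current_code(secret: bytes, step: int = 60, digits: int = 8) -> str:
    """What the token would display right now."""
    return totp(secret, int(time.time()), step, digits)

def verify(secret: bytes, candidate: str, now: int, step: int = 60,
           digits: int = 8, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `skew` steps
    either side (clock drift), comparing in constant time. A code captured on
    the wire stops working once its window passes, which is the point of #3/#4."""
    for k in range(-skew, skew + 1):
        expected = hotp(secret, now // step + k, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False
```

A production verifier also records the last counter it accepted and refuses a repeat, so a code sniffed during its window cannot be replayed within that same window.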
  • by loqi ( 754476 ) on Tuesday May 24, 2005 @06:17PM (#12628306)
    Let's see... assuming lower- and upper-case letters and numbers are the only allowed components of a password, even a machine capable of one trillion password checks per second would take about 22,337,120,292,586,187,942 years to run through all the possible twenty-character passwords.

    So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.
  • No! (Score:2, Informative)

    by RoverDaddy ( 869116 ) on Tuesday May 24, 2005 @06:20PM (#12628349) Homepage
    Why put the list in cyberspace at all? That's the beauty of paper, nobody online can steal a sheet of paper sitting in your home/office/dorm/loft/cave.
  • by craXORjack ( 726120 ) on Tuesday May 24, 2005 @06:25PM (#12628405)
    I sure hope that Microsoft gets a patent on this new business process of password management because that will encourage them to continue innovating.

    ...Oh, sorry. I thought we were still doing the sarcasm thing.

  • by Ann Elk ( 668880 ) on Tuesday May 24, 2005 @06:28PM (#12628439)

    PasswordSafe [sourceforge.net] is basically a GUI wrapped around an encrypted file such as you describe. Unfortunately, it's Win32 only, but there are a few [dyndns.org] portable [semanticgap.com] solutions [www.fpx.de] available.

  • by RayMarron ( 657336 ) on Tuesday May 24, 2005 @06:29PM (#12628444) Homepage
    CrypBox [portableprojects.com] is really handy if you have a Palm device - you can carry your password database with you AND have access to it on the desktop.
  • by essreenim ( 647659 ) on Tuesday May 24, 2005 @06:34PM (#12628500)
    The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.

    That's why I think my solution - http://it.slashdot.org/comments.pl?sid=150601&cid=12628446 [slashdot.org] - is better. And if it's a password that expires every couple of days, use a separate hash that puts in random bits as well for this task... http://it.slashdot.org/comments.pl?sid=150601&cid=12628446 [slashdot.org]

  • by bizard ( 691544 ) on Tuesday May 24, 2005 @06:40PM (#12628541)
    which is exactly what systems like Keychain Access [apple.com], Password Wallet [selznick.com] (or Password Wallet [winsite.com]), Keywallet [keywallet.com] etc. are for.
  • by Anonymous Coward on Tuesday May 24, 2005 @06:42PM (#12628555)
    Or you could just buy a Mac and use the Keychain application which is the same concept, except it's integrated into the OS and everything plugs into it.

    You can even have it store your ssh passphrases that get intercepted by a third-party ssh-keychain application that inserts the passphrase into your Apple Keychain.

    You also can place your keychain on a USB memory key (it's already encrypted) and plug the USB memory key into your laptop and login. If you forget the USB memory key then you login to the system but you don't have any stored passwords.
  • by Cutriss ( 262920 ) on Tuesday May 24, 2005 @06:45PM (#12628578) Homepage
    All these people are mentioning Password Manager, but I use Keyring for PalmOS [sourceforge.net] (formerly "GNU Keyring"). This way, I can bring the .PDB database with me in my handheld if I would like to take my passwords on the go, and running the app on a client machine isn't hard since there are a variety of Palm emulators out there for a variety of platforms.

    So, you have an app that, by virtue of being on a portable emulated platform, is OS-portable as well.
  • by Anonymous Coward on Tuesday May 24, 2005 @06:46PM (#12628594)
    As does OS X's Keychain.
  • Not likely. (Score:2, Informative)

    by Evanisincontrol ( 830057 ) on Tuesday May 24, 2005 @07:25PM (#12629008)
    Maybe it's just me, but it seems that the likelihood of someone cracking that method is very low.

    As you said, physical access is required. (which makes things MUCH more difficult) However, even if physical access WASN'T required, I don't think some hacker would suddenly say to himself, "AH HA! I bet this user is combining the serial number of his roller-chair and product number of his processor to create his password! Let me just try these numbers..."

    There is a VERY large combination of passwords available from product/serial/model numbers on various items that reside in a typical office. Even if a hacker somehow broke into Joe Blow's apartment and spent twenty minutes writing down all of Joe's stapler model numbers, he likely wouldn't get them all, and definitely wouldn't need to run a program (remotely) to try all the possible combinations. (Especially given that the password might consist of half a dozen different product numbers!)

    All in all, the odds of someone breaking this password aren't high. If someone was determined enough to go through all the aforementioned garbage at all, whatever he's getting at must be pretty valuable... and would probably be better protected than just by an arbitrary password.
  • by ymgve ( 457563 ) on Tuesday May 24, 2005 @07:27PM (#12629029) Homepage
    Nobody has yet mentioned the strongest reason why this is dangerous: Keyloggers. A malicious hacker captures your master password as you enter it, and suddenly every password you have is compromised.
  • PasswordSafe (Score:3, Informative)

    by ronys ( 166557 ) on Wednesday May 25, 2005 @12:11AM (#12630871) Journal
    Actually, Bruce Schneier wrote exactly such an application, and put it on SourceForge a while ago, where it is currently maintained:
    PasswordSafe [sourceforge.net]

    Note: I'm the project's current admin.
