Write Down Your Passwords
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Pseudo-Written Password (Score:5, Insightful)
For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
See? It's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.
The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.
There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers just need to keep on trying the same password and the system will change to match it.
Microsoft hard at work for security (Score:5, Insightful)
That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.
Re:Bruce Schneier agrees (Score:5, Insightful)
Riddle Me This (Score:2, Insightful)
Re:And I'll keep it under my keyboard... (Score:3, Insightful)
Secure your passwords (Score:5, Insightful)
What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.
Common sense...
BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.
The Downside of One Really Strong Password (TM) (Score:1, Insightful)
Re:Bruce Schneier agrees (Score:3, Insightful)
Re:Really? (Score:3, Insightful)
Because ONE security breach would compromise all services? Yes, that sounds right. Also a single malicious administrator could empty your bank accounts, take your ID, book a few flights and so on?
Do you trust the admins of Slashdot enough? There have been breaches in the past, there will be in the future.
Re:Really? (Score:1, Insightful)
Just because I want a login to buy something from a store doesn't mean I want to give the people working at that store the password for my online banking - especially if I'm giving them other banking details to make the payment.
Re:Pseudo-Written Password (Score:2, Insightful)
In short, if this is true, the passwords really, really sucked.
Not as portable as paper (Score:3, Insightful)
Just do something trivial like rot-5 the 5th character of each password if you're concerned about somebody getting access. That would discourage most people from trying.
Re:Secure your passwords (Score:5, Insightful)
I have no idea why more people have not posted similar ideas. For years I have written down many of the numerous passwords that I have. But I also "encrypt" my passwords as I write them down. The "encryption" method can be as simple as the parent suggests or using rot1 or rot25, adding/subtracting X from each number in the password, or including "known to you" bogus letters ("I hereby state that I shall never use the letters E and R in my real passwords") and use these to seed your passwords.
There are many simple ways to "write your passwords down" without actually putting them on the paper. Use anagrams and pass phrases. Write the answers down where the passwords are the questions or the reverse.
Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.
Merlin.
Steganography (Score:4, Insightful)
I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:
Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with python...) 3254. You construct a phrase with any vowels and spacing desired with the consonants m,n,l,r. For instance, "mine lore" comes to my mind, and I envision Tolkien dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook.
Re:Pseudo-Written Password (Score:3, Insightful)
In the end, it is probably one of the better ways, although I always wondered that since now there is a potentially weak password protecting MANY possibly strong passwords, do the strong passwords matter? A simple keylogger will give access to ALL of your passwords in seconds.
-Em
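The consonant-to-digit mnemonic from the Steganography post above, worked as an added example (not any commenter's code). It assumes the full standard Major-system table, of which the post states only the m, n, l, r and c/k/s part:

```python
# Added example: decoder/encoder for the consonant-to-digit mnemonic (the "Major system").
# Assumption: the full standard table below; the post itself only gives m,n,l,r and c/k/s.
DIGRAPHS = {"sh": "6", "ch": "6", "ck": "7"}      # one sound, one digit
SINGLE = {"s": "0", "z": "0", "t": "1", "d": "1", "n": "2", "m": "3", "r": "4",
          "l": "5", "j": "6", "k": "7", "g": "7", "f": "8", "v": "8",
          "p": "9", "b": "9"}
# Vowels plus w, h, y carry no digit; they are free filler for building a phrase.
SUGGEST = {"0": "s", "1": "t", "2": "n", "3": "m", "4": "r",
           "5": "l", "6": "j", "7": "k", "8": "f", "9": "p"}

def phrase_to_digits(phrase):
    """Return the digit string a mnemonic phrase encodes."""
    text = phrase.lower()
    out, i = [], 0
    while i < len(text):
        two = text[i:i + 2]
        if two in DIGRAPHS:
            out.append(DIGRAPHS[two])
            i += 2
            continue
        ch = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if ch == "c":
            out.append("0" if nxt in ("e", "i", "y") else "7")   # soft c -> s, hard c -> k
        elif ch in SINGLE:
            out.append(SINGLE[ch])
        if ch.isalpha() and nxt == ch:   # a doubled letter is one sound (e.g. "ll")
            i += 1
        i += 1
    return "".join(out)

def digits_to_skeleton(digits):
    """One representative consonant per digit: the skeleton any phrase must contain."""
    return "".join(SUGGEST[d] for d in digits)

def phrase_encodes(phrase, digits):
    """Check that a chosen phrase really decodes to the combination being memorised."""
    return phrase_to_digits(phrase) == digits
```

The check matters because a phrase that decodes to the wrong number is a locked-out user, not a memorised combination.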
Passwords-Easy to remember-Repetition is the key (Score:1, Insightful)
Re:Everything you ever wanted to know about passwo (Score:3, Insightful)
Re:So Pen&Paper's the new replacement for Pass (Score:1, Insightful)
They even have a large section on "What We Learned from Passport", but failed to mention the single biggest lesson Passport had to offer - that people fundamentally don't trust Microsoft with security issues.
Note that this isn't a criticism of Microsoft. Doing security right is a difficult and time consuming process that is really a niche segment of the overall computer market. Because of their volume they will always need to remain focused on the mass-market where time-to-market is more important than security. Delaying operating systems to appeal to the security market will only weaken their competitiveness on the desktop that made them so successful. And if they try to do both, they'll have to strike compromises and suck at both.
This isn't a technology issue, it's a business issue; and in the end, Microsoft will continue to rule in the largest spot of the market.
Re:Everything you ever wanted to know about passwo (Score:5, Insightful)
Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might be packet-sniffing it. Oh, no, there's no way out, we're doomed!
Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.
Re:Pseudo-Written Password (Score:4, Insightful)
Mindless reply (Score:1, Insightful)
That made sense up until the xy (seriously).
The best, very best log in tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14-character alphanumeric code. When my friend logged in, he had to enter this code, which changed every minute. This was in addition to his username and password.
I use something like that. It's called the UNIX epoch. (One-time passwords, they're called. With increasing mobile device usage, this will become more viable although nowhere near bulletproof. If the device is lost or is cloned, game over. Might also want to look at Netkey, which is a method of hiding passwords.)
Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes.
Not that great of an idea if we are dealing with complicated passwords. Believe me, users will come knocking down the door after about a week.
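The changing-code device described above, worked as an added example of a time-based one-time password in the RFC 6238 style (not the commenter's device or any vendor's algorithm). It assumes a 60-second step to match the device; the RFC test vectors in the test use the RFC's own 30-second step:

```python
import hashlib
import hmac
import struct
import time

# Added example: TOTP as in RFC 6238. Assumption: 60-second steps to match the device
# in the comment. Both sides derive the counter from the UNIX epoch, so the shared
# secret is the only thing standing between an attacker and valid codes.
STEP = 60

def totp(secret, unix_time, step=STEP, digits=6):
    """HMAC-SHA1 over the time-step counter, dynamically truncated to `digits` decimals."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: accept a code within +/- `window` steps of clock skew, and never
    accept the same step twice, so a code captured by a keylogger is dead after one use."""
    def __init__(self, secret, window=1):
        self.secret, self.window = secret, window
        self.last_step = -1                          # highest step already consumed

    def check(self, submitted, unix_time=None):
        now = int(time.time()) if unix_time is None else unix_time
        for drift in range(-self.window, self.window + 1):
            t = now + drift * STEP
            step = t // STEP
            if step <= self.last_step:
                continue                              # replay of an already-used step
            if hmac.compare_digest(totp(self.secret, t), submitted):
                self.last_step = step
                return True
        return False
```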
Re:Pseudo-Written Password (Score:2, Insightful)
for example. The only weakness I can think of is that it may or may not be easier for someone to guess it.
Re:Microsoft hard at work for security (Score:3, Insightful)
A piece of paper kept in the wallet is better for security than the same 7 letter password getting reused.
We can talk about how things should be in an "ideal" world or we can deal with how things are in this one.
In an ideal world, passwords wouldn't be necessary because everyone would be honest.
LK
Re:Pseudo-Written Password (Score:2, Insightful)
Re:this guy is their chief advisor? (Score:3, Insightful)
1) P4$$w0rd is a really bad password.
2) The same password for your bank and for warezRus.com is a bad idea.
Forcing people to change their passwords all the time encourages bad passwords and passwords on stickys.
Regular password changes are:
a) because you think someone is brute forcing them (so fix that problem; changing the password part way through the brute force sequence doesn't buy you anything).
b) because you think it has been compromised (if it has, it's too late).
Re:Password Safe is the answer (Score:5, Insightful)
It's by crypto genius Bruce Schneier, it uses Blowfish
A few things to keep in mind:
Bruce is a cool guy, and Password Safe may be great, but I wouldn't trust it solely on his reputation.
Re:Pseudo-Written Password (Score:3, Insightful)
iLikeFi$he$Bec@useTheyreSoDelicio$
That doesn't add much to your password's security, you know; your changes aren't random enough, especially since "leet" orthography is so prevalent. There are dictionary attack programs that use expanded dictionaries, also using words with the obvious replacements (I/L -> 1, e -> 3 and so on).
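The point above, worked from the defender's side as an added example (not any commenter's code): a password-policy check that undoes the obvious substitutions and measures how much of the result is plain dictionary words, which is exactly what the expanded dictionaries exploit. The word list and the leet map are constructed for the demo:

```python
# Added example: policy check that reverses common "leet" substitutions and measures
# how much of the password is built from dictionary words. The word list is constructed
# for the demo (a real check loads a full dictionary); it holds no single-letter words,
# so a stray 'i' inside "fishes" does not count as a match.
WORDLIST = {"like", "fishes", "because", "theyre", "so", "delicious", "password",
            "love", "secret"}
LEET = {"0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "@": "a",
        "5": "s", "$": "s", "7": "t", "|": "l"}
MAX_WORD = 12                          # longest word we bother matching (assumption)

def deleet(password):
    """Map each leet character back to the letter it usually stands for."""
    return "".join(LEET.get(c, c) for c in password.lower())

def dictionary_coverage(password, wordlist=WORDLIST):
    """Fraction of the de-leeted password covered by dictionary words, and those words.
    Dynamic programme: best[i] is the most characters of s[:i] any segmentation covers."""
    s = deleet(password)
    n = len(s)
    best = [0] * (n + 1)
    choice = [None] * (n + 1)          # (start, word) chosen to reach best[i]
    for i in range(1, n + 1):
        best[i], choice[i] = best[i - 1], None          # default: s[i-1] uncovered
        for j in range(max(0, i - MAX_WORD), i):
            if s[j:i] in wordlist and best[j] + (i - j) > best[i]:
                best[i], choice[i] = best[j] + (i - j), (j, s[j:i])
    words, i = [], n
    while i > 0:                       # walk back to recover the matched words
        if choice[i] is None:
            i -= 1
        else:
            words.append(choice[i][1])
            i = choice[i][0]
    return (best[n] / n if n else 0.0), words[::-1]

def is_dictionary_derived(password, threshold=0.6):
    """Policy: reject if most of the password is just disguised dictionary words."""
    fraction, _ = dictionary_coverage(password)
    return fraction >= threshold
```

On the password quoted above the check recovers five dictionary words covering about three quarters of it, which is why the substitutions buy little against an expanded dictionary.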
Re:Pseudo-Written Password (Score:3, Insightful)
Re:Pseudo-Written Password (Score:1, Insightful)
So far, it seems to have helped some, at least.
Re:Pseudo-Written Password (Score:3, Insightful)
Not really. What it means is that users generally really, really suck at picking good passwords.
In order for Mr. Johansson's idea to be truly effective, three things need to happen:
1) the IT department must choose strong passwords for the users. They must NOT allow the users to choose the passwords themselves.
2) there must be an incredibly explicit policy regarding the protection of the media on which the passwords are stored and accessed. The policy must provide stiff penalties for failure to comply, and periodic checks need to be made to ensure compliance.
3) the users need to be educated on the relevant security practices so they know why it is so important to follow the letter of the policy and not circumvent any part of it.
Failure to do any of these will compromise the success of the strategy.
Re:I'll buy that piece of paper with some chocolat (Score:2, Insightful)
barring quantum computers, nobody's going to be breaking it within my lifetime.
Or research breakthroughs - nobody has yet proved that one-way functions exist, and it's entirely possible that some genius could figure out a fast factoring algorithm tomorrow and make your crypto worthless. Not likely, but a possibility worth considering.
Re:Password Safe is the answer (Score:3, Insightful)
You don't need to trust Schneier's rep, as the sources are available...
As to the crypto, AES is currently much less reviewed than Blowfish, as it's much newer, and 3DES, while reliable, is relatively SLOW...
Note: I'm the current project admin.
How I write my passwords down: (Score:3, Insightful)
Re:Pseudo-Written Password (Score:3, Insightful)