Security

Write Down Your Passwords 633

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy-to-guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it... If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
  • by alanw ( 1822 ) * <alan@wylie.me.uk> on Tuesday May 24, 2005 @05:58PM (#12628023) Homepage
    From Bruce Schneier's Crypto-Gram, May 15 2001 [schneier.com], and then updated in a news.com article, December 9, 2004 [com.com].

    You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

  • by Anonymous Coward on Tuesday May 24, 2005 @06:00PM (#12628051)
    I've guessed numerous passwords with your technique. I hope you were kidding.
  • Really? (Score:3, Interesting)

    by aftk2 ( 556992 ) on Tuesday May 24, 2005 @06:01PM (#12628064) Homepage Journal
    What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?

    Maybe it's because people really just don't think they're that important. It'll probably take serious problems to change people's minds (like a theft of identity, or fraudulent charges, etc...)

    And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems? God...those have probably done more to propagate the phenomenon of writing passwords down than anything else.
  • Makes perfect sense (Score:3, Interesting)

    by Audent ( 35893 ) <audent@ilov[ ]scuits.com ['ebi' in gap]> on Tuesday May 24, 2005 @06:01PM (#12628072) Homepage
    If someone's hacking in from outside you want as good a password as possible... That's my fear, not someone sitting at my desk and logging on as me.

    Peter Gutmann said the same thing: you fear the hacker, not the guy stealing your PC.

    http://computerworld.co.nz/news.nsf/nl/3F25D67E47980786CC256E6C007EE7D2 [computerworld.co.nz]
  • by IANAAC ( 692242 ) on Tuesday May 24, 2005 @06:03PM (#12628100)
    I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little Java applet around that does the same thing. If not, there's a great opportunity there, I would think.
  • by cmburns69 ( 169686 ) on Tuesday May 24, 2005 @06:08PM (#12628183) Homepage Journal
    The problem with this suggestion is that if your fingerprint (or some other bio-metric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?

    With a password, at least you can change it if it is compromised.

    Authentication methods can all be broken down into the following categories:
    1) Something you know (such as a password).
    2) Something you have (such as a keycard).
    3) Something you are (such as a fingerprint).

    High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three.
  • Re:Really? (Score:4, Interesting)

    by Nugget ( 7382 ) on Tuesday May 24, 2005 @06:08PM (#12628196) Homepage
    If you use the same password everywhere then CmdrTaco can log in to your bank account.

    Login credentials are often stored unencrypted on the server side, leaving your password open for compromise by any legitimate admin of that site or anyone who manages to hack into it.

    Do you want to trust your single password that you use to all sites to the least secure of all the crappy web boards you've got an account on?
  • Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html [schneier.com]. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.
  • by Scruffeh ( 867141 ) on Tuesday May 24, 2005 @06:11PM (#12628230)
    I think the bigger point here is that most people don't care about passwords. They see them as necessary but annoying, which is why they use easy-to-remember things. It's also silly to say writing down passwords is bad or good. People are always going to use different systems which may or may not work well for someone else. I rotate my passwords and do not write them down; another person may just find this annoying. It's all subjective IMHO.
  • by Concerned Onlooker ( 473481 ) on Tuesday May 24, 2005 @06:13PM (#12628251) Homepage Journal
    Web Confidential [web-confidential.com] on my Treo600 works great. It also has a desktop counterpart. (Don't forget your daily backups). That way you can have a strong and different password for everything if you like. You only need to memorize one strong password for opening the Web Confidential file and all your passwords are always with you. Easy, easy, easy.
  • Re:Really? (Score:3, Interesting)

    by GlacierDragon ( 820368 ) on Tuesday May 24, 2005 @06:15PM (#12628270) Homepage

    And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems?

    Amen!

    I have to try to remember a *lot* of different passwords for work. If they unified the logins on these tools, it would help tremendously. You can try to have the passwords sync up, but the reset time frames on them are all offset. I had to change my Corporate password 2 weeks ago, my windows password one week ago, and my network password on Friday. As a result, I've typed in the wrong network password first try almost every time today.

    Another frustration is the 100% numeric password for voicemail. It used to change every month. I--and many others--communicate primarily with email. This translated into having to change the password every time we got a voicemail before we could listen to it. It appears that they have changed the reset time length to several months now. Probably because they were tired of resetting passwords for everyone all the time.

  • by Mavakoy ( 730866 ) on Tuesday May 24, 2005 @06:15PM (#12628277) Homepage
    Or use a shorthand system i.e.

    main login: ML7
    mainframe access: I12

    To me, these would tell me _exactly_ what the passwords were, but to a passer-by, they are meaningless.
  • by LordSnooty ( 853791 ) on Tuesday May 24, 2005 @06:17PM (#12628295)
    But what happens if someone moves the Sellotape? And more obviously, what if someone cracks on to your method? The password is right in front of them!

    Actually it's not too bad because it requires physical access. At my famous Educational Establishment, there's been a recent spate of hackers using weak passwords to gain access - all from off campus. Make it strong and keep it written down somewhere secure, and you're pretty much safe from the majority of abuses. Keep it hidden innocuously in a book or a file of boring documents, rather like a file in a cake.
  • by Mr. Slippery ( 47854 ) <.tms. .at. .infamous.net.> on Tuesday May 24, 2005 @06:20PM (#12628346) Homepage
    start using fingerprint scans, the only way someone can steal your finger print is by lifting it from something you've touched

    Which is quite easy [cryptome.org].

    But you don't even need to do that - some scanners can be fooled into accepting the latent print you leave on it [bromba.com]. D'oh!

    An authentication token that, when used, leaves behind all the information you need to construct a counterfeit - this is not something I want to rely on.

    Biometrics is a fundamentally flawed scheme. A biometric is just a token that you can't replace (a scar on your finger? too bad), repudiate if stolen (I can lift your prints but you can't change them without pain), or use to separate privileges (difficult to use a different thumbprint at the bank, at the library, and to open your car, unless you have interesting anatomy).

    As for passwords, yeah, I've gotten to the point of having to write them down. I used to use only a few passwords - my login and root password, one common for low security sites, one shared one for a few sites I cared more about, and my on-line banking. But as sites put various nonsensical restrictions on password selection ("your password must contain two digits", "your password must not use any non-alphanumeric characters", etcetera), I've had to start writing them down.

    "Something you are" reduces to "something you have". "Something you know", as you have to remember more and more things to deal with dozens of systems, reduces to "something you have" (that piece of paper with all the passwords written on it). It's all about the authentication tokens.

  • by Cornflake917 ( 515940 ) on Tuesday May 24, 2005 @06:22PM (#12628362) Homepage
    If you read the quote which is in your post, he says "If I write them down AND THEN PROTECT the piece of paper..."

    For example, the company I work for has strict policies for protecting passwords. We must keep our computer passwords in locked cabinets or we will face minor to moderate penalties.
  • by exp(pi*sqrt(163)) ( 613870 ) on Tuesday May 24, 2005 @06:28PM (#12628440) Journal
    Use cash!

    Just pick up any dollar bill. There's already a convenient unique password made up of alphabetic and numeric characters printed in the corner. For more important passwords use $5, $20, or even the good old Madison.

    So if Jackson is on the $20 bill, what do 5 Jacksons make?

  • by istartedi ( 132515 ) on Tuesday May 24, 2005 @06:30PM (#12628459) Journal

    I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".

  • Nonsense (Score:3, Interesting)

    by Roadkills-R-Us ( 122219 ) on Tuesday May 24, 2005 @06:33PM (#12628488) Homepage
    There are plenty of ways to do this. For instance, you can keep the passwords on (picked at random) page 57 of a red notebook that stays locked in your drawer when you're not around, and is only out of the drawer when it's in use. You can leave clues to yourself what they mean.

    For instance:

    mama: no dates

    The actual password, not written down, is "n0datez!" The machine this is for is the largest system you work on (big mama).

    If using random strings, try to make it look like serial numbers; again the place or account to use this for should be hinted at (to you), not stated.

    There are many, many ways to do this and be very secure. I once left a set of passwords and hints out in plain sight on purpose, just to see if anyone would recognize and try to crack them. They were never cracked, and I'm reasonably certain nobody even tried. They had no idea what they were seeing.
  • by kwalker ( 1383 ) on Tuesday May 24, 2005 @06:34PM (#12628499) Journal
    I just got one for my cell phone called MobileSafe. It was $6 from Handango [handango.com] and downloaded directly to my phone. That way I always have my account numbers, CC numbers, login info, and general notes encrypted with 168-bit 3DES (IIRC) on my phone protected by my master password. It's already saved my bacon more than once.

    The only down-side is that I can't sync it with anything at home, but I generally don't have to update it very often, so when I do, I also write down the passwords in an encrypted text file on my home machine.
  • Re:Really? (Score:3, Interesting)

    by baadger ( 764884 ) on Tuesday May 24, 2005 @06:48PM (#12628633)
    If all websites started MD5'ing passwords before they were transmitted to the server then this would become completely ineffective for the attack mentioned in grandparent.

    Think about it.
  • by Em Ellel ( 523581 ) on Tuesday May 24, 2005 @06:49PM (#12628654)
    On a more practical note, back in the day when I backpacked through Europe I wanted to have a backup of important data to take with me, in case I lost my passport/bank cards/etc. However, being a paranoid freak I did not want to write the numbers down on paper in plain text, as I would be doubly exposed - I could lose my wallet or I could lose my notebook.

    So to resolve this issue I wrote the information using a simple rot-n algorithm with random keys. I wrote down all the numbers (including the rot-n keys, which looked just like the rest of the data) in my notebook and knew that if I had to use them, it would take me a little time but I could work it out, and if I were to lose the notebook, I could be pretty sure that no one would bother trying to make sense of a bunch of numbers written on the back cover - most likely it would just be tossed.

    Obscurity combined with physical security makes things severely more difficult for a casual snooper. In the end it is a game of making the cost of figuring it out more than the desire to do so. Writing down key data, such as passwords, with a little obfuscation goes a long way.

    -Em
  • by yagu ( 721525 ) <{yayagu} {at} {gmail.com}> on Tuesday May 24, 2005 @07:27PM (#12629027) Journal

    I chose the quote from the summary because it worked best for what I wanted to point out. I did read the article (I always do, or I won't post against it)...

    No biggy. I agree with your point we haven't found any scientific solution for morons yet, but that's sort of my point. If we let (as a policy) people just write passwords down, that little slice of moron-dom is the part that always bites us in the rear.

    I know the article talked about securing the scrap of paper on which the password is written, keeping it stowed and secure, but my experience has been that doesn't happen. And, when combined with the policy that passwords be written down (he almost states they must be written down), the exposure is greatly increased.

    I'm not proposing any rebuttal or solution, I've always found the more oppressive a regime, the more determined hackers are to find a way in. I've been approached many times by the security organizations where I've worked to help them with their policies (I'm pretty good at hacking) and I've always declined -- I find it a difficult universe to exist in where no matter how hard you try, there are always people out there who break what you make.

    Security in computers is a losing battle. It's an extension of our social makeup and there'll always be good guys and bad guys and there'll always be breaches. I just think what the article proposes is yet another proposal, and it adds little to overall real security.

    By the way, I don't think this is at all a first, seeing a post modded +5 from a poster who hasn't read the article... I've seen a number of what are fairly obvious examples of that. Used to get my dander up, too, but I've come to accept sometimes the poster may have enough credible and useful to add to the discussion without having to read the article (though, not always :-)). And, again, for the record -- I did read the article.

    Good feedback.

  • by Anonymous Coward on Tuesday May 24, 2005 @07:57PM (#12629299)
    Uh, what about the guys that are creating hashes of all the password combinations that exist in a database. They just need a couple of terabytes to do this in, and with HDs showing up as 300, 400, or even 500gb that's more practical every day. They can then just do a quick search for your password without having to crack anything.

    Your 20 character password just means that they need a couple more 500gb HDs, that's all.

    It wouldn't take all those years, now would it??
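
Nugget's point about credentials kept unencrypted on the server, baadger's suggestion of hashing before transmission, and the comment above about precomputing a table of every password hash all turn on how the server stores the password. The following added example (not code from any commenter or product named on this page) shows server-side storage with a per-user random salt and an iterated PBKDF2-SHA256 digest: two accounts that choose the same password get different stored values, so one precomputed table no longer answers the lookup for every account, and verification recomputes the digest instead of ever keeping the plaintext. The iteration count and the sample password are constructed, illustrative values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is a constructed, illustrative value; tune it to your hardware.
ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record "algorithm$iterations$salt_hex$digest_hex".

    A fresh 16-byte random salt is drawn unless the caller supplies one, so two
    accounts that choose the same password still get different stored digests.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time; the plaintext password never needs to be stored."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:          # malformed record: fail closed
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password, as a site hashing without a salt would store it.
    Every account with this password shares this exact value, so one precomputed
    table of digests serves the lookup for all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def stored_digest(record: str) -> str:
    """Extract just the digest part of a record produced by hash_password."""
    return record.split("$")[3]


if __name__ == "__main__":
    shared = "autumn-Lantern-42"   # constructed sample password, not from the page
    print("unsalted digests identical:", unsalted_digest(shared) == unsalted_digest(shared))
    first, second = hash_password(shared), hash_password(shared)
    print("salted digests identical:  ", stored_digest(first) == stored_digest(second))
    print("verify correct:", verify_password(shared, first),
          "verify wrong:", verify_password("not-it", first))
```

Hashing on the client before transmission, as baadger suggests, does not replace this: whatever the client sends is what the server compares against, so a stolen copy of that value is as good as the password itself. The salt and iteration count live on the server side, where the comparison happens.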
  • by mrchaotica ( 681592 ) on Tuesday May 24, 2005 @08:22PM (#12629495)
    I've got a system better than a biometric USB key: I use an app called "Keyring" [sourceforge.net] on my Palm, and store my passwords in that.
  • by tsotha ( 720379 ) on Tuesday May 24, 2005 @08:49PM (#12629672)
    Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.

    Agreed. Sure, some crypto whiz will cut through that clutter in a day or two, but that's probably not the guy who'll lift your wallet at a ball game.

    One thing I wish security systems had was some kind of "tripwire" password, i.e. the account is locked if anyone ever tries it. That way you could put the tripwire at the top of the list so if it ever did get stolen the thief would lock himself out permanently before you ever knew your wallet was gone.

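The "tripwire" password tsotha wishes for is a honeytoken credential: a second secret registered alongside the real one that no legitimate login ever uses, so any attempt with it signals that the written list has been read. The following is an added example (not from any commenter or system on this page) of a login service that stores both secrets as salted PBKDF2 digests, locks the account and records an alert when the tripwire is presented, and refuses to register a tripwire equal to the real password. The in-memory account store, the iteration count and the sample credentials are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List

ITERATIONS = 50_000   # constructed, illustrative value


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password under the account's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    name: str
    salt: bytes
    password_hash: bytes    # the real password
    tripwire_hash: bytes    # the canary: never used legitimately
    locked: bool = False


@dataclass
class LoginService:
    """In-memory login service, a constructed stand-in for a real user store."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def register(self, name: str, password: str, tripwire: str) -> None:
        if tripwire == password:
            raise ValueError("tripwire must differ from the real password")
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, derive(password, salt),
                                      derive(tripwire, salt))

    def login(self, name: str, password: str) -> str:
        """Return "ok", "denied" or "locked".

        Presenting the tripwire locks the account and records an alert, since
        only someone reading the owner's list would ever try that string.
        """
        account = self.accounts.get(name)
        if account is None:
            return "denied"
        if account.locked:
            return "locked"
        candidate = derive(password, account.salt)
        if hmac.compare_digest(candidate, account.tripwire_hash):
            account.locked = True
            self.alerts.append(f"TRIPWIRE: canary password presented for {name}; account locked")
            return "locked"
        if hmac.compare_digest(candidate, account.password_hash):
            return "ok"
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "autumn-Lantern-42", "canary-Q7!pm")   # constructed credentials
    print(svc.login("alice", "autumn-Lantern-42"))   # ok
    print(svc.login("alice", "canary-Q7!pm"))        # locked, alert recorded
    print(svc.login("alice", "autumn-Lantern-42"))   # locked: the real password no longer works
    print(svc.alerts)
```

The lock is deliberately not self-clearing: the alert is the valuable output, and the account owner restores access through whatever out-of-band reset the system already has, which is also the moment to retire the list that was read.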
  • by jkosturko ( 601845 ) on Tuesday May 24, 2005 @10:39PM (#12630326)
    I use a similar technique, using a dollar bill. Take the serial number of a dollar bill and choose an offset between 1 and 4. Type in each character of the serial number, pressing the shift key for every character that is a multiple of the offset (every third character, for example). This way, you have the password "written down," but it is stored in an inconspicuous manner that will not be recognized or compromised if you lose your wallet. Obviously, don't lose/spend that bill :)
  • by Anonymous Coward on Tuesday May 24, 2005 @11:03PM (#12630452)
    My computer is running Windows XP Pro. My passwords are stored in a plain text file, in a folder encrypted using EFS. The only password I remember is my Windows logon password, which is a random string of 20 characters.

    My Windows logon password was generated randomly, and written down on a small piece of paper I carried on my person 24/7 until I had it memorized, after which the paper was destroyed. I repeat this process once every six months or so.

    Password Safe is probably more secure though, as EFS relies on X.509 certificates that use only 1024 bit RSA (the files themselves are encrypted using AES-256). What I want is a way to create a new certificate for EFS of at least 1536 bits, or better yet, 2048 bits. My past attempts have failed. Apparently the certificate needs to be flagged for use with EFS, which I have not yet figured out how to do.
  • by gengee ( 124713 ) <gengis@hawaii.rr.com> on Wednesday May 25, 2005 @01:08AM (#12631204)
    Yes; this is in our corporate information security policies, along with the suggestion that users use memorable song lyrics as the source pass phrase. Most users like that system, as it becomes fun to think up a new password.

    14ckwbwtdbwb = Fourteen cannibal kings / wondering blindly what the dinner bell will bring

    For a root system password, you may want an even longer password, both for cryptographic security where cryptographic systems support > 8 characters, and more importantly to discourage the use of the root system account by administrators when tools like sudo make its use unnecessary.

    ItastD,DIgtiop,lttuatt,wyesok? = I turned and said to Dan, "Dan I guess this is our prime / like they tell us all the time / were you expecting some other kind?"

    It's difficult to forget that password, but even in the event you do forget it, there's a strong possibility you'll remember enough to Google-up the answer. And I guarantee administrators will more frequently use (rules-driven, command-logged) sudo when the alternative is a 35-character root password.
