Security IT

Too Many Passwords (516 comments)

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"
  • Information Security (Score:4, Informative)

    by Divide By Zero ( 70303 ) on Tuesday September 27, 2005 @04:31PM (#13661397)
    Something you have (physical key)
    Something you know (password)
    Something you are (biometrics)

    One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.

    You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.
  • by joeflies ( 529536 ) on Tuesday September 27, 2005 @04:31PM (#13661401)
    CNET commentator mentions that you should take the results with a grain of salt [com.com]. A company that sells tokens wouldn't publish a report saying that most people are ok with passwords. And also note at the end - the actual survey data is not available to you unless you're a member of the media.

    Then there's also the fact that Lloyds performed a survey [lloydstsb.com] that contradicts the findings - passwords are fine as long as there's proper education.

  • ... MSN Passport? (Score:5, Informative)

    by everphilski ( 877346 ) on Tuesday September 27, 2005 @04:32PM (#13661407) Journal
    ... nobody seems to be a big fan ...

    -everphilski-
  • by AKAImBatman ( 238306 ) * <akaimbatman@gmaYEATSil.com minus poet> on Tuesday September 27, 2005 @04:33PM (#13661432) Homepage Journal
    It took me a moment, but I figured out the system. The letters before the dash are the key, the letters to the right are the parts that are used in the password. So for "bank" you have:

    b-?p
    a-E9
    n-4$
    k-vw

    He actually did make it a bit easier to read, but he forgot to use the ecode tags. Try this version:
    a-E9 b-?p c-&m
    d-6K e-aY f-eP
    g-!S h-gn i-D=
    j-Hd k-vw l-Cb
    m-W5 n-4$ o-R3
    p-x% q-7M r-NF
    s-+2 t-s* u-Ay
    v-fL w-zG x-Zu
    y-cX z-Qr
  • I use Password Safe (Score:5, Informative)

    by alan_dershowitz ( 586542 ) on Tuesday September 27, 2005 @04:35PM (#13661455)
    I use Password Safe [sourceforge.net] on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application. In x86 Linux I access it using Wine [winehq.org], which works fine. For my OS X machine, I use pwsafe [dyndns.org], a console app that lets you access Password Safe databases, and dumps the password directly into the X clipboard buffer. (Use the CVS version, the latest regular build can't access the latest Password Safe database format.) I found other unix password safe compatible workalikes to be extremely poor.

    This solution works well for me. Just make sure you back up your pen drive.
  • by AKAImBatman ( 238306 ) * <akaimbatman@gmaYEATSil.com minus poet> on Tuesday September 27, 2005 @04:38PM (#13661482) Homepage Journal
    Just GPG one file full of passwords, and remember your GPG key.

    That's more or less what he did. Look again. The table isn't a list of passwords, rather, it's a standard substitution cipher. For each of the letters, he simply looks up the value to produce the password. The scheme is reversible as well, so you can retrieve the keyword from the password.

    Here's an article [wikipedia.org] on substitution ciphers.
  • by merreborn ( 853723 ) on Tuesday September 27, 2005 @04:38PM (#13661487) Journal
    Just use your Social Security number... Good idea?

    No.

    That's about as secure as your mother's maiden name, or your dog's name.

    Which is to say, it's the worst password imaginable.

    Do you want your father/mother to have access to all your accounts?

    Hell, for wellsfargo.com, your SSN is your username!

    Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one request/second, could be cracked in 11 days -- And 1/second is a very slow rate!
  • Security (Score:4, Informative)

    by Widowwolf ( 779548 ) on Tuesday September 27, 2005 @04:38PM (#13661489) Homepage
    This is why I use a free program called Password Safe (http://www.schneier.com/passsafe.html [schneier.com]). You remember 1 password to login to your safe and then you can see all your entries from there..and as far as I know there is no limit on #1 the entries in each list, #2 the amount of lists you can have..you just have to remember that one password..a definitely good utility for Windows..all you Apple and Linux heads..don't know if it will work for you. It only takes a second to login and you are ready to go.. and the file that stores them auto encrypts your data..as far as I know no one has broken it..From their front page

    With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
  • by Nik13 ( 837926 ) on Tuesday September 27, 2005 @04:38PM (#13661494) Homepage
    Too many passwords? Definitely, especially if you work in IT, I have dozens of them to remember... Even for home stuff I got dozens: different forums (web related, IT related, AV related, etc), news sites like /., dozens of online stores, email, etc... It's just too much for my memory, so instead of using the same password everywhere or writing them down or such, I resorted to using a decent password manager. I've picked KeyPass (worth every penny they ask IMHO), but there's lots of others - including some F/OSS ones like KeePass or Oubliette, you can even find a bunch on sourceforge, and they're usually quite simple programs to "tweak or enhance" if they're not exactly like you wish they were (add new cryptos, GUI changes, new features, etc). I've looked at the code of a couple and it was nicely done, good quality code, pretty secure stuff. It would be quite simple to make a basic one from scratch too (using some of the high level languages with very complete libraries and frameworks like we have nowadays), the DPAPI could be useful too.

    Ideally it should run without being installed (and without too many dependencies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only works in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.

    Not sure what's out there for linux though...
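The master-password model the thread keeps coming back to (Password Safe, KeePass: one secret unlocks an encrypted list of everything else) reduces to two pieces: a key-derivation step so the master password itself is never stored, and authenticated encryption of the list so a wrong password or a tampered file is rejected rather than decrypted to garbage. The following is an added illustration of that model in Python, not Password Safe's, KeePass's or any poster's code. The PBKDF2 iteration count, the file layout and the entry format are my own choices; because the Python standard library ships no block cipher, the keystream is HMAC-SHA256 run in counter mode (a PRF used as a stream cipher) standing in for the AES or Blowfish a real vault would use, with an encrypt-then-MAC tag over everything.

```python
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed illustration of a master-password vault; not any product's code.
# Layout of a sealed safe: salt(16) || nonce(16) || ciphertext || tag(32)
KDF_ITERATIONS = 100_000  # assumption: tune upward for a real deployment
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password with PBKDF2-HMAC-SHA256, then split the
    result into independent encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC-SHA256(key, nonce || i).
    Stands in for a block cipher here; a real vault uses AES/Blowfish."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: Dict[str, str]) -> bytes:
    """Encrypt the whole password list under the master password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    # encrypt-then-MAC: the tag covers salt and nonce too, so they cannot be swapped
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_safe(master_password: str, blob: bytes) -> Optional[Dict[str, str]]:
    """Verify the tag first, then decrypt. Returns None for a wrong master
    password or a modified file; both simply fail the tag check."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def random_password(length: int = 16) -> str:
    """Generate an entry from a CSPRNG over printable ASCII (33..126)."""
    alphabet = "".join(chr(c) for c in range(33, 127))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # constructed sample entries
    entries = {"forum.example": random_password(), "shop.example": random_password()}
    blob = seal("correct master phrase", entries)
    print(open_safe("correct master phrase", blob) == entries)  # True
    print(open_safe("wrong phrase", blob))                      # None
    damaged = blob[:40] + bytes([blob[40] ^ 1]) + blob[41:]
    print(open_safe("correct master phrase", damaged))          # None
```

Two design points matter more than the cipher choice: the salt makes precomputed master-password tables useless, and checking the tag before decrypting means the vault file itself never yields an oracle for guessing the master password faster than the KDF allows. Everything a thief gets from the USB stick is the blob, so the master password's strength and the KDF cost are the whole defence, which is why the thread's advice to also back the stick up matters: losing the blob loses every entry at once.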
  • It's easy.. (Score:2, Informative)

    by slashmojo ( 818930 ) on Tuesday September 27, 2005 @04:40PM (#13661516)
    There's loads of handy password management apps around for all platforms such as..

    Revelation [gnomefiles.org] for linux/gnome.

    Lots more you can find on http://tucows.com/ [tucows.com] or your favourite software download site..

    I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. it's really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your pc dies.. ;)

  • by Anonymous Coward on Tuesday September 27, 2005 @04:52PM (#13661636)
    the first 3 digits aren't related to where you were born. they're related to where you were living when you received your SSN. i didn't get a SSN until the 5th city I lived in, it has nothing to do with where I was born, and everything to do with where I was living when I was registered.

    sometimes i wish my parents would have just not gotten me an SSN, not like I get much use out of it.
  • by Anonymous Coward on Tuesday September 27, 2005 @05:01PM (#13661732)
    Security through obfuscation is not security.
  • by soft_guy ( 534437 ) on Tuesday September 27, 2005 @05:11PM (#13661836)
    I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much easier to remember than gibberish.
  • by Catamaran ( 106796 ) on Tuesday September 27, 2005 @05:47PM (#13662186)
  • by jaseuk ( 217780 ) on Tuesday September 27, 2005 @06:01PM (#13662306) Homepage
    Take a look at apg.. Find it on freshmeat/google..

    apg -m 12 -x 14 -t
    IgcusbavZeb7 (Ig-cus-bav-Zeb-SEVEN)
    koatDokwepht (koat-Dok-wepht)
    AwUkTeduldAc (Aw-Uk-Ted-uld-Ac)
    gizJogcypnot} (giz-Jog-cyp-not-RIGHT_BRACE)
    NodwacIbVawl (Nod-wac-Ib-Vawl)
    vekOypevpast5 (vek-Oyp-ev-past-FIVE)

    It produces nicely random passwords that can be pronounced so that you can remember them.
    Pronunciation is in brackets.

    Jason
  • by syncomm ( 6066 ) on Tuesday September 27, 2005 @06:16PM (#13662398)
    Oddly enough, I have been doing something very similar. This should generate a key for you:

    perl -e 'foreach $x(A..Z) { print "$x: ".chr(int(rand 94)+33).chr(int(rand 94)+33)."\n"}'
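The per-letter substitution scheme discussed earlier in the thread (the `a-E9 b-?p ...` table, where each keyword letter maps to a fixed chunk of the password) and the Perl one-liner above that generates such a table are the same idea, so here is one added Python example covering both; it is not the poster's code. It parses the table as posted, derives a password from a keyword, reverses it (the property AKAImBatman points out), and generates a fresh table from the same printable-ASCII range (`chr(33..126)`) as the one-liner, using the `secrets` CSPRNG rather than `rand`. The chunk length of two and the requirement that chunks be distinct are my assumptions.

```python
import secrets
import string

# Constructed illustration of a letter -> chunk substitution table; not the
# original poster's table generator.
ALPHABET = string.ascii_lowercase
# Same range as the Perl one-liner's chr(int(rand 94) + 33): printable ASCII 33..126
PRINTABLE = "".join(chr(c) for c in range(33, 127))

# The table as posted in the thread, in its 'letter-chunk' text form.
THREAD_TABLE_TEXT = (
    "a-E9 b-?p c-&m d-6K e-aY f-eP g-!S h-gn i-D= j-Hd k-vw l-Cb m-W5 n-4$ "
    "o-R3 p-x% q-7M r-NF s-+2 t-s* u-Ay v-fL w-zG x-Zu y-cX z-Qr"
)


def parse_table(text: str) -> dict:
    """Parse whitespace-separated 'letter-chunk' pairs into a dict."""
    table = {}
    for pair in text.split():
        letter, chunk = pair.split("-", 1)
        table[letter] = chunk
    return table


def generate_table(chunk_len: int = 2) -> dict:
    """Build a random table with a CSPRNG; chunks are kept distinct so the
    scheme stays reversible (the Perl version does not check this)."""
    chunks = set()
    while len(chunks) < len(ALPHABET):
        chunks.add("".join(secrets.choice(PRINTABLE) for _ in range(chunk_len)))
    return dict(zip(ALPHABET, sorted(chunks, key=lambda _: secrets.randbelow(1 << 30))))


def format_table(table: dict) -> str:
    """Render a table in the 'a-E9 b-?p ...' style used in the thread."""
    return " ".join(f"{k}-{v}" for k, v in sorted(table.items()))


def encode(keyword: str, table: dict) -> str:
    """Derive the password: concatenate the chunk for each keyword letter."""
    return "".join(table[ch] for ch in keyword.lower())


def decode(password: str, table: dict) -> str:
    """Recover the keyword from a password. Possible only because every
    chunk has the same length and the mapping is one-to-one."""
    chunk_len = len(next(iter(table.values())))
    inverse = {v: k for k, v in table.items()}
    if len(inverse) != len(table):
        raise ValueError("table is not one-to-one; decoding is ambiguous")
    if len(password) % chunk_len:
        raise ValueError("password length is not a multiple of the chunk length")
    chunks = [password[i:i + chunk_len] for i in range(0, len(password), chunk_len)]
    return "".join(inverse[c] for c in chunks)


if __name__ == "__main__":
    table = parse_table(THREAD_TABLE_TEXT)
    pw = encode("bank", table)
    print(pw, "->", decode(pw, table))   # ?pE94$vw -> bank
    print(format_table(generate_table()))
```

Reversibility is also the scheme's weakness as a password policy: because each letter always maps to the same chunk, any password that leaks (a breached site, a shoulder-surfed login) exposes the substitutions for its letters, and the table, not the keyword, is the real secret. A manager that stores independent random strings per site avoids that coupling entirely.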
  • by Anonymous Coward on Tuesday September 27, 2005 @06:33PM (#13662515)
    I like PassSafe too, but I carry it on my USB pen (with my PortableFirefox and my PortableThunderbird) all encrypted with truecrypt [sourceforge.net] that gives one level more of security (in windows, that extra level is very good ;)

    Sorry 4 my bad English, cheers..

  • dedicated PDA (Score:3, Informative)

    by Maljin Jolt ( 746064 ) on Tuesday September 27, 2005 @08:35PM (#13663276) Journal
    One USB stick is not enough for your passwords.

    I picked one of my PDAs fully dedicated for only password database, plus other technical details for my machines, net services or other accounts. Methodically not using it for anything else, no network, no usb plug to any machine, ever. Backups on flashcards. Second identical PDA in the drawer, without data but ready to accept backup flashcard at any moment, usually used for playing with NetBSD.

    Today, the database has 726 records of active nick/identities, Maljin Jolt on Slashdot among others. What a pile of sticky labels could that be!
  • by loyukfai ( 837795 ) on Tuesday September 27, 2005 @10:47PM (#13663861)
    FYI, there is a similar project called KeePass.

    http://keepass.sourceforge.net/ [sourceforge.net]
  • by Syberghost ( 10557 ) <syberghost@syber ... S.com minus poet> on Wednesday September 28, 2005 @02:37PM (#13668905)
    I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much easier to remember than gibberish.

    No offense, but get better sources. Checking for two dictionary words with a number or special character between them is standard, and in fact limiting it to 8 possibilities instead of 10 makes it less secure, albeit imperceptibly so.
