Too Many Passwords
LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"
Information Security (Score:4, Informative)
Something you know (password)
Something you are (biometrics)
One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.
You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.
And for the contrary opinion (Score:3, Informative)
Then there's also the fact that Lloyds performed a survey [lloydstsb.com] that contradicts the findings - passwords are fine as long as there's proper education.
... MSN Passport? (Score:5, Informative)
-everphilski-
Re:Better than post-it notes (Score:4, Informative)
b-?p
a-E9
n-4$
k-vw
He actually did make it a bit easier to read, but he forgot to use the ecode tags. Try this version:
I use Password Safe (Score:5, Informative)
This solution works well for me. Just make sure you back up your pen drive.
Re:Better than post-it notes (Score:5, Informative)
That's more or less what he did. Look again. The table isn't a list of passwords, rather, it's a standard substitution cipher. For each of the letters, he simply looks up the value to produce the password. The scheme is reversible as well, so you can retrieve the keyword from the password.
Here's an article [wikipedia.org] on substitution ciphers.
Re:Just use your Social Security number. (Score:3, Informative)
No.
That's about as secure as your mother's maiden name, or your dog's name.
Which is to say, it's the worst password imaginable.
Do you want your father/mother to have access to all your accounts?
Hell, for wellsfargo.com, your SSN is your username!
Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one request/second, could be cracked in 11 days -- And 1/second is a very slow rate!
Security (Score:4, Informative)
With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
There's some decent password managers (Score:5, Informative)
Ideally it should run without being installed (and without too many dependencies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only works in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.
Not sure what's out there for linux though...
It's easy.. (Score:2, Informative)
Revelation [gnomefiles.org] for linux/gnome.
Lots more you can find on http://tucows.com/ [tucows.com] or your favourite software download site..
I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. it's really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your pc dies.. ;)
Re:Just use your Social Security number. (Score:1, Informative)
Sometimes I wish my parents would have just not gotten me an SSN, not like I get much use out of it.
Re:Better than post-it notes (Score:1, Informative)
Re:Better than post-it notes (Score:3, Informative)
Re:I write my passwords down. (Score:3, Informative)
Re:simple python script (Score:2, Informative)
apg -m 12 -x 14 -t
IgcusbavZeb7 (Ig-cus-bav-Zeb-SEVEN)
koatDokwepht (koat-Dok-wepht)
AwUkTeduldAc (Aw-Uk-Ted-uld-Ac)
gizJogcypnot} (giz-Jog-cyp-not-RIGHT_BRACE)
NodwacIbVawl (Nod-wac-Ib-Vawl)
vekOypevpast5 (vek-Oyp-ev-past-FIVE)
It produces nicely random passwords that can be pronounced so that you can remember them.
Pronunciation is in brackets.
Jason
Re:Better than post-it notes (Score:1, Informative)
perl -e 'foreach $x(A..Z) { print "$x: ".chr(int(rand 94)+33).chr(int(rand 94)+33)."\n"}'
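The scheme described in the "standard substitution cipher" reply above and generated by this perl one-liner, as an added example (not code from the thread): build the letter table, derive a password from a keyword, reverse it, and compare the apparent strength of the output with the keyword space it actually covers. The seed, the keyword "bank" and the `keyspace_bits` helper are assumptions for illustration.

```python
"""Letter -> two-character substitution table, as in the one-liner above."""
import math
import random
import string

# chr(int(rand 94)+33) in the perl version: printable ASCII 33..126 (94 chars)
PRINTABLE = [chr(c) for c in range(33, 127)]


def make_table(seed=None):
    """Map each letter A..Z to a distinct two-character pair (seed for repeatability)."""
    rng = random.Random(seed)
    table, used = {}, set()
    for letter in string.ascii_uppercase:
        while True:
            pair = rng.choice(PRINTABLE) + rng.choice(PRINTABLE)
            # Distinct pairs keep the table reversible; the one-liner's raw
            # random draws do not guarantee that.
            if pair not in used:
                used.add(pair)
                table[letter] = pair
                break
    return table


def encode(keyword, table):
    """Keyword -> password by looking each letter up in the table."""
    out = []
    for ch in keyword.upper():
        if ch not in table:
            raise ValueError("keyword must contain letters only: %r" % ch)
        out.append(table[ch])
    return "".join(out)


def decode(password, table):
    """Password -> keyword, reversing the table two characters at a time."""
    if len(password) % 2:
        raise ValueError("password length must be even")
    inverse = {pair: letter for letter, pair in table.items()}
    return "".join(inverse[password[i:i + 2]] for i in range(0, len(password), 2))


def keyspace_bits(keyword_len, password_len):
    """Apparent entropy of the output vs. the keyword space it really spans.

    The table is a fixed mapping, so anyone who knows it (or recovers it from
    one password, as the thread notes) only has to guess the keyword."""
    apparent = password_len * math.log2(len(PRINTABLE))
    actual = keyword_len * math.log2(26)
    return round(apparent, 1), round(actual, 1)
```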
Re:I use Password Safe (Score:1, Informative)
Sorry for my bad English, cheers..
dedicated PDA (Score:3, Informative)
I picked one of my PDAs fully dedicated for only password database, plus other technical details for my machines, net services or other accounts. Methodically not using it for anything else, no network, no usb plug to any machine, ever. Backups on flashcards. Second identical PDA in the drawer, without data but ready to accept backup flashcard at any moment, usually used for playing with NetBSD.
Today, the database has 726 records of active nick/identities, Maljin Jolt on Slashdot among others. What a pile of sticky labels could that be!
Re:I use Password Safe (Score:2, Informative)
http://keepass.sourceforge.net/ [sourceforge.net]
Re:Better than post-it notes (Score:3, Informative)
No offense, but get better sources. Checking for two dictionary words with a number or special character between them is standard, and in fact limiting it to 8 possibilities instead of 10 makes it less secure, albeit imperceptibly so.