Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

I know how it feels...

[XXIstCenturyBoy]

I have a very very clever comment to add to that thread, but I forgot my password :(

Re:I know how it feels...

[AKAImBatman]

No kidding. Someone should invent a special "web token" of sorts that would keep you logged in. You know, it would be transmitted everytime you access the site. It wouldn't have to be very big, maybe a maximum of 4KB.

You know, I better go patent this idea before someone else thinks of it! :-P

Re:I know how it feels...

[Fulcrum of Evil]

Someone should invent a special "web token" of sorts that would keep you logged in.

Tried that. Turns out, nobody wants all their online identities to merge together.

... MSN Passport?

[everphilski]

... nobody seems to be a big fan ...

-everphilski-

Re:I know how it feels...

[19thNervousBreakdown]

He's talking about cookies, dumbasses.

Re:I know how it feels...

[JoeBar]

Fabulous idea. I propose we call it a "cracker"!!

Argghhh, fer crisakes

[Usquebaugh]

Identity 2.0 it's nearly been blogged to death.

Take a look at this really cool presentation, even if you find the subject matter boring the presentation is sharp, http://www.identity20.com/media/OSCON2005/ [identity20.com] /. news for the lazy and ignorant

Re:I know how it feels...

[Tony Hoyle]

There's always PwdHash [stanford.edu].. unfortunately:

- It only works on certain sites - javascript confuses it completely
- They keep changing the f***ing algorythm, so next time you install it none of your passwords work!
- If you're working on another machine you can't log in anywhere.

I gave up on it.. something like that shipped with the browser would probably work though.

Re:I know how it feels...

[Martin Blank]

Imagine if Google implemented GooglePass, though. Everyone would jump on it as the best thing ever!

Of course, it would probably also be done a lot better, but it would still have the issues of a hidden method of implementation and central storage of credentials. The latter part of that sentence would be ignored by a lot of people, though.

Can't remember already...

[richdun]

Nothing for you to see here. Please move along.

Crap, what was the password to view /. stories?

Better than post-it notes

[nizo]

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Re:Better than post-it notes

[richdun]

(maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

So could you please elaborate on this and also tell us how you remember other pieces of information, say, like, I don't know, just for example, your PIN, account number, and which bank you use? Just curious...

Re:Better than post-it notes

[shis-ka-bob]

The whole point is that you can can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a seperate cheat card for each month and then keep the same mnomonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that is it bad form to use a single password more than once.

One thing that I did find to be a signficant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember work will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

Re:Better than post-it notes

[nizo]

Or what I often do is have some short random string (for example "C@5") which I could prepend before all passwords. The upside is even if someone gets the card, and by some miracle they figure out what it is, they still don't have my passwords. Unless they can read my mind, in which case they will also realize I have a negative bank balance and will go find someone else to steal money from.

Re:Better than post-it notes

[shis-ka-bob]

It is certainly true that the vulnerablity of this is that sombody that has your cheat sheet only has to guess 'dictionary' words (and start with common 3-5 letters ones first). The drawback of yours is that a 'bad guy' that convinces you set up a password on his site will be able to look at your password and he might figure out what your rule is. ( e.g., if one were to use C@5tits on a porn site, a shady porn site operator could simply read the password and guess the rule.) He can then do the dictionary

Re:Better than post-it notes

[soft_guy]

I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much more easy to remember than giberish.

Re:Better than post-it notes

[Syberghost]

I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much more easy to remember than giberish.

No offense, but get better sources. Checking for two dictionary words with a number or special character between them is standard, and in fact limiting it to 8 possibilities instead of 10 makes it less secure, albeit imperceptibly so.

Re:simple python script

[LordFnord]

> koat-Dok-wepht
Sorry, I don't recognise that spell.
What next?

> Aw-Uk-Ted-uld-Ac
Sorry, I don't recognise that spell.
What next?

> Nod-wac-Ib-Vawl
You summon a grue.
The grue eats you.
Your score was 0.
You cast 1 spell.

Play again?

Re:Pin Number

[Cro Magnon]

Augh! You bastard!

Re:Pin Number

[arminw]

.....I hope you don't start with 31415926......

No, he starts at the other end of PI.

Re:Better than post-it notes

[cavemanf16]

Damn, that's way too much work! (And what about me and my 30-40 passwords... that's a BIG piece of paper!) Just GPG one file full of passwords, and remember your GPG key.

Re:Better than post-it notes

[AKAImBatman]

Just GPG one file full of passwords, and remember your GPG key.

That's more or less what he did. Look again. The table isn't a list of passwords, rather, it's a standard substitution cipher. For each of the letters, he simply looks up the value to produce the password. The scheme is reversable as well, so you can retrieve the keyword from the password.

Here's an article [wikipedia.org] on substitution ciphers.

Re:Better than post-it notes

[Ed Avis]

Or better, just use your GPG keypair to identify yourself to start with. For example, when you register on a website you could paste in your GPG public key. Then to authenticate, the website encrypts a word with that key and shows it on a page; you decrypt it and enter the original word. So - no need to remember a password for this website, and if the website is cracked or just plain evil, they still can't do anything to access other sites since all they have is your public key.

The browser could automate this pretty easily, of course

Re:Better than post-it notes

[TheRaven64]

Rather than a PGP key, why not a personal SSL client certificate? Support is already integrated into most browsers, and organisations such as CACert issue them for free.

Re:Better than post-it notes

[TheRaven64]

I think you are missing the point. This doesn't need a Firefox plugin. It is already present in IE, Firefox and Safari (maybe Opera - I've not checked). All you need to do is add a client certificate. Then, the first time you establish an SSL connection to a server which requests it, they will get a copy of the signed data, which they can log. Any further attempt to use that site can do the same authentication, completely transparently.

Re:Better than post-it notes

[Anonymous Coward]

Evil sites *could* still cause harm. Think about a man in the middle attack:

1. you got to evilsite.com, and enter your public key
2. evilsite.com automatically connects to bank.com, and enters your public key
3. bank.com encryptes some string, and sends it to evilsite.com
4. evilsite.com sends the encrypted password to you
5. you decrypt the data, and enter that info to evilsite.com
6. evilsite.com forwards the data to bank.com

Now, while you play on evilsite.com, evilsite.com empties your bank account. Not lik

Re:Better than post-it notes

[Anonymous Coward]

To steal an old post to an old comment -- that's a very interesting perl program...could you post the output instead of the well-written perl code, though?

Re:Better than post-it notes

[RDFozz]

On those occasions where I had to write down a password, I would use a trivial ciphering mechanism: for example, move the first character to the end of the password (obviously, this works far better with random passwords than human-readable ones).

Re:Better than post-it notes

[Urban Garlic]

This can fail to comply with password rules -- the password for, e.g.,
your web-request-line account for WXKE radio, zGZuvwaY, doesn't have any
numeric or punctuation characters.

I think a lot of people fail to distinguish between cases where strong
passwords are needed, and where they aren't. For Amazon.com, with its
stored credit-card data, and PayPal, and my bank, and my user account
at work, obviously strong passwords are a good idea. But for slashdot,
nytimes.com, and other sites that just require them for your user-state
info, crappy passwords that never change are just fine, and putting those
on post-it notes on the monitor is also fine.

Great idea, until...

[jxyama]

You encounter very common "change your password every N months and it cannot be the same as the last X passwords."

I wonder how long before we figure out that this very requirement frequently leads to sequencing of the password, which completely defeats the purpose of changing it every so often.

I do like your idea, though, for places where I don't have to change the password every so often.

Re:Better than post-it notes

[misterpies]

Your method would be great except that it relies on you carrying around and frequently consulting a piece of paper in your wallet. As such it's only marginally less secure than just carrying around a note of your passwords in the first place.

How long would it take someone observing you to figure out what you were doing and swipe your wallet? (In an office it would probably be easy for a thief to xerox your codesheet). Then they just need a few guesses for your trivial "unencrypted" password and they're in.

N

Re:Better than post-it notes

[pcraven]

Too slow.

Use a phrase, like: SlashDot Keeps Posting The Same Thing Over And Over
Use the first letters: sdkptstoao
Modify it a bit: SDkptst0a0

You just remember the phrase and you are good to go!

Re:Better than post-it notes

[sik0fewl]

I do something similar, but I use a simpler matrix:

a - a b - b c - c
d - d e - e f - f
g - g h - h i - i
j - j k - k l - l
m - m n - n o - o
p - p q - q r - r
s - s t - t u - u
v - v w - w x - x
y - y z - z

So my bank password would map to "bank" and my slashdot password would map to "slashdot".

Re:Better than post-it notes

[AKAImBatman]

It took me a moment, but I figured out the system. The letters before the dash are the key, the letters to the right are the parts that are used in the password. So for "bank" you have:

b-?p
a-E9
n-4$
k-vw

He actually did make it a bit easier to read, but he forgot to use the ecode tags. Try this version:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

Keep it SIMPLE - Try this instead algorithm

[spineboy]

I just use an algorithm based on the web site, plus an additional few letters. For example if the site is Slashdot your password could be slashDOG8cAt, on Google it could be googDOG8cAt, etc. You can get a little more creative when financial or other stuff is valuable, e.g. a different user name and password algorithm for banks/credit card sites, etc. One important note - treat every computer not in your home as being infected with a virus/key logger - DON'T use public computers for your financial stuff.

Re:Better than post-it notes

[tajmorton]

Look at the first line:

a-E9 b-?p c-&m

That tells you substitute b with ?p, a with E9, etc etc.

So, b (?p) a (E9) n (4$) k (vw) equals a password of ?pE94$vw. Make sense?

Taj

Re:Better than post-it notes

[Doctor Memory]

I hate strong-but-lame passwords. One site I have to use requires a password at least eight characters long, and you must have at least one digit and one uppercase character, but you can't use any non-alphanumeric characters. Why would anyone restrict the search space like that? Unless they're validating using javascript and can't be arsed to come up with a sufficiently capable RE.

If it were up to me, a password field would accept everything except enter and escape. Enter would process the password, and

Frustration

[mysqlrocks]

This frustration is leading to behaviors that could jeopardize IT security, as well as compliance initiatives.

Any good sysadmin knows that if you make the password policy to strick you could actually be worsening your security situation. People will start sticking their passwords under their keyboards or on their monitors.

as usual, blame the users for trying

[yagu]

(BTW, this is basically a dupe from about four or five years ago...)

From the article (and the post):

The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are)...

First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know how you are", as if these people are doing some wrong. Their jobs of dealing with the consumer public is hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to server the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.

As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.

In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.

I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.

Re:as usual, blame the users for trying

[thc69]

Heheh..."too many" passwords. I've found that the username/password pair concept is so alien and nonunderstandable by so many users that it's entirely pointless. My more saavy clients understand how it works, but use a single insecure password (including one who uses "password") everywhere.

I hate to say it, because the whole concept is so incredibly simple to me, but it's just not going to happen with users.

Further, they want to be _told_ that they're secure, they want to make somebody else suffer when thei

Re:as usual, blame the users for trying

[WindBourne]

Funny thing about this, is that a bad password is one of the top problems in *nix world. In the MS world, it is very low on the totem pole. Much more could be accomplished by updating Windows and all its anti-viral software on an everyday basis or by simply upgrading to a superior OS.

Re:as usual, blame the users for trying

[Otter]

(BTW, this is basically a dupe from about four or five years ago...)

Huh? The study came out today! Poor Zonk catches enough flak already, without hassling him over this.

Unless you're saying that we've heard this before, which is certainly true (we get a story like this every week or two), but until the lesson starts to sink in to admins' heads, I say keep 'em coming!

kwallet

[DarkProphet]

I find that kwallet works well for this in KDE, but its a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...

Re:kwallet

[tktk]

What about logins? Don't you ever encounter sites where the login you want has already been taken? Then you have to get the right combination of login and passwords.

Don't forget

[GWBasic]

Don't forget to add that programs use inconsistant rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special charaters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

I won't answer that!

[game kid]

Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

I'd answer, but then it'll give insight into my password preferences, and then I'll get c00tz0rs from t3h l33t h4x0r2!!1!eleventyone etc.

IT requiring password changes

[ChrisF79]

I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attemps at getting in the financial software, you're locked out. You have to call a completely different person that the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.

Re:IT requiring password changes

[alan_dershowitz]

Where I work (which shall remain nameless) people get around this password restriction by making their password "SOME STRING"1, then when they have to change it in a few weeks, "SOME STRING"2, and so on. I can't believe this is any sort of superior "security", badgering people into choosing terribly predictable passwords.

Given up

[mikejz84]

I have given up with passwords and just switched to 'asdfasdf1234' never cracked yet.

Information Security

[Divide By Zero]

Something you have (physical key)
Something you know (password)
Something you are (biometrics)

One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.

You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

Re:Information Security

[John Harrison]

There are products out there from companies such as ActivCard and Protocomm that will securely store your passwords and also enter them via a script. Generally the use has to remember one password (called a PIN) to open up their smart card and then they don't need to remember anything else. Having a token and a single comples password (and/or a biometric) is generally more secure than trying to juggle dozens of individual passwords.

Disclaimer: I install such systems for a living, so I might be a bit bia

Re:Information Security

[99BottlesOfBeerInMyF]

Something you have (physical key)

Something you know (password)

Something you are (biometrics)

I strongly object to this bastardization of traditional authentication scheme theory. "Something you are" is a load of crap. It is an attempt to graft biometrics onto existing theory without evaluating how they really work. Biometrics identifiers are just something you have and need to be evaluated on their strengths and weaknesses on that basis. For the most part biometrics are something you have that you keep with you all the time and cannot easily remove or change. This is good in that it makes them harder to steal and less likely to be lost. This is bad because you cannot put them away somewhere safe and are constantly exposing them to the possibility of being copied. It is also bad because unlike other things you might have and use to authenticate, biometrics are almost impossible to change, so once compromised are a nearly permanent vulnerability. Finally, biometrics are bad because they can lead to the escalation of a crime in that their theft can be physically damaging. Take note of the man who was first kidnapped, then had his thumb cut off when car-jackers wanted to be able to start his fancy thumbprint lock car. Criminals don't need to be given extra motivation to commit mutilations.

Biometrics proliferate these days largely on their "cool" factor. The more blinking lights and high-tech gadgets the more secure it must be, right? Sadly they are being used to replace either the something you know or something you have in traditional biometric schemes, with the end result being less overall security. Biometrics have their place, and that is in a tightly controlled environment, supplemented by human observers to prevent copies from being easily used, and as an additional security measure on top of "something you know" and "something you have" that can't be copied from your beer glass at the bar. They do not belong in an authentication scheme in place of either a traditional "something you know" or "something you have" unless your goal is to have very, very convenient placebo security that is trivially bypassed by design.

Re:Information Security

[darrylo]

You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger [bbc.co.uk]

Password manager

[Neil Watson]

I encrypt my passwords in a text file. Many passwords I can remember but, some are used infrequently. Keeping them encrypted yet easy for me to access has made my life easier. I wrote about it Here [watson-wilson.ca]

For everyday users I don't think constantly rotating passwords is a good idea. It's too inconvenient for them. Once that happens they start to write them down. I think a combination of a hardware key and a passphrase offer better security. As the saying goes, something you know, something you have or someth

And for the contrary opinion

[joeflies]

CNET commentator mentions that you should take the results with a grain of salt [com.com]. A company that sells tokens wouldn't publish a report saying that most people are ok with passwords. And also note at the end - the actual survey data is not available to you unless you're a member of the media.

Then there's also the fact that Lloyds performed a survey [lloydstsb.com] that contradicts the findings - passwords are fine as long as there's proper education.

Get rid of them

[Otter]

At least part of the problem in my workplace is that there are dozens of different webapps (which is a problem in and of itself), each of which has a different login/pass combination. It is simply impossible to not write them down.

A simple solution would be to just eliminate password protection on most of them. They're only available on the intranet -- is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?

Re:Get rid of them

[Kainaw]

is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?

Funny you should ask... I found the web-based Sexual Harassment training a stupid waste of time and energy. I tried to get it stopped, but management wouldn't listen. So, I wrote a script that pulled everyone's username from LDAP and completed the training for them on the first day it was available. Everyone got a "thank you" email and nobody wasted any time (except me - but then I spend my day reading slashdot).

Re:Get rid of them

[jjoyce]

But now you've got bigger problems 'cause they're all running around playing grab-ass.

The right tool for the job

[El Cubano]

Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

Just use the right tool: MyPasswordSafe [semanticgap.com]

There is also a GNOME or GTK tool that is similar, but I didn't like the features nearly as well. This thing will store your passwords in an AES encrypted file protected with (I believe) an arbitrary length passphrase (mine is about 100 characters). I believe that it similar to the password safe (or

One solution...

[jd]

...would be to use one password you can remember, for everything. Almost. The key is in that "almost". You have a password calculator, on which you enter your password and the name of the facility you want to access as one long string. The calculator uses a hash function to turn that into a meaningless string. You now have one unique password per machine you want to use, but only one password to actually remember. Nothing is written down and if anyone examines the calculator, all they'll see is a device tha

Keep it simple

[$RANDOMLUSER]

I use MYCROFTXXX.

I use Password Safe

[alan_dershowitz]

I use Password Safe [sourceforge.net] on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application. In x86 Linux I access it using Wine [winehq.org], which works fine. For my OS X machine, I use pwsafe [dyndns.org], a console app that lets you access Password Safe databases, and dumps the password directly into the X clipboard buffer. (Use the CVS version, the latest regular build can't access the latest Password Safe database format.) I found other unix password safe compatible workalikes to be extremely poor.

This solution works well for me. Just make sure you back up your pen drive.

Simple Method

[abscondment]

I never seem to run into this problem. I have one password, with roughly four levels of complexity. Each version has the same meaning, and as such they're all easy to remember. Which one I use depends on the criticality of the resource it protects, but no matter which one it is, I'm never more than 3 tries away.

Now, when there are policies in effect that enforce password changing and prohibit reuse of old passwords, this presents a problem: it's hard to continue generating new obfustications of the same

What about passphrases?

[jotok]

It's a lot easier for me to remember "It was the best of times, it was the worst of times" or "Iwtbot,iwtwot" than some "strong" password (say, 10 characters, case-sensitive, with special characters and numbers thrown in).

Although we'd still have to deal with most of my co-workers using "Git r dun!" as a passphrase...le sigh.

I work in web hosting...

[Skadet]

In the (California-based!) tech support center. You might be shocked at the number of people who have no idea how security works.

Prime example. When a customer wants to cancel their account, we direct them to an online form which asks for their registration # or domain name and their password to verify their identity. Invariably, the customer forgets their password and when we respond that we can't cancel their account without that information, they ALWAYS ask, "can you tell me my password?"

I am not joki

I'm suprised that nobody has mentioned.....

[8127972]

..... Single Sign-On Manager by RSA. [rsasecurity.com] The IT manager then has the choice of using an RSA SecurID Authenticator, RSA Smart Card, RSA USB Authenticator, a biometric or (god forbid) a password.

Security

[Widowwolf]

Thsi is why i use a free a free program called Password Safe (http://www.schneier.com/passsafe.html [schneier.com]) You remember 1 password to login to your safe and then you can see all your entries from there..and as far as i know there is no limit on #1 the entries in each list, #2 The amount of lists you can have..you just have to remember that one password..a definitely good utility for windows..all you apple and linux heads..dont know if it will work for you.It only takes a second to login and your are ready to go.. and when the fiel that stores them auto encrypts your data..as far as i know no one has broken it..From thier front page

With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.

Re:Security for Apple Heads

[PhunkySchtuff]

Us Apple Heads, as you put it, don't need Password Safe (as good a product as it is) as we have, built right into the OS, the Keychain - an AES128 encrypted file containing

• Web Passwords
• Application Passwords
• Security Certificates
• Public/Private keypairs
• Secure Notes

It integrates with most apps on the system so, for instance, if I go to a passworded site in Safari (the Web browser) and Safari can get the username and password from the keychain (by asking me for my keychain password) and then I can option

Text file with automatic encryption/decription

[Gzip Christ]

Here's my solution... I have emacs set up to automatically encrypt and decrypt files that end in .gpg when I open/save them. It's very handy for safely keeping all my passwords. I use crypt++ [freshmeat.net] and this snippet for my .emacs file:

(setq exec-path
(nconc exec-path
'(
"/usr/local/bin"
)))
(load-librar y "mailcrypt")
(setq crypt-encryption-type 'gpg)
(require 'crypt++)

There's some decent password managers

[Nik13]

Too many passwords? Definately, especially if you work in IT, I have dozens of them to remember... Even for home stuff I got dozens: different forums (web related, IT related, AV related, etc), news sites like /., dozens of online stores, email, etc... It's just too much for my memory, so instead of using the same password everywhere or writing them down or such, I resorted to use a decent password manager. I've picked KeyPass (worth every penny they ask IMHO), but there's lots of others - including some F/OSS ones like KeePass or Oubliette, you can even find a bunch on sourceforge, and they're usually quite simple programs to "tweak or enhance" if they're not exactly like you wish they were (add new cryptos, GUI changes, new features, etc). I've looked at the code of a couple and it was nicely done, good quality code, pretty secure stuff. It would be quite simple to make a basic one from scratch too (using some of the high level languages with very complete libraries and frameworks like we have nowadays), the DPAPI could be useful too.

Ideally it should run without being installed (and without too many dependancies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only work in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.

Not sure what's out there for linux though...

App on my Palm Pilot

[f_g_goss]

I have two apps on my Palm: one generates passwords, another stores them in a "vault" with a master password. Works well especially the password generator. I just select upper/lower/mixed case, alpha characters and how long to make the password string. Copy-paste into the password vault. Done.

I tried reasoning with the IT people

[TomorrowPlusX]

I made the argument, some time ago, that instead of forcing us to make new passwords every 45 days ( which is basically a solid way to guarantee weak, easily dictionary-attacked passwords stuck on the monitor ) they should allow us to keep our passwords longer the more complicated they are.

Say, I choose an easily dictionary attacked password with just 5 lowercase letters. Whammo -- I'm told I can use that password for 3 days. So I make a 20 character, non-dictionary password with a mix of letters, numbers, random symbols, etc and I'm told I can keep it for a year.

Seems to me that's a reasonable approach: reward people for better passwords.

Suffice to say, I was told: "No way, we like it as it is"

Biometrics not the solution

[millermj]

There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.

Re:Biometrics not the solution

[SydShamino]

Yes, fake fingerprints or retina are a problem for biometrics.

But, a bigger problem (for now) is someone cracking your database of biometric data, and being able to retrieve the information you store to identify people. This is why there is research into Replaceable Biometrics [computerworld.com].

If the stored database cannot be related to the person, then again a criminal is forced to go directly to the source (you) to copy or steal the finger or retina. Ideally, they would then be stopped by not knowing your password, or n

Its easy..

[slashmojo]

There's loads of handy password management apps around for all platforms such as..

Revelation [gnomefiles.org] for linux/gnome.

Lots more you can find on http://tucows.com/ [tucows.com] or your favourite software download site..

I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. its really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your pc dies.. ;)

Password Management Software

[binaryspiral]

FlexWallet or eWallet.

I prefer FlexWallet for all of my passwords. I use more than 30 passwords just for systems I am responsible for accessing. It has a desktop app and a pocketpc version that syncs when docked.

Triple encrypted goodness on the database it uses. Now I just have to remember the password for that.

My System for Passwords

[under_score]

I have three "good" passwords upon which I create variants. The three basic passwords all have a pseudo random combination of caps, lowercase, numbers, and punctuation. Then, when I have to change a password due to corporate policy, I simply change a single character so that my password gradually evolves... and stays very memorable. Admittedly, remembering the base passwords in the first place was a bit painful. But so far that I know of in over ten years of use, I have never had a password compromised, including passwords on servers that are publicly accessible. In my own experience, most tech users who are not technically inclined do indeed have very poor passwords: sometimes just their names even. I try to educate people on it but it is hard going. Most people just don't feel that it is worth the bother... and probably from their own perspective, a risk analysis would show they are correct.

My girlfriend does this

[AutopsyReport]

If my girlfriend needs a new password, she doesn't think of something personal to turn into a password, but instead finds objects around the computer (that will usually never stray from it) and uses that as her password. So for example, a Dell Trinitron monitor, her password becomes trinitron. She picks up brand names from things associated with her work area or things around the house, and uses it once. At least the password isn't carried over to different accounts she has, and the password is easy to reme

Didn't there used to be a keychain fob for this?

[mckwant]

I seem to recall something on thinkgeek or something that had five buttons, and required 5+ keystrokes to validate that you could get into the password file. Then, on the attached LCD display, you'd see your passwords.

Seems like exactly the sort of thing that would be useful in this sort of situation. Anybody else had experience with this gadget, or similar?

What's news?

[Tony]

Every few months somebody makes the "discovery" that users can't remember all their various passwords, and that help-desks are swamped changing passwords, usually for the same dozen users that can't remember how to do their own job on the computer, and are always asking for help with some program called "Microsoft," as in, "Oh, I'm using Microsoft, and I need to know how to find out how many departments have gone over budget."

This is the same damned thing that's been going on for almost twenty years. And y

I write my passwords down.

[LionKimbro]

I write my passwords down in a special location in a special book.

• You can't look at my password over the Internet.
• You can't (for at least 30 years) make a robot that will find my passwords.
• If a server that stores my password is compromised, then it is only that password that is compromised.

I have offloaded Internet security into Material security.

I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.

It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.

But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.

I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.

If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; Rather, tell me what you really do.

Re:I write my passwords down.

[Catamaran]

That is also what Bruce Schneier does. [schneier.com]

Simple, elegant solution

[pubjames]

I saw on a web site somewhere (sorry can't remember where) a simple, elegant solution to this problem, at least when it concerns logging on to web sites.

You have a single password. This password is combined with the domain name and then processed with an appropriate mechanism (e.g. MD5) to produce a unique password for an individual site.

I think that's a great solution and think it should be incorporated into all open source web browsers. The user doesn't even have to know it is happening. Much more practical than biometric solutions.

Use tokens, and let users pick their passwords

[m50d]

If you try and force users to use stronger passwords than they can remember or change them too frequently you'll just get post-its and helpdesk. If their passwords aren't secure enough, get them to use etokens or something similar.

I changed my password this morning

[RingDev]

And I had some app running in the background (something FF related?) that kept trying to auto apply my original password (yes I cleared password from inside FF). After the 6th lock out of the day, I got my network tek's to let me reset my password.

Total cost of the password change? Maybe a manhour's worth of time (between myself and waiting on the teks, and the teks stoping their work to fix my account). So maybe a hundred dollars or so. But we have 800+ employees in 5 branches. That's a lot of password change headaches.

-Rick

Password expiring

[BrookHarty]

I started using robotron, way too many passwords to type in daily. I have password safe with over 300 passwords, from sites, servers or applications. Crazy.

Then IT thinks its good to change passwords every 30 days on some sites, password management alone takes 1-2 hours a week, not counting the times I have to change passwords for other people.

If anyone knows a opensource robotron replacement that works in both IE and Firefox, reply. As for password safe, been trying a new opensource one called Keepass [sourceforge.net] that looks pretty nice, and ported to multiple platforms.

the key problem

[timmarhy]

the key problem here, is that people are lazy and stupid.
the best way to secure something without taxing the average persons feeble brain is to use a password and an ssh key on a swipe card or a usb drive.
that way even if someone gets one they are very very unlikely to get the other. it also means you can change the ssh key on them without them having to remmeber anything. hell in a system i'm impementing everyone get a new key when they swipe in for the day and it expires after 24 hours.

Password safes considered unsafe

[hacksoncode]

The notion of having some master password that unlocks a "password safe" that stores all of your crazy passwords for different sites is a powerful one, but it has one huge hole that has bitten me more than once.

Windows (as would be any OS that attained broad use) and/or disk hardware are sufficiently unstable that I occasionally have to scrap my existing data and start over from scratch. Additionally, I use many different computers on different networks to access the same websites, etc. Backups are a pathetic workaround for this, and are themselves a vulnerability.

In fact, any scheme that relies on a password safe resident on one machine will always be susceptible to catastropic lossage, and is a pain to use on other machines. And any scheme that relies on 3rd party storage of the passwords is vulnerable to attacks on that storage and is inherently harder to maintain.

Personally, I think the only thing that will eventually solve this problem is a single password plus a smartcard-like system (with automated backup to some other local storage). We're not going to get there easily, though. And it's not a panacea either, because smart cards can be lost, stolen or fried just as easily.

Ironically, this problem is essentially another variant of the fundamental issue surrounding identity theft: in an information society, it's absolutely crucial that we be able to reliably uniquely identify every person, but anything we use to do that will end up being abused just like SSNs.

The password pyramid

[TheLittleJetson]

At the top, are your ultra secure passwords that you only use for your bank / brokerage / etc. At the next level down, is your password that you use on all your personal computers, encrypted volumes, shell account, etc. Below that, is your password that you use for stuff you login to over the internet and don't want other people logging into (e-commerce, etc). Below that, is the one you use for crap you couldn't care less if people use (nytimes.com, etc.).

If you follow that system, you'll end up with only half a dozen passwords or so, and you'll still be pretty secure, as the important passwords aren't used as often as the less important ones.

easy password

[Ranger]

I have a password that will be easy for everyone to remember, foo.bar. Change it to that and everyone send me your id's and I'll make sure it's secure. That way everyone only ever has to have one password.

I worked for a company that had the most retarded rules for passwords. It had to have a number and a capital letter in it. The number had to between the first and last letters. We had multiple logins for various systems. We had a separate login for our computer, then a login to access our application suite, then a password for each application. And we had 7 or 8 of them. Needless to say, I kept the same password for as many of them as I could. My password was ih8Sprint. And then they made us change them every 60 days, so it became Ih8sprint, then iH8sprint, then Ih85print. You'd never guess who I worked for.

Mobile phones?

[Trejkaz]

I don't work for sun, but I think that the mobile phone makes a pretty good store for passwords encrypted by a master password.

The PC is obviously out of the question if you use different operating systems... for instance, my home PC is primarily a KDE desktop, so its wallet app is used for storing all passwords. But I have no simple way to access that wallet from the Winblows machine I have to use at work.

Phones, however, usually have this "code memo" feature these days, which lets you wrap any information you want in crypto, and seems to be quite useful for password storage.

Of course, the same master password problems apply... if you lose that one password, you lose them all. And if someone steals that one password (and the phone) they steal all your passwords. But it's better than a simple text file on disk somewhere, and much better than the post-it notes.

Security versus the ability to work

[gdav]

Where I work (a university) we used to have a fairly fierce password regime. Change it every four weeks, no re-using of old passwords, minimum eight characters including mixed case, numerals and punctuation - that kind of thing.

Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).

The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.

dedicated PDA

[Maljin Jolt]

One USB stick is not enough for your passwords.

I picked one of my PDAs fully dedicated for only password database, plus other technical details for my machines, net services or other accounts. Methodically not using it for anything else, no network, no usb plug to any machine, ever. Backups on flashcards. Second identical PDA in the drawer, without data but ready to accept backup flashcard at any moment, usualy used for playing with NetBSD.

Today, the database has 726 records of active nick/identities, Maljin Jolt on Slashdot among others. What a pile of sticky labels could that be!

Re:Just use your Social Security number.

[AutopsyReport]

And if the encryption scheme being used was later broken, not only would someone have all the passwords, but all the corresponding social security numbers as well. I'd say that's not too good :)

Re:Just use your Social Security number.

[AutopsyReport]

Wow... Hook, line and sinker. What a bitch!

Re:Just use your Social Security number.

[everphilski]

No letters. Won't pass on some password systems.

-everphilski-

Re:Just use your Social Security number.

[SatanicPuppy]

Don't even need to break the scheme really. Ever notice that some sites, when you forget your password, will email it to you? Email you YOUR password, plain text, through email. Which means they're storing it in a format that is readable to them, AND they think email is an acceptable medium for transporting passwords. Oy vey.

That kind of stuff makes me crazy. Any system I design has completely obfuscated passwords, the sort that can't be retrieved but have to be reset. To authenticate I mangle the password

Re:Just use your Social Security number.

[merreborn]

Just use your Social Security number... Good idea?

No.

That's about as secure as your mother's maiden name, or your dog's name.

Which is to say, it's the worst password imaginable.

Do you want your father/mother to have access to all your accounts?

Hell, for wellsfargo.com, your SSN is your username!

Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one

Re:Just use your Social Security number.

[team99parody]

encrypting the SS#s when we submit them to companies.

Hmm.... For all these guys worrying about using a different password for each website - would it be legal to "make up" fake SS#s when dealing with stupid organizations who shouldn't really have access to it anyway. Personally, I think I'd feel quite a bit safer if my school (where I know the guys running IT) didn't have access to the same SS# for me as etrade.

And for that matter, I'd feel even safer if flakey companies like Visa who use even flak

Re:My password

[game kid]

Somehow I feel that post just invalidated those passwords. ;)