Crack a Password, Save Norwegian History

Christian writes "With the death of the only person who knew the password to an archive held at a museum in Norway, suddenly the data became inaccessible. The result? A nationwide radio appeal asking for "hackers" to volunteer to help solve the problem! The Norway Post has the story." I wonder if they looked under his keyboard yet..

so.. how are we supposed to store passwords?

[dikappa]

This is an interesting issue. Any -minimally skilled- IT operator knows he should never tell passes to other people. But, what if this person dies? How can we safely store passwords so that those can be retrieved if "shit happens"? Probably we cannot use encription (you need a pass to decrypt stuff), so what? Probably for most of us, a piece of paper in a safe place at home is enough, hackers *usually* do not break-in to get passwords. But I guess there is people around protecting *really* important data, and they do not trust anyone... what can they do to make passwords "undiscoverable" until "death" or sudden amnesy?

Re:so.. how are we supposed to store passwords?

Maybe i'm missing the obvious but....

Lawyers are bound to non-disclosure of an individual's last will and testament, if I am not mistaken. (until death, at which time it is revealed to those individuals referenced therein)

It seems, therefore, that the password (or some part of it at least) should be kept in the will, which should only be accessible once you die. Although this will rely on confidence in the lawyer you choose, their firm, etc.
But generally, seems like it should work.
If necessary, tell the other half to one or two other big-wigs, or stored in a safe. So both your death and the aforementioned access are necessary.

Re:so.. how are we supposed to store passwords?

[dangermouse]

You do change them, right?

Hell no.

That is the single most hare-brained bit of common security "wisdom" in the world.

Years ago, I picked a password that's random as hell and was very difficult to remember. No password cracker-- dictionary *or* brute force-- has broken it yet. I use this password on about ten systems.

If I changed those passwords on a regular basis, I'd have to come up with something easier to remember to make up for the decreased learning time. That would likely make my password less secure.

I keep running into admins who-- by hook or by crook-- make their users change passwords periodically. The result? Passwords on Post-It notes; passwords that are the names of pets or wives or firstborn children; sets of passwords that are absurdly simple and that get cycled through.

If they had just let the users keep their original passwords and run a cracker against the shadow file to turn up the overly simple ones, their systems would be a lot more secure. But somebody told them changing passwords frequently was a good idea, and by god their users are going to change passwords frequently.

I see 5:

[Confuse+Ed]

common utilities

1) tar
2) ar
3) grep
4) ps

and not so common
5) rep (well its installed on my system, but I'd never heard of it, further investigation reveals it to be a standalone lisp interpretter from the librep package (see "info librep", I am indeed learning something new every day))

What's needed is a "dead man's 'bot"

[Raetsel]

A simple program... something to send that important email, decrypt the data that you honestly don't have to safeguard anymore, etc. A program to take action when you haven't proven (password | biometric | whatever...) your continued existance on a pre-arranged schedule.

And wouldn't you know it, one exists!

I caught this discussion at Ars Technica last month. It refers to a cool-sounding program called "Dead Man's Switch (DMS)", which caught the attention of the New York Times.

Just a few issues...

• Don't go on vacation for a longer period of time than you have the 'bot set for
  (see either link, "If you're reading this, I'm dead!" type goofs have happened!)

• What happens when you actually do pass on to the great unknown, don't manage to pay your bills, and your (ISP | power company | shell host) kills your service?

• Or, more simply, what if your next of kin just tag the 'ol power switch?

Oh well... no person (or thing!) is perfect. Norway is keenly aware of this right now.

Re:What's needed is a "dead man's 'bot"

[jhines0042]

Seems like this would be an ideal hosted service. On its regular schedule it sends you an email to remind you to go to the web site. If you don't go to the web site within a certain (configurable) amount of time to "reset" the switch then the action is taken. The action is most likely an email release of some data to certain folks.

But for a fee it could be something more complicated.

Of course, keeping this site secure would be most interesting once people started using it for self protection blackmail "you'd better not kill me" purposes like what always happens in the movies.

Info desired to crack the password...

[gdyas]

The following info would help:

• All the names of his family & friends.
  
• All the birth/death/anniversary/etc dates he'd know, especially children or parents.
  
• Prominent words or phrases displayed in his office.
  
• A selection of words germane to his profession.
  

Combine that with the dictionary, mix well, apply cracking script and, most likely, open sesame.

As Richard Feynman used to say about safes, 99.9% of what keeps people from getting in is the perception of security, not real security. This from a guy who used to sneak in & out of Los Alamos at will during the Manhattan project.