Slashdot Mirror


Real Security?

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"

41 of 557 comments

  1. Definitely by sosume · · Score: 4, Interesting

    Come on, who uses passwords like '%33#Gt(;' nowadays... especially with multiple logins.

    1. Re:Definitely by Prof.+Pi · · Score: 5, Informative

      A pretty easy way to generate passwords that pass most picky password approval checkers is to take a phrase that you can easily remember, and then take the first letter of each word. Include punctuation to get the requisite non-alphanumeric characters. Make at least one numeric substitution if you're required to have a number. For instance:

      N4N.Stm.

      ("News for Nerds. Stuff that matters.")

    2. Re:Definitely by G-funk · · Score: 5, Funny

      Oh my god.... I have the exact same password on my luggage!

      --
      Send lawyers, guns, and money!
    3. Re:Definitely by Anonymous Coward · · Score: 5, Interesting

      Me. But I probably do it in a very unique way.

      I have a three tier password system, with passwords "expiring" every 30 days.

      Tier 1 passwords are things like root passwords for systems. These are 100% unique to the server they belong to, and are changed without fail.

      Tier 2 passwords are passphrases for my ssh keys for non-privileged accounts. These are the same for 2 or 3 boxes, and again change every 30 days. When I expire tier 1 passwords, they are sometimes moved down to tier 2 for ease of remembrance, though never for the same servers.

      Tier 3 passwords are for websites, like this one. Usually most of my website accounts share the same login details, as I'm not really bothered if someone logged onto Slashdot and stated that I'm a gay faggot or whatever. Tier 2 passwords are usually passed on when they expire.

      I tend to treat passwords as something like special email addresses. You rarely forget an email address because it's in a known format: something @ something . something. So therefore I base my passwords on a similar format, one that I can remember or work out, e.g. AAAA!AA.AA@A# gives me a more memorable password than #@##23$ssDx_ which would be an excellent password except for the fact that it sucks :/ Saying that, I change the format as often as I change the passwords, every 30 days.

    4. Re:Definitely by xmath · · Score: 5, Interesting
      "Come on, who uses passwords like '%33#Gt(;' nowadays.."

      I do. :-)

      The funny thing is, I don't actually remember the character sequence. Maybe it's because I play the piano, but I remember the hand motions of typing the password. So to pick a password I just generate a few random ones until I find one that "feels" okay.

      I wonder how many people do this too

    5. Re:Definitely by red+floyd · · Score: 5, Funny

      Roland: One.
      Dark Helmet: One.
      Colonel Sandurz: One.
      Roland: Two.
      Dark Helmet: Two.
      Colonel Sandurz: Two.
      Roland: Three.
      Dark Helmet: Three.
      Colonel Sandurz: Three.
      Roland: Four.
      Dark Helmet: Four.
      Colonel Sandurz: Four.
      Roland: Five.
      Dark Helmet: Five.
      Colonel Sandurz: Five.
      Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      --
      The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  2. Common Sense by The+Snowman · · Score: 4, Insightful

    Are we increasing security too much, so that the users circumvent it?

    Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
    1. Re:Common Sense by arnie_apesacrappin · · Score: 5, Interesting
      "fail to put any thought into what is needed to be effective"

      I recently got into an argument with the head of the security program at the university I'm attending over a similar situation.

      When resetting my password, which was not expired, I was required to go through a 20 minute online "security training" seminar. It was only 10 questions, but the site was so incredibly slow that clicking through the 10 questions (about 3 pages per question) took 20 minutes. The questions covered the basics of security (don't give out your password, etc.). Two of the "correct" answers were technically wrong.

      After expressing my displeasure with the questionnaire and pointing out the technical problems, the administrator chastised me for "not thinking that security education was a good idea." I pointed out that I thought it was necessary, only he did a poor job of it. He missed the same thing that several security programs miss when educating the users:

      Security training is useless if the user ignores it.

      I was going to add "or is annoyed by it", but I can think of one security awareness activity that pissed off several people, but was highly effective.

      After weeks of notifications about laptops needing to be secured when not attended (i.e. overnight), we went on a laptop finding mission. Any person that left a laptop not physically secured to his/her desk came in the next morning to find a slip of paper telling them where they could claim their laptop. Several people were very upset, but also remembered to lock up their laptops before leaving.

      --

      Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

    2. Re:Common Sense by Snorpus · · Score: 4, Interesting
      "Security training is useless if the user ignores it."

      I had a similar experience at the Community College where I teach. After the Sobig, Blaster, etc. attacks of a few months ago, they (Information Technology) installed a McAfee program called "Stinger", which runs every time a user logs into the network, and (apparently) scans the hard drive for virus infected files.

      Takes 10-12 minutes to run.

      Classes are 50 minutes long.

      Stinger responds to the STOP button

      ---> Illusion of Security!!!

  3. The greatest threat... by Da+Fokka · · Score: 4, Insightful

    to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.

    Social engineering can get you a lot further than being a l33t h4x0r.

    1. Re:The greatest threat... by Total_Wimp · · Score: 5, Interesting

      The human factor can screw you in more than just the social engineering scenario. One of my favorites is personal firewalls. Since normal humans have no idea what *that* program file is or why it might want to talk on *that* port, they just hit 'yes', and let the attack right in, or they hit 'no', and disallow a perfectly useful application.

      My company now wants to deploy these magical devices to all employee computers and can't figure out what I mean when I say they'll make things less secure. I think this article was dead-on.

      TW

    2. Re:The greatest threat... by cgenman · · Score: 4, Interesting

      Except that security measures necessarily are a human factor. Human nature cannot become the bottleneck in a system designed to work with / thwart human nature. You might as well say that all passwords should be 1MB of random binary culled from decaying atoms, or a 1GB flash disk welded to the spine of the user.

      People have a limited memory. They generally remember three or four passwords. Deal with it. Either use biometrics, or a password culled from a sentence (as another poster suggested). Or do a dictionary attack on all users' passwords at signup time, and refuse anything in the OED. Or use one of those nifty word verification challenge-response things that are all the rage in web-facing pages.

      People don't change their passwords. Deal with it. Either they're going to write them all down somewhere, or they're going to memorize them. If they write them down, they're susceptible to attack. If you force them to change their passwords, they can't be memorized. But if they are memorized, they can't be compromised with any method that would otherwise catch any login.

      And yes, any network can be compromised. You have to reduce the risk, but you also have to work with the way that people work. I worked at a place with randomly generated 8 character ascii passwords. For security's sake, the password system was case-sensitive. For simplicity's sake, the passwords generated were all upper-case. Invariably, new hires were given the password as lower-case (which makes sense to us humans), and then wondered for weeks why it wasn't working yet.

      I use a password storage system with 256-bit Blowfish encryption, but the idea that I have to store passwords in a password-protected system is a little scary.

      Security is the human factor. How do you give access to one person and not another? How do you verify identity? What can't be faked and / or given away? If by social engineering you mean sneaking into someone's job pretending to be the plant waterer, then stealing the password they have taped to their monitor, then yes, social engineering is part of being a l33t h4x0r. Mitnick's greatest exploits generally involved pretending to be one person to gain enough access to pretend to be another.

  4. Enforcing passwords != Increasing security by Tony+Hoyle · · Score: 4, Insightful

    You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things and utterly destroy the existing security.

    Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security', they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience'.

    1. Re:Enforcing passwords != Increasing security by dgatwood · · Score: 4, Insightful
      Indeed, it is all too common to see people make things less secure when trying to make them more so. Some classic examples of this include:

      • Password aging (people pick weaker passwords as a result)
      • Airport screeners no longer doing hand checks for computers (with bomb residue tests and verifying that they really are computers)
      • Requiring a different password for every system (my birthday, my house number, my phone number, my dog's name, my mother's maiden name... there, that's the first five...)
      • Asinine rules that require a number in your password or other highly specific rules (aha, now our dictionary search can skip any choices that don't contain a number! Oh, and his password is now John1. Real improvement.)
      • PIN numbers (false sense of security... it doesn't take long to guess one)
      • Security digits on the back of credit cards (also false sense of security, as anyone who steals the card number can probably steal this as well)
      • No knives on airplanes (now the only people who will have them are the terrorists)
      • Arming pilots (terrorist breaks in, surprising the pilot, grabs the pilot's gun off the shelf, and now he has a gun instead of just a box cutter)
      • Antivirus software (fix the real problems, or else they will just keep escalating and lead to a false sense of security)
      Or, as I've always said, anyone who claims to be an "expert" probably isn't. Beware especially of anyone who claims to be a security expert.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Two minds about it by Carnildo · · Score: 5, Interesting

    Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"

    As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Two minds about it by Carnildo · · Score: 5, Informative

      Voice recognition can be bypassed by a $10 piece of technology known as a "tape recorder".

      And it can fail to recognize a valid user if they happen to have a sore throat.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Two minds about it by treat · · Score: 4, Informative

      Thanks for providing a classic example of a bad security idea. Your voice is not unique to you. Anyone can record it and play it back.

      Also, biometrics are worthless as the sole factor because if copied they can not be changed.

      If you care this much about security, use s/key (or OPIE) or any similar algorithm. Let the user carry around a device that calculates the next password. RSA SecurID is nice if you don't trust your users not to share their passwords, though not as secure as s/key.

      All the hard problems are solved. Everything that's left is human factors.
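
What the s/key (or OPIE) scheme treat recommends actually does, as an added illustration by the editor; this is not code from the thread nor from the S/Key or OPIE implementations. It is a Lamport hash chain: the client keeps a secret, the server stores only the top of the chain, and each login hands over the next link down. To keep it short it uses SHA-256 and raw bytes where real S/Key folds MD4 or MD5 output to 64 bits and prints it as six short words, and the names (Server, Client, enroll, login) and the secret and seed values are this example's own assumptions.

```python
# Added example, not code from the thread or from S/Key/OPIE. SHA-256 and raw
# byte strings stand in for S/Key's 64-bit folded MD4/MD5 and six-word encoding.
import hashlib
import secrets


def h(value: bytes) -> bytes:
    """One hash step of the chain."""
    return hashlib.sha256(value).digest()


def chain_value(secret: bytes, seed: str, k: int) -> bytes:
    """h^k(secret || seed): the k-th link of the chain, recomputed on demand.
    A negative k (exhausted chain) falls through to h^0."""
    x = h(secret + seed.encode())
    for _ in range(k):
        x = h(x)
    return x


class Server:
    """Holds only the public seed, a counter and the last accepted link.
    The secret never reaches the server, so a copy of its database does not
    allow a login."""

    def __init__(self, seed: str, n: int, top: bytes):
        self.seed = seed
        self.counter = n   # one-time passwords still usable
        self.last = top    # h^n, the published top of the chain

    def challenge(self) -> tuple[int, str]:
        """What the client needs to compute the next password."""
        return self.counter - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.counter == 0:
            return False                      # chain exhausted: re-enroll
        if not secrets.compare_digest(h(otp), self.last):
            return False                      # wrong, stale or replayed
        self.last = otp                       # step one link down the chain
        self.counter -= 1
        return True


class Client:
    """The user's calculator: knows the secret and derives each link on demand."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, k: int, seed: str) -> bytes:
        return chain_value(self.secret, seed, k)


def enroll(secret: bytes, seed: str, n: int) -> tuple[Server, Client]:
    """Enrollment: the client computes h^n once and hands it to the server."""
    return Server(seed, n, chain_value(secret, seed, n)), Client(secret)


def login(server: Server, client: Client) -> bool:
    """One login round: challenge, client response, server check."""
    k, seed = server.challenge()
    return server.verify(client.respond(k, seed))


if __name__ == "__main__":
    server, client = enroll(b"constructed-demo-secret", "ke1234", 3)  # assumed values
    for _ in range(4):
        print("login:", "ok" if login(server, client) else "rejected")
```

A password seen on the wire is useless afterwards because the next one is its preimage, which is the whole point over a static password and why treat rates it above SecurID. Two things the example leaves out: the client should refuse a challenge whose counter is far below the last one it answered (someone posing as the server could otherwise collect a link that will be valid later), and it does not re-enroll with a fresh chain when the counter reaches zero.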

    3. Re:Two minds about it by jonadab · · Score: 5, Informative

      > thisismylongasspassword

      That's better than you think. My /usr/share/dict/words has over 45000 words in it, which is probably typical. The above password is six words long (which if anything is pretty short, as sentences go). That means you can brute force it in about (45000^6)/2 tries, on average. Compare that to a typical "strong" eight-character password (e.g., "bVi-Q*cY"), which can be brute forced in (N^8)/2 tries, on average, where N is about 100 or 200 or so, depending on your character set. The sentence starts looking pretty good -- and it's a *lot* easier to remember.

      > thi!$1smyp4$s

      Yes, increasing the length to over 12 characters greatly improves the security of a traditional ugly password. (N^13)/2 is about N^5 times better than (N^8)/2, so with an N of around 80 characters (upper and lower case letters, digits, and about 20 common printable punctuation marks) that's about a three-billion-fold improvement in the time needed to brute-force it.

      I personally tend to favour a combination of these approaches. Take your sentence (say, "I tend to favour a combination of these approaches."), make a handful of key substitutions, and you get a password like this:
      I-t3nd-2-PHavour-a-c0mbinat|on-0f-these-approacheZ

      The sentence is easy to remember. In addition to the sentence, you have in the above example seven substitutions. That's a total of eight things to remember, barely (if at all) harder than tB8k^yQp and pretty much impossible to brute force. (If you do the arithmetic on this sucker, it's impressive. Even assuming a clever modified dictionary attack, the sentence is nine words long (nine *words*, not nine chars), and furthermore there are several possible ways to mangle each word. The mere electricity your CPUs would use up running the possibilities boggles the mind; whatever the password is protecting, you could buy it cheaper.) Then you have to worry about things like sniffers, surveillance, and rubber hose cryptanalysis, if the password unlocks something worth anyone's trouble to bother with all that.

      --
      Cut that out, or I will ship you to Norilsk in a box.
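
The search-space arithmetic in jonadab's comment, worked through in Python as an added example by the editor (not code from the thread). The 45000-word list, N = 100 and N = 80 alphabets and the 13-versus-8 comparison are the figures from the comment; the guess rate is an assumption. The numbers hold only for words and characters chosen uniformly at random: a sentence a person actually remembers has much less entropy than six random dictionary words, and a guesser who knows the substitution scheme searches phrases and mangling rules rather than characters, which is the "clever modified dictionary attack" the comment sets aside. The last function puts a number on dgatwood's complaint (comment 4.1) that a "must contain a digit" rule tells the attacker which strings to skip.

```python
# Added example, not code from the thread. The word-list size, alphabet sizes and
# guess rate below are assumptions taken from the discussion, not measurements.
import math


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Bits of entropy in a passphrase of `words` words drawn uniformly (with
    replacement) from a list of `wordlist_size` entries; word order matters."""
    return words * math.log2(wordlist_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses for exhaustive search: half the space."""
    return 2.0 ** bits / 2


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average wall-clock time for exhaustive search at a given guess rate."""
    return expected_guesses(bits) / guesses_per_second


def speedup(bits_new: float, bits_old: float) -> float:
    """How many times harder the new password is than the old: 2^(difference in bits)."""
    return 2.0 ** (bits_new - bits_old)


def fraction_skippable(alphabet_size: int, required_class_size: int, length: int) -> float:
    """Fraction of all length-`length` strings an attacker may skip when a policy
    demands at least one symbol from a class of `required_class_size` symbols:
    exactly the strings that contain no symbol of that class."""
    return ((alphabet_size - required_class_size) / alphabet_size) ** length


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second
    sentence = passphrase_bits(45000, 6)        # six random words
    strong8 = random_string_bits(100, 8)        # e.g. "bVi-Q*cY", N = 100
    print(f"6 random words:           {sentence:5.1f} bits, "
          f"{expected_seconds(sentence, rate) / 3.15e7:.2e} years at {rate:.0e}/s")
    print(f"8 random chars, N=100:    {strong8:5.1f} bits, "
          f"{expected_seconds(strong8, rate) / 86400:.1f} days at {rate:.0e}/s")
    print(f"13 vs 8 random chars, N=80: "
          f"{speedup(random_string_bits(80, 13), random_string_bits(80, 8)):.3g}x harder")
    print(f"'needs a digit' rule lets the attacker skip "
          f"{fraction_skippable(80, 10, 8):.0%} of 8-char strings over N=80")
```

Read the output against the comment: six random words come out near 93 bits against about 53 for eight random characters over a hundred-symbol alphabet, and 80^5 is indeed about 3.3 billion. The digit rule removes only about a third of the 8-character space, so the real damage dgatwood describes is not the skipped strings but the "John1" that people pick to satisfy it.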
    4. Re:Two minds about it by Lumpy · · Score: 4, Informative

      That's why I am still fighting with corporate for a great security system here at work.

      I have a test system that cannot be cracked from the outside. All users' "passwords" are 4 digits in length. They use an iButton to log in: simply insert it in the receiver on the monitor (it's on a keyfob on their keys) and type your PIN.

      Without the iButton you can't get in or access data, without the PIN the iButton is useless, and don't try to crack the code: you have 4 tries and then your iButton is erased. You have to get it re-encoded before it will work again.

      No more taped passwords under keyboards, in drawers, on monitors. The users love it, and it integrates with Windows NT and 2000 just fine. (ibutton.com if you want to find a link to the software/company that sells what I am using.)

      I can make iButtons that are single use, and we can have those same iButtons work as the door entry card-key.

      If you want more security, you can get Java iButtons and have a program in the iButton play cryptography with the computer and generate a random access key on every access, or whatever your heart desires...

      You want high security? You have to use a security device to reduce the human factor... iButtons are the cheapest solution.

      --
      Do not look at laser with remaining good eye.
    5. Re:Two minds about it by citog · · Score: 4, Funny

      You must live in one of the areas with low internet penetration ... I've had the shit kicked out of me several times just for my /. password

  6. Annoying security leads to circumvention by Karcaw · · Score: 5, Interesting

    In my case my employer added a recurring RSA security key to read the Outlook webmail. As I have been using Evolution externally on my laptop for some time, this rendered Evolution useless, because it did not understand the prompts for RSA keys. Then even if I use a web browser I have to re-login every hour. Really annoying.

    So a simple ssh tunnel into a work machine, and a modified transparent proxy setup (I had the GPL'ed source), and an iptables rule, and wow, the webmail server always thinks I'm inside the firewall.

    So while I'm doing the forward securely with ssh, they just annoyed me and I worked around it.

  7. Forced password changes by Rex+Code · · Score: 5, Insightful

    Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.

    If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.

    1. Re:Forced password changes by mo26101 · · Score: 5, Informative

      About a decade ago, I was a software developer working in a building with 2000 users. Back then we wrote apps for Win 3.1. Most users 10 years ago were even more clueless than users today, so we often had to install software for them. We would show up and tell them that we needed to install something; they would then usually say fine and go take a coffee break. Being Win 3.1, we almost always had to reboot for one reason or another in the install. This would then leave us needing to log back on to the user's computer with the user not there. At this company passwords had to be changed every 30 days and include both letters and numbers. Nobody could remember their password, so when we needed to log in and the user was not there, we would just open their top desk drawer. 9 times out of 10 the password was written on a sheet of paper in the drawer. It was amazing how many people did this.

    2. Re:Forced password changes by dasmegabyte · · Score: 4, Informative

      It shouldn't be amazing. Average people don't give a shit about security, nor should they. It shouldn't be a part of their jobs, or at least it shouldn't be something that interferes with them.

      Does this suck? Sure seems to make your job as an admin harder. But the fact is, you can't rely on end users for security anyway. What happens when Joe in accounting finds out he's about to get downsized and takes it out on the network?

      If you secured it right, nothing. He deletes some information, and you get it back in a matter of minutes from the awesome backups and transaction logs you maintain. You invalidate his login, and it's like he never existed. That's security: having a way to fix things when they go wrong, not assuming nothing will go wrong because you demand so much.

      Security against hackers is no different. Make sure they can't sniff passwords, make sure nobody has too many rights when they come in to the system from the outside world. And when you have to allow them access to something, make sure they never can do more than a day's worth of damage.

      We have a lot of customers who are complete idiots. We know there is no way they will maintain useful logins to our system -- most of them use one login (same password as the log in name) on all of the installed computers they have, because it's easier. So, our new products were designed around this. Nothing is ever deleted from the system using the client application. The client's login can only read information on a server, or mark it invisible. The "root" logins are only known by a handful of people, and are only accepted from the console. And just in case, the whole shebang is backed up daily to tape, and the transaction log cloned and packed hourly.

      So we can have our customers call and tell us "My login is carl, password carl" and I no longer roll my eyes. Because "carl" doesn't do anything more than peering through the window of an armored car.

      --
      Hey freaks: now you're ju
  8. Maybe no security at all by Rosco+P.+Coltrane · · Score: 4, Interesting

    For example, back when I was going to the University and was living in a slummy student complex where everything that could be stolen was, I used to have a shitty car, and I used to leave my car doors unlocked at night. My car wasn't a good candidate for theft, but when it *was* stolen (it happened twice), it was for joyrides and at least the robbers didn't burst the locks.

    So I guess the software equivalent of that would be to not leave expensive data that could interest people on a networked box, and to make as much of your sensitive data as possible less sensitive, by simply publishing it. GPL code, for example, doesn't have to be protected.

    I'm not saying everything should be released, far from it, but there's a lot of "hidden" data that could just be left readable by everybody, by changing some company policies and being a tad more open about everything, thus removing the desire/need to hack the box it's hosted on.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  9. passwords by Pompatus · · Score: 4, Interesting

    The biggest problem I have with strong passwords for logins is that everyone seems to have a different idea of what a strong password is. Some people require the first 2 characters to be letters, some require length to be greater than 6 chars while others are a max of 6 chars, and so on.

    I have developed a password that I use on systems I can control that consists of 13 characters, both letters and numbers, and a & sign in for good measure. It makes perfect sense to me, I will NEVER forget this password, and you would literally have to be able to read my mind in order to guess it. But most systems won't accept it for whatever reason or another, so I vary it slightly to conform to whatever rules are in effect. This creates a problem of about 5 variations of what I want my password to be.

    I think people need to be educated on how to make a strong password. It should be up to the user to provide a strong enough password, because if the user can't remember it, then the entire process is pointless. We're supposed to show photo id at school to have our password retrieved for us, but it happens so often, that the people behind the counter just do it. How many other places do this same thing, because EVERYONE forgets their password?

    Sorry for the long rant, but I felt the need to get all this off my chest :)

    --
    Squirrel ... It's not just for breakfast anymore
  10. Too many passwords - so I write 'em down! by gilgongo · · Score: 4, Insightful

    I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules as to what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)

    So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?

    So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.

    So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!

    But nobody can reliably remember SIX things to log in to one account, as well as having to remember all the other usernames/passwords, etc. they might have.

    So, I've closed my account with them. Because I think they're too damn insecure.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  11. Re:Wait a second by ePhil_One · · Score: 4, Insightful
    My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

    But unfortunately, security people are like PHBs: when they see the reaction to their security measures is circumvention (taping passwords to monitors, etc.) they think they need more enforcement, not better ideas. It's far easier to blame the user than to admit your idea was a bust.

    --
    You are in a maze of twisted little posts, all alike.
  12. Not the source, really by sphealey · · Score: 4, Interesting
    So works the mind of a D'ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.

    Take him out for a walk. Let him see the sunshine for the first time in years. Introduce him to some normal human beings. Be gentle at first; these are creatures with whom he has had no contact since being sucked into the depths of the university system.

    Then, when his pallor begins to fade and he begins to take on signs of socialization, take him into the offices in the hospital and let him see the four sets of user names and password clinging to the monitors on yellow stickies (e. g., Post-It Notes) or, for the more security-minded, slid into the top drawer where no one would think to look.

    Besides being offensive, this scenario is, 99.5% of the time, blatantly untrue. The security professionals are very much aware that the password systems don't work, and that the userids and passwords are sticky-noted to the monitor. But they have no choice: (1) no better system than passwords has yet been devised (2) they are responding to the demands of UPPER MANAGEMENT for "security NOW, dammit!" (3) upper management in turn is responding to the demands of auditors, regulatory agencies, and ultimately Congress.

    The guy in the basement office has about as much control over this process as Pvt. Beetle Bailey does over the war in Iraq.

    And really - would those same people who tape the password to the monitor tape their garage door key to the doorframe because "it is too much trouble to carry 3 keys around"? I have 15 keys on my keyring, personally, yet no one makes offensive statements about architects and locksmiths re: "door design".

    sPh

    1. Re:Not the source, really by Have+Blue · · Score: 4, Interesting

      If it was as easy to memorize a 32-character randomly generated password that changes every 30 days as it was to put one more key in your pocket, then no, no one would tape it to the door. But if my garage door key was a 6" half-pound chunk of rebar, damn right I'd find a less secure place to store it.

  13. A Simple Exercise In Self-Auditing by Bowie+J.+Poag · · Score: 4, Funny

    Exercise: Make a drawing on paper of what your system looks like from the point of view of people on the outside. Draw it in a similar fashion to how one might draw a house, or a favorite car.

    A) If your picture looks like or includes any of the following objects, proceed to step C:

    . A block of swiss cheese
    . A large question mark
    . A fat mall-cop with powdered sugar around his mouth
    . A small child in a corner, crying, holding a security blanket
    . A Diebold voting terminal

    B) If your picture looks like or includes any of the following objects, proceed to step C:

    . Fort Knox
    . A medieval castle under siege with the invaders having boiling tar poured on them.
    . A resettable Viet-Cong boobytrap with dozens of pigs already skewered on it
    . The business end of a .357 Magnum
    . An illuminated Jesus standing atop an Sun E10K
    . A solid, faceless slab of hyperdense radioactive metal extracted from the heart of a neutron star

    C) You need to increase your system's security.

    --
    Bowie J. Poag

  14. Re:password quandry by thecampbeln · · Score: 5, Insightful
    No shit! At some places I've worked, passwords are required to contain X capital letters, Y numbers, and changed once a month. So what ends up happening? After forgetting the damned thing two or three times, most users (including myself, bad form I know but hey) come up with a pattern to their passwords. So, something like this begins to appear:

    Pa55J4n
    Pa55F3b
    Pa55M4r
    Pa55Apr

    Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counterproductive security-wise. Have the ultra-secure passwords, but don't make your users change them too often or this shit begins to appear.

    --
    "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
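
One check a password-change routine can make against the Pa55J4n / Pa55F3b / Pa55M4r pattern described above, as an added example by the editor (not code from the thread, and not from any product). It undoes the usual digit-for-letter substitutions and case, then rejects a new password that shares a long prefix with, or sits within a short edit distance of, a previous one. The leet table, the 0.5 similarity cutoff and the 4-character prefix limit are this example's own assumptions. It only works at change time, when the user has just typed the old password: against a history of stored hashes you can check exact reuse and nothing more.

```python
# Added example, not code from the thread. The substitution table and the two
# thresholds are assumptions chosen to catch the month-suffix pattern above.

# Common digit/symbol-for-letter substitutions, undone before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case and de-leet, so 'Pa55J4n' and 'passjan' compare equal."""
    return pw.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def too_similar(new: str, old: str, max_similarity: float = 0.5,
                max_prefix: int = 4) -> bool:
    """True when `new` is a predictable variation of `old` after normalization:
    either a long shared prefix or a small edit distance relative to length."""
    a, b = normalize(new), normalize(old)
    if a == b:
        return True
    similarity = 1 - edit_distance(a, b) / max(len(a), len(b))
    return similarity >= max_similarity or common_prefix_len(a, b) >= max_prefix


def check_new_password(new: str, history: list[str]) -> tuple[bool, str]:
    """Accept/reject a proposed password against the user's previous ones
    (plaintext is available for the current one at change time; a longer
    history would have to be kept in a form that permits this comparison)."""
    for old in history:
        if too_similar(new, old):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    history = ["Pa55J4n", "Pa55F3b"]                    # constructed, from the comment
    for candidate in ["Pa55M4r", "Pa55Apr", "xylophone"]:
        print(candidate, check_new_password(candidate, history))
```

The two month-suffix variants are rejected (normalized, they differ from "passjan" in two or three positions and share the prefix "pass"); an unrelated word passes. A check like this removes the incentive the comment describes only if the rotation interval is also relaxed, otherwise users move on to a different pattern the check does not model.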
  15. I use good passwords, and here's how by kaan · · Score: 5, Insightful

    And I have to spend nearly zero brainpower remembering a password. Here's what I do...

    Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.

    So an example phrase might be: "i love to post on slashdot"

    which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:

    "iltp05"

    That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.

  16. Moore's Law vs. Evolution by Detritus · · Score: 4, Insightful
    Long and complex passwords are a waste of time and do little to increase security. Computer speeds have grown at a rate much faster than the user's ability to memorize "secure" passwords. Any system that allows an attacker to use brute force guessing or dictionary attacks is broken.

    My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.

    --
    Mea navis aericumbens anguillis abundat
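    The ATM in the comment above shows the principle in miniature: a short secret is fine when the verifier, not the secret, stops the guessing. This added example (not from the thread) is a small in-memory PIN gate that salts and stretches the stored PIN, compares in constant time, and locks the card after the same three failures the comment describes; the card store and the 4-digit PIN are constructed for the demonstration.

```python
"""Lockout-based PIN verification, modelled on the ATM behaviour above.

Added example, not from the thread. MAX_FAILURES = 3 matches the comment;
the iteration count is an assumption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3         # the ATM eats the card after three wrong PINs
PBKDF2_ITERATIONS = 50_000  # assumption; raise to taste on real hardware


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Card:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


def enroll(pin: str) -> Card:
    """Issue a card with a fresh random salt; the PIN itself is never stored."""
    salt = os.urandom(16)
    return Card(salt=salt, pin_hash=_hash_pin(pin, salt))


def verify(card: Card, pin: str) -> str:
    """Return 'ok', 'wrong' or 'locked'.

    The lock flag is checked before the hash so a locked card never reveals
    whether the guess would have been right.
    """
    if card.locked:
        return "locked"
    if hmac.compare_digest(_hash_pin(pin, card.salt), card.pin_hash):
        card.failures = 0
        return "ok"
    card.failures += 1
    if card.failures >= MAX_FAILURES:
        card.locked = True
        return "locked"
    return "wrong"


def guess_success_probability(pin_space: int = 10_000) -> float:
    """Chance of guessing a uniformly random PIN within the allowed attempts."""
    return min(MAX_FAILURES, pin_space) / pin_space


if __name__ == "__main__":
    card = enroll("4921")  # constructed PIN for the demo
    for attempt in ("0000", "1111", "2222", "4921"):
        print(attempt, verify(card, attempt))
    print(f"random-guess success: {guess_success_probability():.4%}")
```

    Three tries against 10,000 PINs is a 0.03% success chance per card, which is why a 4-digit PIN plus lockout beats a long password on a system that lets guessing continue forever.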
    1. Re:Moore's Law vs. Evolution by balloonhead · · Score: 4, Funny
      But why is it that I occasionally have a mental blank and can't remember my PIN, having to turn tail and run after two failed attempts until the next day when I can try again, but when I am so blind drunk I can barely walk or speak, I can stagger two miles home, extract 10 pounds from my account (sometimes at two different terminals), get a kebab, navigate through two locked doors, urinate, undress, and get into (or near, sometimes) my bed?
      And who can explain the last three ex-girlfriends' phone numbers that I remembered to call at 4am too? I sure as shit can't remember them during the day.

      --
      This idea was invented by Shampoo.
  17. Password management by montey · · Score: 4, Informative

    I recently read a document proposing an alternative approach to an aspect of password management. I have since adopted this approach.

    The paper said that one of the biggest threats to password security was the frequency that changes were required.

    It seems that a fairly accepted norm is coming into being in the form of organisations requiring their users to roll their passwords once per month, and requiring that these passwords are unique. The problem with this requirement is that people are asked to remember so many passwords that they are tempted to either use weak passwords, or to write them down and stick them to something. Hence the previously secure password is now compromised.

    The document/approach I read/have adopted is to stop requiring users to roll their passwords every month. I now request users to roll their passwords every 3 months (once per quarter). As a result, in any year they have to get to know only 4 passwords (instead of 12), and as such can handle better quality passwords more easily.

    My users are far happier with this approach, and now see it as a reasonable compromise. As such they now buy into the concept and we find far fewer people breaching the password policy.

  18. My personal favorite by DaveAtFraud · · Score: 4, Funny

    P4ssw0rd!

    You will note that it has all of the elements of a good password such as both upper and lower case letters, numerals as well as characters and punctuation. It's also easy to remember.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
  19. security is about economics by sir_cello · · Score: 4, Informative
    Security is nothing special in itself, it's just another aspect of a problem: all problems have many aspects and as you suggest, usability is another aspect of a problem. Turn the technical aspects of the security lever the wrong way (e.g. too frequent password changes), and you lose on usability, and this potentially has a negative impact on the social aspects of the security level (e.g. the passwords are written on a post it note).

    Really, it is about economics and engineering: using the measured amount of resources to solve the problem holistically, technically and socially. Understand where all the impacts and flexible points are. This is no easy task though. Peter Neumann and RISKS have been teaching us these lessons for many years, so there's nothing new here, but it is important to continually reevaluate.

  20. Password Safe by Anonymous Coward · · Score: 5, Interesting

    I've got hundreds of randomly generated passwords stored in Schneier's Password Safe (actually, it is a sourceforge project now). I don't have the faintest idea what any of them are. All I remember is the single password for Password Safe, which happens to be a 20+ digit combination of words, initials, numbers, and a couple of symbols -- all of which are easy for me to remember.

    The password db is Blowfish-encrypted (yes, there are some cracking programs out there for it, but I'm not trying to keep the info from the NSA). Only two requirements: 1) don't forget the main password, 2) back up the Password Safe db to multiple places.

    The only passwords I remember now are my ATM PIN number, the Password Safe pwd, and that single pwd that I use for every web site that demands registration to function (where I use a fake name as well).
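    The approach above rests on one master password guarding a database of random ones, so the interesting part is how the database checks that master password without storing it. This added example is not Password Safe's format or code: it derives a key from the master password with PBKDF2-HMAC-SHA256 over a random salt, stores only a hash of the derived key as a verifier, and on unlock re-derives and compares in constant time. The iteration count is an assumption, and the encryption of the entries with the returned key is left to a vetted AEAD library and is not shown.

```python
"""Master-password unlock for a password-manager database.

Added example, not Password Safe's own design or code. ITERATIONS is an
assumption; the header layout is constructed for this demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000   # assumption; tune so one unlock takes ~100 ms
KEY_LEN = 32           # 256-bit key for whatever cipher wraps the entries


def _derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               iterations, KEY_LEN)


def new_header(master: str) -> Dict[str, object]:
    """Create the on-disk header for a fresh database.

    The derived key is never written; only SHA-256 of it is kept so the
    file can tell a wrong master password from a corrupted file.
    """
    salt = os.urandom(16)
    key = _derive_key(master, salt, ITERATIONS)
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "verifier": hashlib.sha256(key).hexdigest(),
    }


def unlock(header: Dict[str, object], master: str) -> Optional[bytes]:
    """Return the entry-encryption key on success, None on a wrong password."""
    salt = bytes.fromhex(header["salt"])
    key = _derive_key(master, salt, int(header["iterations"]))
    expected = bytes.fromhex(header["verifier"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), expected):
        return key
    return None


if __name__ == "__main__":
    hdr = new_header("correct horse battery staple")  # constructed master password
    print("right password ->", unlock(hdr, "correct horse battery staple") is not None)
    print("wrong password ->", unlock(hdr, "Password1") is not None)
```

    Because every guess against a stolen database has to pay the full PBKDF2 cost, the iteration count is what turns "there are cracking programs for it" into a cost the attacker has to budget for; the per-database salt stops a single precomputed table from covering many files.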

  21. asterisk^8 by meowsqueak · · Score: 4, Funny

    My password is easy to remember, it's just eight asterisks:

    '********'

    Sometimes I forget exactly how many, but I usually get it right the second time.

  22. Don't know my own password by soloport · · Score: 4, Insightful

    Honest, I don't know any of my passwords. If someone were to ask me for my password, I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor. The pattern I type is sort of a rhythm and can be typed very quickly.

    I've been accused (Solaris Sys Ad) of tricking the computer into not needing a password for my login name -- because I type it so quickly, it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length -- but they seem a lot shorter ;-)

    As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one -- even one I haven't used in many months! When I see passwords like "password7", I just smile; Seems to me, mine are just as easy to remember.

    Just hope I don't someday encounter a Dvorak!