Write Down Your Passwords
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Seriously though, instead of writing down the password, why not use what's already written on the hardware?
For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
See? It's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.
The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.
There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers just need to keep on trying the same password and the system will change to match it.
Rock that crushes, Paper & Scissors that don't matter.
Now we know what's replacing Microsoft Passport in Longhorn - pen&paper!
You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
It is safer to post it on here, and be sure to write the username down and what it is used for.
That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.
But really, I don't have a problem with this. Why not use one of those password vault type programs which allow users to have a master password to access their other passwords?
My password vault happens to be Firefox, though.
For context, click Parent.
with my bank name and account number next to it..
Ok, here they are:
Slashdot password: 12345
Personal site password: 12345
Bank account password: 12345
Now my password is even more secure! Yay!
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Thats where I find most cubicle passwords written down.
M$SWDYPW
Maybe they have something here.
Now nobody else use it, and promise to forget it after reading this post. Thanks.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
Dang, why did that MSFT guy have to spill the beans!
...
It's 1337 44xx0A
-- Tigger warning: This post may contain tiggers! --
This is why we need to drop the outdated idea of passwords as soon as possible and start using fingerprint scans. The only way someone can steal your fingerprint is by lifting it from something you've touched, or putting a gun to your head, or cutting your finger off, and that's all in the realm of science fiction and left wing propaganda...
This comment does not represent the views or opinions of the user.
Tattoos.
I've got the same combination on my luggage!
(sorry sorry sorry!)
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
We use physical keys to start our cars and to unlock our homes. Why don't we handle this stuff by using a similar strategy. Say a USB dongle that you need to start your computer? I've seen a few implementations of this theme, and I even believe MS threatened to do just this. Is this because the regular (l)users out there want their computer to work like their toaster does?
While it's not the best idea, it is what I do. I pick ungodly long and hash-like passwords, write them down and guard it with my life. After a while I do end up remembering them. The paper is a safeguard against forgetting them and being locked out of my accounts.
When you've got a brute-force computer that can guess every possible password you can type in (or will type in), there's not much point to having them, is there?
I have one password for all my low-level stuff (web logins, email, etc.) and one for my banking.
I have never changed them.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?
Maybe it's because people really just don't think they're that important. It'll probably take serious problems to change people's minds (like a theft of identity, or fraudulent charges, etc...)
And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems? God...those have probably done more to propagate the phenomenon of writing passwords down than anything else.
concrete5: a cms made for marketing, but strong enough for geeks.
Bruce Schneier also advocates this method on his website. I don't remember where the article is exactly (read it a little while ago) but he said basically to write them down and keep them where you keep your cash - and protect them as vigilantly. I don't think that was quite complete, myself; if I have $5 cash, I'm not going to try to prevent people from seeing it the way I'd be sure to guard a sheet of passwords from an errant camera.
My suggestion? Pretend that the passwords are a $500 bill and you're in a bad neighborhood.
I keep meaning to do this, but changing passwords is such a hassle...
Just use your slashdot UID!
If someone's hacking in from outside you want as good a password as possible... That's my fear, not someone sitting at my desk and logging on as me.
9 80786CC256E6C007EE7D2
Peter Gutmann said the same thing: you fear the hacker, not the guy stealing your PC.
http://computerworld.co.nz/news.nsf/nl/3F25D67E47
I am a leaf on the wind
My password vault happens to be Firefox, though.
How do you get your passwords out?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Writing down passwords and storing them in a secure location isn't the issue, it is portability. Most passwords these days need to go with you wherever you are, at home, the office, on travel. If your password is too complicated to remember, then it would have to be stored somewhere on your person. That's the security risk.
If you have a card in your wallet/purse with no identifying information on it, but on which is written your complicated password, this is an effective tool for password protection which I have recommended to friends for years.
However, this only applies to non-home computer security. At home users will invariably store passwords for websites and bank accounts and leave their computers unlocked and easily compromised.
So... if you are trying to protect the use of a password in a public place, and deter remote access to your information through guess-hacking this is a good system.
-Ian
Mordac isn't going to like this.
-------
And we also have a cancel button...in case you don't want toast.
then they'll take it when they chop off your hand and pry out your eye to get thru the security station just like they've already done in Hong Kong.
...
Seriously, most passwords are fairly easy to guess. Making them too hard defeats the human engram, forcing people to write them down somewhere.
You can get 99 percent of the possible security with only 1 percent of the effort by choosing a system that's not easily hackable and not based on the typical password schemas anyway.
-- Tigger warning: This post may contain tiggers! --
Gee, is that your Slashdot password?
They think that it's hard to remember an alphanumeric password with upper/lower case, but the reality of the situation is that if you write it down, you'll use it for a few weeks but after a while, just by rote repetition, it's in there and no longer an issue. When I get a new job, I create some weird ass password, hide a sticky note around for a few days with the hint, and then when I've got it straight, to the shredder it goes...
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."
What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.
Common sense...
BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.
I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little java applet around that does the same thing. If not, there's a great opportunity there, I would think.
For example, your password could be your birthdate, or favorite football team, or even the year you graduated from high school. Or all three if a longer password is necessary. It's fairly easy to learn to enter this information backwards as well, for further obfuscation, without making it harder to remember.
Gone are the days when you can leave the password blank or simply use your login name again and expect any level of security. Hackers eat that stuff up. But if you protect your account better than the rest it's more likely they'll move on to some other schmoe who isn't as hip to security as you are.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
If you have a secure system somewhere, you can use CFS, an encrypted filesystem, to store your passwords for various other systems. Then you can memorize a good password for the CFS system, and refer to it if you forget the password you're using for some other system.
This is fairly secure as long as the system CFS is accessed from is not compromised with a key logger. It has the advantages of paper, but with the capability of accessing it from remote with ssh. It also has the bonus of being harder to lose and easier to back up than a bunch of paper, and the backups of CFS are unreadable without the password, unlike extra paper copies.
Seriously, it just comes down to who you trust more.... people with access to your work area (where password would be written), or potential hackers. If you trust the people you work with (or your family members, for those at home) then what is the problem with writing down your pass? I know my dad has every one of his passwords written on the monitor itself on his home pc.
My friend has something like this, but a little more secure. For about $80 CAD, you can get one just like his. What is it? A fingerprint scanner.
When he has a login anywhere, instead of Firefox typing it on pageload, he just pushes his finger onto the pad. Chances of someone faking his hand?
Let's just say low.
Foxed Design
I agree with writing it down, but storing passwords on your computer, even encrypted, is horrible.
"A man is but the product of his thoughts what he thinks, he becomes." -Mahatma Gandhi
I typically like to use about 3-4 passwords that I rotate between sites, with different usernames. If I forget one of the passwords, I can usually guess it on the second try.
My passwords are at least 6 letters, and 6 digits. Hopefully, that is secure enough.
which we all know they won't. Most of the time we find them on a post-it note stuck to the monitor. The really sharp ones tape it under the keyboard. The best one I've seen was a guy who kept his taped under his monitor. He'd actually lift this bulky CRT every time he needed to login.
DeviantArt Page (NSFW)
One Really Bad Mistake (TM) will hurt you a lot more than it would with multiple passwords. I'm careful, I'm sure a lot of slashdotters are careful, but every once in a while someone is going to make a mistake. If it's one password for one place, it's possible to fix that. If it's the same password everywhere that becomes more difficult.
PEN15 as a password.
Are you telling me we aren't supposed to use HHKJK-D4FWY-34B2D-RB7K2-C2QVJ for all of our passwords?
I'm a SysAdmin and at one place I worked, I noticed someone had written 'aaaaa' on their monitor. They weren't at their desk at the time, so I sat down, hit ctrl-alt-del and typed 'aaaaa' into the password field...
Let's get this straight -- writing down passwords is a bad thing. Remembering passwords isn't that difficult in the end if you use a proper scheme. A securityfocus article suggests creating an acronym from the first line of a song. Makes enough sense. Add a bit of 1337 to it by changing some letters to numbers and you can be a bit safer.
Now on the other hand, if you wrote down some sort of hash of a password that you mentally decode to create the REAL password, then it may not be so bad. Still gives someone a place to start, though. In most cases, though, having a physical record of a password just screams "BAD IDEA!"
Today, the greater threat to users is having their password stolen somewhere in the network. The number of passwords stolen by actually going up to somebody's desk and reading it is much lower in comparison.
The advantage of this is that you can use relatively obscure and complex passwords because you don't actually have to burn brain cells to keep track of them.
This sig has been temporarily disconnected or is no longer in service
I like how Slashdot is listening to Microsoft for security advice.
"Screw slashdot." -- Linus Torvalds
I personally keep all my passwords in an Excel spreadsheet and protect it with a master password. As you say there is nothing wrong with that. Unfortunately, I end up still using the same set of passwords (about 5) anyway. :)
This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.
I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
For example, always prefix your password with your dog's name, so one account uses "FidoBlargh" and another uses "FidoAnakin", but write down only the "Blargh" and "Anakin" parts.
Write them all down and keep them next to your Mastercard. Pretty much the same security mechanism.
The problem is: what if your wallet is stolen? It's one call to cancel the Mastercard, but how are you going to change all those damn passwords? Especially if you don't remember any of them.
Maybe writing them down and locking them in a safe is better. Or maybe keep the master list in your wallet and a copy in a safe so that if it's stolen you can log in and change them all before the thief realizes what he has.
Raydude
Remember one password to access the program, and encrypt my more critical ones as strong as I need to.
A goal is a dream with a deadline
And so begin the "my UID is smaller than your UID" posts...
Maybe it's the new trend.
Maybe pen&paper AD&D will be cool again!
That's the solution to the wrong problem. The problem is those systems allowing the users to use bad passwords. If your authentication program expires passwords once every six months or so and requires non-dictionary-based passwords and a combination of letters and special chars. And hard-to-crack passwords aren't necessarily hard passwords to remember. Especially if you use some type of memory assistance, like a sentence:
"I have three dogs: elmo, burt and erney"
Password: "1h3dgs:E,B&E."
The point is that system administrators should be actively sending out emails and talking to users who might have a problem with this, not disregarding important aspects of their jobs, like educating users as to a very important piece of their security.
RandomAndInteresting.com - defending the world from stupidity since 1979
I can't re-iterate this enough.
A program like this with the database stored on a keydrive is ideal: your passwords can be as long as you like, cryptographically secure, and be different for all sites.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Neither writing down your password nor picking a simple password is clever, so I don't see why he even discusses this?
:-p
Like saying you should really try to start smoking sometime because it's worse to use heroin.
I think a good way to come up with non-dictionary passwords while keeping them reasonably easy to remember is to take the first letter in a sentence and somehow mix it up with numbers. Like "I Am A Geek And Like Slashdot" would become "iaagals". Then add some number from your social security number or something to make it truly alphanumeric and voila.
There are numerous other ways, and if I have to use a password somewhere, I really prefer to pick my own. If it's randomized and forced on me by some admin for "maximum security", I'll almost guaranteed write it down somewhere. Instead I'd prefer said admin to run my personally made password through an extensive dictionary to ensure it's not simply an easy victim for a dictionary attack, and maybe also check it's alphanumeric. I really dislike those enforced passwords like "3zq@q!02". Gee, thanks, let me get a pen and paper.
Beware: In C++, your friends can see your privates!
And of course, they(M$) will introduce the following security initiative when pen and paper security protocols show evidence of security lapses. White-Out.
The most common passwords I have seen at different companies were HOCKEY (unix/linux machines, why I don't know) and YOUSUCK (windows machines, surprising isn't it). And, we can't forget this one, it's everywhere (especially for email accounts): PASSWORD.
When we start writing down passwords, we compromise them. Obviously.
...
Instead, we should learn how to algorithmically generate good passwords ourselves, so that we don't need to memorize a complex character sequence, but just the way how to generate it.
Example: I take the second and fifth letter of the site name I want to log in to, which I use as an index to a poem, movie or book name I know, of which I take in turn letters and numbers.
While this process sounds complex, once you get used to "your" algorithm you don't even have to think much about it any more. That way, I am now using up to 48 quality passwords (long, mixed capitalization, including punctuation, interspersed numbers) without having any trouble at all remembering.
It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.
Password Safe
Insert witty sig here.
Since the jerks at google tell the browser not to remember the password (autocomplete="off" ) I've picked a really simple password.
(No, I don't want them to remember it a couple of days)
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
. . . on a Post-It note on my monitor.
However, this only applies to non-home computer security. At home users will invariably store passwords for websites and bank accounts and leave their computers unlocked and easily compromised.
... and more mentally secure.
Or use unsecured default password WiFi thus making it all a waste of time. 90 percent of all WiFi-capable laptops are insecure.
I give them chocolate, it makes the laptops feel better about themselves
-- Tigger warning: This post may contain tiggers! --
Controversial ideas on security from a Microsoft employee?
That we're taking seriously?
Did I miss something?
Mac users have a very powerful tool for password management in the Keychain Access program (which many users pay little attention to). You can store many strong passwords then remember one strong password to unlock and use them all. Additionally, when Keychain Access is locked, you can store the various password files it creates on a server (or on a flash drive) with peace of mind because it's DES encrypted. Note also that you can now sync Keychain Access via .Mac.
I've taught some of my friends to memorize one strong password, then use it to unlock Keychain Access which will simplify the process of assigning separate strong passwords for each account, server, etc. (or at least as strong as each scenario will allow). Because I often also need to access passwords from a PC, I also keep a short spreadsheet of "vital" passwords on the flash drive as well and I encrypt that with Kremlin (which is cross platform).
"...all the labours of the ages, all the devotion, all the inspiration, all the noonday brightness..." yada yada
That is very secure and easy to remember. Years later I still can log in to places I've totally forgotten about. Show people these techniques and the problems go away.
Just use an acronym. example:
il1k2b1k!
"I like to bike."
Just use shortened words, make substitutions like i=1, s=$, etc., and maybe an oddball character or two like the exclamation point.
It looks difficult, but once you make up a password in this fashion and use it a couple times, it becomes automatic to remember. It's much easier than having to memorize a whole random string of meaningless characters.
At the bottom of my desk drawer. But I encrypt them with a method I'll never forget. As long as no one else figures it out I can write them down and change them frequently if needed.
When I have enough money to make it worth the effort to steal it, maybe I'll get a better system. But even as it is I don't see how someone could figure out my system.
Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I happen to use really easy phrases and terms so that I can remember what my passwords are.
I then have a numeric category for all the sites and apps that I use. Ex: Bank = 5, Email = 6, etc...
I then ROT# the term where # = the category the password is in. Voila!
It's worked for me.
wtfisit2u
If clerks (in the study) never noticed the gunk on everyone's fingers as they demolished the "security" of these systems, what chance does any system have in the relative privacy of a cubicle or home?
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I've always written down my passwords. You just have make sure to keep them on the top of the Mountain of Despair, beyond the River of Doom. Total security!
I do this, and I've done it for a while. Basically, for anything that can be memorized instantly, there's already a rule for it in crack. So, I've been doing this since 1996, evolving over time, until the point where I choose random passwords, ;-], not actually being able to remember them, since they aren't really words, unless they stuck a keyboard in front of me... It's kind of like a sports swing, or a combo move in a game: once learned, you bypass conscious thought to perform them. A better example still would be tying a shoe-lace; I can do this w/o thought, and in fact thinking about it only makes it harder.
I reject ones that are too hard to type; one needs to be able to type it quickly as well. After a while I learn the new password, but they are complicated enough that it's more muscle memory than anything else. I'd need to be at a keyboard to remember the whole password. If injected w/ sodium pentothal I'd probably only be able to give up the first 3 characters of any password.
Bite My Ass Amazon
Bite My Ass Microsoft
Bite My Ass Google
Easy enough to actually remember, without writing it down.
Substitute numbers/special chars if required.
B1te My A$$ D311
I use a small PINS database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.
The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.
Kind thoughts do not change the world
For providing us with an EXCELLENT reference to SpaceBalls the movie.
If having the user write down passwords is good, why can't the "lookup" be automated to save all that typing...That way logging in could require none of the user's memory at all, and be much more secure, because the card could use a rolling code or hash-algorithm scheme, so that the data being passed back and forth between the card and the system is never the same, and the card contains all the secrets, and will not release them under any circumstances. Ultra-paranoid sysadmins might want to require a password or at least a username along with the card, but as long as users are taught never to leave the card unattended, I think it's not really necessary. This username/password crap is so insecure and outdated. My Dell laptop at work has a smart-card reader built in, and Windows already has support for this kind of authentication. My company hasn't tried to deploy it though.
Pen and paper may provide you with an airgap from the internet, but it is also not very convenient. I would prefer someone use some sort of a password safe, remember only one very difficult password/phrase and make sure they change that often. http://passwordsafe.sourceforge.net/
Here I thought I was going to be able to make a, "I just reduced my UID size by 70%, and you can too if you send me your password" post.
My little site.
They never have been, and you're not responsible for any charges made by someone who has stolen your number.
There is absolutely nothing wrong with writing down passwords, as long as the user protects the paper they are written on. If it wasn't against our corporate policy, I'd encourage our users to do it. We expect them to use strong passwords, but don't give any viable way for them to remember them. Do you think the average user is going to remember upwards of 5 strong passwords for each different application they need to access? I don't.
For example,
1. Select a date.
Thursday March, 14th 2005
2. Take the first letter from the day
m
3. Take the first letter from the day March 3rd falls on in 2006
mt
4. Take the last number in the day
mt4
5. take the number of the month.
mt43
6. take the third and second letter of the last day in the months
mt43uh
7. take the last number of the day of the next week.
mt43uh1
8. take the first letter from the first 3 days in the next month.
mt43uh1fss
Memorize the algorithm, and write down the dates.
Funny ;-)
Seriously, MS replacement for Passport seems to be InfoCard. Now I know this is MS, but this does actually look like a cool concept (we'll have to wait and see about the implementation).
Kim Cameron (the lead guy on this) is actually pretty adamant that this needs to be an "Open" system that others can implement. We'll see if that ends up meaning "open source", but interesting nonetheless.
"reality has a well-known liberal bias" - Steven Colbert
#2) The best passwords are illogical. Something like k8iWq3xy. Mixing in letters and numbers, not based on any words, is a good start. If your program recognizes upper and lower case, mixing that can help too.
#3) The best, very best log in tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14-character alphanumeric code. When my friend logged in, he had to enter this code, which changed every 1 minute. This was in addition to his username and password.
#4) People will sniff your network. Nothing is bulletproof. Finding passwords sent is easy. If it comes as clear text, you are screwed off the bat. This defeats #1 and #2, but not #3, because #3 is based on an algorithm that changes every 1 minute.
#5) Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes. This will be a major pain when you try and log in and make a mistake. It won't really stop hackers, just the ones with slow/bad proxies. Maybe 1 of the 500 proxies the hacker is using is not as anonymous as they believe. As for your own use, take a book with you when you believe you might have to log in remotely, just in case you make a mistake. You need something to blow those 20 minutes.
#6) Never, ever log in as root from a remote location. Have a crippled account to log into from remote locations. Expect this account to get cracked. Limit the damage. If you must, have 2 computer systems at home. One secured offline, and the other online. Hell, toss in a third computer connected to the web-based one via a serial cable and dump all the logging on that computer. The hacker/cracker can't edit the logging files on that second PC.
#7) When using a computer, always assume the key strokes are being logged. When you get home, change your password for that account.
#8) After you have done all these things, you will still get hacked. Call the FBI. Call your congressman. Let's bomb another country to relieve our collective mutual stress.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
That's really representative of the MS mentality:
Do something stupid as long as it prevents you from doing something equally stupid or worse. I guess that makes sense in a PHP's mind... It's great that Microsoft shoots for ever lower standards.
It makes as much sense as becoming an alcoholic so you would be too drunk to go and do crack.
EvilCON - Made Famous by
While this is important to mention, a more even approach would be to weigh whether your biggest risk is from outside crackers (and thus excellent passwords are most important) or from inside crackers (and thus on-site security is most important).
I knew this UID would come in handy one day. YAY!!!!1one
:-)
Put another password in.
I use a rather nice piece of kit which goes by the name of KeePass ( http://keepass.sf.net/ ), and a 78-bit master password for that. Works wonders, and can use external drives as keys or parts of keys (So you have the traditional something you know, something you have).
How many people can read hex if only you and dead people can read hex?
i could carry one of these....
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
And so begin the "my UID is smaller than your UID" posts...
I don't know why you guys bother with this pissing contest when I win every single time.
Anonymous Coward - UID Null
- Oil Paints replacing Microsoft Paint in Longhorn
- A printed dictionary replacing Word's spell checker.
Perhaps Longhorn really will revolutionize the computing industry.
Anything that requires me to have access to a specific type of hardware (PDA) or a specific operating system isn't going to be a lot of help if you're on the road without your gear or your gear gets stolen and you need access now.
Just do something trivial like rot-5 the 5th character of each password if you're concerned about somebody getting access. That would discourage most people from trying.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Why put the list in cyberspace at all? That's the beauty of paper, nobody online can steal a sheet of paper sitting in your home/office/dorm/loft/cave.
RETURN without GOSUB in line 1050
I will write them down as a phone number in my wallet... the first 3 numbers are bogus and the rest of the number is the pin.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
First Post
passwordsafe = good program
I've found that a great way of making many complex but easily remembered passwords is to create a simple process.
For example:
Take your user name and make your password 1 letter after.
Username: abcd
Password: bcde
Username: MyUserName01
Password: nzvtfsobnf12
This way your passwords are all different and not at all easy to guess or dictionary attack.
A problem with this might arise if you use the same username for everything. In which case another simple step could be added to prevent the passwords from being the same.
By adding the name of the site after the password for example.
Username: abcd
Password: bcdeyahoo
Username: MyUserName
Password: nzvtfsobnfslashdot
Let's face it... of course, the use of fingers, palms, voices, footprints will have the privacy advocates up in arms, but it's going to be bloody handy (NPI) just presenting your palm to the wall-mounted reader, Star Trek-style (used as a general representation of sci-fi, I never watched the thing) when compared to remembering 10 passwords.
It's now called D&D and has always been cool!
For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
I can just see the following request to helpdesk:
Please reset my password as someone borrowed my Sellotape dispenser and I can no longer log in.
-Em
RelevantElephants: A Somatic WebComic...
Another approach beyond generating random passwords for each site and writing them all down would be to generate a separate password for each site based on a formula. The formula would take some information about the site (such as the domain name) plus a master password and generate a new password for that site.
If you use such a scheme, then you just need to choose a master password and a formula, and then that defines the password for every possible site you might create an account with. Thus, there's a lot less bookkeeping to do.
One important thing, though: in choosing the formula, it would be helpful if knowing the password for one site would not help you guess the password for another site. Luckily, this is easy to achieve by using one-way hashes. Let me give an example of a scheme that uses MD5 (although there are better one-way hashes out there).
Let's say your master password is aydjrcg and that you want to choose a password for the account name joeuser at the site gmail.com. What would your password be? Well, all you have to do to generate one is to find the md5 hash of some string like aydjrcg!joeuser!gmail.com. That md5 happens to be 226726945b66a89ed4b6b5a0f8da6ee9. That's a bit cumbersome to type, so maybe it'd be best to UUencode it or use some other scheme that maps it to common printable characters (other than just 0-9 and a-f), but the principle remains the same.
The handy thing about this scheme is that a standard scheme for doing this can be created (and thus it can be done in software), and thus an individual only needs to remember their master password. Since you only need one master password, you can choose a fairly complex and safe one.
One weakness of this idea is that you are sort of putting all your eggs in one basket. But then, if you write all your passwords on a piece of paper, you are doing that too, and you have the additional burden of carrying around that piece of paper and the additional risk that someone can steal it from you. (You are also relying on the one-way hash not having a flaw that can be exploited, but even if it does have a flaw, it's still not as bad as just using the same password for two different sites.)
The worst password that a Slashdot reader can use is the initials of all the girls that you have made love with since middle school.
Even a simple BASIC program running on an old Commodore could probably crack that one in a few minutes.
Now the initials of all the girls that wouldn't make love with you, no matter how much you begged...that would be a secure password.
Liberals call everyone Nazis yet they are the closest thing to it.
For example, if I had to write down a seven-character password, I would write down:
and then put it on a stickie on my monitor.
Can you guess what the seven-character password is? [I used a suggestion from the javascript I linked above.]
I have one strong password. I don't know any of my passwords besides it, even though I have 30+... I just keep the open source program Oubliette on a usb keychain drive. http://www.tranglos.com/free/oubliette.html/ I also have a truecrypted backup. Using the same password everywhere and writing it down is just plain stupid.
The same people who want you to use Internut Exploder. confirming the text shown in an image is ghey, get rid of it.
IMAGE VERIFICATION IS EVIL!
Oh, write them down somewhere secure? You must mean, like, that Keychain app Apple's got, or any of the other tons of password organizers out there!
Thanks for coming out Microsoft, too bad you yet again missed the bus by several years.
If anything was to happen to you, having your passwords written down would allow your survivors to access your accounts - which can be otherwise impossible. Consider the case of the Marine whose parents were unable to access his email after he died - http://www.infowars.com/articles/military/yahoo_refuses_give_dead_marine_password.htm
Pen and paper doesn't crash and still works the same when the power goes off. If you write your password with good ink on acid free paper kept in a dry dark place, someone may find your password intact 3000 years from now. I don't know about the computer system though....
All theory is gray
I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:
Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with python...) 3254. You construct a phrase with any vowels and spacing desired with the consonants m,n,l,r. For instance, "mine lore" comes to my mind, and I envision Tolkien dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook.
Just pick up any dollar bill. There's already a convenient unique password made up of alphabetic and numeric characters printed in the corner. For more important passwords use $5, $20, or even the good old Madison.
So if Jackson is on the $20 bill, what do 5 Jacksons make?
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
You would have your credit card, e-mail, .etc all reachable with one password. You would be owned like you've never been pwnd before!!
My solution. Blend culture into your "e-life" Come up with a rhyme that you use to make passwords.
Like: bah bah black sheep have you any wool!!!
Now generate a SHA hash for your rhyme.
Carry the sha program wherever you go: flash drive, CD, floppy, whatever you use. All your passwords would be hashes of the rhyme.
Example:
your e-mail password: SHA("bah bah black sheep have you any wool-email"); Your credit card. SHA("bah bah black sheep have you any wool-ccard"); etc etc etc. You would never have to worry about forgetting your passwords. They would all be based on one rhyme.
But you better keep your sha program handy wherever you go.
Also, you cannot replace common sense. Don't use dodgy cafes. Patch your home computer as much as possible. Use Linux or OpenBSD or something for your sensitive data!! ; )
All you ever need is a good strong hash function (as long as it's still strong!) and a nice nursery rhyme!!!!
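The two posts above (the md5 of "master!account!site" scheme, and the SHA-of-a-nursery-rhyme scheme) describe the same idea: derive every site password from one secret plus a per-site label. The following is an added example, not code from either poster, implementing both as written and then a hardened variant that is my own assumption rather than anything on the page: PBKDF2-HMAC-SHA256 with the site label as salt, so that a leaked site password cannot be turned back into the master by fast offline guessing, and base64 output so the password uses more than the hex alphabet. The sample master secret, account and site names are the ones the posts use; `purpose` strings like "email" and "ccard" follow the rhyme post.

```python
import base64
import hashlib


def md5_site_password(master: str, account: str, site: str) -> str:
    """Scheme from the first post: md5 of 'master!account!site', written as hex."""
    return hashlib.md5(f"{master}!{account}!{site}".encode()).hexdigest()


def sha_site_password(rhyme: str, purpose: str) -> str:
    """Scheme from the rhyme post: SHA-1 of 'rhyme-purpose', written as hex."""
    return hashlib.sha1(f"{rhyme}-{purpose}".encode()).hexdigest()


def kdf_site_password(master: str, site: str, length: int = 20,
                      iterations: int = 200_000) -> str:
    """Assumed hardened variant (not from the posts).

    A slow key-derivation function with the site label as salt: each derived
    password still depends only on the master secret and the site, but an
    attacker holding one site password has to pay `iterations` HMAC calls per
    master-secret guess. base64 widens the alphabet beyond [0-9a-f].
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              f"site:{site}".encode(), iterations, dklen=30)
    return base64.b64encode(raw).decode()[:length]


def demo() -> dict:
    """Derive passwords for the examples used in the two posts."""
    return {
        "md5_gmail": md5_site_password("aydjrcg", "joeuser", "gmail.com"),
        "sha_email": sha_site_password("bah bah black sheep have you any wool", "email"),
        "sha_ccard": sha_site_password("bah bah black sheep have you any wool", "ccard"),
        "kdf_gmail": kdf_site_password("aydjrcg", "gmail.com"),
        "kdf_slashdot": kdf_site_password("aydjrcg", "slashdot.org"),
    }


if __name__ == "__main__":
    for name, pw in demo().items():
        print(f"{name:13s} {pw}")
```

Note what the hardening does and does not buy: the "all eggs in one basket" weakness the first post mentions remains (every password still depends on the master), and a site password cannot be rotated without changing the master or adding a counter to the label. What the slow KDF changes is the cost of recovering the master from a leaked site password, which with plain MD5 or SHA-1 is limited only by the attacker's hashing speed.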
I store most of my passwords on some off the wall free password manager website that looks like it was designed in 1997. I am confident that any two bit script kiddie could and probably already has compromised their server.
It serves as constant reminder that password based security is no security at all.
Why?
They aren't capable of recognizing "chicken sandwich" or "barbeque sauce" as being part of the thumbprint.
Those new IBM ThinkPads are just begging to get lunch crusted in the fingerprint reader thingy. We got a few of them here, and within a week, food was becoming a problem.
Engineers are such pigs, I swear.
Each really important password should be in the heads of a few people or written down and locked in a safe - but since it's easy to get root on just about anything with boot media it usually doesn't matter a lot in those IT guy hit by a bus situations.
I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
I write down the passwords on paper.
You try to find that paper in the mess that is my desk. I have trouble doing so on my own...
True obscurity.
Shortly after getting a "real" job, post grad school, I got a PDA and bought a password-minder program for it.
I don't trust myself to remember the 6+ passwords for the 10+ systems I have to use, each with differing requirements.
It's not unusual for me to try to log in to the travel-expense manager web app, that I use maybe once every six months, and just blank on my username and password combo. Thankfully, I can easily find it in my password minder program.
And then there's the 100+ passwords for misc. websites, both trivial and important...
ShoutingMan.com
This Microsoft guy is an idiot... Senior Program Director for Security Policy? Please.
Creating and remembering complex passwords is trivial if you have a system. Here's one that works well for everyone I've introduced it to:
Think of a long word, or even a phrase, that you will easily remember. For example, let's use "iloveslashdot".
Now, take all of the vowels and replace them with punctuation or numeric characters that resemble the letters. So, "iloveslashdot" becomes "!l0v#sl@shd0t".
You can modify this "core" password for use at different sites/services. Let's say your bank is Bank of America... the password could then become "b0f@!l0v#sl@shd0t". Your ebay password, using this system, would be "#b@y!l0v#sl@shd0t".
The nice part about this system is that it can be modified for obscurity. Above, I used a 4-letter abbreviation for the various sites/services and attached it before the "core" password. You could add it to the middle or end of the password as well.
As long as you are consistent with your vowel/punctuation character replacements and the unique identifiers you use for your various sites/services, this system is almost impossible to forget. Even the biggest BOFH I've encountered uses this method and has no issue remembering 14+ character passwords that have extraordinary complexity.
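Two posts in this thread propose deterministic, non-hashed schemes: the "username shifted one letter, plus site name" scheme earlier, and the vowel-replacement "core" with a site prefix above. Both are easy to remember, and both are easy to check against the property another poster asks for, that knowing one site's password should not help with another. The block below is an added example (not code from either poster): it implements the two schemes as described, reproduces the posts' own sample passwords, and measures how much two site passwords from the same scheme have in common, with a one-line SHA-256 derivation as an assumed baseline for comparison. The `u` vowel has no replacement in the post, so it is left unchanged here (an assumption).

```python
import hashlib

# Vowel replacements exactly as shown in the post; 'u' is not specified there,
# so it is left as-is (assumption).
VOWEL_MAP = {"a": "@", "e": "#", "i": "!", "o": "0"}


def leet_core(phrase: str) -> str:
    """Replace vowels with the look-alike characters from the post."""
    return "".join(VOWEL_MAP.get(c, c) for c in phrase)


def leet_site_password(site_abbrev: str, core: str) -> str:
    """Site abbreviation (also vowel-replaced) attached before the core."""
    return leet_core(site_abbrev) + core


def shift_password(username: str, site: str = "", k: int = 1) -> str:
    """Earlier post's scheme: lowercase the username, move every letter and
    digit k places forward (wrapping), then append the site name."""
    out = []
    for c in username.lower():
        if c.isalpha():
            out.append(chr(ord("a") + (ord(c) - ord("a") + k) % 26))
        elif c.isdigit():
            out.append(str((int(c) + k) % 10))
        else:
            out.append(c)
    return "".join(out) + site


def hash_site_password(master: str, site: str) -> str:
    """Assumed baseline for comparison: a hash-derived per-site password."""
    return hashlib.sha256(f"{master}:{site}".encode()).hexdigest()[:16]


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by two passwords."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def shared_fraction(pw_a: str, pw_b: str) -> float:
    """Fraction of the shorter password that is a verbatim run in the other."""
    return longest_common_substring(pw_a, pw_b) / min(len(pw_a), len(pw_b))


if __name__ == "__main__":
    core = leet_core("iloveslashdot")
    bank, ebay = leet_site_password("bofa", core), leet_site_password("ebay", core)
    print(bank, ebay, f"shared={shared_fraction(bank, ebay):.2f}")
    y, s = shift_password("abcd", "yahoo"), shift_password("abcd", "slashdot")
    print(y, s, f"shared={shared_fraction(y, s):.2f}")
    h1, h2 = hash_site_password("aydjrcg", "bofa"), hash_site_password("aydjrcg", "ebay")
    print(h1, h2, f"shared={shared_fraction(h1, h2):.2f}")
```

The number to look at is `shared_fraction`: for the two transform schemes the whole core (or the whole shifted username) is a verbatim run in every site password, so one disclosed password reveals the reusable part directly; for the hashed baseline the overlap is whatever two unrelated hex strings happen to share.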
There are plenty of ways to do this. For instance, you can keep the passwords on (picked at random) page 57 of a red notebook that stays locked in your drawer when you're not around, and is only out of the drawer when it's in use. You can leave clues to yourself what they mean.
For instance:
mama: no dates
The actual password, not written down, is "n0datez!" The machine this is for is the largest system you work on (big mama).
If using random strings, try to make it look like serial numbers; again the place or account to use this for should be hinted at (to you), not stated.
There are many, many ways to do this and be very secure. I once left a set of passwords and hints out in plain sight on purpose, just to see if anyone would recognize and try to crack them. They were never cracked, and I'm reasonably certain nobody even tried. They had no idea what they were seeing.
Put all your eggs in one basket, then WATCH THE BASKET
a) don't write the password on a piece of paper, instead just write what websites/stuff a particular password is used for so that you can change them all once in a while.
b) Create a Crazy Sentence and use the first letters and certain combos to make a good random password:
Ex: In the Future, cars will run on Solar Energy and Dog Food 9. = !n+h3FC3!11r0nS3&DF00d9
Afterwards, you can just repeat the sentence in your mind and you will subconsciously be able to choose the correct letters to type.
Pen & paper? Too high-tech for me, I use a pencil, you insensitive clod!
We all use lots of numbers every day: our own bank account numbers, credit card numbers, phone numbers, etc. We all remember all these numbers, because we use them over and over again. When you get a new credit card, for the first 10-15 online purchases you copy the number from the plastic; afterwards you just know the number, you get it out of your head. The more often you use these numbers, the faster you learn them, without any effort; repetition does the job for you. I think the age is irrelevant: this is the way it happened when I was a kid, this is the way it happens today (I am 59). I know about 40 or 50 numbers I use frequently and they all have at least 7 or 8 digits, some 12 digits. Why should passwords be different? Because they are not only numbers? I don't see any difference. The more often you use a password the easier it is to remember; it would take 10-15 logins to learn it, without doing anything special.
#3) The best, very best login tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14-character alphanumeric code. When my friend logged in, he had to enter this code, which changed every 1 minute. This was in addition to his username and password.
Most likely an RSA SecurID. They are all supposed to be unique, and are very expensive to replace. We use them for VPN passwords across the net between databases.
#6a) If you really must, must log in remotely (as root or anyone else), you must always use SSH - no exceptions! Always assume your network is being sniffed. See (2) above.
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
Not a huge fan of RSA or their product SecurID (R), however, there are other brands and what not. With so many dang passwords, I'd be up for a Challenge-Response or Token Passwords a la SecurID ... and just build it into my cell phone. ... add bluetooth, and add RSA/DSA key exchanges (ssh-style, for various uses) ... and one has a really nice password tracker. (I hate paper.)
[ Don't flame me about Bluetooth viruses. ]
They even have a large section on "What We Learned from Passport", but failed to mention the single biggest lesson Passport had to offer - that people fundamentally don't trust Microsoft with security issues.
Note that this isn't a criticism of Microsoft. Doing security right is a difficult and time consuming process that is really a niche segment of the overall computer market. Because of their volume they will always need to remain focused on the mass-market where time-to-market is more important than security. Delaying operating systems to appeal to the security market will only weaken their competitiveness on the desktop that made them so successful. And if they try to do both, they'll have to strike compromises and suck at both.
This isn't a technology issue, it's a business issue; and in the end, Microsoft will continue to rule in the largest spot of the market.
AKA SecurID. Nearest open source equivalent is S/Key.
Advice: on VPS providers
With regards to #3, that sounds like something like RSA's SecurID key fob.
It's official. Most of you are morons.
Why, of course I write down my passwords. All except one: my GPG password never gets written down, and it's used to encrypt my password list.
Does kind of make for a 'break one; break them all' system, but I'm quite careful with my GPG key. In fact, it's currently sitting on a broken hard disk, along with my password list. D'oh!
Another alternative would be to use a non-obvious system tied to the site. Slashdot password could be calculated by hashing the word 'Slashdot'. The only problem is that it must be hard for a person to take my Slashdot password and derive the system, and it's quite nice if I can calculate the passwords quickly and in my head.
I should expect that kind of talk coming from a young, low uid person like yourself. You kids don't know how good you have it these days. Fancy computer graphics and a machine to keep track of details for you, letting you have your 'action' in 'real time.' Back in my day, we had cardboard cutouts, if we were lucky! Most of us used hand made lead figures that we had to paint by hand! And it could take hours just to do one massive battle because we had to do everything ourselves! In the snow! In our parent's basements! Pssh. You young people these days. I don't want your opinion until your UID is in the lower 50% of the population. PSssh. Kids. Think they know everything. In my day, we were lucky if we knew nothing! You were lucky just to not be a negative container of knowledge, sucking it out of other people until everyone knew nothing. Pssh. Kids.
Edward@Tomato - /home/Edward/ man woman
man: no entry for woman in the manual.
"Qua!?"
You could always get an iris scanner alternatively.
It might be an idea to write down a difficult 8 character password, and keep it in your wallet. Then extend this difficult to crack password with a more easily remembered one. This prevents anyone from logging into your PC if they find your secure password, and it keeps network hackers from guessing your simple one. Of course, one could brute force your simple password using the network if they found out your secure one, but this is not such a likely scenario. And it's all about mitigating risks...
"#5) Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes. This will be a major pain when you try and log in and make a mistake. It won't really stop hackers, just the ones with slow/bad proxies. Maybe 1 of the 500 proxies the hacker is using is not as anonymous as they believe. As for your own use, take a book with you when you believe you might have to log in remotely, just in case you make a mistake. You need something to blow those 20 minutes."
Makes it pretty simple if somebody wants to launch a DoS attack against you.
This is just another Micro$oft scheme to get your passwords. First, they convince you to write down your passwords, then they send the Micro$oft Ninjas (MSN) or Micro$oft Death Ninjas (MSDN) to sneak into your house in the middle of the night and steal your passwords.
Rhapsody in Numbers
Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might be packet-sniffing it. Oh, no, there's no way out, we're doomed!
Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.
Do you think that more passwords are hacked each year, or that more are discovered written on a piece of paper and then used? /didn't rtfa
A friend of mine has a good rule: "Never store a written password within 8 feet of your computer". (Why 8 feet, and not 10? 10 sounds like a rounded-off number that quickly degenerates to 5, and then 2. 8 sounds like it was chosen for a reason -- just tell them that it was chosen for social engineering reasons.)
Another thing that I'll do is not actually put the password itself onto paper -- instead, I'll put something from which I can generate the password. For passwords that I use often enough to memorize I'll destroy the written version once I've got it memorized.
For short passwords (e.g. Solaris 8,9) I suggest that people use the mnemonic method
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
In addition to writing them down and putting them in your wallet/purse/whatever, I recommend creating long passwords that are easy to remember by putting 3 or 4 characters separated by something like a period --- for example 4dt35z2en is difficult to remember, but 4dt.35z.2en is not only a better, more secure password; it is also much easier to remember!
You would have to have a password protected document, with an easy to guess password to guard the list.
When he has a login anywhere, instead of Firefox typing it on pageload, he just pushes his finger onto the pad. Chances of someone faking his hand?
Right, so he uses it to login ANYWHERE. So he goes into a cafe and plugs it in (meanwhile people are looking at him like he's a nutter - which he is!!) I am an assraping haxor with spyware + keystroke etc. recorder on his cafe machine. No matter what exotic approach he takes there still has to be a plaintext version of his password on the computer at some point so he can login (this is why audio DRM's music files don't work!! : )
Now Not only do I have the password, but if I got his email account name and bank details etc, I have the passwords for all of them too since he is using one master password.
Now I have all his money and buy many many fingerprint scanners of my own for my uber ass-rape facility in a secret mountain lair...
Yeah, it is! See, I even logged on as him to prove it!
And make sure you leave it on a post-it note stuck to your monitor, or in a desk drawer, your laptop bag, or somewhere else where absolutely no one would possibly think of looking for it.
Voluntarily giving passwords away (ie through phishing or other kinds of trojan horses), having them intercepted (by packet sniffers, keystroke loggers, etc.), or brute-force search are much bigger threats to password integrity than guessing. In none of those cases does a complicated password that would need to be written down fare any worse than a "stupid, easy to guess" password. Password guessing seems a comparably minor threat, and would only seem to apply to really dumb passwords (birth dates, '123456', etc.).
"(Man) tries to live his own life as if he were telling a story. But you have to choose: live or tell." --Sartre
Just use a passphrase! You can write out an entire phrase (with spaces and special characters) for Windows passwords. In fact, this post could be used for a passphrase!
The best passwords are illogical. Something like k8iWq3xy.
That made sense up until the xy (seriously).
The best, very best login tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14-character alphanumeric code. When my friend logged in, he had to enter this code, which changed every 1 minute. This was in addition to his username and password.
I use something like that. It's called the UNIX epoch. (One-time passwords, they're called. With increasing mobile device usage, this will become more viable although nowhere near bulletproof. If the device is lost or is cloned, game over. Might also want to look at Netkey, which is a method of hiding passwords.)
Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes.
Not that great of an idea if we are dealing with complicated passwords. Believe me, users will come knocking down the door after about a week.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Time to switch to decaf, buddy.
To confirm you're not a script, please type the text shown in this image: rnqdfnj
A cool way to always have good passwords is to just choose a short phrase that you'll remember and run the text through MD5. So, if you're creating an account for your PC at work, you might use something like "Work PC password, May 2005" and then just run it through something like this.
This will give you a good mixed-case, alphanumeric password, and you can always retrieve it if you forget it, as long as you can remember the phrase that you used (which is much easier than remembering Qwy4%!Xx). The only other caveat is that you must have access to the web or to a machine with an MD5 generator.
And, being an uber-geek, you can even go one step further and eliminate that last requirement. You can make up your own algorithm for converting a phrase into pseudo-random characters. Keep it simple, and something that you can do with pencil and paper! You have to be able to remember the algorithm a month from now (when IT forces you to change your password) or else it's useless. But if you keep it simple, you'll have no trouble remembering how to do it. I've been using this system for a while now and it works like a charm.
APG
Get a password keyring and stop worrying about it.
Actually I have the first version of the keyring, which didn't come with a dock and was a whole lot cheaper ($60 if I remember correctly). The new version sounds better for businesses but not a great improvement for individuals.
Still. These completely solve the problem of creating and remembering secure passwords. What more d'you want?
To this readership I pose a problem. This one may fall into the category of mundane for some, however, for others, it may prove to be quite the conundrum.
The Problem:
Write down many, strong passwords,
or,
Use the same strong password everywhere.
Given: that a 'strong password' represents a password created using the most secure, or unbreakable, methods currently available; that 'write down' requires a physical object with the passwords inscribed on them in a way that is decipherable to the owner without possibility of memory loss causing an inability to decipher; and that 'everywhere' denotes the group of systems requiring user identity authentication by means of a stored password check setup, where 'systems' are generally electronic in nature.
This question may be the final, and most crucial, step to creating a maximally secured electronic system. There will always be a need for the user of the system to prove its identity, while there will also always be a potential for the user to forget what it has to do to authenticate.
This problem does not consider any alternative solutions, nor does it consider biometric methods(1), however its author most certainly does.
(1) Biometrics should be considered insecure in any system where the user is not in the same physical location as the system and should also, therefore, be considered inadequate as applied to all systems a particular user might access.
If this problem appears mundane at first read, give it some time and mull over it until you find yourself posing a question about your own belief on the matter.
;uhm... what happens when someone *spends* the money?!
;treehead
"If any part of Linux was stolen, then Windows was the biggest heist in history."
Jesper:
Talkin' outta turn -- that's a paddlin'.
Lookin' out the window -- that's a paddlin'.
Starin' at my sandals -- that's a paddlin'.
Writin' down your passwords -- oh you better believe that's a paddlin'.
I still remember the system generated TSO password from 30-freaking years ago
It was three Kay seven six victor victor zulu romeo!
but, there was no toprow stuff in it.
A better technique is to remember a phrase that can be expressed in a brief series of characters, something like "I am not a crook" for example might become iM!a(cr?)
But then the shifted key strokes can give you up to shoulder surfers... if you're in a situation where that might be an issue.
In that case multiple double taps on the home row will help obfuscate the sequence.
Just last night (literally) I was looking at all the passwords I have written on my password list. I have over 40 different websites that I have visited that require a login name and password. I will NEVER remember 40 different passwords and login names. Some of those sites I visit about once a year (airline sites for travel). If you have only one or maybe two sites that require login passwords, good for you. The rest of us use more of the internet than just slashdot and our work site. Our only reasonable options are:
- one password and login name for everywhere (bad security).
- individual passwords and login names for each site, but written down (bad security).
- stop using the internet (not going to happen).
I choose to keep using the internet and store my passwords and login names (over 40 currently, over 50 including past sites I don't visit anymore) written on a piece of paper that I have to pull out (no, it's not taped to my computer) when I visit the sites that require it.
And I am posting as anonymous coward because I have no account here and I do not want to add any more damn logins and passwords when it's not necessary.
"Let's bomb another country to relieve our collective mutual stress."
Bomb your own country and cut down the transport costs. Bombs are heavy!
And blowing yourself up means never being stressed again.
I am anarch of all I survey.
he's an idiot. the answer isn't to let users do what they want with their passwords. if you ALLOW people to pick their passwords, they will pick shit ones everytime. his solution does nothing at all. the answer, is to FORCE them to use a good password, and to change it regularly. allowing them to put it on a sticky note on their monitor is a shitty shitty idea. MS is never going to gain street cred in the security world taking advice from morons like this guy.
If you mod me down, I will become more powerful than you can imagine....
I think most passwords should be opened up to having any length combination of any key on your keyboard. So your password could be your favorite line from a movie, or something. Why limit it to so many characters of just alphanumeric ?
*DrugCheese rants*
I write mine down on the back of my auto insurance "id card" (actually a piece of paper, not an actual card, and when folded in half is roughly the size of a business card). Since proof of insurance is required for vehicle registration renewals, plus you always need it on you whenever you might get pulled over by the cops, it's an important piece of paper to always hang onto, but has zero monetary value in and of itself. It also expires every 6 months and I get a new one from my insurance company. Every 6 months also seems at minimum a good time to be changing passwords too, and I then write them down onto the new insurance card.
I like option #8; let our Air Force handle it!
Microsoft garbagemen recive big bonuses
Officially: "No comments"
http://www.sans.org/rr/whitepapers/authentication/1636.php
I don't like the suggested way to deal with required password changes (add a number to the end) because it goes against best practice. I did however question why adding numbers to the end of passwords during a forced change is not recommended and all I came up with is:-
- if you know users have strong passwords, the reason why you still force them to change passwords regularly is to mitigate the risk that someone other than the user has gained access to that password. So simply adding numbers to the end of passwords voids the mitigation of the required password change.
If you have a few hundred extra, sure.
Foxed Design
I've found it easier and more secure to remember a passphrase as oppose to a password.
"Look where we worship" -- Jim Morrison
e.g., Apple's Keychain. Of course, Microsoft has taken steps towards this, but no one trusts them.
Maybe it's just me, but it seems that the likelihood of someone cracking that method is very unlikely.
As you said, physical access is required. (which makes things MUCH more difficult) However, even if physical access WASN'T required, I don't think some hacker would suddenly say to himself, "AH HA! I bet this user is combining the serial number of his roller-chair and product number of his processor to create his password! Let me just try these numbers..."
There is a VERY large combination of passwords available from product/serial/model numbers on various items that reside in a typical office. Even if a hacker somehow broke into Joe Blow's apartment and spent twenty minutes writing down all of Joe's stapler model numbers, he likely wouldn't get them all, and definitely wouldn't need to run a program (remotely) to try all the possible combinations. (Especially given that the password might consist of half a dozen different product numbers!)
All in all, the odds of someone breaking this password aren't likely. If someone was determined enough to go through all afore-mentioned garbage at all, whatever he's getting at must be pretty valuable... and would probably be better protected than just by an arbitrary password.
I like the discussion you're starting, but if you're going to create a numbered list for something as hard and important as security, you should probably put more effort into it. (I'm unqualified to make a list, but I would like to respond to yours.)
#1) The hackers have huge dictionaries that can crack just about any word, in any language, and with any added numbers, like compaq002 or 01compaq01. Second, they have custom dictionaries that can take 2 or 3 words and put them together in logical ways (like people think). These are all easily cracked. Picking a password by splitting the words of items on your desk and adding them back together is not smart. Comp05HP is not a good password.
Huh? Dictionary attacks might succeed on more passwords than you would imagine, but ANY added numbers? I don't think you understand how large of a domain you're describing.
#2) The best passwords are illogical. Something like k8iWq3xy. Mixing in letters in and numbers, not based on any words, is a good start. If your program recognizes upper and lower case, mixing that can help too.
Not illogical so much as random (or at least very high-entropy). If you rely on a pattern for generating passwords, so can someone trying to guess them.
#3) The best, very best log in tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14 alphanumeric code. When my friend logged in, he had to enter this code, which changed every 1 minute. This was in addition to his username and password.
You're talking about SecurID.
#4) People will sniff your network. Nothing is bulletproof. Finding passwords sent is easy. If it comes as clear text, you are screwed off the bat. This defeats #1 and #2, but not #3, because #3 is based on an algorithm that changes every 1 minute.
No, some algorithms are provably "bulletproof," or crypto wouldn't work at all. However, complex and/or large systems often contain oversights, so redundant security mechanisms are a good call.
#5) Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes. This will be a major pain when you try and log in and make a mistake. It won't really stop hackers, just the ones with slow/bad proxies. Maybe 1 of the 500 proxies the hacker is using is not as anonymous as they believe. As for your own use, take a book with you when you believe you might have to log in remotely, just in case you make a mistake. You need something to blow those 20 minutes.
No. This allows a malicious third party to prevent you from logging in without knowing your password.
#6) Never, ever log in root from a remote location. Have a crippled account to log into from remote locations. Expect this account to get cracked. Limit the damage. If you must, have 2 computer systems at home. One secured off line, and the other on line. Hell, toss in a third computer connected to the web based on via a serial cable and dump all the logging on that computer. The hacker/cracker can't edit the logging files on that second PC.
Or, use SSH
Great, so on the new Tablet PC's you can simply "write" your password in the PW box.
Heh.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
"#4) People will sniff your network. Nothing is bulletproof. Finding passwords sent is easy. If it comes as clear text, you are screwed off the bat. This defeats #1 and #2, but not #3, because #3 is based on an algorithm that changes every 1 minute."
Actually, this only defeats #3 for the remaining part of that minute. With code sniffing the network, it's trivial to replay that login information in under the time remaining. A better solution would be to use an algorithmic addition to the password *and* encrypt your login information, just be sure to use encryption that takes longer than sixty seconds to break on a fast machine. (Think, publicly reviewed encryption algorithm with a large enough key).
Evil Overlord list of things to do:
5) The artifact which is the source of my power will not be kept on the Mountain of Despair beyond the River of Fire guarded by the Dragons of Eternity. It will be in my safe-deposit box. The same applies to the object which is my one weakness.
- http://www.eviloverlord.com/lists/overlord.html
WTF is wrong with you people.
Line noise. At least eight characters of it.
#wG/+"s2
Memorize the damn thing. Seven repetitions moves data from short term to long term memory. If you have some sort of cognitive disability, then by all means, write them down. The majority of you, I suspect, simply need to step away from teh b0ng.
^..^
What are you, in the Russian Space program?
Phoa, dayam, how did u get that password?
Thats the planetary password for a air sheild i know!!!
http://www.google.com.au/search?q=spaceballs+the+movie
In the U.S., you can invoke the 5th amendment to refuse to answer questions about a password, but you can not refuse to hand over written material. So if your password is protecting something you'd rather keep out of sight from the feds, you would be well advised not to write it down.
I can barely keep track of my passwords as it is, forget trying to keep track of a piece of paper. Sheesh, what is this, the late 20th century?
Holy shit! He said what? I guess that explains a lot. Sure, write your password down and put it underneath your keyboard. How about using an easy to remember phrase like "I like sex" but replace some of the letters with crazy symbols like $ for s and 3 for e, etc. That makes a very strong password, actually. It's the one I use, in fact. Can you guess my password now? I don't think so.
Currently hooked on AMP
#7) When using a computer, always assume the key strokes are being logged. When you get home, change your password for that account.
This is not practical when travelling for extended periods without a notebook PC.
When I was last travelling, I would occasionally need to log into my Internet banking facility to transfer funds to my Visa card account (it's widely accepted by ATMs). Since I never really knew if the local Internet cafe PCs had keyloggers installed, I'd open up Notepad as well as the site, and intersperse the keystrokes going into the username and password fields with random keystrokes into the Notepad window. I'd also randomly move the windows around, so that even if the keylogger logged mouse actions, it would not be easy to follow.
It was a PITA, but since I was visiting some countries where the balance of my account at the time would be enough to buy an apartment, I didn't want to risk it.
www.psynch.com
www.mtechit.com
They added that because for the past few days Slashdot was crap flooded with spam from previous articles.
From what I can figure out it's only required for people that don't have good karma, and users not logged in.
Security is as hard as it is important to get right, and respectfully, John, you're not qualified to compile such a list. (Nor am I, admittedly.) You can't identify something as prevalent as SecurID, you're misstating security fundamentals, and you're conflating related concepts.
Passwords are relevant only for authentication, and better schemes involve additional proofs of identity (e.g. SecurID tokens). A good security policy correctly uses crypto primitives to create layered defenses that supply mutual authentication, secure communication, and data integrity. A good password is generated randomly from a large domain, is stored securely, and is not reused for multiple purposes.
Consistency requires you to be as ignorant today as you were a year ago. -Bernard Berenson
So my Slashdot password can be easily remembered as IBM!1531@E94# Tried that, and got: "Danger, Will Robinson! You didn't log in! You apparently put in the wrong password, or the wrong nickname. Either try again, or have your password mailed to you if you forgot your password." Please advise.
I use a simple system to generate and remember passwords. I'm posting it here so others can use it. If it has problems, please let me know!
First, memorize a long sentence or paragraph. It should not be a well known sentence.
Next, form passwords by choosing two consecutive words and placing a number between them. The number between each word can correspond to which sequential pair they are in the sentence. For example, if your sentence began with "Four score and seven years ago" the first password would be four1score and the second score2and.
You don't want to use the same password everywhere, so next choose a simple numbering scheme for the types of accounts you are protecting. Let's say you choose 00 for accounts you don't care much about (so you use it often for things like NYT registration), and other numbers for other types of accounts. Embed the number somewhere in your password, perhaps at the end. Just be consistent in where you place them. If placing at the end, the example passwords now become four1score00 and score2and00.
You now have a system that can generate a large number of strong passwords, and all you have to do is remember the sentence you started with, and the account number system.
To get started, choose the first two words in your sentence, and password protect everything according to account type. Every once in a while (e.g. once a year), move to the next pair of words and incrementally update passwords as you encounter old ones.
The real utility of this system comes into play when you forget a password, since there are only a small number of combinations to try. Simply determine which account types might have been used, and then try previous word combinations. I've gone back and logged into accounts that I haven't accessed in years, where the password was long forgotten.
Make a difference: move to a swing state.
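The sentence-pair scheme described in the post above, as an added example (not the poster's own code): it generates the passwords exactly as the steps describe, and it also counts how many candidates the scheme can ever produce for one sentence, which is the property the poster relies on for recovering forgotten passwords. The sentence and account codes are the post's own; the helper names are assumptions.

```python
import re

def sentence_words(sentence: str) -> list[str]:
    """Split the memorised sentence into lowercase words (punctuation dropped)."""
    return re.findall(r"[a-z']+", sentence.lower())

def pair_password(words: list[str], pair_index: int, account_code: str,
                  code_at_end: bool = True) -> str:
    """Build one password from consecutive words number pair_index (1-based):
    word_i + i + word_{i+1}, with the account-type code at the end (or front)."""
    core = f"{words[pair_index - 1]}{pair_index}{words[pair_index]}"
    return core + account_code if code_at_end else account_code + core

def sentence_passwords(sentence: str, account_code: str = "00") -> list[str]:
    """All passwords the scheme yields for one sentence and one account type,
    in the order the poster rotates through them."""
    words = sentence_words(sentence)
    return [pair_password(words, i, account_code) for i in range(1, len(words))]

def recovery_candidates(sentence: str, account_codes: list[str]) -> list[str]:
    """Everything a person who knows the sentence and the account codes would try
    when a password is forgotten. The same list bounds what anyone else who learns
    the sentence has to try, so keep the sentence as secret as the passwords."""
    return [pw for code in account_codes for pw in sentence_passwords(sentence, code)]

if __name__ == "__main__":
    sentence = "Four score and seven years ago"
    print(sentence_passwords(sentence)[:2])          # first two passwords, code 00
    # Constructed account-type codes: 00 throwaway, 10 shopping, 20 banking
    print(len(recovery_candidates(sentence, ["00", "10", "20"])))
```

The count returned by `recovery_candidates` is small by design (number of word pairs times number of account codes); that is what makes recovery easy, and it is also why the sentence must not be a well-known one and must never be written next to the account codes.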
Usually you can just run 'java myprog.jar' or double-click it to run (if Java is available). Perhaps he was concerned about the unverifiable security of the Java VM? Also, I know Bruce did Blowfish, but wouldn't AES/Rijndael or even his own Twofish be a better choice?
I frequently use steganography to write down my passwords and pins. I take an old, legitimate document or drawing and write my password into it in a way that it does not stick out like a sore thumb. I'm also not stupid enough to make the password a single word in the document (otherwise someone could do a dictionary attack using the keywords from a desktop search database). Instead I'll break it up into several pieces and put them in places that make sense to me but no one else. That is to say, since I wrote the document it's easy for me to see what does not belong. For example, perhaps the zipcode is wrong for my address. Further, by using phoneme type passwords it's very easy to incorporate these into other words. I highly recommend this. It beats the tape dispenser method. You can carry the document with you on a USB key, and if you are paranoid you can even encrypt the document with a master password or use a biometric USB key.
Some drink at the fountain of knowledge. Others just gargle.
So how do you write down your password in those paperless offices that Microsoft is always talking about? Carve it into the desk with a letter opener?
Authentication methods can all be broken down into the following categories:
1) Something you know (such as a password).
2) Something you have (such as a keycard).
3) Something you are (such as a fingerprint).
You're forgetting: (4) Something you do. Everyone does things in subtly unique ways. If we could build a security mechanism that picked up on that, it would be the most effective, since you don't have to remember or carry around anything.
For instance, I bet everyone types differently. I bet if you profiled a person's typing and built up a record of the average timing that particular individual took between typing any two particular letters, you could have a program to figure out whether it was really the individual typing or not, regardless of what it was they typed. The login prompt could then just ask you to retype something shown on the screen so it can profile your typing characteristics.
Sure, at the moment this requires a bit too much guesswork or intelligence, but something like that would certainly be the most user-friendly and non-annoying implementation of security.
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
[grin]
Danger, Will Robinson! You didn't log in! You apparently put in the wrong password, or the wrong nickname. Either try again, or have your password mailed to you if you forgot your password.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Picking a password by splitting the words of items on your desk and adding them back together is not smart. Comp05HP is not a good password.
But B&m:7599-BtBr} would be, and was just generated from an item on my desk. Easily rememberable to me.
Something like k8iWq3xy.
All alphanumeric eight character password? A bruteforce check would crack that on average in ~4.9e+55 attempts. That's a very small number to today's computers. A high end home computer will chew through that in a very short period of time.
Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes.
So all I have to do to DOS your system is do two failed logins remotely so that your switch's MAC gets locked out?
And get ready for all of your passwords to get harvested as your insane policy causes everyone to write their password down on post-its.
Never, ever log in root from a remote location.
Never, ever allow remote root logins. Period. SSH is easily configured for this.
Expect this account to get cracked.
Log in wisely and you shouldn't get cracked unless there's a really good reason you're being targeted. [hint: you aren't]
If I ever have a word with M. Johansson it will be "SSH"
Isn't a full blown GUI program a bit overkill?
Seems to me that a list of OverlongSuperComplexHardToRemember passwords can easily be stored and read from a simple text file that's been encrypted. Using something like ccrypt (available for Windows with Cygwin) and typing
$ ccrypt -c path/to/secret_password_file | grep slashdotlogin
and entering the requisite password when prompted allows you to read the information from your screen.
A bit simpler, no?
Not necessarily
One day, I zoomed in on a piece of paper on the corner of his desk. Some rotation & sharpening in photoshop* revealed an IP and the word "gizzards8524". I telnetted** to the IP, tried his usual nickname and that word as the password and bingo - I was in.
He was quite startled when a he got a console chat invitation from...himself.
*as opposed to hollywood's ideas of image restoration that boggle the mind and break the laws of physics.
**ssh wasn't popular yet.
A preposition is a terrible thing to end a sentence with.
A colleague of mine went away on a long vacation and told me her password, which she always kept as "pookie" (the Garfield teddy bear) with two digits appended, so I could log in as her if necessary.
A few weeks later I went to log in to her account and couldn't - password had expired or something - so I called the admin folks and asked them to reset the password. "What do you want it reset to?". Thinking... "ummm, now what was it...oh yeah, wookie. It's April, right, so make it wookie04". Done.
The following week, I'm on leave, my colleague returns and I get the following text message:
her: "cant log in. password?"
me: "w.....04"
her: "???"
me: "wookie04!"
her: "WTF?"
Here's the solution I came up with for my users.
Take some card out of your wallet. It could be a health care ID, a driver's license, business card, etc.
Pick a column or diagonal through the text.
Voilà, a password you can carry with you.
Surprisingly effective at generating hard to guess passwords.
...to come up with good and memorable passwords. Especially if you love music or movies. Just pick your favorites and take a phrase or quote from them. Wayyyyy back in the past at another job (servers have probably been nuked by now), I had a really good one from the Blade Runner: The line was "Good Evening JF"! as said by his replicant toys. So my password became, 'goodeveningj.f.' Long, easy to remember and complex enough to never be guessed. Simple.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
At one company I had to have 6 passwords that needed changing at different times. Some as soon as after 1 week. Others after 1 month and others after 30 days.
So the only way to remember the password sets du jour was by writing them down.
I have tried to explain to the IT people that what they did made the system LESS secure, but they stuck to the story that many passwords changed often was the best way to work. The best excuse they had was that 6 was not so bad. They had to write down 30.
At another company where I had just one password, I just phoned in every month to say I forgot my new password. They did a reset and I could change it back to the old one. I used the same password for several years without ever having to write it down. The difference between the first and the last company was that with the last I used a secure password and with the first I used easy passwords.
Don't fight for your country, if your country does not fight for you.
That'd be a pretty cool idea... imagine if tablet PCs allowed you to do a little doodle as your password. If you get it structurally close to the stored version then you're allowed access...
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
Today's lockout policies of (x bad attempts before account locked out for y minutes) are even easier to DoS, since you can lockout an account from anywhere, just by feeding it bad passwords.
At least with IP/MAC lockout, only the originating system is locked out. Yes IP/MAC are spoofable, but
a) this raises the bar. Now the attacker must know both your account name and your IP/MAC
b) in many cases, such spoofing can be reduced or eliminated with proper ingress/egress rules at switches and routers, and additionally by IDS.
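The account-lockout versus source-lockout trade-off argued over in this thread (#5 above, the "DoS your system" reply, and the post above), as an added example that is not from any poster: two small policies run against the same constructed sequence of attempts, a stranger guessing at alice's account from one address and then alice herself logging in from her own. The addresses, the password and the class names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed credential store. A real system holds salted password hashes,
# never the password itself; plaintext is used here only to keep the example short.
USERS = {"alice": "correct horse battery staple"}

class AccountLockout:
    """Lock the *account* after N consecutive failures, whoever caused them.
    This is the policy the thread calls easy to DoS."""
    def __init__(self, max_failures: int = 5, lock_seconds: int = 1800):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account: str, source: str, password: str, now: float) -> str:
        if self.locked_until.get(account, 0) > now:
            return "locked"              # even the right password is refused
        if USERS.get(account) == password:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
        return "fail"

class SourceThrottle:
    """Throttle the *source* (IP, MAC, session) with a sliding window of failures.
    A stranger's failures never lock the account holder out from elsewhere."""
    def __init__(self, max_failures: int = 5, window_seconds: int = 60):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures

    def attempt(self, account: str, source: str, password: str, now: float) -> str:
        recent = self.failures[source]
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            return "throttled"
        if USERS.get(account) == password:
            return "ok"
        recent.append(now)
        return "fail"

def simulate(policy) -> tuple[str, str]:
    """Five wrong guesses from one address, a sixth guess, then the real user
    logging in from a different address. Returns (stranger's 6th result, user's result)."""
    now = 1_000_000.0
    for i in range(5):
        policy.attempt("alice", "198.51.100.7", f"guess{i}", now + i)
    stranger = policy.attempt("alice", "198.51.100.7", "guess5", now + 5)
    owner = policy.attempt("alice", "192.0.2.10", USERS["alice"], now + 6)
    return stranger, owner

if __name__ == "__main__":
    print("account lockout :", simulate(AccountLockout()))   # ('locked', 'locked')
    print("source throttle :", simulate(SourceThrottle()))   # ('throttled', 'ok')
```

Per-source throttling on its own is only part of an answer: the thread already notes that source addresses can be spoofed or spread over many proxies, so production systems usually combine a slow per-source throttle, a much slower per-account throttle that never becomes a hard lock, and a second factor.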
The *IAA's rejoice at these steps backwards, one industry speaker commenting "Ha! Let's see them pirate now!"
"Where do you want to hobble to today, old timer?" was revealed as Microsoft's new slogan.
kurzweil_freak
5th Kyu Genbukan Ninpo/KJJR student
Be the darkness that allows the light to shine.
No, he's right. AD&D has, and still, sucks.
"Nobody owns the fucking words man." - James Dean
It's okay; write them down. Just surround them with a page full of fake passwords. It would take somebody all day to enter all of them.
My passwords are tattooed on the inside of my eyelids.
http://www.forgetyourpassword.com/
A great alternative to writing down passwords!
(posted anonymously - don't want to compromise the stupid bastards too much!)
I have a friend that has her PIN's on the credit card.
She will never forget them...
As many people on this forum have already pointed out, people and strong passwords generally don't mix. The real solution is biometrics. A retinal scan or fingerprint is much more difficult to "steal" than a password. Yes, it can be done, but not easily; certainly not by 99.99% of those who can and do steal passwords.
Don't underestimate the power of The Source
In 15 years of Net use, I have had my machine broken into once. But then, logging into my machine over a telnet connection on a university network and then su'ing to root may not have been among my more brilliant ideas . . .
I don't think this was stressed enough in the comments. Passwords are useless beyond home security. If you need real security you need to go beyond passwords. But for 90% of people, passwords that are familiar but non-dictionary based, possibly written down in a safe place, will do just fine. No need to worry about any of the parent's comments except when you use a public computer (never use a public computer to enter ANY passwords, period). And don't make any enemies...
"A bit simpler, no?"
No.
I wouldn't want to drag Cygwin around with me everywhere just to open an encrypted password file.
And you can forget about teaching the average Windows user about grep.
Step 1: pick a catch PHRASE, not word, with some meaning to it.
"Worst. American Idol. Ever." for example (with a meaning of "She Bangs").
Step 2: Convert the meaning to symbols in some cutesy way, such as "She!sShe!s". You can work l33t-5p34k into it somehow (just be consistent so you can remember it). This is your password, but you only write down the catch phrase.
Lather. Rinse. Repeat as necessary.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
If you have a Mac with OS X, you can store your passwords in the built-in secure keychain. It basically means that you really only need to remember one password - the one to your keychain - in order to have access to all of the other passwords.
By default with the default install your keychain password is the same as your account's login password; but that's easily remedied if you're concerned about it.
The keychain is also a great place to keep secure notes where you put, for example, your kid's Social Security number, installation keys for programs like MS Office or Adobe Photoshop, or other information that you won't remember but don't want just sitting there in your documents folder in a plain-text file.
#DeleteChrome
But that will display your password in plaintext. Password Safe program allows you to enter your master password, choose the appropriate login, it shows you your username and you double-click on the entry to have it copied to the clipboard. Paste into your browser's (or other app's) password field, and nobody (not even you!) can see what it is by looking at the screen.
:)
There are some logins even I don't remember the password to, such as my eBay and PayPal accounts. All I need to remember is the one master password and then make sure I don't lose the password file!
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I tend to use the first letter from each word of the opening line out of a book. Non-dictionary strings, plus I pick books that are relevant to where I work.
Like Mein Kampf...
Task Mangler
I'm a SysAdmin and at one place I worked, I noticed someone had written 'bbbbb' on their monitor. They weren't at their desk at the time, so I sat down, hit ctrl-alt-del and typed 'bbbbb' into the password field AND IT DIDN'T WORK. interesting eh.
This is why I've always been a proponent of pass phrases instead of pass words.
1) It's a lot easier to remember the phrase "My dog is jake" than it is to make a password that's "j4k3d0g!"
2) The number of permutations for passwords is MUCH higher, and will take much more work with a brute force generator. I mean, how long will it take to crack a string of 255 characters? Or longer? (I'm sure someone here will do the math). Plus, with passwords of indeterminate length, it'll be even harder. It's the million monkeys theory. Has there even been a few thousand monkeys yet that have managed to write one sentence of a great work of literature?
3) Then, you can have your passwords stored in an anonymous looking book in case it gets forgotten. Like, say, the opening line to your favorite comic. Who's going to look there? Or, a phrase like "I miss my high school sweetheart". That's a lot easier to remember than some random hashed word.
Reeses
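The brute-force arithmetic that comes up twice in this thread (the "4.9e+55 attempts" claim for an eight-character alphanumeric password, and the "how long will it take to crack a string of 255 characters? I'm sure someone here will do the math" question in the post above), worked through as an added example that is not from either poster. It computes the search space and bits of entropy for a character-by-character password and for a passphrase modelled as words drawn from a dictionary, and the expected time at an assumed guess rate. The guess rate and dictionary size are assumptions chosen for illustration.

```python
import math

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every position is chosen uniformly and independently."""
    return length * math.log2(alphabet_size)

def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly chosen secret: half the space."""
    return space / 2 / guesses_per_second

def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """A passphrase guessed word-by-word is only as strong as the word choices,
    not the character count: an attacker models it as dictionary_size ** word_count."""
    return entropy_bits(dictionary_size, word_count)

def summary(alphabet_size: int, length: int, guesses_per_second: float = 1e9) -> dict:
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "expected_hours": expected_seconds(space, guesses_per_second) / 3600,
    }

if __name__ == "__main__":
    # Assumed attacker speed: one billion guesses per second against a fast hash.
    # 8 characters from the 62 alphanumerics, the k8iWq3xy case from the thread
    print("62^8 :", summary(62, 8))        # 2.2e14 guesses, 47.6 bits, ~30 hours
    # 255 characters from the 95 printable ASCII characters
    print("95^255 bits:", round(entropy_bits(95, 255)))   # about 1675 bits
    # "My dog is jake": 4 words from an assumed 8000-word dictionary
    print("4 words :", round(passphrase_entropy_bits(4, 8000), 1))  # about 51.9 bits
    # the same 14 characters treated as random lowercase plus space
    print("27^14 bits:", round(entropy_bits(27, 14), 1))  # about 66.6 bits
```

The two numbers for the same phrase are the point of the passphrase debate: a short phrase of common words is only a few bits stronger than an eight-character random password once the attacker guesses words rather than characters, so the gain comes from more words, or less common ones, not from the character count.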
"Since everybody will know the password, it will become unnecessary to guess the password," said a Microsoft spokeswoman. "This will be the cause of unbreakable security."
.
.
.
.
Oh well, you get the point.
Sorry to have to post this anonymously...
I just read today that Wachovia has lost control of some of their customers accounts - much of it attributable to their criminal employees.
No shit, really? Gee, I thought that'd NEVER happen. Actually, I'm surprised it took this long. I saw this coming 10 years ago. Simply stroll through their offices and you'll be sure to find more than a few passwords stickied to the monitor, under the keyboard, etc.
I was a consultant who worked there (during the Corestate/Meridian years) and after that shocking experience, I decided to do my banking (and my consulting) elsewhere. While today's news is no surprise to me, it certainly confirmed what I'd felt all along - the greatest security risks are from within.
With all the buyouts of banks that go on, chaos reigns and security is a total joke. The CEO's get their golden parachutes and those execs that remain battle it out. Meanwhile, IT issues that existed at each bank before only get worse and new issues appear when a merger is completed. Want to be a successful criminal? Get into IT, work as a temp at a place like Wachovia, and look for post-it notes...
Why would you ever need to log in remotely as root?!
Beware middle clicking to paste passwords in browsers, since middle clicking outside of the password box in Mozilla/Firefox/Netscape will spam DNS servers everywhere with your secret pass phrase. I've changed passwords a couple times because of this... feature.
Installing Windows is bad for security
Pictochat Art!!!
I often have several magazines open to different articles on my desk. My password will derive from some article title, usually something with 3 four letter words (to get to 12 chars). I then insert a special char between words instead of spaces, and append the page number. I can circle the article title without raising suspicion, and unless you know the trick plus the special character...easy for me difficult otherwise.
for three years. No problem yet. If anybody can get close enough to me to guess them, I'm screwed anyway. I've got my bank password written down sitting on my old Compaq machine as I write this. Break into my room to find it if you think $62 is worth the effort! Why did I write it down? Because the asshole bank sent me a message saying somebody from overseas had been probing the account (probably a phisher's email anyway), so on the off chance I went to the account and changed it to something else I've used, but might not remember I did so. Sure enough, I didn't until I remembered to look at the paper!
This stuff is WAY overblown (except for really secure places like banks).
The real issue is: do you have anything worth protecting? 99% of HOME users don't (unless it's their SSN or a bank account number with PIN, which is obtainable a hundred other ways.) Corporate users should be under a sophisticated single-sign-on/token/biometric/blah-blah system anyway.
So whether people write them down or not is totally irrelevant to real security issues.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Think about it. Paper cannot be "hacked" like wireless devices. It can easily be hidden, and if necessary, the data can be encrypted. It can easily be destroyed beyond recovery. It can be cleared and written over many times, is easily indexed, can be read without the help of any device, and is allowed on airplanes. Name another medium that provides all that.
It takes just a moment and an action to destroy. It takes some time and thought to create.
Nope. Once you use a SecurID code it is burned. If you want to log in to another SecurID protected service, you have to wait for the code on your fob to change. (Trust me, I ran into it enough at the last job I had that used one.)
I log into 20+ different networks and computers in a given week. I can use the same password scheme on about half, but the rest all use mutually exclusive password schemes, ie, some only allow 4 digits, some require 6 letters or digits, but exclude characters, some need caps, others disallow caps, some need at least 8 letters and a special character, anyway you get the idea.
The problem is, most also require a new password every 3 months, and some I don't log into that often, others keep the same one forever, some password schemes change.
I'm a bright guy. I get security. I had a strong password scheme that was working, then in the course of a week, my brain just broke down. I could NOT keep track of any, or remember the old ones. I still haven't worked it all out. I don't know what went wrong, it was just like some kind of cascading failure of my brain. I think I finally hit some kind of wall in my memory. Anyone else had this happen?
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
If you're remote administering a server in a co-lo farm where you've not set up a privileged user account for maintenance. There are times when you *must* be root and where console access is simply impossible.
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
From digi.no where they have had a similar discussion (but in Norwegian), a very good tip was given:
Make a hard password leaving two open spots. Never write down the password, and remember where in it you left the open spots.
Now every time you create a new password, store the location, maybe even username, the two missing letters, and that's it!
If now someone took your notebook, they would only know two characters needing to crack the X characters remaining and need to figure where the two letters fit in addition.
In my 13-year career as a lead dev, I never once laid eyes on most of the machines I had root or Administrator on. I doubt many of them even had a video card installed.
Well, writing them down as-is is not ideal but it's tonnes better than using the same password or similar password per site. I do have an alternative that I thought worked:
/cvs/MyProject
Write on a pad or in a text file some Unix commands. You know, like >tar cvfz MyProject-1.2.tar.gz
Take two or three letters from each word to make the password, for example tavcMy12/M
The only trick is to align websites with passwords, which is solvable, and God knows there are a million combinations of common Unix commands to remember. There should be no way a coworker/bandit can guess that your passwords are in clear sight, and no two passwords should ever look similar.
Just a suggestion.
Oz
I have loose formulas for creating strong passwords and methods for obfuscating them when I write them down. I deliberately don't tell anyone.
But in general, my passwords are effectively random mixed-case alphanumeric sequences generated and obfuscated using techniques similar to those described above, and seeded by a selection of text sources. While the password itself is saved somewhere secure, I can usually remember how I derived the password rather than digging up the stored version.
I also keep a tray of useless decoy keys and gibberish Post-It notes in my desk drawer at work.
Another neat tr1ck is to us3 th3 l3tt3rz "e",and "i" no-one suspects that!
Xix.
"Everything is adjustable, provided you have the right tools"
This is Microsoft. Microsoft is good at:
a. being big
b. selling
"a" and "b" are problems that belong to the business management domain. Business managers at Microsoft rule. So do business managers at medium software companies and up.
When business managers rule at any given workplace, in order to advance economically beyond a certain point, an individual needs to "become" a business manager. "Success" inside medium-to-large software businesses is measured by a combination of hierarchical position and remuneration. Higher hierarchical position and remuneration are achieved by individuals whose actions increase sales volume. Sales volume is increased by decisions made at a managerial level. "Success" at medium-to-large software businesses does not correlate in any way with technical excellence.
In order to become a business manager, you need to either give up on whatever you're doing and go back to college to study business management, or keep doing what you do while learning how to think and act like other (preferably senior) business managers in your place of work, in the hope of a "promotion" to a position in management. The latter results in very strange, if not pathetic, behaviour.
Business managers are not known for being exceptional in any endeavor related to either science or the humanities. Mr. Johansson's reasoning is typical of the above-mentioned behaviour. When confronted with such commonsense nonsense, I tried to remember that for every problem there is at least one simple solution that is wrong, and that working for a medium-to-large software factory is not the only way to advance economically, not to say intellectually. ;-)
HAD
nobody's ever stolen one of my passwords or hijacked an account of mine
Correction: To your knowledge, nobody's ever stolen one of my passwords or hijacked an account. Just because you haven't noticed doesn't mean that it hasn't happened.
It's scary being a Flash and Flex developer on Slashdot. You guys are unnaturally rabid.
+1 HSR comment.
I've been doing it for years, but I generally don't talk about it unless directly asked, since it goes against the grain of traditional security advice. My feeling is, 1) My passwords are no more valuable than anything else in my wallet, and 2) if my wallet gets stolen, I will know near-immediately and change all my passwords (probably even before cancelling my credit cards.)
Actually, Bruce Schneier wrote exactly such an application and put it on SourceForge a while ago, where it is currently maintained:
PasswordSafe
Note: I'm the project's current admin.
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
barring quantum computers, nobody's going to be breaking it within my lifetime.
Or research breakthroughs - nobody has yet proved that one-way functions exist, and it's entirely possible that some genius could figure out a fast factoring algorithm tomorrow and make your crypto worthless. Not likely, but a possibility worth considering.
I used to work for a human rights group that a large (not the US) government was actively trying to mess with. If I am not using a Mac, which of course has the password keychain (brilliant), then I think the best thing to do would be to write the password down in a long string of mutually unintelligible keystrokes, or a long list, or add an extra character or two. I would write my 6s to look like bs, + and T. The user of course would remember what is what, but if the paper is compromised, the data is not.
"prohibiting users from writing down their passwords.."
Users won't stop writing down their passwords just because you prohibit them from doing so. By all means, suggest to users good ways of dealing with passwords.
But some users are going to write them down, send them in a reply to an email from fake_security@yourbank.com and stick them on a postit note on their computer.
So when their computers get compromised, sack them and get someone who is not as dumb.
If you find someone's wallet, there's a reasonable chance that the phone list or calendar has their PIN listed in it. Every time we talk about hiding a PIN, at least one person offers this as their ingenious solution.
Xix.
"Everything is adjustable, provided you have the right tools"
He is right, people should write down passwords.
People are bad at remembering good, strong passwords. So, as he suggests, you end up with a small number of passwords (which may or may not be strong) that are used everywhere. The problem with this is that a password gets used in more than one location with varying degrees of security and information. For example, I could use my online banking password also when I register for a mailing list.
The problem with this is that the mailing list info is of low value, and my login details there are going to be less well protected than my bank login details.
So conceivably, someone could hack the mailing list server, get my login details and use them to access my bank account. Now if you consider that a single password may be in a large number of situations, this becomes a serious problem.
I found an article a while ago that pointed out just this flaw with the MS Passport scheme, unfortunately I can't find it right now.
So our approach should be to write down passwords and protect our password "safe".
My approach has been:
1. Use Keyring for Palm. Passwords are encrypted with 128 3DES.
2. Never use the same password in more than one place.
Keyring backs up to my desktop whenever I do a sync. I can also read passwords on my desktop using KeyRingWin.
My desktop is backed up to my file server, which is then backed up to a USB drive.
I consider this to be a relatively secure approach that also provides me with backups of my passwords.
This does leave one issue. I have created a single point of failure. Get the password for the encrypted password store, and you have all of them. This is mitigated somewhat by the fact that the password store is only stored on my local network and palm. You also need to get to the password store itself. You also could brute force it, but again you would need to get to the password store itself.
meh
OS X has had their keychain tool in the OS since practically day one.
Win32 has lots of good options for this; the PasswordSafe tool created by Bruce Schneier originally is a wonderful option, especially since there's a PocketPC version available too.
There's a rather bad implementation of this tech in IE already, so why not just make a nice encrypted password storage tool a standard part of Windows instead of making these idiotic suggestions in an attempt to say something 'newsworthy'?
Hopeless executive hot air as usual from MS. While I have no problem believing there are some talented people working for MS, their execs have never given me that impression.
Writing down passwords... has War Games and Matthew Broderick taught us nothing? (grin) No matter how clever they think they are... the folks with the important passwords will always hide them in the most obvious places...!
I've always used my first name as my password for everything and I've never never had it hijacked, so it must be good.
#9) When constructing your tin-foil hat, make sure the shiny side is facing outwards.
Think of all the bullsh*t a user carries around in their brain....inane senseless stuff, but they remember it.
If they can't remember something as simple as a password, they don't deserve access to my systems.
But that will display your password in plaintext.
:-)
The passwords are prompted for, and nothing typed appears on screen (fairly standard stuff). If using ccrypt, the only thing that appears in plaintext is the decrypted contents of your encrypted file, after you've chosen to decrypt it (and before you cleared your screen buffer, of course).
Clipboard-anything is always a Bad Idea(TM). It's fairly trivial (read: ActiveX, among other methods) to read the contents of the Windows clipboard. Then again, I think clicking/double-clicking anything is a Bad Idea as well, especially when the multiple steps of loading and clicking your way through a GUI can be replaced with a one-line command.
But let's not forget that even though it's easy for someone to make a complex password and write it down, they also want it to be easy to access; hence they are going to stick that Post-It note, or whatever they choose to write it on, in a place they can easily find, whether that be under the keyboard, on the monitor (a common thing) or just anywhere in their office space. People tend to do this on a regular basis. Now, a good company procedure would be to ban this type of activity. Issue warnings and such to people who do not follow this rule and potentially terminate them if they choose not to comply. After all, this may sound like a bad idea, to fire them, but you wouldn't want your company to be breached by a social engineer who is out to get your precious intellectual property, now would you? Plus, the simple fact of them not following the rules creates a flaw in management and shows bad teamwork. It's just not good for business.
"Instant gratification takes too long." - Carrie Fisher
Clipboard-anything is always a Bad Idea(TM). It's fairly trivial (read: ActiveX, among other methods) to read the contents of the Windows clipboard.
Probably about as trivial as writing a keyboard event handler, I'd imagine. The point is that at least it isn't displayed in plaintext at any point unless you manually choose to edit the password. Plus you don't have to worry about command line histories (e.g. .bash_history for *nix), someone sharing the system scanning `ps -aux` for command-line parameters, etc. I think the clipboard is the lesser of two evils.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I understand that having different passwords for various logins is essential for security reasons (otherwise, if you have the same password for all logins, you are as safe as the least safe system!!!). This is a small trick I use: my passwords are made up of 2 parts. The first part is some text with special characters common to all my passwords, and the second part is dependent on where I log in. For example, if my common part is 'foo' then my Slashdot password would be 'foo/.' or 'fooslash' and my Yahoo password would be 'fooy!' or 'fooyahoo', and so on. This has several advantages: 1) easy to remember, since you only have to remember the common part (it's like having a single password!), 2) the password is different for different logins, so it's secure. Hope it helps. (BTW, my Slashdot password is NOT 'foo/.' ;)
While I was in the Air Force they preached computer security (CompuSec) day in and day out. The biggest threat wasn't from hacking or malicious software, but from someone walking by your desk, seeing your Post-It note with your password on it and memorizing it. The other issue was with someone calling an employee and telling them they were the Help Desk and they needed their password for some reason or another. I used to do this to people, to teach them, and was surprised at the number of morons who would give out their password. I would say, "Hi, this is [my name], I need your password to remotely log you into the XXXX server so that I can back up your XXXXX files". Most people would just give me their password. Anyway, password security is a real problem if the information being password protected is important.
I write down my passwords, but I do it in an encrypted form. Using a pattern I know, I will write down the password in a scrambled form, and insert other letters as well. Anyone looking at the written password would only be able to narrow down the password to about 60 trillion possible combinations. With me, however, knowing the pattern to look for, I'm able to enter it easily.
All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
Some thief who also happens to know something about malicious hacking steals your wallet/password list which conveniently states not only your password, but probably also the computers that each one goes to. Another telltale sign that MS is run by fucking morons. Here's the solution. This is not a solution for the casual user, because the casual user typically wouldn't follow this anyway. Create a difficult password (mine are usually 10 to 14 characters, randomly created entirely from my head, contain at least a couple special characters, and a couple of caps. If I'm working on a desktop, I also throw in alt+255 as well). I memorize these usually very difficult passwords, and use usually one or two for everything. Personal comp gets one, and because it's a work computer, that one gets a totally different one. Websites usually get a very simple one, because frankly I don't really care if someone breaks into my fileplanet.com or gamespot.com account. Nothing terribly interesting in there.
Why not combine the two techniques? Make one part of your password long and complicated and write it down in a safe place. Memorize the other part of your password, never write it down anywhere, and keep it for a long, long time. That way, if your wallet and keys are stolen, they might get your credit card, burgle your house and steal your car, but the porn collection on your laptop will be safe. Er. For example.
So this is Microsoft's view on security. And they wonder why people don't take them seriously when saying they wish to dominate the security sector...
The Dutch will inherit the earth. If not, we'll settle for a bit of ocean. Beta delenda est!
My passwords aren't case-sensitive, you insensitive clod! It only takes 423,880,471,170 years to run through all my possible twenty-character passwords :(
So what one has to do in order to get rid of the complex meaningless passwords is define a single master password for both PasswordMaker and Firefox and with the help of their encryption capabilities use it to respectively generate and auto-fill distinct passwords for all the sites he/she is registered on.
The need to enter the master password into PasswordMaker is slightly unpleasant, considering that you already enter it once for FF's session, but, hopefully, this will be dealt with in the future PM's versions.
Highly recommended stuff.
I occasionally write important passwords down, but not in the way they're used. Numbers get changed by a particular method, and the sequence of characters is changed as well.
..
But backing it up is sooo important
...20 characters of random data, it would have to be pseudorandom. I do remember reading the police cracked a 20 letter password that consisted of five words, all lowercase. Probably "fuckoffyoustupidcops" or something like that.
The key to a good password is to create one that only makes "sense" within the context. For a very high-security password, I recommend starting with a passphrase you remember easily, like a quote, saying or similar then add three typos - letter, capital, number or sign. Example: "simXplever8ygoodpas.sword" - remember "simXple" , "ver8y" , "pas.sword" (easier than remembering the typos alone).
Remembering three flawed words comes rather easily, certainly much more easily than even a standard "random" password like hjk2Edn3. And yet the number of permutations makes it several orders of magnitude more difficult to find. It is slightly longer to type, though, but since it is more "normal" typing I find it just as easy.
Kjella
Live today, because you never know what tomorrow brings
There is a CRITICAL backdoor in Blowfish that Bruce put in the code and NEVER admitted or corrected in print for many years, long after 30 commercial crypto libraries foolishly embedded the exploit.
It looks like an innocent mistake in the code... but the sinister weakness was deliberate. I caught it VERY early on and spent years pointing it out to others that Bruce is a shill, a dupe, or merely the world's most retarded programmer.
Discussion of the Blowfish backdoor never found in all original normal test suites:
There is a problem whenever the most significant bit of key[index] is a '1': for
example, if key[index]=0x0080, key[index], a signed char, is sign
extended to 0xffffff80 before it is ORed with data.
For example, when:
(index&0x3)==0x3 (such as index=0x3,0x7,0xf, etc.)
- -and-
(key[index]&0x80)==0x80 (or when k[index]=0x80,0x81,etc.)
data=0xffffff80 (0xffffff81,etc.) upon exit from the above
"for(k=...)" loop. ORing all of these 1's into data
effectively wipes out 3/4 of the key characters! (that is,
3/4 of the key characters are known to be set to 1 when the
4th key byte to be ORed into data has a 1 in the most
significant bit.) For a randomly selected 32-bit key,
there is a 50% chance that 3/4 of the key could be
considered as all '1's, even if they weren't that way to
begin with. The length of the key is irrelevant to the exploit.
The line of code was
data = (data << 8) | key[index];
it should have been similar to
data = (data << 8);
data |= ((unsigned long)key[index] & 0x00FF);
Anyway, the weakness made Blowfish trivial to crack for many years.
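The sign-extension mechanism the quoted analysis describes, worked through as an added example. This is not the poster's code and not the Blowfish reference code; it is only a key-packing loop of the same shape (shift left 8, OR in the next key byte), in its buggy and corrected forms. Plain `char` signedness is implementation-defined in C, so the example uses `signed char` explicitly to reproduce the signed-char case the quote assumes; the key chunks are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sample 4-byte key chunks, constructed for this example (not from the post).
   The (signed char) casts keep the 0x80..0xff values explicit. */
static const signed char KEY_ONE[4]   = { 0x01, 0x02, 0x03, (signed char)0x80 };
static const signed char KEY_TWO[4]   = { (signed char)0xAA, (signed char)0xBB,
                                          (signed char)0xCC, (signed char)0x80 };
static const signed char KEY_THREE[4] = { (signed char)0x80, 0x01, 0x02, 0x03 };

/* Packs four key bytes into one 32-bit word the way the quoted loop does.
   key[] is a signed char array, so a byte with the top bit set is promoted
   to a negative int and sign-extended (0x80 -> 0xffffff80) before the OR,
   which sets every bit above bit 7 of data, whatever was there before. */
uint32_t pack_buggy(const signed char *key, size_t start)
{
    uint32_t data = 0;
    for (size_t k = 0; k < 4; k++)
        data = (data << 8) | key[start + k];
    return data;
}

/* Corrected packing: mask the byte to 8 bits before ORing it in. */
uint32_t pack_fixed(const signed char *key, size_t start)
{
    uint32_t data = 0;
    for (size_t k = 0; k < 4; k++) {
        data = data << 8;
        data |= ((uint32_t)key[start + k] & 0x00FFu);
    }
    return data;
}

/* Builds two chunks that differ in their first three bytes and share the
   given last byte. Returns 1 if the buggy packing maps both to the same
   word, i.e. if the earlier three key bytes have been wiped out. */
int high_bit_collapses(unsigned char last)
{
    signed char a[4] = { 0x11, 0x22, 0x33, (signed char)last };
    signed char b[4] = { 0x44, 0x55, 0x66, (signed char)last };
    return pack_buggy(a, 0) == pack_buggy(b, 0);
}

/* How many of the 256 possible fourth bytes erase the other three? */
int collapsing_last_bytes(void)
{
    int count = 0;
    for (unsigned last = 0; last < 256; last++)
        count += high_bit_collapses((unsigned char)last);
    return count;
}

int main(void)
{
    printf("KEY_ONE   buggy=%08x fixed=%08x\n",
           (unsigned)pack_buggy(KEY_ONE, 0), (unsigned)pack_fixed(KEY_ONE, 0));
    printf("KEY_TWO   buggy=%08x fixed=%08x\n",
           (unsigned)pack_buggy(KEY_TWO, 0), (unsigned)pack_fixed(KEY_TWO, 0));
    printf("KEY_THREE buggy=%08x fixed=%08x\n",
           (unsigned)pack_buggy(KEY_THREE, 0), (unsigned)pack_fixed(KEY_THREE, 0));
    printf("%d of 256 last-byte values erase the other three bytes\n",
           collapsing_last_bytes());
    return 0;
}
```

Compile with any C99 compiler and run. KEY_ONE and KEY_TWO differ in all of their first three bytes yet pack to the same word (0xffffff80) under the buggy loop, and exactly half of the 256 possible fourth bytes cause that collapse, matching the 50% figure in the quote. KEY_THREE has its high-bit byte first: the three later shifts push the extended bits out of the 32-bit word, so buggy and fixed agree, which is why the quote conditions the damage on (index&0x3)==0x3.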
Using different passwords everywhere may help, but not that much. There is only one password someone needs to get access to most of your accounts: your email, and they may not even need that. Most email passwords are sent in plaintext and can be sniffed on the network or keyboard.
Just about every bank, brokerage, etc. site will email you a password or password change/reset URL if you "forgot" your password. If someone has access to your email - or the network your email is delivered to - you're easily toast.
Those of you using webmail and checking it from an internet cafe on Soi Cowboy, take note.
I have all my passwords on posters around my office in stereogram form. The only trouble is my office mate often spends hours sitting at his desk with his eyes glazed over and I don't know if he's just zoned out or if he's trying to steal my passwords!
----------------------------------- My Other Sig Is Hilarious -----------------------------------
All you have to do is convert each character to its corresponding ASCII number and then XOR it with a value of your choice. If you XOR the result, you'll get the original character. For those that don't know, XOR is exclusive OR. Truth table:
a b c
0 0 0
0 1 1
1 0 1
1 1 0
a XOR b = c
c XOR a = b
c XOR b = a
No commoner will know how to decode your written-down password then. Just hope the commoner isn't a Slashdot reader. :/
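The XOR scheme from the post above, as an added example (not the poster's code), with a constructed password and one-byte key. It round-trips exactly as the truth table says, and it also shows what the "Slashdot reader" in the post would do with the written-down string: try all 256 keys and keep only the ones whose output is printable, which leaves far fewer than 256 to check by eye.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a password and the one-byte key its owner chose.
   Neither is from the post. */
static const char SAMPLE_PASSWORD[] = "S3cret!Pa55";
static const uint8_t SAMPLE_KEY = 0x5A;

/* XOR every byte with key; applying the same call twice restores the input
   (a XOR b = c, c XOR b = a). */
void xor_with_key(const uint8_t *in, size_t n, uint8_t key, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key;
}

/* Does decoding under 'key' yield only printable ASCII (0x20..0x7e)?
   That is the only check an onlooker needs to discard most wrong keys. */
int key_is_candidate(const uint8_t *enc, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t c = enc[i] ^ key;
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Tries all 256 keys and returns how many survive the printable check. */
int count_candidate_keys(const uint8_t *enc, size_t n)
{
    int count = 0;
    for (unsigned k = 0; k < 256; k++)
        count += key_is_candidate(enc, n, (uint8_t)k);
    return count;
}

/* Encodes the sample password into enc; returns its length. */
static size_t encode_sample(uint8_t *enc)
{
    size_t n = sizeof SAMPLE_PASSWORD - 1;
    xor_with_key((const uint8_t *)SAMPLE_PASSWORD, n, SAMPLE_KEY, enc);
    return n;
}

/* 1 if encode followed by decode reproduces the sample password. */
int sample_round_trips(void)
{
    uint8_t enc[sizeof SAMPLE_PASSWORD], dec[sizeof SAMPLE_PASSWORD];
    size_t n = encode_sample(enc);
    xor_with_key(enc, n, SAMPLE_KEY, dec);
    return memcmp(dec, SAMPLE_PASSWORD, n) == 0;
}

/* 1 if the real key is among the candidates the onlooker is left with. */
int sample_true_key_survives(void)
{
    uint8_t enc[sizeof SAMPLE_PASSWORD];
    size_t n = encode_sample(enc);
    return key_is_candidate(enc, n, SAMPLE_KEY);
}

/* Number of keys the onlooker still has to look at for the sample. */
int sample_candidate_keys(void)
{
    uint8_t enc[sizeof SAMPLE_PASSWORD];
    size_t n = encode_sample(enc);
    return count_candidate_keys(enc, n);
}

int main(void)
{
    printf("round trip ok: %d\n", sample_round_trips());
    printf("keys left after printable filter: %d of 256\n", sample_candidate_keys());
    return 0;
}
```

Any key whose top bit differs from the real one turns every byte non-printable, so at least half the key space drops out immediately; the remaining candidates can be read off in one pass.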
well, in my case, I would have to remember about 20 passwords and change them on a regular (90 days) basis. Almost all of them must contain upper case, lower case, numbers and special characters... :) :))
There's no way I could remember that many passwords along with my private ones, especially when I don't need to log on to some system for, say, 2-3 weeks. So I store a plaintext file with all my passwords on a network drive, with restricted access. If anyone should get this file, it will be the IT guys responsible for it.
But with all the project documents stored on network drives, some login info will be the lesser loss in this case
I think this problem has to do with being lazy. You can remember passwords; you just have to actually make an attempt to try (which nobody wants to do these days). I recommend you at least store your passwords in an encrypted file with weak security rather than writing them down somewhere.
"with over 250 million active Passport accounts and over 1 billion authentications per day."
anyone else read this as meaning *only* 3 crashes per machine per day!
they are doing well these days aren't they..
Here's a simple technique I use for keeping all my card PINs straight.
I have one secret 4 digit number that I remember.
I subtract this number from the PIN for a card using modulo arithmetic.
I write the result on the back of the card.
So if my secret number is 9427 and the actual pin is 9876, I write down 0459.
Now I only have to remember one number for all of my cards, each card has a different PIN, and if the bad guys get my card and try the number helpfully written on the back, it won't work.
If only I could get my bank to use the adjusted number as a panic code...
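The modular arithmetic in the post above, as an added example (not the poster's code). Note that the poster's figures only come out as 0459 if the subtraction is done digit by digit mod 10 (9-9, 8-4, 7-2, 6-7+10), not mod 10000, so that is what the example implements. It also checks the security property the post relies on: the number written on the card is consistent with every possible PIN, so on its own it tells a thief nothing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN 4

/* True if s is exactly PIN_LEN decimal digits. */
static bool is_pin(const char *s)
{
    if (strlen(s) != PIN_LEN)
        return false;
    for (size_t i = 0; i < PIN_LEN; i++)
        if (s[i] < '0' || s[i] > '9')
            return false;
    return true;
}

/* Digit-wise (pin - secret) mod 10: the number written on the back of the
   card. Returns it as an int 0..9999, or -1 on malformed input. */
int note_from_pin(const char *secret, const char *pin)
{
    if (!is_pin(secret) || !is_pin(pin))
        return -1;
    int out = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        out = out * 10 + ((pin[i] - secret[i]) + 10) % 10;
    return out;
}

/* Digit-wise (note + secret) mod 10: recovers the real PIN at the ATM. */
int pin_from_note(const char *secret, const char *note)
{
    if (!is_pin(secret) || !is_pin(note))
        return -1;
    int out = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        out = out * 10 + ((note[i] - '0') + (secret[i] - '0')) % 10;
    return out;
}

/* How many distinct PINs are consistent with a given note over all 10000
   possible secrets? 10000 means the note alone narrows nothing down. */
int pins_consistent_with_note(const char *note)
{
    bool seen[10000] = { false };
    int distinct = 0;
    char secret[PIN_LEN + 1];
    for (int s = 0; s < 10000; s++) {
        snprintf(secret, sizeof secret, "%04d", s);
        int pin = pin_from_note(secret, note);
        if (pin < 0)
            return -1;
        if (!seen[pin]) {
            seen[pin] = true;
            distinct++;
        }
    }
    return distinct;
}

int main(void)
{
    /* The poster's own numbers: secret 9427, real PIN 9876. */
    printf("write on card: %04d\n", note_from_pin("9427", "9876"));
    printf("PIN recovered: %04d\n", pin_from_note("9427", "0459"));
    printf("PINs consistent with note 0459: %d\n",
           pins_consistent_with_note("0459"));
    return 0;
}
```

The scheme is a one-time pad over four decimal digits with the memorised number as the key, which is why it holds up as long as the secret is never reused anywhere the thief can see both note and PIN together.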
"World Domination - a fun, family activity"
Using ssh is often useful, but in this scenario it helps only a little.
Why would you do that? If you are going to lose your wallet, first take out the money, credit cards, and passwords.
Of course this won't help if you lose your wallet.
Sure - but it gets to the point of absurdity very quickly. Nothing is 100% secure; everything is a compromise. All you can do is take *reasonable* precautions - SSH is reasonable, telnet is not.
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
1) Think of a system to create your password for different classes of things (e.g. banking, personal accounts, office accounts, mailing lists, misc).
2) Write them down in a spreadsheet in some 'truncated' manner (e.g. first and last character of the password), not just anywhere, and encrypt the file with a good password that you make sure you will remember.
I changed the moderation to 4 and read through all the comments. I saw all kinds of things about people using mental hashes, combining parts of words from things on their desks, and several very arcane sounding methods of generating new passwords. But I didn't see much about passphrases.
It's always been my understanding that this is probably the best option, assuming the system will allow 25+ characters for passwords, which, sadly, many don't.
The passphrase "try to crack this password fools", even without any extended characters, would just take too long to crack through conventional means. Add in some punctuation and capital letters and it becomes even more difficult to crack. And it is something I can easily remember, more so than a random password like "E4#b.?8Y". So is there a good reason, aside from many sites only allowing 16 or fewer characters for passwords, not to use passphrases?
Wyrd One
There is this device that people have for containing things that are valuable - it is called a "wallet".
I write down my passwords and keep them there until I have them memorized. It is really 1337!
Some of the systems where I work require a new password every 30 days, and one of those is a system I only have to access once or twice a week.
By the time I have the PW memorized, it's time to change it again.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Something like the product at http://www.argosytelcrest.co.uk/pwsafe/ Pretty much everyone has a browser on the devices they use to access systems, and it seems to avoid the need for a million and one local password safes all storing out-of-date copies of the password.
Al Sutton
When I worked at Northwest Airlines as a programmer, I needed regular access to:
* Windows NT/Novell
* Three different Unisys OS2200 DEMAND environments for development/support.
* Three different Unisys OS2200 TIP environments for development/support (one USAS, two UNIMATIC).
* Two Solaris servers for development/support
* IBM TSO/ISPF (mainframe) for change management.
* IBM CICS environment for hours/projects (PCS).
* AIX server for maintaining intranet site.
The platforms involved had vastly different password length and content requirements and did not share security information.
At my current position, I need access to a Linux box, a Solaris box, three OS2200 boxes, Novell, and a whole pile of different applications (some web based, some not) for training, time reporting, change management, problem monitoring, and various other things.
Some of the latter could share a common password if the various vendors got together and agreed to implement a standard (since all are accessed via my Windows XP Pro box), but the former are all server logins on platforms which are quite different from each other (Solaris and Linux aren't, but neither is remotely like OS2200).
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
All the other stuff is un-necessary if you can do this. If your computer is physically isolated, with no net connection, most of your problems are solved. Any sensitive information should, in general, be separated from the internet by an airgap.
At home, I have a Windows box which my children use for educational software. It's never been cracked, and never gotten a virus or spyware. It's more secure than my online linux box. Why? The airgap. I've removed the modem and NIC from the Windows box.
To give an ecommerce example of security through air gap, take the order and credit card number via the net, then write it to a CSV file of orders which gets burned twice a day to CD and carried to the offline machine. On the online machine, keep only the name and last 4 digits of the card number, so next time that customer shows up you can safely offer him the choice to use the same card. Safely, because even if the online machine gets cracked, the cracker gets only a name and 4 digits, without the expiration date and remaining digits. If the online machine gets cracked, only the orders placed since the last CD was burned can be compromised.
The offline machine stores the credit card numbers and prepares the orders for processing. Of course, the credit card processing still has to be done online. Stick the CD of numbers, et cetera, into an online machine, and have it transmit numbers, amounts, et cetera, to Visa. If you want to be really serious about security, this machine could be reinstalled before each batch (via Ghost, or some Linux Live CD, or so).
This all sounds practical, but it's cheaper and easier to just do everything on the online machine, so it'll never happen.
See what I've been reading.
What about using an algorithm to generate passwords for different sites? For example, I could take the name of the site (e.g. Slashdot), write any specific word after it, so I'd get for example Slasdhotasdfg, then md5 it. My password would be c03d483f205d67c7f8d5a509d55c50f7. Seems pretty secure, doesn't it?
They shouldn't share a common password. If they did then getting access to the password on one system would give access to all the others.
However, they could share a common authentication mechanism such as using a public/private key pair. At least the three Unix boxes can be accessed using ssh and a keypair; it's a shame that there is no real equivalent for Windows (unless you do something very funky with Samba and domain controllers).
-- Ed Avis ed@membled.com
Good gravy. Talk about backwards. Passwords should be long and intuitive and used on secure machines with secure communications so that you can use the same password on a group of trusted machines without having to write them down.
Out with the password, in with the pass-phrase, and in with TOKENS.
I see. So if it has never happened to you, then it doesn't happen to anyone.
Cool! What was your username again? ;)
That sounds like a cool feature actually. Have the password on a paper on the desk, possibly in encrypted form. Then touching the paper to an area on the computer, the password is read into the machine, but not stored. So the paper acts as a key, that isn't able to be seen by simply breaking into the machine.
Saskboy's blog is good. 9 out of 10 dentists agree.
I think you've got yourself a great startup idea there. Ever think of writing that up in a business plan and bringing it to VC's? And all that time when I posted the grandparent posting I thought I was just trolling; but this is actually very cool.