Slashdot Mirror

← Back to Stories (view on slashdot.org)

Write Down Your Passwords

Posted by Zonk on from the social-hacking-paradise dept.

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

3 of 633 comments (clear)

  1. Password Safe is the answer by windowpain · · Score: 5, Informative

    It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.

    Password Safe

    --
    Insert witty sig here.
  2. My Solution by 3ryon · · Score: 5, Informative

    I use a small PINS database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.

    The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.

    --
    Kind thoughts do not change the world
  3. Re:Passwords are useless. by loqi · · Score: 4, Informative

    Let's see... assuming lower- and upper-case letters and numbers are the only allowed components of a password, even a machine capable of one trillion password checks per second would take about 22,337,120,292,586,187,942 years to run through all the possible twenty-character passwords.

    So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.

    --
    If other reasons we do lack, we swear no one will die when we attack