Write Down Your Passwords

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Pseudo-Written Password

[fembots]

Seriously though, instead of writing down the password, why not using what's already written on the hardware?

For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

See? it's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.

The good password requiremnt is not helped by the fact that users are also required to change it every xx days, so not only you need to remember a strange password, you have to remember a different one every couple of days.

There a joke about the increasing frequency that a user is required to change his password nowdays, eventually crackers just need to keep on trying the same password and the system will change to match it.

Re:Pseudo-Written Password

If I have 10 items on my desk with various serial numbers or part numbers on them, and you KNOW FOR A FACT (of course you won't) that I'm using 4 of them, that's still 10!/(10-4)! combinations, or 5040 possibilities. Furthermore, there's the possibility that I added characters in between each item, each one increasing complexity by 62 (assuming ONLY alphanumerics). So in a bad example, with only 10 numbers to choose from, and your having a good deal of knowledge about choices, it is INCREDIBLY unlikely that you'll successfully guess the password before the system locks you out (essentially what a local attack will be limited by anyway). If you grab a copy of the hash somehow (which generally indicates another security problem in itself), your attempts can be rather easily be foiled by character substitutions (password -> p4$5W0rd), each possible one adding another order of complexity to the problem, increading the permutations by at least a factor of 2. Given 3 substitution choices per letter (there will usually be many more than that), 'password' becomes 3^8, or 6561 TIMES more complex.

In short, if this is true, the passwords really, really sucked.

Re:Pseudo-Written Password

[Em+Ellel]

Everyone I know at work with a lot of passwords uses (password protected) software (like pins) to store all of their passwords...

In the end, it is probably one of the better ways , although I always wondered that since now there is a potentially weak password protecting MANY possibly strong passwords, do the strong passwords matter? A simple keylogger will give access to ALL of your passwords in seconds.

-Em

Re:Pseudo-Written Password

[ginotech]

if someone has that kind of access to your computer, you're screwed anyway.

Re:Pseudo-Written Password

[KinkifyTheNation]

Or use a sentence and remove the spaces.

thispasswordwillnotbebruteforced

for example. The only weakness I can think of is that it may or may not be easier for someone to guess it.

Re:Pseudo-Written Password

[JustOK]

Yah, I might pay a dollar to see what happens when some over eager DHS agent sees it when you come back... "Oh, just rambling about 'Europe', huh? Meet any interesting people? What's all these numbers? What specific countries did you go to? Do you have proof of where you stayed in each of these countries?"

Re:Pseudo-Written Password

[ChatHuant]

A better approach to that is take a phrase and change it like so

iLikeFi$he$Bec@useTheyreSoDelicio$

That doesn't add much to your password's security, you know; your changes aren't random enough, especially since "leet" ortography is so prevalent. There are dictionary attack programs that use expanded dictionaries, using also words with the obvious replacements (I/L -> 1, e -> 3 and so on).

Re:Pseudo-Written Password

[spacecowboy420]

IMHO, an even better way is to pick a pattern on your keyboard and alternate your shift key. If you look at this password: o0i9u8&TR% it may look impossible to remember, but if you were to actually type it, it becomes surpisingly simple to remember. Once you know it, it is even difficult to tell someone your password, but easy as hell to remember when typing on a keyboard - just remember the pattern.

Re:Pseudo-Written Password

I tell them that, if they write them down, they should keep the paper with it in their wallet and treat it like cash.

So far, it seems to have helped some, at least.

Re:Pseudo-Written Password

[Mattcelt]

In short, if this is true, the passwords really, really sucked.

Not really. What it means is that users generally really, really suck at picking good passwords.

In order for Mr. Johansson's idea to be truly effective, three things need to happen:
1) the IT department much choose strong passwords for the users. They must NOT allow the users to choose the passwords themselves.
2) there must be an incredibly explicit policy regarding the protection of the media on which the passwords are stored and accessed. The policy must provide stiff penalties for failure to comply, and periodic checks need to be made to ensure compliance.
3) the users need to be educated on the relevant security practices so they know why it is so important to follow the letter of the policy and not circumvent any part of it.

Failure to do any of these will compromise the success of the strategy.

Re:Pseudo-Written Password

[nebs555]

yeah but if you had been pickpocketed by albanian cryptography experts... you'd be buggered

Microsoft hard at work for security

[yagu]

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

Re:Microsoft hard at work for security

[Lord+Kano]

I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

A piece of paper kept in the wallet is better for security than the same 7 letter password getting reused.

We can talk about how things should be in an "ideal" world or we can deal with how things are in this one.

In an ideal world, passwords wouldn't be necessary because everyone would be honest.

LK

Re:Bruce Schneier agrees

[team99parody]

Seems better to keep the long-hard passwords stored in an encrypted file protected by one good password that you remember.

Riddle Me This

[the0ther]

We use physical keys to start our cars and to unlock our homes. Why don't we handle this stuff by using a similar strategy. Say a USB dongle that you need to start your computer? I've seen a few implementations of this theme, and I even believe MS threatened to do just this. Is this because the regular (l)users out there want their computer to work like their toaster does?

Re:And I'll keep it under my keyboard...

[nukem996]

You'd be surpised about how many people do that.

Secure your passwords

[kjfitz]

I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."

What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.

Common sense...

BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

Re:Secure your passwords

[WasteOfAmmo]

BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

I have no idea why more people have not posted similar ideas. For years I have written down many of the numerous passwords that I have. But I also "encrypt" my passwords as I write then down. The "encryption" method can be as simple as the parent suggests or using rot1 or rot25, adding/subtracting X from each number in the password, or including "known to you" bogus letters ("I hereby state that I shall never use the letters E and R in my real passwords") and use these to seed your passwords.

There are many simple ways to "write your passwords down" without actually putting them on the paper. Use anagrams and pass phrases. Write the answers down where the passwords are the questions or the reverse.

Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.

Merlin.

The Downside of One Really Strong Password (TM)

One Really Bad Mistake (TM) will hurt you a lot more than it would with multiple passwords. I'm careful, I'm sure a lot of slashdotters are careful, but every once in a while someone is going to make a mistake. If it's one password for one place, it's possible to fix that. If it's the same password everywhere that becomes more difficult.

Re:Bruce Schneier agrees

[l3prador]

The "guard them as you would your cash" idea sounds good and is good to a certain extent, however, when someone has stolen your cash, you can generally tell it's gone. A password can be stolen without anything being missing.

Re:Really?

[vidarlo]

What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?

Because ONE security breach would compromise all services? Yes, that sounds right. Also a single malicious administrator could emtpy your bank accounts, take your ID, book a few flights and so?

Do you trust the admins of slashdot enough? There has been breaches in past, there will be in future.

Re:Really?

Why wouldn't a person choose one good password, and only one, and keep it?

Just because I want a login to buy something from a store doesn't mean I want to give the people working at that store the password for my online banking - especially if I'm giving them other banking details to make the payment.

Not as portable as paper

[winkydink]

Anything that requires me to have access to a specific type of hardware (PDA) or a specific operating system isn't going to be a lot of help if you're on the road without your gear or your gear gets stolen and you need access now.

Just do something trivial like rot-5 the 5th character of each password if you're concerned about somebody getting access. That would discourage most people from trying.

Steganography

[CustomDesigned]

When I write down passwords, I use some form of steganography. For example, one of my earlier systems was to add a fictictious address to my address book, with the password encoded within the address using a mnemonic mapping scheme.

I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:

0 - 's', 'z' (think 'zero' and hissing like snakes)
1 - 't', 'd' (1 looks kind of like t)
2 - 'n' (n has two legs)
3 - 'm' (m has three legs)
4 - 'r' (four ends with r)
5 - 'l' (L is latin for fifty)
6 - 'j', 'g' (soft g, like upside down 6)
7 - 'k', 'g' (hard g, k and 7 have diagonals)
8 - 'f', 'ph' (cursive f like 8)
9 - 'p', 'b'

Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with python...) 3254. You construct a phrase with any vowels and spacing desired with the consonants m,n,l,r. For instance, "mine lore" comes to my mind, and I envision Tolkein dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook.

Passwords-Easy to remember-Repetition is the key

We all use lots of numbers every day,our own bank account numbers, Credit Card Numbers, Phone numbers, etc. We all remember all these numbers, because we use them over and over again. When you get a new credit card, for the first 10-15 online purchases you copy the number for the plastic; afterwards you just know the number, you get it out of your head. The more often you use these numbers, the faster you learn them, without any effort, repetition does the job for you. I think the age is irrelevant, this way happened when I was a kid, this is the way it happens today (I am 59). I know about 40 or 50 numbers I use frequently and they all have at least 7 or 8 digits some 12 digits. Why should passwords be different? Because they are not only numbers? I dont see any difference. The more often you use a password the easier to remember, it would take 10-15 logins to learn it, without doing anything special.

Re:Everything you ever wanted to know about passwo

[Draoi]

#6a) If you really must, must log in remotely (as root or anyone else, you must always use SSH - no exceptions! Always assume you're network is being sniffed. See (2) above.

Re:So Pen&Paper's the new replacement for Pass

Thanks for the link. It's funny how incomplete that page is, though.

They even have a large section on "What We Learned from Passport", but failed to mention the single biggest lession Passport had to offer - that people fundementally don't trust Microsoft with security issues.

Note that this isn't a criticism of Microsoft. Doing security right is a difficult and time consuming process that is really a niche segment of the overall computer market. Because of their volume will always need to remain focused on the mass-market where time-to-market is more important than security. Delaying operating systems to appeal to the security market will only weaken their competitiveness on the desktop that made them so successful. And if they try to do both, they'll have to strike compromises and suck at both.

This isn't a technology issue, it's a business issue; and in the end, Microsoft will continue to rule in the largest spot of the market.

Re:Everything you ever wanted to know about passwo

Wow, that's got to be one of the most random collections of stupid/excessive/ineffective advice that I've ever seen rated +5.

Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might packet-sniffing it. Oh, no, there's no way out, we're doomed!

Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.

Mindless reply

The best passwords are illogical. Something like k8iWq3xy.

That made sense up until the xy (seriously).

The best, very best log in tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14 alphanumeric code. When my friend logged in, he had to enter this code, which changed ever 1 minute. This was in addition to his username and password.

I use something like that. It's called the UNIX epoch. (One-time passwords, they're called. With increasing mobile device usage, this will become more viable although no where near bullet proof. If the device is lost or is cloned, game over. Might also want to look at Netkey, with is a method of hiding passwords.)

Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes.

Not that great of an idea if we are dealing with complicated passwords. Believe me, users will come knocking down the door after about a week.

Re:this guy is thier chief advisor?

[wk633]

It's impossible to FORCE good passwords.

1) P4$$w0rd is a really bad password.
2) The same password for your bank and for warezRus.com is a bad idea.

Forcing people to change their passwords all the time encourages bad passwords and passwords on stickys.

Regular password changes are:
a) because you think someone is brue forcing them (so fix that problem, changing the password part way through the brute force sequence doesn't buy you anything.
b) because you think it has been compromised (if it has, it's too late).

Re:Password Safe is the answer

[eddeye]

It's by crypto genius Bruce Schneier, it uses Blowfish

A few things to keep in mind:

• Schneier handed this project off to others several years ago. His involvement since appears to be minimal. While he wrote the initial version, that code may have long since been sent to the bitbucket in the sky.
• Schneier's crypto credentials are well established, but how is his programming knowledge, especially in regards to security? I don't know of any large open projects he's worked on that give us an indication of this.
• AES and 3-DES are more reliable than Blowfish, having received orders of magnitude more attention from cryptanalysts. Besides which, "uses Blowfish" is a long way from "uses Blowfish correctly with proper handling of the key material and plaintext at every point in its lifecycle".

Bruce is a cool guy, and Password Safe may be great, but I wouldn't trust it soley on his reputation.

Re:I'll buy that piece of paper with some chocolat

[Autobahn]

barring quantum computers, nobody's going to be breaking it within my lifetime.

Or research breakthroughs - nobody has yet proved that one-way functions exist, and it's entirely possible that some genius could figure out a fast factoring algorithm tomorrow and make your crypto worthless. Not likely, but a possibility worth considering.

Re:Password Safe is the answer

[ronys]

Actually, PasswordSafe is actively maintained on SourceForge: http://passwordsafe.sourceforge.net/

You don't need to trust Schneier's rep, as the sources are available...

As to the Crypto, AES is currently much less reviewed than Blowfish, as it'smuch newer and 3DES, while reliable, is relatively SLOW...

Note: I'm the current project admin.

How I write my passwords down:

[stfvon007]

I write down my passwords, but I do it in an encrypted form. Using a pattern I know, I will write down the password in a scambled form, and insert other letters as well. Anyone looking at the written password would only be able to narrow down the password to about 60 trillion possible combinations. With me however knowing the pattern to look for, and im be able to enter it easily.