Slashdot Mirror

← Back to Stories (view on slashdot.org)

Write Down Your Passwords

Posted by Zonk on from the social-hacking-paradise dept.

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

8 of 633 comments (clear)

  1. Pseudo-Written Password by fembots · · Score: 5, Insightful

    Seriously though, instead of writing down the password, why not using what's already written on the hardware?

    For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

    See? it's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.

    The good password requiremnt is not helped by the fact that users are also required to change it every xx days, so not only you need to remember a strange password, you have to remember a different one every couple of days.

    There a joke about the increasing frequency that a user is required to change his password nowdays, eventually crackers just need to keep on trying the same password and the system will change to match it.

    --
    Rock that crushes, Paper & Scissors that don't matter.
    1. Re:Pseudo-Written Password by ginotech · · Score: 4, Insightful

      if someone has that kind of access to your computer, you're screwed anyway.

  2. Microsoft hard at work for security by yagu · · Score: 4, Insightful
    "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

    That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

  3. Re:Bruce Schneier agrees by team99parody · · Score: 4, Insightful

    Seems better to keep the long-hard passwords stored in an encrypted file protected by one good password that you remember.

  4. Secure your passwords by kjfitz · · Score: 5, Insightful

    I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."

    What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.

    Common sense...

    BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

    1. Re:Secure your passwords by WasteOfAmmo · · Score: 5, Insightful
      BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

      I have no idea why more people have not posted similar ideas. For years I have written down many of the numerous passwords that I have. But I also "encrypt" my passwords as I write then down. The "encryption" method can be as simple as the parent suggests or using rot1 or rot25, adding/subtracting X from each number in the password, or including "known to you" bogus letters ("I hereby state that I shall never use the letters E and R in my real passwords") and use these to seed your passwords.

      There are many simple ways to "write your passwords down" without actually putting them on the paper. Use anagrams and pass phrases. Write the answers down where the passwords are the questions or the reverse.

      Be creative. Chances are if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!" that once they try 1 or 2 of them as written and they fail they will discard the list as being old or garbage.

      Merlin.

  5. Re:Everything you ever wanted to know about passwo by Anonymous Coward · · Score: 5, Insightful
    Wow, that's got to be one of the most random collections of stupid/excessive/ineffective advice that I've ever seen rated +5.

    Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might packet-sniffing it. Oh, no, there's no way out, we're doomed!

    Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.

  6. Re:Password Safe is the answer by eddeye · · Score: 4, Insightful

    It's by crypto genius Bruce Schneier, it uses Blowfish

    A few things to keep in mind:

    • Schneier handed this project off to others several years ago. His involvement since appears to be minimal. While he wrote the initial version, that code may have long since been sent to the bitbucket in the sky.
    • Schneier's crypto credentials are well established, but how is his programming knowledge, especially in regards to security? I don't know of any large open projects he's worked on that give us an indication of this.
    • AES and 3-DES are more reliable than Blowfish, having received orders of magnitude more attention from cryptanalysts. Besides which, "uses Blowfish" is a long way from "uses Blowfish correctly with proper handling of the key material and plaintext at every point in its lifecycle".

    Bruce is a cool guy, and Password Safe may be great, but I wouldn't trust it soley on his reputation.

    --
    Democracy is two wolves and a sheep voting on lunch.