Slashdot Mirror
Write Down Your Passwords
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little java applet around that does the same thing. If not, there's a great opportunity there, I would think.
The problem with this suggestion is that if your fingerprint (or some other bio-metric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?
With a password, at least you can change it if it is compromised.
Authentication methods can all be broken down into the following categories:
1) Something you know (such as a password).
2) Something you have (such as a keycard).
3) Something you are (such as a fingerprint).
High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three..
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
If you use the same password everywhere then CmdrTaco can log in to your bank account.
Login credentials are often stored unencrypted on the server side, leaving your password open for compromise by any legitimate admin of that site or anyone who manages to hack into it.
Do you want to trust your single password that you use to all sites to the least secure of all the crappy web boards you've got an account on?
Of course, there's Scheier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I think the bigger point here is that most people don't care about passwords. They see them as necessary but annoying which is why they use easy to remember things. It's also silly to say writing down passwords is bad or good. People are always going to use different systems which may or may not work well for someone else. I rotate my passwords and do not write them down, another person my just find this annoying. It's all subjective IMHO
And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems?
Amen!
I have to try to remember a *lot* of different passwords for work. If they unified the logins on these tools, it would help tremendously. You can try to have the passwords sync up, but the reset time frames on them are all offset. I had to change my Corporate password 2 weeks ago, my windows password one week ago, and my network password on Friday. As a result, I've typed in the wrong network password first try almost every time today.
Another frustration is the 100% numeric password for voicemail. It used to change every month. I--and many others--communicate primarily with email. This translated into having to change the password every time we got a voicemail before we can listen to it. It appears that they have changed the reset time length to several months now. Probably because they were tired of resetting passwords for everyone all the time.
http://glacierdragon.smugmug.com - Check out my photos. No need to buy, even though I do need the money!
I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
On a more practical note, back in a day when I backpacked through europe I wanted to have a backup of important data to take with me, in case I lose my passport/bank cards/etc. However being a paranoid freak I did not want to write the numbers down on paper in plain-text, as I would be doubly exposed - I could loose my wallet or I can loose my notebook.
So to resolve this issue I wrote the information using a simple rot-n algorithm with random keys. I wrote down all numbers (including rot-n keys, which looked just like the rest of the data) in my notebook and knew that if I had to use them, it would take me a little time but I could work it out, and if I were to loose the notebook, I could be pretty sure that noone would bother trying to make sense of a bunch of numbers written on the back cover - most likely it will be just tossed.
Obscurity combined with physical security makes things severely more difficult for a casual snooper. In the end it is a game of making the cost of figuring it out to be more that the desire to do so. Writing down key data, such as passwords, with a little obfuscation goes a long way.
-Em
RelevantElephants: A Somatic WebComic...
I use a similar technique, using a dollar bill. Take the serial number of a dollar bill and choose an offset between 1 and 4. Type in each character of the serial number number, pressing the shift key for every character that is a multiple of the offset (every third character for example) This way, you have the password "written down," but it is stored in an inconspicuous manner that will not be recognized or comprimized if you lose your wallet. Obviously, don't lose/spend that bill :)