Slashdot Mirror


Write Down Your Passwords

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

6 of 633 comments

  1. Bruce Schneier agrees by alanw · Score: 5, Interesting
    From Bruce Schneier's Crypto-Gram, May 15 2001, and then updated in a news.com article, December 9, 2004.

    You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

  2. Re:Passwords suck: simple solution by cmburns69 · Score: 5, Interesting

    The problem with this suggestion is that if your fingerprint (or some other biometric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?

    With a password, at least you can change it if it is compromised.

    Authentication methods can all be broken down into the following categories:
    1) Something you know (such as a password).
    2) Something you have (such as a keycard).
    3) Something you are (such as a fingerprint).

    High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three.

    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!
  3. Re:I'll buy that piece of paper with some chocolat by nacturation · Score: 4, Interesting

    Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. Re:Pseudo-Written Password by Scruffeh · Score: 5, Interesting

    I think the bigger point here is that most people don't care about passwords. They see them as necessary but annoying, which is why they use easy-to-remember things. It's also silly to say writing down passwords is bad or good. People are always going to use different systems which may or may not work well for someone else. I rotate my passwords and do not write them down; another person may just find this annoying. It's all subjective IMHO.

  5. Almost, but not quite--here's what I do. by istartedi · Score: 4, Interesting

    I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  6. Re:Pseudo-Written Password by Em+Ellel · Score: 5, Interesting

    On a more practical note, back in the day when I backpacked through Europe I wanted to have a backup of important data to take with me, in case I lost my passport/bank cards/etc. However, being a paranoid freak, I did not want to write the numbers down on paper in plain text, as I would be doubly exposed: I could lose my wallet or I could lose my notebook.

    So to resolve this issue I wrote the information using a simple rot-n algorithm with random keys. I wrote down all numbers (including rot-n keys, which looked just like the rest of the data) in my notebook and knew that if I had to use them, it would take me a little time but I could work it out, and if I were to lose the notebook, I could be pretty sure that no one would bother trying to make sense of a bunch of numbers written on the back cover; most likely it would just be tossed.

    Obscurity combined with physical security makes things severely more difficult for a casual snooper. In the end it is a game of making the cost of figuring it out more than the desire to do so. Writing down key data, such as passwords, with a little obfuscation goes a long way.

    -Em

    --
    RelevantElephants: A Somatic WebComic...
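The digit-wise rot-n scheme from comment 6, as an added worked example (not code from the commenter): each digit is shifted by a random key digit, and the key digits are written on the same line as the data so the whole thing reads as one run of numbers. The interleaved key/data layout and all sample numbers are assumptions; the post only says the keys "looked just like the rest of the data".

```python
import secrets
from typing import Optional

# Obfuscation against a casual reader, not encryption: the key sits on the
# same line as the data, so anyone who knows the layout recovers it at once.
# The protection is that nobody bothers, plus physical custody of the notebook.


def shift_digits(digits: str, key: str, direction: int) -> str:
    """Shift each digit by the matching key digit mod 10.

    direction=+1 encodes, direction=-1 decodes.
    """
    if len(digits) != len(key) or not (digits.isdigit() and key.isdigit()):
        raise ValueError("expected two digit strings of equal length")
    return "".join(str((int(d) + direction * int(k)) % 10)
                   for d, k in zip(digits, key))


def random_key(length: int) -> str:
    """One unpredictable shift digit per data digit (secrets, not random)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def write_entry(number: str, key: Optional[str] = None) -> str:
    """Produce the line as written in the notebook.

    Assumed layout: key and shifted digits interleaved (k0 d0 k1 d1 ...),
    so the key digits look like part of the data.
    """
    if key is None:
        key = random_key(len(number))
    shifted = shift_digits(number, key, +1)
    return "".join(k + d for k, d in zip(key, shifted))


def read_entry(entry: str) -> str:
    """Reverse write_entry: even positions are key digits, odd positions data."""
    if len(entry) % 2:
        raise ValueError("entry must contain an even number of digits")
    key, shifted = entry[0::2], entry[1::2]
    return shift_digits(shifted, key, -1)


if __name__ == "__main__":
    account = "1234567890123456"  # constructed sample, not a real number
    line = write_entry(account)
    print("notebook line:", line)
    print("recovered:    ", read_entry(line))
```

With a fixed key the output is reproducible; with the default random key every run yields a different notebook line for the same number.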