Write Down Your Passwords
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Seriously though, instead of writing down the password, why not using what's already written on the hardware?
For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
See? it's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.
The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.
There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers just need to keep on trying the same password and the system will change to match it.
Rock that crushes, Paper & Scissors that don't matter.
Now we know what's replacing Microsoft Passport in Longhorn - pen&paper!
You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.
with my bank name and account number next to it..
Ok, here they are:
Slashdot password: 12345
Personal site password: 12345
Bank account password: 12345
Now my password is even more secure! Yay!
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Tattoos.
I've got the same combination on my luggage!
(sorry sorry sorry!)
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
We use physical keys to start our cars and to unlock our homes. Why don't we handle this stuff by using a similar strategy. Say a USB dongle that you need to start your computer? I've seen a few implementations of this theme, and I even believe MS threatened to do just this. Is this because the regular (l)users out there want their computer to work like their toaster does?
What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?
Maybe it's because people really just don't think they're that important. It'll probably take serious problems to change people's minds (like a theft of identity, or fraudulent charges, etc...)
And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems? God...those have probably done more to propagate the phenomenon of writing passwords down than anything else.
concrete5: a cms made for marketing, but strong enough for geeks.
If someone's hacking in from outside you want as good a password as possible... That's my fear, not someone sitting at my desk and logging on as me.
9 80786CC256E6C007EE7D2
Peter Gutmann said the same thing: you fear the hacker, not the guy stealing your PC.
http://computerworld.co.nz/news.nsf/nl/3F25D67E47
I am a leaf on the wind
My password vault happens to be Firefox, though.
How do you get your passwords out?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Writing down passwords and storing them in a secure location isn't the issue, it is portability. Most passwords these days need to go with you wherever you are, at home, the office, on travel. If your password is too complicated to remember, then it would have to be stored somewhere on your person. That's the security risk.
I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."
What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.
Common sense...
BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.
I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little java applet around that does the same thing. If not, there's a great opportunity there, I would think.
I'm a SysAdmin and at one place I worked, I noticed someone had written 'aaaaa' on their monitor. They weren't at their desk at the time, so I sat down, hit ctrl-alt-del and typed 'aaaaa' into the password field...
This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.
I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
Maybe it's the new trend.
Maybe pen&paper AD&D will be cool again!
Though they can't steal your fingerprint they can steal your fingerprint metric. It all becomes bits at some point and if they have those bits they can bypass having your finger.
As x approaches total apathy I couldn't care less.
And of course, they(M$) will introduce the following security initiative when pen and paper security protocols show evidence of security lapses. White-Out.
The problem with this suggestion is that if your fingerprint (or some other bio-metric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?
With a password, at least you can change it if it is compromised.
Authentication methods can all be broken down into the following categories:
1) Something you know (such as a password).
2) Something you have (such as a keycard).
3) Something you are (such as a fingerprint).
High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three..
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.
Password Safe
Insert witty sig here.
Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
You misspelled right wing scare tactic.
I've always written down my passwords. You just have make sure to keep them on the top of the Mountain of Despair, beyond the River of Doom. Total security!
I use a small PINS database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.
The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.
Kind thoughts do not change the world
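The sync routine the post describes (removable drive holds the master copy, the local copy is used when the drive is absent, changes are copied back), written out as an added Python example rather than the poster's batch file. It assumes a constructed layout: the drive is mounted at some path such as /media/usb, the vault is a single opaque encrypted file named vault.db, and the password application itself is launched by the caller after pick_vault returns. It goes one step beyond the post: if both copies exist and differ, the newer one wins, so edits made while the drive was unplugged are not silently overwritten on the next sync.

```python
"""Added example (not the poster's script): keep one encrypted password-vault
file in sync between a removable drive and a local copy.

All paths are constructed for this example; nothing here decrypts the vault,
it only moves an opaque file around.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, used to decide whether two copies already match."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_vault(usb_vault: Path, local_vault: Path) -> tuple:
    """Return (path to open, action taken).

    Drive present: bring the two copies into agreement before opening, letting
    the more recently modified copy win. Drive absent: fall back to the local copy.
    """
    if usb_vault.is_file():
        if not local_vault.is_file():
            local_vault.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(usb_vault, local_vault)          # copy2 keeps the mtime
            return local_vault, "refreshed-from-usb"
        if file_digest(usb_vault) == file_digest(local_vault):
            return local_vault, "already-in-sync"
        if local_vault.stat().st_mtime > usb_vault.stat().st_mtime:
            shutil.copy2(local_vault, usb_vault)          # local edits were newer
            return local_vault, "usb-refreshed-from-local"
        shutil.copy2(usb_vault, local_vault)
        return local_vault, "refreshed-from-usb"
    if local_vault.is_file():
        return local_vault, "usb-absent-using-local"
    raise FileNotFoundError("no vault on the drive and no local copy")


def write_back(local_vault: Path, usb_vault: Path) -> str:
    """After the application closes, push a changed local copy back to the drive."""
    if not usb_vault.parent.is_dir():
        return "usb-absent-not-written"
    if usb_vault.is_file() and file_digest(usb_vault) == file_digest(local_vault):
        return "unchanged"
    shutil.copy2(local_vault, usb_vault)
    return "written-to-usb"


def demo() -> list:
    """Walk through the post's scenario in a temp directory; returns the actions taken."""
    root = Path(tempfile.mkdtemp())
    usb = root / "usb" / "vault.db"          # constructed stand-in for the drive
    local = root / "home" / "vault.db"       # constructed stand-in for the profile
    usb.parent.mkdir()
    usb.write_bytes(b"vault-v1")             # constructed opaque vault content
    actions = [pick_vault(usb, local)[1]]    # first run: local copy created
    actions.append(pick_vault(usb, local)[1])
    local.write_bytes(b"vault-v2")           # user edits the vault
    actions.append(write_back(local, usb))
    actions.append(write_back(local, usb))
    gone = root / "nodrive" / "vault.db"     # drive unplugged
    actions.append(pick_vault(gone, local)[1])
    actions.append(write_back(local, gone))
    local.write_bytes(b"vault-v3")           # edit made while drive was absent
    os.utime(usb, (1_000_000, 1_000_000))    # make the drive copy look older
    os.utime(local, (2_000_000, 2_000_000))
    actions.append(pick_vault(usb, local)[1])
    actions.append("usb-now-" + usb.read_bytes().decode())
    shutil.rmtree(root)
    return actions


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the sequence of actions for the scenario; in real use, call pick_vault, launch the vault application on the returned path, and call write_back once it exits.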
#2) The best passwords are illogical. Something like k8iWq3xy. Mixing in letters and numbers, not based on any words, is a good start. If your program recognizes upper and lower case, mixing that can help too.
#3) The best, very best log in tool for security I saw was a small clock a friend was given from his company. It had some funky algorithm on it, and it displayed a 14-character alphanumeric code. When my friend logged in, he had to enter this code, which changed every 1 minute. This was in addition to his username and password.
#4) People will sniff your network. Nothing is bulletproof. Finding passwords sent is easy. If it comes as clear text, you are screwed off the bat. This defeats #1 and #2, but not #3, because #3 is based on an algorithm that changes every 1 minute.
#5) Set up a policy that only allows 2 attempts to log in, and after 2 failed attempts, it locks out that IP and MAC address for 30 minutes. This will be a major pain when you try and log in and make a mistake. It won't really stop hackers, just the ones with slow/bad proxies. Maybe 1 of the 500 proxies the hacker is using is not as anonymous as they believe. As for your own use, take a book with you when you believe you might have to log in remotely, just in case you make a mistake. You need something to blow those 20 minutes.
#6) Never, ever log in as root from a remote location. Have a crippled account to log into from remote locations. Expect this account to get cracked. Limit the damage. If you must, have 2 computer systems at home. One secured off line, and the other on line. Hell, toss in a third computer connected to the web-based one via a serial cable and dump all the logging on that computer. The hacker/cracker can't edit the logging files on that second PC.
#7) When using a computer, always assume the key strokes are being logged. When you get home, change your password for that account.
#8) After you have done all these things, you will still get hacked. Call the FBI. Call your congressman. Let's bomb another country to relieve our collective mutual stress.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Let's see... assuming lower- and upper-case letters and numbers are the only allowed components of a password, even a machine capable of one trillion password checks per second would take about 22,337,120,292,586,187,942 years to run through all the possible twenty-character passwords.
So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.
If other reasons we do lack, we swear no one will die when we attack
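The estimate above depends on the alphabet, the length, the guess rate and the length of a year, so here it is as an added Python example (not from the post) using exact integers, parameterised by the guess rate since that is what the figure is most sensitive to. It generalises the single case in the post to a small table over lengths and rates.

```python
"""Added example: exhaustive-search time for a password space, in exact integers.

Assumptions, stated as constants: a 62-symbol alphabet (a-z, A-Z, 0-9) and a
365-day year. Rates are hypothetical attacker speeds, not measurements.
"""
import math

ALPHANUMERIC = 62                          # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365 * 24 * 60 * 60      # assumption: 365-day year


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent key size of a password chosen uniformly from `space`."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: int,
                     seconds_per_year: int = SECONDS_PER_YEAR) -> int:
    """Whole years needed to try every candidate at a constant rate.

    This is the worst case; a uniformly random password is found after half
    the space on average, so halve the result for the expected time.
    """
    return space // (guesses_per_second * seconds_per_year)


def cost_table(alphabet_size: int = ALPHANUMERIC,
               lengths=(8, 12, 16, 20), rates=(10 ** 9, 10 ** 12)) -> dict:
    """Map (length, guesses per second) -> years to exhaust the space."""
    return {(n, r): years_to_exhaust(search_space(alphabet_size, n), r)
            for n in lengths for r in rates}


if __name__ == "__main__":
    for (n, r), years in sorted(cost_table().items()):
        bits = entropy_bits(search_space(ALPHANUMERIC, n))
        print(f"length {n:2d} ({bits:5.1f} bits) at {r:.0e}/s: {years:,} years")
    # the 2.2e19-year figure quoted in the thread is reproduced by
    # years_to_exhaust(search_space(62, 20), 10**9)
```

Note that all eight-character rows come out at zero years even at the slower rate, which is the point behind the thread's advice to prefer long random passwords over short clever ones.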
Anything that requires me to have access to a specific type of hardware (PDA) or a specific operating system isn't going to be a lot of help if you're on the road without your gear or your gear gets stolen and you need access now.
Just do something trivial like rot-5 the 5th character of each password if you're concerned about somebody getting access. That would discourage most people from trying.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Which is quite easy.
But you don't even need to do that - some scanners can be fooled into accepting the latent print you leave on it. D'oh!
An authentication token that when used leaves behind all the information you need to construct a counterfeit - this is not something I want to rely on.
Biometrics is a fundamentally flawed scheme. A biometric is just a token that you can't replace (a scar on your finger? too bad), repudiate if stolen (I can lift your prints but you can't change them without pain), or use to separate privileges (difficult to use a different thumbprint at the bank, at the library, and to open your car, unless you have interesting anatomy).
As for passwords, yeah, I've gotten to the point of having to write them down. I used to use only a few passwords - my login and root password, one common for low security sites, one shared one for a few sites I cared more about, and my on-line banking. But as sites put various non-sensical restrictions on password selection ("your password must contain two digits", "your password must not use any non-alphanumeric characters", etcetera), I've had to start writing them down.
"Something you are" reduces to "something you have". "Something you know", as you have to remember more and more things to deal with dozens of systems, reduces to "something you have" (that piece of paper with all the passwords written on it). It's all about the authentication tokens.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Why put the list in cyberspace at all? That's the beauty of paper, nobody online can steal a sheet of paper sitting in your home/office/dorm/loft/cave.
RETURN without GOSUB in line 1050
For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
I can just see the following request to helpdesk:
Please reset my password as someone borrowed my Sellotape dispenser and I can no longer log in.
-Em
RelevantElephants: A Somatic WebComic...
Liberals call everyone Nazis yet they are the closest thing to it.
I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:
Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with python...) 3254. You construct a phrase with any vowels and spacing desired with the consonants m,n,l,r. For instance, "mine lore" comes to my mind, and I envision Tolkien dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook. I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
There are plenty of ways to do this. For instance, you can keep the passwords on (picked at random) page 57 of a red notebook that stays locked in your drawer when you're not around, and is only out of the drawer when it's in use. You can leave clues to yourself what they mean.
For instance:
mama: no dates
The actual password, not written down, is "n0datez!" The machine this is for is the largest system you work on (big mama).
If using random strings, try to make it look like serial numbers; again the place or account to use this for should be hinted at (to you), not stated.
There are many, many ways to do this and be very secure. I once left a set of passwords and hints out in plain sight on purpose, just to see if anyone would recognize and try to crack them. They were never cracked, and I'm reasonably certain nobody even tried. They had no idea what they were seeing.
#6a) If you really must, must log in remotely (as root or anyone else), you must always use SSH - no exceptions! Always assume your network is being sniffed. See (2) above.
Alison
"It is a miracle that curiosity survives formal education." - Albert Einstein
I should expect that kind of talk coming from a young, low uid person like yourself. You kids don't know how good you have it these days. Fancy computer graphics and a machine to keep track of details for you, letting you have your 'action' in 'real time.' Back in my day, we had cardboard cutouts, if we were lucky! Most of us used hand made lead figures that we had to paint by hand! And it could take hours just to do one massive battle because we had to do everything ourselves! In the snow! In our parents' basements! Pssh. You young people these days. I don't want your opinion until your UID is in the lower 50% of the population. PSssh. Kids. Think they know everything. In my day, we were lucky if we knew nothing! You were lucky just to not be a negative container of knowledge, sucking it out of other people until everyone knew nothing. Pssh. Kids.
Edward@Tomato - /home/Edward/ man woman
man: no entry for woman in the manual.
"Qua!?"
The world's most dysfunctional family?
Do not taunt Happy-Fun Ball
Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might be packet-sniffing it. Oh, no, there's no way out, we're doomed!
Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.
Most systems don't allow empty passwords.
It's impossible to FORCE good passwords.
1) P4$$w0rd is a really bad password.
2) The same password for your bank and for warezRus.com is a bad idea.
Forcing people to change their passwords all the time encourages bad passwords and passwords on stickys.
Regular password changes are:
a) because you think someone is brute-forcing them (so fix that problem; changing the password part way through the brute force sequence doesn't buy you anything).
b) because you think it has been compromised (if it has, it's too late).
Maybe it's just me, but it seems that the likelihood of someone cracking that method is very unlikely.
As you said, physical access is required. (which makes things MUCH more difficult) However, even if physical access WASN'T required, I don't think some hacker would suddenly say to himself, "AH HA! I bet this user is combining the serial number of his roller-chair and product number of his processor to create his password! Let me just try these numbers..."
There is a VERY large combination of passwords available from product/serial/model numbers on various items that reside in a typical office. Even if a hacker somehow broke into Joe Blow's apartment and spent twenty minutes writing down all of Joe's stapler model numbers, he likely wouldn't get them all, and definitely wouldn't need to run a program (remotely) to try all the possible combinations. (Especially given that the password might consist of half a dozen different product numbers!)
All in all, the odds of someone breaking this password aren't likely. If someone was determined enough to go through all the aforementioned garbage at all, whatever he's getting at must be pretty valuable... and would probably be better protected than just by an arbitrary password.
I think that a fingerprint counts more as "2) Something you have."
Security risks of biometrics.
So my Slashdot password can be easily remembered as IBM!1531@E94#
Tried that, and got: "Danger, Will Robinson! You didn't log in! You apparently put in the wrong password, or the wrong nickname. Either try again, or have your password mailed to you if you forgot your password." Please advise.
Not necessarily
One day, I zoomed in on a piece of paper on the corner of his desk. Some rotation & sharpening in photoshop* revealed an IP and the word "gizzards8524". I telnetted** to the IP, tried his usual nickname and that word as the password and bingo - I was in.
He was quite startled when he got a console chat invitation from...himself.
*as opposed to hollywood's ideas of image restoration that boggle the mind and break the laws of physics.
**ssh wasn't popular yet.
A preposition is a terrible thing to end a sentence with.
I've got a system better than a biometric USB key: I use an app called "Keyring" on my Palm, and store my passwords in that.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Actually, Bruce Schneier wrote exactly such an application, and put in on SourceForge a while ago, where it is now currently maintained:
PasswordSafe
Note: I'm the project's current admin.
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
barring quantum computers, nobody's going to be breaking it within my lifetime.
Or research breakthroughs - nobody has yet proved that one-way functions exist, and it's entirely possible that some genius could figure out a fast factoring algorithm tomorrow and make your crypto worthless. Not likely, but a possibility worth considering.
I write down my passwords, but I do it in an encrypted form. Using a pattern I know, I will write down the password in a scrambled form, and insert other letters as well. Anyone looking at the written password would only be able to narrow down the password to about 60 trillion possible combinations. With me, however, knowing the pattern to look for, I'm able to enter it easily.
All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.