Slashdot Mirror


Write Down Your Passwords

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."


  1. Pseudo-Written Password by fembots · · Score: 5, Insightful

    Seriously though, instead of writing down the password, why not use what's already written on the hardware?

    For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

    See? It's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.

    The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.

    There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers will just need to keep on trying the same password and the system will change to match it.

    1. Re:Pseudo-Written Password by Scruffeh · · Score: 5, Interesting

      I think the bigger point here is that most people don't care about passwords. They see them as necessary but annoying, which is why they use easy to remember things. It's also silly to say writing down passwords is bad or good. People are always going to use different systems which may or may not work well for someone else. I rotate my passwords and do not write them down; another person may just find this annoying. It's all subjective IMHO.

    2. Re:Pseudo-Written Password by Em+Ellel · · Score: 5, Interesting

      On a more practical note, back in the day when I backpacked through Europe I wanted to have a backup of important data to take with me, in case I lost my passport/bank cards/etc. However, being a paranoid freak I did not want to write the numbers down on paper in plain text, as I would be doubly exposed - I could lose my wallet or I could lose my notebook.

      So to resolve this issue I wrote the information using a simple rot-n algorithm with random keys. I wrote down all numbers (including the rot-n keys, which looked just like the rest of the data) in my notebook and knew that if I had to use them, it would take me a little time but I could work it out, and if I were to lose the notebook, I could be pretty sure that no one would bother trying to make sense of a bunch of numbers written on the back cover - most likely it would just be tossed.

      Obscurity combined with physical security makes things severely more difficult for a casual snooper. In the end it is a game of making the cost of figuring it out more than the desire to do so. Writing down key data, such as passwords, with a little obfuscation goes a long way.

      -Em

      --
      RelevantElephants: A Somatic WebComic...
    3. Re:Pseudo-Written Password by ginotech · · Score: 4, Insightful

      If someone has that kind of access to your computer, you're screwed anyway.

    4. Re:Pseudo-Written Password by Erik+Fish · · Score: 5, Funny

      If they take the Sellotape then you just set the building on fire.

    5. Re:Pseudo-Written Password by jkosturko · · Score: 3, Interesting

      I use a similar technique, using a dollar bill. Take the serial number of a dollar bill and choose an offset between 1 and 4. Type in each character of the serial number, pressing the shift key for every character that is a multiple of the offset (every third character, for example). This way, you have the password "written down," but it is stored in an inconspicuous manner that will not be recognized or compromised if you lose your wallet. Obviously, don't lose/spend that bill :)

    6. Re:Pseudo-Written Password by nebs555 · · Score: 3, Insightful

      Yeah, but if you had been pickpocketed by Albanian cryptography experts... you'd be buggered.

  2. So Pen&Paper's the new replacement for Passpor by team99parody · · Score: 4, Funny

    Now we know what's replacing Microsoft Passport in Longhorn - pen&paper!

  3. Bruce Schneier agrees by alanw · · Score: 5, Interesting
    From Bruce Schneier's Crypto-Gram, May 15 2001, and then updated in a news.com article, December 9, 2004.

    You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

    1. Re:Bruce Schneier agrees by team99parody · · Score: 4, Insightful

      Seems better to keep the long-hard passwords stored in an encrypted file protected by one good password that you remember.

    2. Re:Bruce Schneier agrees by l3prador · · Score: 3, Insightful

      The "guard them as you would your cash" idea sounds good and is good to a certain extent, however, when someone has stolen your cash, you can generally tell it's gone. A password can be stolen without anything being missing.

  4. Microsoft hard at work for security by yagu · · Score: 4, Insightful
    "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

    That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

  5. Ok. by cmburns69 · · Score: 4, Funny

    Ok, here they are:

    Slashdot password: 12345
    Personal site password: 12345
    Bank account password: 12345

    Now my password is even more secure! Yay!

    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!
  6. One Word: by DrunkenTerror · · Score: 5, Funny

    Tattoos.

    1. Re:One Word: by Durinthal · · Score: 5, Funny

      Particularly in a private region. That way no geek would ever have to worry about someone else seeing it!

  7. Wow... by MrByte420 · · Score: 5, Funny

    I've got the same combination on my luggage!
    (sorry sorry sorry!)

    --
    If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
  8. Re:And I'll keep it under my keyboard... by nukem996 · · Score: 3, Insightful

    You'd be surprised about how many people do that.

  9. Re:And I'll keep it under my keyboard... by dodald · · Score: 5, Funny

    I have a single post it note under my keyboard that reads "9uL1i613".

    --
    101010b 2Ah 52o
  10. Secure your passwords by kjfitz · · Score: 5, Insightful

    I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."

    What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.

    Common sense...

    BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

    1. Re:Secure your passwords by WasteOfAmmo · · Score: 5, Insightful
      BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

      I have no idea why more people have not posted similar ideas. For years I have written down many of the numerous passwords that I have. But I also "encrypt" my passwords as I write them down. The "encryption" method can be as simple as the parent suggests, or using rot1 or rot25, adding/subtracting X from each number in the password, or including "known to you" bogus letters ("I hereby state that I shall never use the letters E and R in my real passwords") and using these to seed your passwords.

      There are many simple ways to "write your passwords down" without actually putting them on the paper. Use anagrams and pass phrases. Write the answers down where the passwords are the questions or the reverse.

      Be creative. Chances are that if someone finds your magic list and thinks "Hey, these are his/her passwords! I 0wn3 them!", once they try 1 or 2 of them as written and they fail, they will discard the list as being old or garbage.

      Merlin.
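
The two "write it down, but transformed" schemes in this thread (Em Ellel's rot-n on numbers with a random key written alongside the data, and the parent's stray character plus rot1/rot25 or per-digit add/subtract) as an added example; this is not code from either poster. Function names and the choice of a per-digit key the same length as the number are assumptions.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot_letters(text, n):
    """Shift every letter by n positions (rot1, rot25, ...); digits and
    punctuation pass through unchanged so the written form keeps its shape."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def make_digit_key(length):
    """A random digit string; on paper it looks like any other number."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def shift_digits(data, key, direction):
    # Each data digit is shifted by the matching key digit modulo 10.
    if not (data.isdigit() and key.isdigit()):
        raise ValueError("data and key must be digit strings")
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return "".join(str((int(d) + direction * int(k)) % 10)
                   for d, k in zip(data, key))


def obfuscate_number(data, key):
    """What gets written in the notebook, next to the (equally plain) key."""
    return shift_digits(data, key, +1)


def recover_number(written, key):
    return shift_digits(written, key, -1)


def write_down(password, stray="x", rot=1):
    """Stray leading character, then rot-n the letters (the parent's scheme).
    This is obfuscation against a casual finder, not encryption: anyone who
    knows the scheme recovers the password from the paper alone."""
    return stray + rot_letters(password, rot)


def read_back(written, rot=1):
    return rot_letters(written[1:], -rot)
```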

  11. So, I'm probably not typical, but... by IANAAC · · Score: 3, Interesting

    I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little Java applet around that does the same thing. If not, there's a great opportunity there, I would think.

    1. Re:So, I'm probably not typical, but... by kwalker · · Score: 3, Interesting

      I just got one for my cell phone called MobileSafe. It was $6 from Handango and downloaded directly to my phone. That way I always have my account numbers, CC numbers, login info, and general notes encrypted with 168-bit 3DES (IIRC) on my phone protected by my master password. It's already saved my bacon more than once.

      The only down-side is that I can't sync it with anything at home, but I generally don't have to update it very often, so when I do, I also write down the passwords in an encrypted text file on my home machine.

      --
      ... And so it comes to this.
  12. True story by HaeMaker · · Score: 3, Funny

    I'm a SysAdmin and at one place I worked, I noticed someone had written 'aaaaa' on their monitor. They weren't at their desk at the time, so I sat down, hit ctrl-alt-del and typed 'aaaaa' into the password field...

    1. Re:True story by sconeu · · Score: 3, Funny

      I refuse to play your Chinese food mindgames!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  13. Exactly right. . . by Sialagogue · · Score: 5, Funny

    This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.

    I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.

    --
    The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
  14. Re:Passwords suck: simple solution: by cmburns69 · · Score: 5, Interesting

    The problem with this suggestion is that if your fingerprint (or some other biometric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?

    With a password, at least you can change it if it is compromised.

    Authentication methods can all be broken down into the following categories:
    1) Something you know (such as a password).
    2) Something you have (such as a keycard).
    3) Something you are (such as a fingerprint).

    High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three.

    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!
  15. Password Safe is the answer by windowpain · · Score: 5, Informative

    It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.

    Password Safe

    --
    Insert witty sig here.
    1. Re:Password Safe is the answer by eddeye · · Score: 4, Insightful

      It's by crypto genius Bruce Schneier, it uses Blowfish

      A few things to keep in mind:

      • Schneier handed this project off to others several years ago. His involvement since appears to be minimal. While he wrote the initial version, that code may have long since been sent to the bitbucket in the sky.
      • Schneier's crypto credentials are well established, but how is his programming knowledge, especially in regards to security? I don't know of any large open projects he's worked on that give us an indication of this.
      • AES and 3-DES are more reliable than Blowfish, having received orders of magnitude more attention from cryptanalysts. Besides which, "uses Blowfish" is a long way from "uses Blowfish correctly with proper handling of the key material and plaintext at every point in its lifecycle".

      Bruce is a cool guy, and Password Safe may be great, but I wouldn't trust it solely on his reputation.

      --
      Democracy is two wolves and a sheep voting on lunch.
  16. Re:Really? by Nugget · · Score: 3, Interesting

    If you use the same password everywhere then CmdrTaco can log in to your bank account.

    Login credentials are often stored unencrypted on the server side, leaving your password open for compromise by any legitimate admin of that site or anyone who manages to hack into it.

    Do you want to trust your single password that you use to all sites to the least secure of all the crappy web boards you've got an account on?

  17. Re:I'll buy that piece of paper with some chocolat by nacturation · · Score: 4, Interesting

    Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  18. My Solution by 3ryon · · Score: 5, Informative

    I use a small PINS database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.

    The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.

  19. Re:Really? by GlacierDragon · · Score: 3, Interesting

    And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems?

    Amen!

    I have to try to remember a *lot* of different passwords for work. If they unified the logins on these tools, it would help tremendously. You can try to have the passwords sync up, but the reset time frames on them are all offset. I had to change my Corporate password 2 weeks ago, my Windows password one week ago, and my network password on Friday. As a result, I've typed in the wrong network password first try almost every time today.

    Another frustration is the 100% numeric password for voicemail. It used to change every month. I--and many others--communicate primarily with email. This translated into having to change the password every time we got a voicemail before we can listen to it. It appears that they have changed the reset time length to several months now. Probably because they were tired of resetting passwords for everyone all the time.

    --
    http://glacierdragon.smugmug.com - Check out my photos. No need to buy, even though I do need the money!
  20. Re:Passwords are useless. by loqi · · Score: 4, Informative

    Let's see... assuming lower- and upper-case letters and numbers are the only allowed components of a password, even a machine capable of one trillion password checks per second would take about 22,337,120,292,586,187,942 years to run through all the possible twenty-character passwords.

    So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.

    --
    If other reasons we do lack, we swear no one will die when we attack
  21. I can just see this... by Em+Ellel · · Score: 5, Funny

    For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

    I can just see the following request to helpdesk:

    Please reset my password as someone borrowed my Sellotape dispenser and I can no longer log in.

    -Em

    --
    RelevantElephants: A Somatic WebComic...
  22. Steganography by CustomDesigned · · Score: 3, Insightful
    When I write down passwords, I use some form of steganography. For example, one of my earlier systems was to add a fictitious address to my address book, with the password encoded within the address using a mnemonic mapping scheme.

    I'll share a commonly used mnemonic mapping for numbers. It maps consonants to digits:

    0 - 's', 'z' (think 'zero' and hissing like snakes)
    1 - 't', 'd' (1 looks kind of like t)
    2 - 'n' (n has two legs)
    3 - 'm' (m has three legs)
    4 - 'r' (four ends with r)
    5 - 'l' (L is latin for fifty)
    6 - 'j', 'g' (soft g, like upside down 6)
    7 - 'k', 'g' (hard g, k and 7 have diagonals)
    8 - 'f', 'ph' (cursive f like 8)
    9 - 'p', 'b'

    Hard c goes with k, soft c with s, etc. So say you wanted to remember your bike combination of (rolls random number with Python...) 3254. You construct a phrase with any vowels and spacing desired from the consonants m, n, l, r. For instance, "mine lore" comes to my mind, and I envision Tolkien dwarves chatting up their favorite topic. If needed, you would then write a paragraph about dwarves and mine lore in Lord of the Rings in your notebook.
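
The consonant-to-digit mapping above, as an added example (not the poster's code): a decoder that reads a phrase such as "mine lore" back into the digits it hides, plus a lookup of which consonants may stand for each digit when composing a phrase. Treating 'c' and 'g' as soft only before e, i or y is an assumption; letters the table does not list (h, v, w, x, q, y) are ignored.

```python
# Consonants with a single, context-free value in the poster's table.
MAPPING = {"s": 0, "z": 0, "t": 1, "d": 1, "n": 2, "m": 3, "r": 4,
           "l": 5, "j": 6, "k": 7, "f": 8, "p": 9, "b": 9}
SOFT_NEXT = "eiy"  # assumed: c/g followed by e, i, y are "soft"

# Inverse table for composing a phrase from a number.
LETTERS_FOR = {0: ["s", "z", "soft c"], 1: ["t", "d"], 2: ["n"],
               3: ["m"], 4: ["r"], 5: ["l"], 6: ["j", "soft g"],
               7: ["k", "hard g", "hard c"], 8: ["f", "ph"], 9: ["p", "b"]}


def phrase_to_digits(phrase):
    """Read the hidden number back out of a phrase.

    Vowels, spacing and punctuation carry no digit; 'ph' counts as one
    consonant (8); c and g are resolved by the letter that follows them."""
    text = phrase.lower()
    digits = []
    i = 0
    while i < len(text):
        ch = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        soft = bool(nxt) and nxt in SOFT_NEXT
        if ch == "p" and nxt == "h":
            digits.append(8)
            i += 2
            continue
        if ch == "c":
            digits.append(0 if soft else 7)
        elif ch == "g":
            digits.append(6 if soft else 7)
        elif ch in MAPPING:
            digits.append(MAPPING[ch])
        i += 1
    return "".join(str(d) for d in digits)


def consonants_for(digits):
    """For each digit, the consonant choices available when writing the phrase."""
    if not digits.isdigit():
        raise ValueError("expected a string of digits")
    return [LETTERS_FOR[int(d)] for d in digits]


def hides(phrase, digits):
    """True if the phrase decodes to exactly these digits (a check before
    trusting the notebook entry)."""
    return phrase_to_digits(phrase) == digits
```
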
  23. Almost, but not quite--here's what I do. by istartedi · · Score: 4, Interesting

    I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  24. Re:So Pen&Paper's the new replacement for Pass by PakProtector · · Score: 4, Funny

    I should expect that kind of talk coming from a young, low UID person like yourself. You kids don't know how good you have it these days. Fancy computer graphics and a machine to keep track of details for you, letting you have your 'action' in 'real time.' Back in my day, we had cardboard cutouts, if we were lucky! Most of us used hand made lead figures that we had to paint by hand! And it could take hours just to do one massive battle because we had to do everything ourselves! In the snow! In our parents' basements! Pssh. You young people these days. I don't want your opinion until your UID is in the lower 50% of the population. PSssh. Kids. Think they know everything. In my day, we were lucky if we knew nothing! You were lucky just to not be a negative container of knowledge, sucking it out of other people until everyone knew nothing. Pssh. Kids.

    --

    Edward@Tomato - /home/Edward/ man woman
    man: no entry for woman in the manual.
    "Qua!?"

  25. Re:Don't treat it like cash by Amoeba · · Score: 4, Funny
    So if Jackson is on the $20 bill, what do 5 Jacksons make?

    The world's most dysfunctional family?

    --
    Do not taunt Happy-Fun Ball
  26. Re:Everything you ever wanted to know about passwo by Anonymous Coward · · Score: 5, Insightful
    Wow, that's got to be one of the most random collections of stupid/excessive/ineffective advice that I've ever seen rated +5.

    Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might be packet-sniffing it. Oh, no, there's no way out, we're doomed!

    Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.

  27. Re:No! by FirstTimeCaller · · Score: 4, Funny

    Why put the list in cyberspace at all? That's the beauty of paper, nobody online can steal a sheet of paper sitting in your home/office/dorm/loft/cave.

    But I thought you said not to put it on your machine at all!?!?! So what the heck is it doing under your home directory? :-)

    --
    Wanted: witty unique signature. Must be willing to relocate.