Write Down Your Passwords
joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Seriously though, instead of writing down the password, why not use what's already written on the hardware?
For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
See? It's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.
The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.
There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers just need to keep on trying the same password and the system will change to match it.
Rock that crushes, Paper & Scissors that don't matter.
Now we know what's replacing Microsoft Passport in Longhorn - pen&paper!
You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.
Ok, here they are:
Slashdot password: 12345
Personal site password: 12345
Bank account password: 12345
Now my password is even more secure! Yay!
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Tattoos.
I've got the same combination on my luggage!
(sorry sorry sorry!)
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
I have a single post it note under my keyboard that reads "9uL1i613".
101010b 2Ah 52o
I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."
What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.
Common sense...
BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.
This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.
I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
The problem with this suggestion is that if your fingerprint (or some other biometric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?
With a password, at least you can change it if it is compromised.
Authentication methods can all be broken down into the following categories:
1) Something you know (such as a password).
2) Something you have (such as a keycard).
3) Something you are (such as a fingerprint).
High security requires 2 or 3 of these things. However, most things are good enough with only one of the three.
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.
Password Safe
Insert witty sig here.
Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I use a small PINS database stored on a USB flash drive on my keychain. Instead of launching the application when I need a password I launch a batch file that detects if the drive is plugged in, if so it copies the password file to my profile and launches it (if I'm using either my home or work computer). If the drive isn't plugged in it uses the local copy. If I make an update it copies it back to the USB drive.
The master copy is on my keyring, but my home and work computers have copies. I've been doing this for a year and I highly recommend the solution. I can now use random passwords.
Kind thoughts do not change the world
Let's see... assuming lower- and upper-case letters and numbers are the only allowed components of a password, even a machine capable of one trillion password checks per second would take about 22,337,120,292,586,187,942 years to run through all the possible twenty-character passwords.
So yes, your statement is true, but the brute-force computer you're theorizing doesn't exist, and probably won't for a long, long time.
If other reasons we do lack, we swear no one will die when we attack
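The arithmetic behind the comment above, as an added example that is not part of the original discussion: it computes keyspace, entropy and brute-force time for any alphabet size, password length and guess rate, using the thread's own inputs (62 symbols for upper- and lower-case letters plus digits, 20 characters, one trillion checks per second) and also the 5-digit PIN case from earlier in the thread; a 365-day year is an assumption.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: a plain 365-day year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Space an attacker sweeps trying every length from 1 up to max_length;
    the shorter lengths add almost nothing, so the longest length dominates."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try the whole keyspace at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """On average the correct guess turns up halfway through the space."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / 2


if __name__ == "__main__":
    rate = 10 ** 12  # one trillion checks per second, as in the comment above
    cases = [
        (10, 5, "5-digit numeric PIN (e.g. 12345)"),
        (62, 8, "8 mixed-case alphanumerics"),
        (62, 20, "20 mixed-case alphanumerics"),
    ]
    for alphabet, length, label in cases:
        print(f"{label}: {entropy_bits(alphabet, length):.1f} bits, "
              f"{years_to_exhaust(alphabet, length, rate):.3e} years to exhaust, "
              f"{expected_years(alphabet, length, rate):.3e} years expected")
```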
For example, I'm only reading Slashdot from this particular computer, and I'm using an IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.
I can just see the following request to helpdesk:
Please reset my password as someone borrowed my Sellotape dispenser and I can no longer log in.
-Em
RelevantElephants: A Somatic WebComic...
I stego my passwords on a small card that I keep with me. Someone can get the card and they don't know what the password is for, and even if they did, they don't know what's the password and what's just a "junk character".
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
I should expect that kind of talk coming from a young, low-UID person like yourself. You kids don't know how good you have it these days. Fancy computer graphics and a machine to keep track of details for you, letting you have your 'action' in 'real time.' Back in my day, we had cardboard cutouts, if we were lucky! Most of us used hand-made lead figures that we had to paint by hand! And it could take hours just to do one massive battle because we had to do everything ourselves! In the snow! In our parents' basements! Pssh. You young people these days. I don't want your opinion until your UID is in the lower 50% of the population. Pssh. Kids. Think they know everything. In my day, we were lucky if we knew nothing! You were lucky just to not be a negative container of knowledge, sucking it out of other people until everyone knew nothing. Pssh. Kids.
Edward@Tomato - /home/Edward/ man woman
man: no entry for woman in the manual.
"Qua!?"
The world's most dysfunctional family?
Do not taunt Happy-Fun Ball
Just to pick one example, #7 (assume keyloggers, change your password when you get home): what if your home computer has a keylogger on it? Uh, oh, better go to Starbucks and change your password from their network. Wait a minute, somebody might be packet-sniffing it. Oh, no, there's no way out, we're doomed!
Your paranoia is way overblown anyway. I've been an active network/web user for 20 years, and nobody's ever stolen one of my passwords or hijacked an account of mine. People have broken into my house and car and stolen stuff, though.
Why put the list in cyberspace at all? That's the beauty of paper, nobody online can steal a sheet of paper sitting in your home/office/dorm/loft/cave.
But I thought you said not to put it on your machine at all!?!?! So what the heck is it doing under your home directory? :-)
Wanted: witty unique signature. Must be willing to relocate.