Writing Down Passwords?
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
can anyone recommend a centralized password storage software solution that works well for them?
No, no, just post them to Google Groups! That way you can always get back to them no matter where you are!
Given a choice between free speech and free beer, most people will take the beer.
Aren't all the reasons that this is a good/bad idea the same as they were then?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Has anyone used this product at all? http://keepass.sourceforge.net/ If so would you care to comment on using it?
For routers themselves, I write the password on the surface of the router itself with my handy alcohol pen. That pretty much solves that problem.
which ran a few weeks back, and which has some pretty sound reasoning behind it.
I do believe that there is also "some pretty sound reasoning" when the users decide to share their whole drive together with the passwords on P2P. I mean, by doing that, one can sleep peacefully knowing that his password is redundantly stored, for the next n years.
Give me a break. Security is designed by the need for it. There is a need to protect your email password because even email has a legal standing as a form of communication. Same goes for your personal and work files.
When you write them down, don't put any login association with the word. Worst case, you have to enter a bunch of passwords in to check which one is right.
One piece of paper with several words on it won't mean anything to someone who gets a hold of it.
Black cat, searing pain, flames...? I must be in Heaven! - Homer Simpson
Honestly, it really depends on where you write them. If you keep them secure, then you're okay. Personally, I keep all of my passwords in a protected file on my Tungsten.
However, if you're prone to writing them on PostIts and sticking them to your monitor...
Successfully condensing fact from the vapor of nuance since 1998.
I use Password Safe, but I write down things I need to access from multiple computers (like my router's password). I also try to keep a written copy of everything somewhere safe.
Are written down. I just can't remember where.
Cheers,
RM
Nobody's as dumb, as I appear to be
In your own home, who else is going to find a piece of paper with your password on? For a router that you configure and forget, writing down the password sounds reasonably sensible to me.
If I can't remember four simple letters, then I don't deserve to watch my pr0n.
I don't write them down because I generate passwords with a little app that I wrote that scrambles together 2 or 3 passwords I can remember and generates an upper/lower/number/letter/symbol password for my usage... but I don't see a problem with writing down a password. I would probably keep it in my wallet or whatever and not just have it laying around. Maybe even do something clever like make all the consonants upper case and the vowels lower case but write it down in reverse, or add two to the numbers and keep all numbers 0-7 .. you could get clever with it and still keep it simple to decode.
The Technomancer
"Men of lofty genius when they are doing the least work are most active."-
I figure that it would be a lot safer to have a secure password in my wallet than an insecure one committed to memory.
However, I imagine that there are merits to both sides of the argument.
I write my passwords down, most of them anyway, on my Palm, using Keyring.
Everything's protected by a master password and triple DES, so it's fairly secure.
I found out about KeePass (http://keepass.sourceforge.net/) on that previous story, so I've started using it. It's a very handy utility to have! It can keep track of all my passwords for various email accounts, websites, etc. It's a simple program that (based on my experience so far), just works!
If you wanted portability, you could keep your password database on a USB memory drive and carry that around with you.
I see that they just released 1.0 on June 4th - congrats!! I highly recommend people check it out!
Write down my password? Ha! I have mine tattooed. In fact, all I need is a speculum and a magnifying mirror to retrieve it. It was the best I could come up with, other than Zaphod Beeblebrox brain-brand style. But that is just BIZARRE, you know?
I like to write them down in my Slashdot journal so I can access them from anywhere.
My mom likes to be "organized" so she would write her online financial passwords (controlling access to most of her retirement savings) on post-it notes stuck on the wall next to her computer. After one of her friends came for a visit and used my mom's computer to check email, my mom decided it would be safer to keep her passwords in a little black book. That worked pretty well until she took the book with her on a plane trip, stuck it in the seat pocket in front of her and forgot to take it with her when she left the plane. Later, when she told me the story I was like, "You know, it might not be a bad idea to change your passwords." and she was like "Oh, now that you mention it, maybe I should."
I suggest writing them down, then locking them in the safe, then locking the key in a safety deposit box.
It's not that writing them down is insecure by itself. It's just that your office isn't secure.
....because to get all your passwords, the l33t after-school hackers would have to *gasp* leave the basement, and presumably do some breaking and entering to get your list...
There are those who do leave their front door key under the mat, but even they don't hang a bloody great sign on the door to remind them where it is.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Corporate rules to not write down passwords aren't pertinent to home users. Sure, you don't want your kids to know the password for the childproofing software, nor do you want them to know your bank password.
Kiss your ass goodbye if you lose that password!
Intron: the portion of DNA which expresses nothing useful.
This week I wanted to log in to an old ICQ account to retrieve some old friend's information. I forgot the password for ICQ I thought I would never forget. The hotmail account's password for password retrieval for the ICQ number I also forgot because I used to use it for subscriptions only.
Over time your brain dumps the information it does not use. Write the passwords down and secure them physically.
If you mod this up, your slashdot background will turn into a beautiful sunset!
Hide them where cr@ck3rz will least expect them - your blog!
Writing the passwords down is good for remembering, and that itself is not what makes it a security issue. It is writing it down and leaving it for someone else to find that is bad.
A year back at my old school, a teacher left her password for school network access taped to her monitor. A student found it and used that to take down the entire network. Took down everything from the entire school's grades, email, library system and of course internet access.
I also have some written in files on Yahoo and google's email files. Nothing important though.
If it's important then I will keep it separated in paperwork.
Either that, or call the help desk like I do.
They always seem to know what it is.
We're on a first name basis.
I dream in binary.
Is the username with the password?
Did you munge the password you wrote down by some scheme known only to you? (example: first character of password is off by one position [ a becomes b], last character is off by the number of characters in the pw)
Is your choice between a simple pw like "kitten" which you remember, or "z0rtvoid-numrut" which you write down..
I do write down pw's, after having forgotten a root pw twice and having to edit a shadow pw file.
Good luck to anyone finding my written pws to find out how to use them, though.
Should you drive on the left hand side of the road, or the right hand side?
Despite what some people seem to think, there's no "right" answer other than following the context. I live in the US and routinely drive on the left hand side of the road... on one way streets where I'll be turning left soon. I've done it on interstates... where the right hand lanes were closed due to construction and the oncoming traffic was moved onto the access road.
Writing down passwords is the same deal. It's a Bad Idea in your cubicle. It's a Cause For Termination Idea if you're a sysadmin.
But on a router at home, or in a locked wiring cabinet? It's a damn good idea. On a card in your wallet, especially in that zippered compartment so it can't accidentally slip out? Good idea, unless you routinely leave your wallet unsecured. In which case you're an idiot with bigger problems than just writing down your passwords.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Paypal is better than a credit card for security?!
Sounds like something I would see on www.thedailtywtf.com .... not on Slashdot.
Be sure to use very strong encryption, like ROT-13.
And by environment I mean the work being done using those passes as well as where the machines are versus the passwords written down.
For instance, I never write down my PGP passwords and take advantage of the long passphrase feature to use long but easily remembered phrases memorable only to me personally. Why would I leave a PGP password where anyone could get sensitive financial files decrypted?
For IM and such, I often do write them down, but keep them altogether in a place so safe, even I can rarely find it. : )
Okay, that was partly a joke. I have a secured storage place where I keep those passwords that are to things that aren't extremely important, but a pain in the backside to do the forgotten e-mail password routine when I restore a box.
I'd love OS-independent USB keys with password challenge ability to replace much of the passwords I have to remember.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Well, how good is your physical security? If the system will be accessed from an environment where there are likely to be unauthorized people wandering around all the time (large office, public area, etc), then don't write it down. If the system will be accessed from a place that only people you trust have access to (home), then it's not a danger, and if your home is ever compromised, having your router password in plain sight is the least of your worries.
May 2001 Crypto-gram
I use the "key+computer" convention.
Every so often, I make up a new "key." This may be the name of a friend, my favorite TV show, or whatever.
For each new or changed password, the password is key+nameofcomputer or key+nameofservice.
I also change o's to 0's and i's to 1's.
For example, next year my /. password may be StarTr3kSlashd0t and the year after that Battl3starGalact1caSlashd0t.
This way, I only have to remember the current and previous "master passwords."
For really important passwords, like those an employer or spouse may need, I write them down and put them behind lock and key, and make sure the people who will need access will have access when they need it.
Yeah I'm an anonymous coward for this, for obvious reasons.
I thought everybody knew that post-it notes on the bottom of your keyboard are the only safe place to store passwords!
"What does slashdotting mean?"
"You've never heard of slashdot?"
"I know it makes websites not work."
.. in one now very huge text-file. The text-file is encrypted with a long master password which I hope I will never forget, because if I do, I am screwed. I use Another Password Generator http://www.adel.nursat.kz/apg/ to make random passwords for every new service I encounter, so no two services have the same password.. and they all look like tajEbAmAb or something. The way I do it limits me to using a lot of services from home, but it does give me good security and allows me to only remember that one password for the text-file.
9/11: Never forget it was a false-flag operation
I think it depends on the environment. Is your router in a secure enough location that writing down the password and taping it to the bottom is going to keep it secure? If so, then by all means do it. This also allows you to select better passwords that you don't have to remember. Personally I think selecting a good password and taping it to the bottom of the router is far more secure than selecting your house number, or dog's name and not writing it down.
Netgear routers are inexpensive, and low on features and are generally bought by individuals, and small businesses. They don't have super-high security needs, so the physical security of the router itself is usually enough. If you have physical access to the router itself, you could just as easily push the configuration reset button on it, or steal the router and replace it with a duplicate.
I generally tend to write down the more obscure ones in my desk where I work (which is at 552 W. Cou... oops).
But I write them out of context, meaning I don't write down the username or system they're for (unless they're associated with my standard login name, and I have those memorized). If I'm especially paranoid about certain ones, I just hide them or obscure them in an easy to remember way.
If you are at all concerned about security and want to follow best practices and only have to remember one password...
http://www.tranglos.com/free/oubliette.html
I once had a customer at the gas station where I worked who had many plastic passes with all different passcodes.
On the passes he had post-its.
I asked what they were for.
He showed them to me. They were tables with mostly arbitrary numbers in the cells. He only had to remember the combination of cells to recover the code from the pass with the post-it on it.
I've represented the password to my Wells Fargo bank account in numerous places...even on my monitor. All I did was sketch a kitten on fire. Another upside is that the drawing is sexy.
For random passwords I pick something within sight of my desk. That way one quick glance can 'reveal' my password to me and no one else. (I'm not talking passwords like 'mouse' or anything but I've used the manufacturer name of my mouse before)..
See Jon Udell's Simple single sign-on article from May 2005: it points out a few simple solutions that will solve many people's problems.
If I can and I am *evil* then "All your routers are belong to us."
If your routers are behind lock and key, then this is a good solution.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I have them on a tabular sheet, slightly encoded in a unique method that I invented for myself. I store this sheet in the safe deposit box at the bank. I am very careful when transporting this information around, but other than that, if the crooks manage to get into the safe deposit box, I've got much bigger problems than some passwords to pr0n sites and such.
If it's for a big company server you're going to want to keep it in a vault or something if you *must* write it down. But then again, you could keep an old laptop full of passwords in a vault.
"I may be full of crap about this game, and I may be wrong, and that's fine." -Jack Thompson
Writing them down is low risk assuming you're not using the password to keep someone on-site from accessing your data. In general, for something like a wireless access point, who cares if it is written down on a scrap of paper someplace? Most of those passwords are there to prevent external people from getting on your network or changing the config. Generally those people are trying to get in remotely. They'd have to break into your house to read that scrap of paper just so they can log into your AP. That's a lot farther than your average script kiddie is going to go. If you have a real honest reason to fear that someone could break in just to find your online stock password written on a Post-It note, then I'd suggest you're probably in a financial position where installing an actual building security system would be well within your means--in which case once again, writing your passwords down wouldn't really be much of a risk unless you happened to leave the note sitting out so that the cleaning lady could snatch it up or something...
If you write your passwords skillfully (for example, coded in even a simple way, scribbled amongst some other notes in your telephone directory or small paper notebook) chances anyone would get to them without you knowing about it are close to none. Especially so if you are a normal citizen and have no reasons to expect any government intelligence agency has developed a specific interest in you.
All those Big-Brotherish surveillance techniques work miracles, but only against electronic media. They are totally useless against a note scribbled on a piece of old fashioned paper.
I have a rather large master password list for every server at work which I store this way. It's quite handy.
Just don't post-it them on your desk or computer and don't write "Password for xyz.com"
This comment does not represent the views or opinions of the user.
Then I have a few *really* strong passwords that I use to encrypt text files holding passwords that either belong to myself or other entities (customers, etc.) using GPG's symmetric method. I retain copies of these files locally, but I also store them for safe keeping on my primary gmail account.
Trust me -- nobody's guessing the hard password, nor is it brute-force-dictionary crackable. Unless there's a major breakthrough in cryptanalysis or quantum computing, my files are safe for a good while.
No, I'm not arrogant. But I think I go through the hoops that a "normal" person need go through for securing this kind of stuff. My adversaries don't include the US Gub'ment, multinationals, or other countries.
http://passwordsafe.sourceforge.net/
Originally developed by Bruce Schneier so you know the crypto doesn't suck, this software is both free and very easy to use. I don't know what I'd do without it.
The security of writing down passwords depends upon the security of the paper they are written upon.
If you have a router/firewall on your Internet connection, and you write the password(s) to the router on a piece of paper taped to the router, then you are not really reducing your security - if the bad guys are in the room reading the password you are already in trouble.
However, if you write your workstation password down on a piece of paper under your keyboard, and other people can reasonably be expected to have access to your office, then you are greatly reducing your security. If, on the other hand, you have your password written down on a piece of paper you keep in your wallet, then the reduction in security is fairly minimal - especially if there is nothing in your wallet that would lead the bad guys to your workstation.
I was royally ticked. They should've known better.
Granted, I was calling from my phone-of-record but caller-ID can be faked.
Most help-desk people will reset your password and find some way to get it to you.
I like KeePass for password storage. It's secure, well organized, AND I get to say "Keep Ass" a lot. I don't know why that's funny, it just is.
-- Minds are like parachutes... they work best when open.
Bruce Schneier also recommends this - see this and scroll down to the paragraph on passwords. I actually use GPass, which I like a lot. I remember one long random password and make sure to back up my data file to a second hard drive. The ability to copy usernames and passwords to the system clipboard is nifty.
A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.
Can someone recommend a good new root password for my box? LOL
If you mod me down, I *will* introduce you to my sister!
so it may be good to write down your passwords, as long as they are secured either on your person at all times, or locked in a vault someplace...
either way this is no real sub for good old fashioned remembering things... just change your passwords on a timely schedule.
i have 20+ sites/programs that i change my passwords for ranging from ssh tunneling, to remote email servers to FTP servers...
i have 5 master phrases, one for each type of password protected app/protocol, that i use to create strong alphanumeric symbolic passwords from. essentially it's my own leet speak. i write down a single hint on a sticky in my wallet that will remind me of the type of replacement i used. as i use the same type of replacement for all phrases, though it changes regularly...
there is no real good reason to write down passwords to anything you want to keep secure. write down a hint that only you will understand, and make sure that you will remember what it means.
just to show you kinda what i do i'll use one of my old phrases:
midgetslutsdontlikeanalsex
how are you not gonna remember that....now just replace two characters with numbers (preferably not 0 for o or anything like that..more like 3 for 0)
and then replace two more letters with special characters.
a possible password using this type of "encryption" could look like:
1i@get0l9y0@o)tlikea)alsex
that will probably take a long time to break...
look just make one base password, and every so often add or subtract from it. DuH! or is that Doh! Don't make life hard, unless you have it easy.....
Sig Hansen?
I have a few passwords that I use everywhere with variations. I write down the variations. For instance, schoolpass! means my school password followed by an exclamation point. workpassnosym means work pass with symbols removed (for when non-alnum chars are disallowed), etc. It's always fairly obvious looking at it what i mean. I have a few to work from that I've been using for a long time (and are sufficiently unguessable) and just go from there.
Normally I have some sort of mnemonic device connected with my passwords. If I can think of the key, say "rootbeer," I can remember my password "r00|b3eR." So if you write down the key of a mnemonic device, someone else who reads it will not likely be able to extrapolate the password from the key (if they even realize it is a mnemonic key), though you will.
... to discuss such trivial things on /.?
Maybe it is time to find a replacement for /. Is there any?
A really neat method I've used in the past:
:)
record the last five characters of each password on a card. Even indicate which box is which.
Then, memorize the first three characters, and use them in all locations.
Works great.
if you can't remember your passwords, why don't you save them all in a single file and encrypt it?
Bruce Schneier's (now Open Source) app, Password Safe, is exactly what you need to "write down" passwords with. You only need remember a single password to decrypt the database. And since the database uses Blowfish, it is pretty damn good.
I have over 50 username/password combos stored in mine with a strong password to open the database itself.
If you need to write down a password, this is the way to do it.
Try to hack my 31337 firewall!
You will even find this referenced in "secrets and lies." Writing down a password and keeping it under your sole control is not really any different than using some other token to access a system.
This act turns the password into "something you have" instead of "something you know." Since passwords are not strong authentication by themselves this does not undermine security any more than relying on password security itself does.
Writing the password down and leaving it in a public area or in your desk, however, is a HUGE risk. Whoever wrote that guide should be keelhauled for not making a distinction. The typical clueless user will assume that leaving a password on his/her monitor at work is fine, because Netgear knows more than the "experts" in the IT department.
I suppose that since I'm an Infosec professional, that makes me an "expert."
yes, and copy it to the clipboard which I can empty the moment you access one of my spiked pages....
My rules for passwords for others:
- use simple, easy to guess ones so you won't forget them
- use a set of simple passwords and rotate them through your different accounts, so you have just a small set to try (less than 3....?)
- tape your root password under your keyboard (or administrator...)
- publish your mail passwords by using unsafe pop3
- router passwords, as with all devices you have that you either administrate through a web interface or a serial link: use permanent marker, bottom of the device
- email your passwords to yourself frequently via unencrypted links, so you are sure they are stored in some email account of yours somewhere
- use all free available password management software you can get, prefer those that need to be connected to the Internet while encrypting your passwords for the local store ..... :-}
- writing passwords on a piece of paper is useless, unless you note also exactly for which computer and account they are, where the device/terminal is, and what the dial-up modem number/password are.
- don't bother to protect modems and cable routers with passwords: nobody will hack these because they are boring and don't contain your private information
- keep the world at peace: one password for all occasions!
My rules: I use the NOYB method to safeguard my passwords. Mike
Well it really comes down to this... writing it down isn't necessarily a security risk, posting it on your monitor using a post-it note is... so if you write down or print out all of your passwords, then lock it in a safe for future access, I don't see any reason for that to be insecure. We do it at our work, but then again we have so many abstract passwords for service accounts that it would be almost impossible to remember them all. CO4x4Guy
If I am setting up a netgear or any other router and give it a password, of course I write down the password and tape it to the bottom of the device. We are trying to keep other wireless users off of the network. If they can read the password off of the bottom of the basestation, then they are in your home and you probably do not mind them being on the network. As long as you can't see the password from outside the house then you are quite secure, and if you forget the password it's waiting for you.
What genius! And here's an even better idea: post them in public and then go to an online forum that gets, like, a bazillion hits a day and TELL EVERYONE you did it! That way when the MIB show up to ask you about those questionable images they heard about or your activities online the other night when MSN went dark, they won't have to bother with breaking out the demerol and the rubber hose to "coax" those PGP passphrases out of you...
i'm shaking my paper-note cracker in anger.
http://kiskis.sourceforge.net/
It's java - and it really runs on Win 98, Mandrake, CentOS, WinXP and Mac OS.
It's easy to use, the passwords are encrypted, and because I can run it on all of the OS' that I use, I can carry the app on my USB drive with an encrypted copy of my password DB and I can always use it.
It's open source, and I've found the developer to be receptive to helping.
YMMV, but I'm pleased.
Respectfully,
Anomaly
But Herr Heisenberg, how does the electron know when I'm looking?
When I write down a password, I do two things:
1) Obfuscate them by adding an extra character to the beginning and end of the password. Make up your own variation on this. Prefix the password with a number, say, 4, and add an extra character to the password inserted 4 characters from the start of the password
2) Captain Obvious, don't write "PASSWORD" on your post it note.
Chris
Not writing down your passwords isn't always good advice. Though it pains me to say it, Microsoft is right on this one.
People often pick awful passwords or pick the same password for unrelated uses, like they use their SuperSekrit company password that accesses all our financial data as their webmail password because two good passwords are hard to remember. I'd much rather people write two good passwords down than use a bad one, or use an important one in an insecure way. Just protect whatever you write it down on, and if it ever does get lost, change it!
In the educational industry, my clients have to worry about audits in order to stay accredited. These audits are now switching to a 3-month period on passwords. Against common security protocols, I'm telling my users to write the passwords down, even going so far as to say to keep their passwords in a notepad locked in their desk or cabinet, to avoid increasing the average "I don't remember my password" calls to their help desk staff from 5 per day to maybe 1 per day.
Granted, any security expert can tell you that 70% of corporate theft comes from the inside, but the auditors must not know about this, because they are sticking to the 90-day insanity. Help desk staff can only be expected to spend so much time on ridiculous things like this.
Maybe they'll realize that all an employee has to do is look at the pink stickie in the top left of their coworker's monitor to access the 50 bajillion social security numbers of all the students, but hey, I guess Frannie in marketing (who is leaving her job to go work at a Rolex watch operation in Toronto) is just as trustworthy as Pam in records (who's worked for the university for the last quarter-century).
Just because you write it down doesn't mean that it has to be left out in the open. Write it down and lock the piece of paper in a desk drawer or, if you are really paranoid or it is a password for a high security system, in a small safe.
Porn wants to be free!!
I keep two copies of any critical passwords written down.
The first copy is placed in a sealed envelope and stored inside a safe in a room with a combination lock (the server room). This copy is to be used by my boss if anything should happen to me; every so often I check that the envelope is still okay. I'm not worried about the list going missing since (a) it's in a safe that only management can access and (b) it's in a locked server room that only four people access regularly. Even if someone did get the password list, they already would have had physical access to the equipment.
The second copy is kept in my wallet. I write the passwords down without any indication of what they're for and then fold the paper up and put tape around the edges. The idea is that should I leave my wallet lying out (I don't) the person is going to have to cut the tape on the paper and I'll notice that.
1. Choose your password and memorize it. (Yeah right!)
2. Implement it.
3. Put your password into a ROT-13 proggy and --write down-- the output of THAT.
If anyone finds the rot-13'd password you've written down they won't get anywhere at all with it. Only you will know..
At my work, we issue a credit-card style password card using a Zebra printer. The thinking is, because it is an "official" looking card people will keep it in their wallet and it is reasonably secure; as secure as their physical MasterCard. Not 100% secure, but better than having passwords like "cat" or "dog" - since it is the password to our web based CRM, having weak passwords would be a disaster; we would be SK'd in a couple of hours.
We looked at it as the lesser of two evils. Also, no more dumbass "i forgot my password" calls to the helpdesk.
for a few weeks I was using:
"antidisestablishmentarianism(underscore)(my zip code)"
Ok. for a few days.
If you are willing and able to get into the wire room by any means (either by breaking in, or sneaking in, or even walking in), why would you bother with the password? You could just install a hidden tap and be done with it.
On just how secure I want to be. If I'm on a system where some security nimrod has decided that I must use a bizarre password that follows his rules and then change it every few weeks, I write it down and post it on the monitor.
On the other hand if it is something important I have Mnemonics that I use. I try to not have a lot of memorized passwords, and I will only memorize a password for a system where it will never change.
Considering the large number of passwords we have to use in today's world, I use the same password on all the non-security things in my life (like I really care if you can read my voice mail). I keep the number of truly secure accounts to as small a number as possible.
One gripe: Forcing someone to change their password every so many weeks shows that you know nothing of security. Brute force cracks will work before the password rolls over, so social engineering is your biggest fear. Constantly changing passwords are easier to socially engineer because users have a harder time remembering them, and just get annoyed by it. If you want a user to truly 'own' his/her password and not share it, you have to make it special to them so they keep it private.
Or better yet, make it embarrassing.
I am the all-purpose IT guy for a small restaurant chain in Seattle. Part of my tool kit that I carry to the restaurants when something breaks is a roll of masking tape and a sharpie.
Everything - IP settings, usernames, passwords - gets written on strips of tape that get put on the devices.
If physical access = root access anyway, what's the threat? I once had a restaurant manager who had stolen $200,000 put her restaurant's server through the dishwasher to destroy the evidence. She didn't need any passwords to do that, and it was quite effective.
Besides, everything is kept in the same locked room as THE SAFE with all the MONEY. The people with physical access to it also have access to everything in paper form.
I have a file of passwords that I keep on my PC, but it's PGP/GPG encrypted so only my master passphrase can open it. So I can get my passwords when I need them and not worry so much about someone finding the file.
I totally depend on Keychain as well, a brilliant builtin piece of functionality. Although, unfortunately even Apple doesn't do a great job publicizing it or explaining it (afaik). You just kinda know about it or you don't.
Write down all your passwords on a small piece of paper and tape it to a 100 dollar bill. That will ensure that no one else will ever find them.
1. pick a number (one to three digits probably)
2. add 5
3. multiply by 3
4. square this number
5. add the digits over and over until you get only one digit (i.e. 64=6+4=10=1+0=1)
6. if the number is less than 5 then add five otherwise subtract 4
7. multiply by 2
8. subtract 6
9. use this number to select a letter of the alphabet 1=A, 2=B, 3=C, etc.
10. pick the name of a country that begins with that letter
11. take the second letter in the country name and think of an animal that begins with that letter
but wait...
there are no elephants in Denmark!
at a developers conference last year. He talked about how important passwords were, and how he often changed his. He then attempted to log in and do the rest of his talk...and could not remember his password. We all laughed at him.
I have several words. None of them are English words and some are in a language that I created myself. I mix those words with certain number patterns that mean nothing to anyone other than myself.
The only problem is if I forget which word/number combination I used with a particular site and there is a low limit for wrong guesses.
LK
http://www.freshmeat.net/projects/passwordms
There was an article about password storage and management some time back in the "Linux Journal". I think this is the article on their web site here:
http://www.linuxjournal.com/article/7853
Writing them down is crazy. I have never once written down a password. Since I have touched a computer, I have remembered my passwords in my head. Either that, or click on the Lost Your Password Link. It might be stupid, but I take my security in high priority in this Big Brother, back-stabbing world. You should do your best to remember yours too.
I always write down all of my passwords, but never on a computer, only on paper.
For the typical home user, this is probably good advice. TFA is making this suggestion because the alternative, choosing an easily-remembered weak or nonexistent password, is worse.
Your only worries are someone breaking into your house, in which case you are likely to know about it pretty quickly and will hopefully remember to change your password. And your haxx0r punk roommate / child / spouse who will use the password for whatever nefarious means they can think of. Geez, it's just a router password. It's easier and more profitable for a burglar or family member to steal / guess an ATM PIN.
The easiest way to remember a password, is to think of a phrase, and then turn it in to an acronym.
So, if your phrase is something like: 'The quick brown fox jumped over the lazy dog' your password is: 'tqbfjotld'. The beauty of this system is the characters at first glance are seemingly random, but easy to remember because they're associated with something.
KeePass rocks.
All you have to remember is the one password for the archive, then everything inside is a double click to spawn a browser or PuTTY window, and a double click to copy the password to clipboard. Even wipes the clipboard after 10 seconds. Ctrl-H shows or hides the password if you need to see it.. I tend to leave mine as asterisks all the time.. Also has a password generator with good configurability and a "quality" checker that rates how hard a password is to crack. You can even configure it to launch apps a la command line for other types of programs beyond web/ssh ones.
It's an awesome and free app. I use it religiously at the office for the 30+ systems I have accounts on.
If you haven't tried it, check it out.
I'll also use this opportunity to remind folks that they simplify the problem in the first place by using an algorithm for their passwords. Like:
[favorite number] + [first letter of site/host] + [last letter of site/host]
So an example for an account on amazon.com might be like: "64438an"
(those plusses are concatenates/appends)
Pros:
1) You never have to "remember" a single password. Just remember your magic number and you can always derive the password at any point later.
2) Passwords are unique per site. If someone finds out one, it's not used anywhere else (except clearly for sites that have the same first and last letters, which is pretty rare).
3) passwords appear random at casual glance.
4) At periodic cycles (depending on your level of paranoia) change the magic number across all your sites. Worst case scenario is a seldom visited site where you have to try maybe the previous number or the one prior to it... usually not hard to do if the numbers have any significance for you.
Cons:
Not an option where the passwords are assigned for you.
My example above is very simple. You can easily spice up the algorithm to include caps, punctuation, interspersing the letters and numbers, using subsequent letters (like amazon = "an" -> "bo" from above), etc. But once you pick the system, just apply it everywhere and you essentially never have to remember an actual password ever again. It's worked for me for nearly a decade now and the only time I've had any problems is when the site itself changed names and I had to recall the old name... a pretty uncommon occurrence.
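The KeePass post above mentions a configurable generator and a "quality" checker. The following is an added example (not KeePass code and not from any poster) of how such a pair is typically built: a generator drawn from the CSPRNG and a crude character-class entropy estimate, with a constructed mini-dictionary standing in for the cracking wordlists the thread also mentions. The rating thresholds are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary: anything in here is rated 0 bits
# no matter how long it is, because it will be the first thing a cracker tries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "asdfghjkl", "admin", "root", "cat", "dog"}

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Generate a password with the secrets module (CSPRNG), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pool_size(password):
    """Size of the union of character classes the password actually uses.
    This is the usual 'quality meter' approximation: it assumes each character
    was drawn uniformly from that pool, so it is an upper bound, not a truth."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32  # len(string.punctuation)
    return size


def entropy_bits(password):
    """Estimated guessing entropy in bits; dictionary words get zero."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def rate(password):
    """Coarse rating; the thresholds (28 / 60 bits) are assumed for this example."""
    bits = entropy_bits(password)
    if bits < 28:
        return "weak"
    if bits < 60:
        return "moderate"
    return "strong"


if __name__ == "__main__":
    for pw in ("asdfghjkl", "aaaaaaaa", "Tr0ub4dor&3", generate_password()):
        print(f"{pw!r:24} {entropy_bits(pw):6.1f} bits  {rate(pw)}")
```

The meter deliberately scores a long all-lowercase string as "moderate" rather than "strong": length buys bits only if the characters are independent, which hand-picked words are not, so the dictionary check runs first and overrides the arithmetic.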
Things change. Your brain is organic matter. Brain cells die; neural pathways are pruned without your full conscious control.
I've known several admin types who've had to resort to writing down passwords and other crucial pieces of information as they age. You are no different. Write your passwords down and place them under lock and key, or be prepared for the day when you can't remember that one password.
Don't write down the actual password but a hint that will remind you what the password is. Who is going to see "password: a bad dog" and guess the way you have chosen to spell the name of the dog that your parents used to tell a funny story about when you were a kid? Just make sure you haven't still been telling the same old "bad dog" story and using the dog's real name recently.
or how about including numbers with that? :D wow, this is really a good idea!
Take care!
I tell my users that if they do write down their password/creds they should treat it the same way they do their driver's license or passport. After all, those are credentials too, and it provides a good analogy so people can better understand what their responsibilities are regarding them.
That's often not enough though. I also tell them the first time I see their creds in the open that I'll remind them of the policy. After that, their password documents will be destroyed immediately and without notice on sight if discovered in the open again... and that their password will be changed just as fast.
Call that a bit draconian if you will, but I see it as a way to meet people in the middle. I can issue strong passwords without having to think about whether people will remember them, and as long as people treat their credentials like responsible adults I don't have to worry about adverse disclosures.
Truth is people are going to write down their passwords no matter what you tell them to do. Providing a climate where people aren't afraid of admitting it and setting an official policy regarding how that's handled can help you manage risks that otherwise would be hard to approach.
Give me a break. Security is designed by the need for it. There is a need to protect your email password because even email has a legal standing as a form of communication. Same goes for your personal and work files.
So? Seems to me you may be addressing a point that the author is not raising. He's not asking if having a password is better than not having one; he's asking about the advantages and disadvantages of writing down a password?
Suppose you value the loss of a piece of data at, say, over $50,000. Consider how you would feel about carrying the passwords to that data in your wallet.
Sound like a bad idea?
OK, does carrying around the keys to a new Mercedes sound like a bad idea?
So, if we've established it's not necessarily ridiculous to write your passwords down provided that you take the same care of them you do your car keys, the question remains whether there are advantages and disadvantages. The disadvantage is that your wallet may be stolen. The advantage is that you can use a key that is cryptographically hard to break, as opposed to ginning up something you can remember.
Threat assessment is key I think.
The password to your work account may be a good candidate for the wallet treatment. A pickpocket has to know where you work, and what your user id is, to make use of your password.
The PIN to your ATM is a bad idea, because the pickpocket gets a complete set of what he needs to get access to your account: the card and the PIN.
A while ago I started to change my passwords often and use the titles of (scientific) articles connected to my work to provide me with passwords, by using the first or last letters of the words (plus the odd number/sign).
I can change them often; usually I can recall the paper (because I usually have read it), but because I did read them, they don't even sit on my table.
And I can always look them up in Medline...
What I lose in redundancy I make up in length of the passwords (the current one has 13 letters...)
Look not everyone is running networks for fortune 500 companies or government agencies. For most of us we don't need any more computer security than the security we have for our house.
If you keep your passwords in a drawer at home the only vulnerability you face is someone breaking in to steal them or sneaking a look. Yet anyone who could break in or surreptitiously look in your computer drawer could probably just plant a keyboard sniffer.
For low security home use, and especially if the hardware would only cause a network outage, the expense and difficulty of losing passwords more than outweighs the risk of writing them down compromising them.
Besides, if you can write down the passwords you can make them very random as you don't need to remember them. This means you gain *more* security from purely remote attacks and for most people this is all they are concerned about.
My passwords are so long and contain so many non-[a-z][0-9] characters and are ordered so they are awkward to type in, that the average person would conclude that my mpegs are not worth the effort. :-)
I keep all of mine in my palm pilot, which is always conveniently situated in my back pocket.
When I find I need a new one, I just transfer them over. Manually. I am old-school.
Remember, all the information needed to steal your identity is written on small pieces of paper in your wallet. (according to TSA and DHS they are required to prove you are not a terrorist)
There are also credit card numbers, untraceable cash, and pictures of you and your family. But we keep these documents secure. Why not add a card with important passwords on it? Just don't link it to a specific machine, account or website.
Bryan
I telnetted it in with a direct cable back in 1999, so I sure hope it's one of my standard ones, cause if I ever have to upgrade my router, it's gonna be heck to pay.
Write them down in code form - use a series of uncommon words - like say Hindi versions of Innuvut food (not known by many) - and a series of numeric and symbolic entries - and you defeat almost any cracking scheme. Then just write down a pattern - say xxxxxYY to indicate SGIAN87 where you know what the xxxx is likely to be and the YY is likely to be - and store that part somewhere else. Don't tape it to the bottom though.
From http://www.vi-improved.org/wiki/index.php/VimGpg, change your .vimrc file to allow Vi to edit GPG encrypted files. It automatically asks for the password, decrypts the file, re-encrypts it when you're done, and it doesn't cache the plaintext.
Works well for me, since I can access my passwords from any place that allows me secure shell access, and I'm not carrying around a thumb drive that can get lost, broken, or lose its data.
If you work for the US government or any of its contractors, writing down any passwords to classified information or resources is a bad idea. I'm pretty sure it's a punishable offense.
I know a fellow at work that uses a cryptocard to access the company network while offsite (much more secure than a username/password combo - at least you'd think so). However, he's written the pin on the back of the card - "1235", because apparently it wouldn't let him set "1234". Sigh.
A Palm and a little (free/libre) application called "Top Secret." I remember one password and all the other ones are encrypted, as are CC numbers, etc.
One way is to hide your password in a shopping list of horrors:
G0atSphincter
0ctopusBeaks
BlackAngusF0reskin
etc. etc.
Just write it out by hand, remember to leave out spaces when typing them in, and not only do you have a visible password list, no one will ever bug you to cook for them.
My web password is "asdfghjkl" - just like everyone's, right? Oh... all my UNIX passwords are "root", just like my username... just like everyone else. ... and my Cisco password is "admin"... just like everyone else.
No need to write anything down.
Personal machines at home aside, what the hell is any company doing using textual strings for authentication? Biometrics is the way to go. A thumbprint scanner, retina scanner, nearly foolproof, and the user only has to remember to bring his head and hands. Granted, this is a stretch for some dunderheads, but there you have it. (Thanks for giving me the opportunity to write "dunderheads"...)
There are a lot of programs that let you write down all your passwords in a single place and still encrypt them with a master password. Mozilla has something built in. If you want something more portable, get a Palm or PocketPC. There are also desktop solutions and solutions that work from memory sticks.
if you write down your passwords, david lightman will continue to hack into the school server and battle military supercomputers.
For a home wireless router, you're trying to defend against hackers without physical access to your home from stealing your resources or snooping your network. Writing the password for your router down is almost by definition not a problem, since anyone physically in your home could already plug into your wired network.
For most other home applications, unless you believe the government or those with grudges against you are willing to go to a lot of trouble to hack you, you're probably still only worried about random or semi-random online attacks. Again, written passwords shouldn't be a problem.
If you're trying to hide your porn collection from your SO, the written password is probably not such a good idea -- depending on how computer-savvy your SO is.
Your online bank or PayPal password is another consideration -- if you have a piece of paper clearly marked "PayPal userid and password" sitting on your desk and a thief breaks into your house, well, why wouldn't he take that and try to drain your bank account too?
And so on. The point is, you can't ask the question "how secure is this" in a vacuum -- you have to understand what the potential threats to the resource being protected are, and which measures you are taking to counter which threats.
We used to feel safe from online attacks. After all, if someone tried to brute force a rather simple password with a dictionary attack, such an attack would fail, because it could be easily detected and login attempts from that location can be blocked long before the password could be guessed. However, a recent attack strategy that is becoming more popular is to pick a random user, and a randomly chosen password from a password dictionary and try that login at a random ip. This is surprisingly successful! Why? Because you are statistically just as likely to get in this way, as you are if you are attacking a specific location. So long as you don't care about a specific target, but just want to get into some/any computer this is a good attack strategy. Once in, you can install a simple script that will continue the process, attacking more computers from the ones you already have access to. Many computers have been compromised in this manner, and are acting as zombies as evidenced by my log files. The number of these "attack logins" that I get every day is astounding!
Now, to remember your password requires a certain amount of work, but to be secure the password requires a certain amount of entropy. The greater the entropy the harder the password is to guess, but the harder it is to remember. In a security class on campus the professor asked the students to login and register a password, telling us that it was to check our grades, but he then gave us the hash of the passwords, and told us to have fun breaking each other's passwords. I found nearly half of them, with a standard dictionary attack. Fully half of these computer science students in a security class were using passwords that were clearly un-safe. Sure, you can memorize one or two high entropy passwords, but you really don't want to use the same password for everything. Many "high entropy" passwords no longer have high entropy, because they are now in the dictionaries of common passwords.
If you use one password in many locations, especially on un-trusted web locations, the chances that your password will end up in a password dictionary used by hackers goes up rather rapidly. If you use different passwords for each location, then you must remember all of them, and this becomes increasingly difficult. The solution? Write your passwords down, then you can use truly cryptographically safe passwords, and at what cost? If your passwords are stolen, then you are in trouble, but it is rather easy to protect against that, and the chances of getting hacked from a remote location are much higher than are your chances of getting hacked from a local person who could steal the written version of your passwords. My solution is to keep all my passwords on my keychain, in a single file, which is encrypted with a single cryptographically safe password. I also have a single backup stored at home. If I loose my keychain, I am ok... if someone steals my keychain, I am ok. And my passwords are safe. This used to be paranoid, but the number of zombie machines out there, randomly guessing passwords is making this a reasonable solution. I have seen at least one account in the research lab where I work compromised in the manner described above because the professor in question had a good password, but one that just wasn't good enough.
I always tell people to use a good/strong password and tape it to the bottom of a router a home. I figure if someone has physical access to your router to see your password, your system has long since been compromised.
Let's be reasonable. That depends on 1) what you do with the piece of paper you wrote the passwords on, and 2) the way you wrote it.
Why? If you keep it, say, in your wallet, that implies somebody having to steal it in order to get your passwords. You're then forcing a possible attacker to rob you first in order to get what he wants, and that's not really easy in most cases.
And why should I be careful with the way I write? If you managed to forget it somewhere, it's less obvious an attacker will get something if you don't specify what the passwords are for. E.g.:
less secure note
"Ebay account username: dumbdude, password: ebay_in"
less insecure
"smarterdude lockin" (employing non-related words)
It's easier to keep in mind only the usernames you need for each service. With practice, this is far more secure than employing passwords that are easy to remember.
Smart people will recognize here a way to probe for trusted people working in the same environment as you. Leave a piece of paper with a few fake username/passwords around. You can even put some web addresses or email accounts on it. Then check the access logs sometimes.
A very effective honeypot =)
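Two posts above talk about what the logs show: the one describing random-user/random-password attempts arriving from many zombie hosts, and the one above suggesting decoy credentials whose use you catch in the access logs. The following is an added example, not code from either poster, of the detection side of both ideas run over a handful of constructed sshd auth-log lines (documentation-range IPs, invented usernames; `backup_admin` is an assumed decoy account name). It flags a source trying many usernames, a username being tried from many sources (the spray pattern), and any use of a decoy account.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in auth.log format (not real logs).
SAMPLE_LOG = [
    "Jun  8 10:01:02 gw sshd[1201]: Failed password for invalid user oracle from 203.0.113.5 port 51102 ssh2",
    "Jun  8 10:01:09 gw sshd[1203]: Failed password for root from 203.0.113.5 port 51104 ssh2",
    "Jun  8 10:01:15 gw sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51106 ssh2",
    "Jun  8 10:02:03 gw sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2",
    "Jun  8 10:02:30 gw sshd[1212]: Accepted password for alice from 192.0.2.10 port 51120 ssh2",
    "Jun  8 10:03:01 gw sshd[1214]: Failed password for invalid user admin from 203.0.113.99 port 40222 ssh2",
    "Jun  8 10:03:40 gw sshd[1216]: Failed password for invalid user admin from 198.51.100.200 port 40230 ssh2",
    "Jun  8 10:04:12 gw sshd[1218]: Accepted password for backup_admin from 203.0.113.99 port 40240 ssh2",
    "Jun  8 10:04:13 gw systemd[1]: Started Session 12 of user alice.",  # unrelated line, must be ignored
]

# Decoy account from the fake credential sheet; any use of it is an alert by definition.
DECOY_USERS = {"backup_admin"}  # assumed name, constructed for this example

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line):
    """Return {'result', 'user', 'ip'} for an sshd password-auth line, else None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {"result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect_spray(events, min_users=3, min_sources=3):
    """Spray indicators over failed logins: one source cycling through usernames,
    and one username being tried from many sources (the distributed variant)."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for e in events:
        if e["result"] != "Failed":
            continue
        users_by_ip[e["ip"]].add(e["user"])
        ips_by_user[e["user"]].add(e["ip"])
    return {
        "spray_sources": sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users),
        "sprayed_users": sorted(u for u, ips in ips_by_user.items() if len(ips) >= min_sources),
    }


def decoy_hits(events, decoy_users):
    """Every attempt, successful or not, against a decoy account: the 'honeypot' signal."""
    return [(e["user"], e["ip"], e["result"]) for e in events if e["user"] in decoy_users]


def analyze(lines=SAMPLE_LOG, decoy_users=DECOY_USERS):
    events = [e for e in (parse_auth_line(line) for line in lines) if e]
    report = detect_spray(events)
    report["decoy_hits"] = decoy_hits(events, decoy_users)
    report["events"] = len(events)
    return report


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Per-source thresholds alone miss the distributed case the post describes, because each zombie contributes only one or two attempts; the `sprayed_users` view, keyed on the username rather than the source, is what surfaces it. Against the decoy list the threshold is one: a successful login to an account that exists only on a piece of paper means the paper was read.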
I promise not to use this information.
Although it requires that you buy some hardware, you could consider getting a barcode reader and encoding your password into a barcode. Whenever you're asked for your password, just swipe your barcode (on whatever you printed your barcoded password to: paper, card, etc.) through the reader and you've entered the password. That way, you can carry your password around with you (in a safe manner, of course), most people won't know what it is, you can randomly generate any crazy password string and not have to worry about forgetting it, and everyone's happy! Just be sure to change your password and update your barcode every so often...
I have a few passwords and similar secret information written down. I keep them in my gun safe.
I consider that to be very strong security and completely reasonable.
I have the password on my wireless router written on the router, the password to my Linux box written on the box, and several other passwords to devices written on the device.
The general idea is that I don't care if physical access is obtained (I have other things to worry about then), but I want remote access to be limited.
If the device is accessed physically, then I have someone in my house who ought not be there. I will either be away or more worried about my personal safety, and the safety on my handgun, than having my system turned into a zombie box or having my high speed internet access stolen!
Phil
Try it for yourself. Try searching for "Macslut" and "password", oh wait....sh*t!
Really, common sense is needed here. Writing down a password hidden amongst a bunch of text on a bunch of papers on a desk that nobody has access to is not as risky as writing down the password that unlocks everything on the bottom panel of your monitor.
I used to have a sys admin who was a jerk about resetting passwords "for security", so I made a point of creating a dry erase panel on the bottom of the monitor that read "The Password is ___", and then filling in the password whenever it changed.
I use SplashID.
Like many others, I need to remember lots of passwords, including lots of root passwords to SSH into machines; so I have modified SSH so it will decrypt a file containing triples (machine, user, password), given a master password, which happens to be my root password and that for a 'gringotts' file of all other interesting secrets, so I only have one password to remember, and change. So I commend the 'gringotts' approach, also available from Schneier's PasswordSafe for Windoze.
You do have to copy the files to a CD or floppy and put a post-it note on it in case you get run over by a bus!
Could some visitor climb under my desk and look at the password if they wanted? Yes, but they could also climb under the desk and hit the reset button, and it's not *that* big a stretch to figure out that the DHCP is now set for 192.168.0.0/24 instead of 192.168.1.0/24.
Bill Stewart
I am the (one and only) sysadmin at a K-12. I have done a decent job of keeping documentation, but what am I supposed to do with passwords? There are so many of them and they are mostly in my head or in my PDA. Should I write them down somewhere? Should I keep them offsite? Any suggestions?
So your bank pass might be "qimybank41", your slashdot pass might be "qislashd41", and your paypal "qipaypal41".
This generates a 9-10 character password that is cryptographically strong while enabling you to instantly remember any password for something you use.
It is, of course, strongest when the first and last sets of keys are randomly chosen; you should also practice common security such as not letting people read over your shoulder.
If you don't reveal your modifying keys (intentionally or by stupidity), the only way your pass will be cracked is if your computer is already compromised (ie, packet sniffers and keystroke loggers).
You mean if he's wrong! The poster says no one will find it! Reminds me of 'Wargames' where the school's passwords are on the secretary's desk.
Since KeePass is Windows only, I suggest Linux readers try Gringotts or this article for other ideas. Also have a look at FSF's suggestions for encryption here.
Mine are all in a text file that is then encrypted. There are simply too many to remember these days and I find myself referring to that file frequently. As long as I don't forget my passphrase I guess this is a good solution. Mike
On the subject of password storage, I love programs like KeePass for personal use, where I am the only person accessing the file. However, none of these programs work very well in a multi-user environment primarily because of file locking issues and the like.
At work we have several passwords which need to be shared between multiple people (admins, devs, management, etc). Yet I have been completely unable to find any truly multi-user variation on this theme. Also, all of the desktop apps that I have found use a single master password, and have no capability for a username/password style of authentication to control who can see what passwords.
If anyone knows of anything like this, I would greatly appreciate some sharing. (Or if someone wants to write one, I'd happily beta test for you
I too have been using a couple of different password apps, first on my Handspring, then moving to "Keyring" on my Tungsten last year. Unless you're in an environment where there's a government sanction against recording certain passwords on your PDA, it just can't be beat.
I'm sorry, but anyone who says it is OK to write down a password is giving bad advice. Why? You might ask, well...
Writing down a password means you have 2 places that it exists - your brain (maybe) and the piece of paper. Now, in general, most people are close enough to their brain to monitor it. This doesn't hold true for your piece of paper.
Do you ever lock your wallet in a locker when you go to a gym? How about when you go to the beach? Does it stay inside your shoe? How about when you are at home? Is it on a table by the front door - even when you sleep or are working in the basement or mowing your lawn?
From the earlier article, I know that if I can get access to Ballmer's wallet for ~17 seconds (2 to open it, 5 to find the piece of paper, 3 to unfold it, 2 to take a photo, 3 to fold it, 2 to replace the paper and wallet), I have all of his passwords. Is this worth breaking into a locker or his house? Quite possibly, depending on who I am. I know a lot of people in the financial world who have passwords for their accounts that perform electronic bank transfers. I know one who routinely authorizes transfers of $100s of millions a week.
This is why we don't have passwords stored in the clear in the passwd file. We store a hash of it. So it doesn't exist anywhere except in the user's brain. In your wallet, it is as secure as a $5 padlock, that ANY locksmith can get the combination to by contacting the manufacturer with the serial number. (Yes, if you use a Medeco lock you are safe, but who buys them for their locker?) Even worse, your lock uses a key, that anyone who practices for a few days can pick, and a professional can pick in a few seconds. Now your password is compromised and you have no clue at all that it has happened.
It might be tough to come up with a good password generation scheme and remember a lot of passwords, but it isn't impossible. If you use a pattern of [abbreviation of favorite movie][couple letters of website address][abbreviation of a book][code for website use][any word or part thereof] you have a tough "random" password. This type of password was shown to be as good as a truly random password in a study that was in a fairly recent issue of IEEE Spectrum or Computer. (I don't remember which one).
Attackers go for the weakest link in the security chain. Don't make me ask: "What's in your wallet?" Ouch. That was so lame it hurt me, and I came up with it.
* - Code could be ccv for Credit Card Visa, obj for online banking, joint account, or completely unrelated like x1j for Slashdot account.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Here's a real world example of what happens when passwords are not managed appropriately. A relative recently died. He knew the end was coming and so wrote down a password list, safe combination, bank account numbers and the like. But he forgot about the decade-old cc:Mail files he had sitting on his computer. The data is of possible historical, maybe even legal interest. The c:\LOTAPPS\INSTALL.TXT file says it's cc:Mail 6.03. Does anyone have a notion of how to crack them?
It's writing them down and pasting them ON THE FUCKING COMPUTER THE PASSWORD APPLIES TO!
If you store them in your wallet and your wallet gets stolen, you'll KNOW IT and can change the passwords long before they represent a risk - because your wallet is more important to you than your passwords (unless you're the President or system administrator of something really valuable to YOU.)
I don't know why every computer doesn't come with a connector that accepts devices which hold your encrypted passwords. Oh, wait, they do - it's called USB and USB thumbdrives. (Okay, some old machines maybe don't have USB - upgrade!)
Lose your thumbdrive? Put it in your wallet. You won't lose that unless you're a real moron or get pickpocketed a lot.
Hint: don't use a regular wallet, use an ankle holster or neck holster. I got pickpocketed on the Number 38 Geary bus in SF (notorious for pickpockets), so I got a neck case to hold my cards and money. It could hold a thumbdrive, too. Only problem is it looks funny under my shirt...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
For the longest time, I kept all my passwords in a notebook and used the following method... slksnakajdh uqoplpolws Which would spell "slash", if you take the first letter, then count over to the fifth letter on the bottom line, then count five more over on the top line, then five over on the bottom, then five over on top. Just because five is my favourite number.
Meh.
Sorry, those lines should have been
slksnakajdh
uqoplpolws
I keep forgetting about Slashdot converting everything to HTML formatted by default (i.e. no line breaks unless specified).
Meh.
KeePass is my most highly recommended application for keeping track of your passwords securely.
http://keepass.sourceforge.net/
Everybody seems to have a killer app, GPL'd or not, or a magic USB-something to keep the passwords safe. But how can you be sure that your specific technology is not flawed? Crypto-math is strong (or so we suppose) but methods, procedures and people are less so.
It is much better to resort to a different mechanism that would require the intruder to have both technological knowledge AND physical access. So, write down the darn password!
Even in the 'obvious' attacks of co-workers or angry ex-wives, by using a written medium you greatly limit the number of people with access to your stuff (no packet sniffer can read that paper on your desk). Those attackers will likely be deterred by the fact that a break-in would quickly connect to a specific group of people.
Carlos J. Hernandez
cuz there is no way in hell they'll remember the crazy ass ones I generate and change every 6 months. I'd rather have someone have to physically breach security than be able to have their way with the systems should they break in via the internet somehow.
I use Strip to keep my passwords on my PDA. The database is AES encrypted, and I've found it quite convenient. Downside is that the password generation doesn't appear to work properly with PalmOS 5. Anyone else find the same?
I'm sitting here reading /. because I fucking can't remember the fucking root password to a server that I'm supposed to administer as a favor to a friend. I changed it two months ago, haven't needed to get on the fucking machine since and now, when I need to fix it, I can't remember what the fuck I changed it to. And no, I can't just stick a rescue boot disk in because I don't know what fucking city the server is in.
Note to self: Next time, write down the fucking password and put it in the fucking file cabinet.
Note to poster: Did you ask this fucking question just to fuck with my mind or was it pure coincidence?
FreeSpeech.org
When setting up something like a router, I place the password on a piece of paper, taped to the bottom of the unit.
Basically turning it into a physical security issue. More than once I've been thankful for said password being on the bottom of the unit. After all, it's already a well-known and accepted security fact that physical access = 0wn3d, so you can't really make matters worse by doing this, but you can prevent the "forgot the password" scenario.
We have one customer that has called us several times because she's having problems accessing her router. Each time the conversation goes "I've forgotten my password, how do I reset my password on my airport?" "Ma'am, your password is taped to the bottom of your airport." "It is? Oh look there it is. When did I do that?"
*sigh* At least it saves us from having to remember the password itself for her.
Someone's going to point out this looks like the "leave the key under the mat" scenario, but if they have physical access to your router, they're already inside your door - if you can't control who has access to the router, there's little point in even bothering with a password other than to keep the Wal-Mart kiddies from playing with it.
I work for the Department of Redundancy Department.
One of the best pieces of usability software ever.
I use a naming scheme for all my passwords whereby a passphrase is constructed from the "name of the site"|"name of activity" a non-alpha character and a constant string that I use for every password in my life. I simply can't forget my password - it's encoded in the context of whatever activity requires it.
I do like programming things that work super quickly, especially when they work super quickly, super quickly.
Well, it is said that once someone has physical access to your machine, all security features are almost null and void. Shoot, just bringing a Knoppix CD bypasses most of it. Now in a corporate world where everyone has physical access, that's a different story, but I think this is in reference to home machines.
"And The Geek Shall Inherit The Earth" --Jeff Darlington
Several years ago I came to realize that one can either work with human nature and win; or work against it and lose. In the arena of passwords anyone who recommends NOT WRITING passwords down is declaring themselves against human nature. I tell users, "By all means write your password(s) down. However, treat that piece of paper like it were a $1000 bill. You wouldn't put a $1000 bill in your desk or under your keyboard. Don't do it with a password." It isn't the written password that is the problem. It's the casual treatment of something valuable.
Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.
A similar program, free for personal/non-profit use, but with a less klunky interface, is AnyPassword.
I'm sick and tired of these hip, "ironic" sigs. This is an actual, honest-to-goodness no-nonsense sig!
Of course these companies are recommending users write their passwords down. They are well aware of how easily a PC / system can become compromised. So with one little Trojan all your passwords become usable by unscrupulous third parties.
However, suggesting people write them down is just a knee-jerk, ill-thought-out reaction to a problem they currently have no control in solving.
Common sense and more awareness... A little less trust in things that are said to be secure...
If you use the Internet, or other open network systems, Bluetooth, WIFI etc and you use a password or personal data to log on... then it is not secure regardless of what you are told.
Did nobody notice that this is indirectly targeted at companies who had workers laid off, just to find out they can't get access to databases protected by passwords from those workers?
....
If they have the passwords 'in a safe', the layoffs are less problematic for the companies
Solid passwords can be created and retrieved easily if chosen using a judicious personalized mnemotechnic method. For example, say you need a password to login as "John Doe" on "Slashdot News for Nerds, Stuff that matters". Using a combination of initials and special characters your password becomes: jd%snfnstm I use variations of similar techniques for my passwords which makes it very easy to remember them for me and very difficult to find out for others.
Real men just upload their passwords to (anonymous) ftp, and let the rest of the world mirror them.
I keep my passwords and personal details on a USB key as I need to carry quite a lot around with me. There are 2 flaws in this system. 1 - I lose it, 2 - Someone steals it from me.
Both are countered by encrypting the data with a single password that I keep in my head.
TBH if someone is going to try and mug me for it I'd rather worry about my life and well being than a few passwords on my key. Besides, I can change the passwords by talking to the sys-admin types and that may take a day or so. A broken arm or fractured skull will take much longer to fix.
Time flies like an arrow. Fruit flies like a banana.
I've used PasswordSafe for years now and haven't had any trouble with it at all. PasswordSafe was originally written by Bruce Schneier, the oft-quoted security expert. It's now open source and has picked up some nice functionality. From Schneier's web site:
"Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm."
http://www.targus.com/us/product_details.asp?sku=PA460U
we see things not as as they are, but as we are.
-- anais nin
...to gain access to your phone book?
Pathword : http://www.cryptme.com/e/PathwordDescription.asp You can have 10 strong passwords on a credit-card sized memo, with only you able to read it ... so powerful, but it's not free (even if it is easy to reproduce)
The Machine stops.
probably quite true, I'm sure no fucker is reading mine!
-- "Can't sleep, clowns will eat me!"
in piglatin
I generally have passwords I don't use often written down (server root pw, etc.) but then if I start using it, even if it's awkward, I end up remembering it, so that password list is destroyed, and a new one is made without the memorized pass included. It seems to work fairly well. Just don't lose that little note card :D
My suggestions:
#1 Write your passwords down in runes, or some other childhood code that you have remembered. This will keep your passwords safe from normal ppl.
#2 Memorize several alphanumeric strings and give them names. Modify these passwords with non-alphanumeric characters at the beginning and end. You can write these passwords down in a short form that no one other than yourself will readily decipher. If you fear memory loss at some point in the future, write down your password strings and put them someplace safe and obscure. You may wish to implement suggestion #1 when you write down this list.
#3 Store your passwords in a text file that is zipped, passworded, and then renamed to a JPG or MP3 or EXE. Store this file on removable media and label it with something obscure that no one would be interested in: floppies labelled "DOS 3.2", CDs labelled "old old wares" or "system ghosts", or a removable flash/USB drive.
#4 Store your passwords in a text file. XOR that text file. Zip the text file with password encryption, then append the file to the end of another file. Store it on a 5.25" floppy.
#5 Give your passwords personal security levels: 1 - Anyone, 2 - Friends, 3 - Coworkers, 4 - Significant other(s), 5 - No one.
Between work and home I've got several hundred passwords. For 'security' purposes some of them age and expire every 60 days. Don't know 'bout you, but I can't remember that many passwords and user ID's. I keep them all on my PDA. I take my PDA everywhere with me (OK, so I'm a geek). The PDA has an application that encrypts the file of passwords (I forget whether it uses Blowfish or IDEA). I remember ONE password which lets me access or update the other passwords.
[Insert pithy quote here]
Even before I took a job as a sysadmin I had too many passwords on different systems to remember. So I invented some rules for writing them down:
1. Obviously: don't write them in a public place, meaning anywhere a guest, janitor, or thief visiting my office could find them.
2. In a pocket address book or on a wallet card, don't make a system:user:password list, write down the passwords only with no indication of what system and user name they are for. Maybe add a few phone numbers or nonsense strings. That way if my book or wallet is lost and found by a stranger it won't give enough info for someone to figure out where a password is valid and for what username. Trust my memory for my login names and names of my workstations/servers/ISPs.
3. When it gets to the point where you just have to re-use the same password on multiple machines think about differential vulnerabilities. Maybe I will use the same password on two Windows workstations in the same office, but I use a different one on Mac or Linux boxes -- if someone can access one Windows box and find my password he can probably break into the one sitting next to it just as well, but why give him the password for the Linux box, too.
4. When I became a system administrator I bought a PDA to replace my little black address book, and I use an encrypted file for my passwords. And then I was very careful never to lose the PDA or leave it where it could be stolen.
Put all your login names and passwords in a text file, and password protect the file.
Oh, wait...
This sig is false.
If you've got a bunch of machines that rarely need to be messed with locked inside rooms/closets that will be in easy reach of the administrator(s), you can give each one a unique, high-entropy password and tape it to the box. Then a compromise of one of them will not compromise any others. If an attacker has physical access you're 0wn3d anyway.
This is particularly useful when you're doing a small business setup, when the "administrator" is the person in the office with the strongest computer skills, but has a completely different job description, and is likely to lose track of a notebook or whatever else. Contrary to the environments a lot of slashdotters work in or have worked in, most people work in companies with no dedicated technical staff, so it's quite helpful to set them up with something like this, especially if you're the contractor/friend/relative who they'd call when they need to change something and can't. Anyone who's done enough support has probably had the realization that every request to change/reset a password is an inherent security risk.
The physical access warning is key though. Left to their own devices, they won't think twice about putting the server in plain view in the reception room.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
... like Passwords Plus, which is available for Windows, Mac, & Palm; you can read its specs here. It's like a database program where you define the fields, though some predefined templates are included.
Hiding your password under the keyboard is probably still a lot better than using a weak password.
Someone with physical access to your desk and enough time for a reboot probably has total access to your machine. (_USUALLY_ - this certainly assumes unencrypted disks, no BIOS boot passwords and bootable CDROMs. But these are 99% true)
And they might've left fingerprints. And somebody might know they were at your desk...
But with a weak password someone potentially has REMOTE access to your machine. I'd take a memorized hard password over a written one, and it's certainly better to hide it better. But I'd take a strong underkeyboard password over a weak memorized one.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
..."fucking"?
Honestly, I believe in practicing what one preaches. I have witnessed too many occasions where passwords have been stolen, even from a secure physical location.
On the other hand, I 100% support personal encrypted password safes; particularly for those who need to keep 10+ passwords for various systems and do not want some complex algorithm for mental generation and maintenance of said passwords.
I also have difficulty supporting password generator programs; because if a machine can generate the password, no amount of system state or entropy is going to prevent another machine from eventually duplicating the passwords (perhaps using the same code as the generator). Of course; one would be careful to make sure that the password generation program is not sending its creator the passwords it generates!
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.