Slashdot Mirror


Writing Down Passwords?

Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.

8 of 428 comments

  1. Re:keepass.sourceforge.net by winkydink · · Score: 2, Informative

    My experience with it is that it is ok. I'm not a raving proponent, but it works as advertised.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  2. Re:keepass.sourceforge.net by goofy183 · · Score: 2, Informative

    I use it and it works well. I started when I got an online banking account that wouldn't let me use my standard username. I had to have mixed case and numbers in both my username and password. I got KeePass and now store everything in there.

    It runs in my system tray and I can click, enter my master password and have access to all my passwords. It has also let me use long random passwords for my very important sites since I don't need to remember them any more.

    Also you can use a USB key as part of the key to unlock the database so you have the something you know + something you have security.
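    The "something you know + something you have" idea in the comment above, as an added example that is not part of the original post and is not KeePass's own code or file format: the password and a random key file (what you would keep on the USB key) are hashed separately, combined into one composite key, stretched with PBKDF2, and only a salt and an HMAC check value are stored. The hashing layout, the iteration count and the check label are assumptions made here.

```python
"""Added example: password + key file as a composite unlock key.
Not KeePass's code; the layout below is an assumed illustration."""
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000          # assumed; tune to the hardware you unlock on
CHECK_LABEL = b"unlock-check"     # assumed constant the check value is computed over


def make_key_file() -> bytes:
    """The 'something you have': 32 random bytes you would store on the USB key."""
    return secrets.token_bytes(32)


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each factor on its own, then hash the concatenation (assumed layout).
    A missing or wrong key file changes the input, so the result changes too."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def master_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite with PBKDF2 so that someone holding the key file
    still has to do real work per password guess."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file),
                               salt, KDF_ITERATIONS)


def create_database(password: str, key_file: Optional[bytes]) -> dict:
    """Store only a salt and an HMAC over a fixed label; the key itself is never written."""
    salt = secrets.token_bytes(16)
    key = master_key(password, key_file, salt)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "check": check}


def unlock(db: dict, password: str, key_file: Optional[bytes]) -> bool:
    """True only when both factors reproduce the stored check value."""
    key = master_key(password, key_file, db["salt"])
    candidate = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, db["check"])


if __name__ == "__main__":
    usb = make_key_file()
    db = create_database("correct horse", usb)
    print("both factors:   ", unlock(db, "correct horse", usb))
    print("password only:  ", unlock(db, "correct horse", None))
    print("key file only:  ", unlock(db, "", usb))
    print("wrong key file: ", unlock(db, "correct horse", make_key_file()))
```

    The check value lets the program tell a wrong password from a wrong key file only in the sense that neither unlocks; it does not reveal which factor failed, which is what you want from a two-factor scheme.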

  3. Re:recommendations? by m85476585 · · Score: 2, Informative
  4. Also in Crypto-Gram (2001) by Bruce Stephens · · Score: 2, Informative
  5. vim has integrated encryption by ikewillis · · Score: 3, Informative
    vim has integrated cryptographic functionality through VimCrypt. See :help :X for more information.

    I have a rather large master password list for every server at work which I store this way. It's quite handy.

  6. Get a keyring by 26199 · · Score: 4, Informative

    A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.

  7. Re:recommendations? by dknj · · Score: 3, Informative
    I wrote this in 2 seconds, but it duplicates what the original post does. You need String::Random; you could roll your own, but I'm lazy and Counter-Strike is calling my name. Enjoy!

    use strict;
    use warnings;
    use String::Random;

    my $rand = String::Random->new;

    # One random three-character cell for each letter A-Z, printed three to a row.
    # A '.' in a String::Random pattern draws from the printable letter/digit/punctuation set.
    my @letters = ('A' .. 'Z');
    while (my @row = splice(@letters, 0, 3)) {
        print join("\t", map { "$_-" . $rand->randpattern('...') } @row), "\n";
    }
    -dk
  8. Re:recommendations? by Anonymous Coward · · Score: 2, Informative

    If someone found the card, a dictionary attack would be slowed down by a factor of... 1, because it's just a simple substitution cipher. Plus, you must use longer passwords, otherwise the two-char substitution means the actual key is only half as long as it is entered. It's still a neat system, because it's poor-man's two-factor authentication. You have something (a substitution cipher key), plus you know something (the original key). Strategically, it's better than storing the original key in your wallet, cheaper than an RSA fob and no authentication system tweaks are required. On the other hand, it's not the best solution either, because it essentially documents the keyspace, which makes it that much easier to brute force.

    Also, a "dictionary attack" doesn't have to mean someone scripting logons based on a dictionary. In fact, such a thing would usually not work. Assuming you could try 100 passwords/sec (pretty unlikely) it would take many, many years to exhaust an 8 char password with a 26 char keyspace. Success of a dictionary attack typically requires you have the hash and can generate & compare as many passwords/sec as you have compute power.
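    The card scheme from dknj's generator and the attacker's view of it in the comment above, as an added example that is not part of either post: build a card (one random three-character cell per letter), transcribe a memorised word through it, run a wordlist through the same card the way an attacker who found it would, and compare the search space with and without the card at the online guess rate the comment assumes and at an offline rate against a leaked hash. The card alphabet, the sample word and the wordlist are constructed here; the offline rate is an assumption.

```python
"""Added example: password card as a substitution cipher, plus the search-space
arithmetic behind the comment above. Constructed inputs, not from the thread."""
import secrets
import string

LETTERS = string.ascii_uppercase
CELL_LEN = 3
# Constructed card alphabet: the printable letters, digits and punctuation a
# '.' pattern in String::Random draws from (94 symbols).
CARD_ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365 * 24 * 3600


def make_card():
    """One random CELL_LEN-character cell per letter: the card you carry."""
    return {ch: "".join(secrets.choice(CARD_ALPHABET) for _ in range(CELL_LEN))
            for ch in LETTERS}


def transcribe(word, card):
    """What you actually type: each letter of the memorised word replaced by its cell.
    Same letter, same cell every time, which is why this is a simple substitution."""
    return "".join(card[ch] for ch in word.upper())


def dictionary_attack(typed, card, wordlist):
    """Attacker holding the card: push the wordlist through it. One transcription per
    word, so the card slows the attack down by a factor of exactly 1."""
    for word in wordlist:
        if not all(ch in LETTERS for ch in word.upper()):
            continue  # the card has no cell for non-letters; skip such entries
        if transcribe(word, card) == typed:
            return word
    return None


def candidates(word_len, attacker_has_card):
    """Passwords an attacker must try to exhaust the space. With the card it is just
    the original word, 26**n. Without it the typed string is CELL_LEN*n symbols from
    CARD_ALPHABET (an upper bound, since repeated letters repeat cells)."""
    if attacker_has_card:
        return len(LETTERS) ** word_len
    return len(CARD_ALPHABET) ** (word_len * CELL_LEN)


def years_to_exhaust(space, guesses_per_sec):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    card = make_card()
    typed = transcribe("lettuce", card)          # constructed memorised word
    print("typed password:", typed)
    wordlist = ["apple", "lettuce", "zebra"]     # constructed wordlist
    print("recovered via card:", dictionary_attack(typed, card, wordlist))
    # The comment's online scenario: 8 letters, 26 symbols, 100 guesses/sec.
    print("online, card known: %.1f years" % years_to_exhaust(candidates(8, True), 100))
    # Offline against a leaked unsalted hash at an assumed 1e9 guesses/sec.
    print("offline, card known: %.0f seconds" % (candidates(8, True) / 1e9))
    print("offline, card unknown: %.3g years" % years_to_exhaust(candidates(8, False), 1e9))
```

    The two printed offline figures are the comment's point in numbers: the card adds nothing once it is found, and an 8-letter word behind it falls to a hash-cracking run in minutes, while the same 24-character typed string without the card is out of reach.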