Slashdot Mirror


Writing Down Passwords?

Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.

24 of 428 comments shown

  1. Has something changed in the past 2 weeks? by winkydink · Score: 3, Insightful

    Aren't all the reasons that this is a good/bad idea the same as they were then?

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  2. sound reasoning? by rd4tech · Score: 2, Insightful

    which ran a few weeks back, and which has some pretty sound reasoning behind it.

    I do believe that there is also "some pretty sound reasoning" when the users decide to share their whole drive together with the passwords on P2P. I mean, by doing that, one can sleep peacefully knowing that his password is redundantly stored, for the next n years.

    Give me a break. Security is designed by the need for it. There is a need to protect your email password because even email has a legal standing as a form of communication. Same goes for your personal and work files.

  3. Common sense! by timthorn · Score: 2, Insightful

    In your own home, who else is going to find a piece of paper with your password on? For a router that you configure and forget, writing down the password sounds reasonably sensible to me.

  4. Re:recommendations? by cursion · Score: 5, Insightful

    I've got this thing called a spiral bound notebook...

    --
    remember when it was {of|for|by} the people?

  5. Yep by spydir31 · Score: 1, Insightful

    I write my passwords down, most of them anyway, on my Palm, using Keyring.
    Everything's protected by a master password and triple DES, so it's fairly secure.

  6. Even better - KeePass by Draknor · Score: 2, Insightful

    I found out about KeePass (http://keepass.sourceforge.net/) on that previous story, so I've started using it. It's a very handy utility to have! It can keep track of all my passwords for various email accounts, websites, etc. It's a simple program that (based on my experience so far), just works!

    If you wanted portability, you could keep your password database on a USB memory drive and carry that around with you.

    I see that they just released 1.0 on June 4th - congrats!! I highly recommend people check it out!

  7. Keep ass? by Intron · Score: 2, Insightful

    Kiss your ass goodbye if you lose that password!

    --
    Intron: the portion of DNA which expresses nothing useful.

  8. Dumbness by shipwreckedkenny · Score: 2, Insightful

    Writing the passwords down is good for remembering, and that itself is not what makes it a security issue. It is writing it down and leaving it for someone else to find that is bad.

    A year back at my old school, a teacher left her password for school network access taped to her monitor. A student found it and used that to take down the entire network. Took down everything from the entire school's grades, email, library system and of course internet access.

  9. Context! by coyote-san · Score: 3, Insightful

    Should you drive on the left hand side of the road, or the right hand side?

    Despite what some people seem to think, there's no "right" answer other than following the context. I live in the US and routinely drive on the left hand side of the road... on one way streets where I'll be turning left soon. I've done it on interstates... where the right hand lanes were closed due to construction and the oncoming traffic was moved onto the access road.

    Writing down passwords is the same deal. It's a Bad Idea in your cubicle. It's a Cause For Termination Idea if you're a sysadmin.

    But on a router at home, or in a locked wiring cabinet? It's a damn good idea. On a card in your wallet, especially in that zippered compartment so it can't accidentally slip out? Good idea, unless you routinely leave your wallet unsecured. In which case you're an idiot with bigger problems than just writing down your passwords.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

  10. Could be by Have Blue · Score: 4, Insightful

    Well, how good is your physical security? If the system will be accessed from an environment where there are likely to be unauthorized people wandering around all the time (large office, public area, etc), then don't write it down. If the system will be accessed from a place that only people you trust have access to (home), then it's not a danger, and if your home is ever compromised, having your router password in plain sight is the least of your worries.

  11. Re:write them down without detail.... by Daniel Baumgarten · Score: 2, Insightful

    If you're a pocket-picking cracker with common sense, you'll probably realize that "Hey, this business card with nonsensical combinations of letters and numbers scribbled on it might actually have some sort of significance." Or maybe the owner just has an ASCII fetish.

    Disassociating the passwords is of course a good idea *if* you must write down your passwords because this way if you just lose it, no one will know how to use the information. It doesn't protect you from a thief, however.

    --
    "Screw slashdot." -- Linus Torvalds

  12. Webmail + symmetric crypto by Deagol · Score: 1, Insightful

    I have, burned into my brain, a handful of passwords. A few are low-security passwords I use for throw-away or low-security internet services (one-time gmail accounts, Netflix, Slashdot, K5, etc.), while the others are used for sites needing moderate security (my 2 online bank accounts, etc.).

    Then I have a few *really* strong passwords that I use to encrypt text files holding passwords that either belong to myself or other entities (customers, etc.) using GPG's symmetric method. I retain copies of these files locally, but I also store them for safekeeping on my primary gmail account.

    Trust me -- nobody's guessing the hard password, nor is it brute-force-dictionary crackable. Unless there's a major breakthrough in cryptanalysis or quantum computing, my files are safe for a good while.

    No, I'm not arrogant. But I think I go through the hoops that a "normal" person needs to go through for securing this kind of stuff. My adversaries don't include the US Gub'ment, multinationals, or other countries.
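
The workflow this post describes (a plain-text password list encrypted with GPG's symmetric mode, with copies kept locally and elsewhere) as an added shell example; it is not code from the post or from the thread. It assumes gpg 2.1 or later is on PATH, feeds the passphrase over a file descriptor rather than the command line so it does not show up in the process list, and refuses to treat the ciphertext as good until it has decrypted back to the original bytes. The AES-256 cipher choice and the file names are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's own setup. Assumes gpg >= 2.1.

# Encrypt file $1 to $1.gpg with passphrase $2 using GPG symmetric mode.
# The passphrase is read from stdin (fd 0) so it never appears in `ps`.
vault_encrypt() {
    printf '%s\n' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --symmetric --cipher-algo AES256 \
        --output "$1.gpg" "$1"
}

# Decrypt the .gpg file $1 to stdout with passphrase $2.
vault_decrypt() {
    printf '%s\n' "$2" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$1"
}

# Encrypt, then decrypt and compare against the original. Returns 0 only when
# the round trip reproduces the plaintext byte for byte, so a caller never
# deletes the plaintext copy on the strength of an encrypt step that failed.
vault_roundtrip_ok() {
    plain=$1
    pass=$2
    vault_encrypt "$plain" "$pass" || return 1
    vault_decrypt "$plain.gpg" "$pass" | cmp -s - "$plain"
}

# Typical use (constructed file name):
#   vault_roundtrip_ok ~/passwords.txt "$PASSPHRASE" && rm ~/passwords.txt
```

The round-trip check is the part worth keeping: a copy stored in webmail is only a backup if the file actually decrypts, and the passphrase in a fresh shell is the first thing that gets mistyped.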

  13. Like anything else by wowbagger · Score: 5, Insightful

    The security of writing down passwords depends upon the security of the paper they are written upon.

    If you have a router/firewall on your Internet connection, and you write the password(s) to the router on a piece of paper taped to the router, then you are not really reducing your security - if the bad guys are in the room reading the password you are already in trouble.

    However, if you write your workstation password down on a piece of paper under your keyboard, and other people can reasonably be expected to have access to your office, then you are greatly reducing your security. If, on the other hand, you have your password written down on a piece of paper you keep in your wallet, then the reduction in security is fairly minimal - especially if there is nothing in your wallet that would lead the bad guys to your workstation.

  14. Re:keepass.sourceforge.net by traabil · Score: 2, Insightful

    Has anyone used this product at all? http://keepass.sourceforge.net/ If so would you care to comment on using it?

    I for one have been keeping my ass for quite many years now, and it has worked fine for me. YMMV

  15. PASSWORD SAFE!!! by Mr. Flibble · Score: 2, Insightful

    Bruce Schneier's (now open source) app, Password Safe, is exactly what you need to "write down" passwords with. You only need remember a single password to decrypt the database. And since the database uses Blowfish, it is pretty damn good.

    I have over 50 username/password combos stored in mine with a strong password to open the database itself.

    If you need to write down a password, this is the way to do it.

    --
    Try to hack my 31337 firewall!

  16. Who cares? by brunes69 · Score: 3, Insightful

    If you are willing and able to get into the wire room by any means (either by breaking in, or sneaking in, or even walking in), why would you bother with the password? You could just install a hidden tap and be done with it.

  17. physical password security by mr_burns · Score: 2, Insightful

    I tell my users that if they do write down their password/creds that they should treat it in the same way they do their driver's license or passport. After all, those are credentials too and it provides a good analogy so people can better understand what their responsibilities are regarding them.

    That's often not enough though. I also tell them the first time I see their creds in the open that I'll remind them of the policy. After that, their password documents will be destroyed immediately and without notice on sight if discovered in the open again... and that their password will be changed just as fast.

    Call that a bit draconian if you will but I see it as a way to meet people in the middle. I can issue strong passwords without having to think about whether people will remember them, and as long as people treat their credentials like responsible adults I don't have to worry about adverse disclosures.

    Truth is people are going to write down their passwords no matter what you tell them to do. Providing a climate where people aren't afraid of admitting it and setting an official policy regarding how that's handled can help you manage risks that otherwise would be hard to approach.

    --
    "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)

  18. Re:recommendations? by Carnildo · Score: 1, Insightful

    I went high-tech. I'm using software called "Keyring" on a Palm Zire 21 PDA. It protects my password list using triple-DES encryption, and I'm using a 25-character passphrase.

    It's also smaller and easier to carry around than a notebook.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.

  19. Re:recommendations? by zoeith · Score: 2, Insightful

    I think that they want people to write down passwords so that people will feel okay making more complex passwords. That way they [won't be / are less likely to be] ripped off by a bruteforce dictionary attack, just a crowbar attack through their front door.

    --
    Zoeith

  20. Re:recommendations? by jaseparlo · Score: 2, Insightful

    Song lyrics are useful too: TaLWSATGiG = "There's a Lady Who's Sure, All That Glitters is Gold". Usually gives you mixed case too, if you treat it like a title (i.e. minor words like "is", "as", "the", etc. are lower case).

    --
    All available data suggest that regardless of any of this, the sun will still come up tomorrow.
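
The initial-letter rule from the post above, implemented as an added shell example (not the poster's code): it keeps the first letter of each word, lower-cases the "minor" title words, and upper-cases the rest, then runs the length and mixed-case checks a password policy would apply before accepting the result. The list of minor words is this example's own choice; the post only gives "is", "as" and "the" as instances.

```shell
#!/bin/sh
# Added example, not from the thread. Minor-word list is an assumption.
MINOR_WORDS="a an the and or of is as in on to at for"

# Print the initial-letter mnemonic for the lyric line given as $1.
# Punctuation is stripped so "Sure," yields S; apostrophes stay inside words.
lyric_mnemonic() {
    printf '%s\n' "$1" | tr -d '.,;:!?"' | awk -v minor="$MINOR_WORDS" '
    BEGIN {
        n = split(minor, m, " ")
        for (i = 1; i <= n; i++) isminor[m[i]] = 1
    }
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            key = tolower($i)
            c = substr($i, 1, 1)
            if (key in isminor) c = tolower(c); else c = toupper(c)
            out = out c
        }
        print out
    }'
}

# Policy check on the generated string: at least 10 characters and both
# letter cases present. Returns 0 when the mnemonic passes.
mnemonic_ok() {
    pw=$1
    [ "${#pw}" -ge 10 ] || return 1
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    return 0
}

# Example run (the lyric line quoted in the post):
#   lyric_mnemonic "There's a Lady Who's Sure, All That Glitters is Gold"
```

Short lyric lines fail the length check, which is the practical limit of the technique: the mnemonic is only as long as the line you can remember.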

  21. Re:recommendations? by Anonymous Coward · Score: 1, Insightful

    that's a lil dumb ya know
    say i am a sys admin at slashdot, and i happen to be a son of a bitch, and i browse through the passwords of users, and see a username "milimetric" with a password "blumpy&slashdot", then i take a wild guess and go to some bank's website and try the username milimetric with a password blumpy&bank or blumpy&bankname .... or couple more logical variations... couple of more banks...
    and i leave the rest for your imagination....

  22. Re:recommendations? by pAnkRat · Score: 1, Insightful

    No, I use "Strip" for my palm.
    Passwords are only revealed if I type in my 12 char long passphrase.
    Because I sync my palm at home and at work (very good for keeping addresses and calendar in sync)
    Now if someone mugs my palm, he cannot access my passwords (take a looong time to bruteforce it)
    And I just grab any other palm (they are pretty cheap on ebay now) and do a sync, problem solved.

    --
    we need an "-1 Plain wrong" moderation option!

  23. Re:recommendations? by FireFury03 · Score: 2, Insightful

    Just as long as they're being appropriately hidden.

    There is something to be said for a report like Microsoft's, which has proper reasoning behind it, etc. But NetGear's idea of telling the average end-user that "the experts are wrong, there's no problem writing your password down" just encourages people to write their laptop password on a post-it and stick it to their laptop (which is *always* a stupid thing to do).

    If you're going to tell people to do something that may risk security, you _must_ tell them when it's appropriate and how to limit the security risk.

  24. physical access by Chris Snook · Score: 2, Insightful

    If you've got a bunch of machines that rarely need to be messed with locked inside rooms/closets that will be in easy reach of the administrator(s), you can give each one a unique, high-entropy password and tape it to the box. Then a compromise of one of them will not compromise any others. If an attacker has physical access you're 0wn3d anyway.

    This is particularly useful when you're doing a small business setup, when the "administrator" is the person in the office with the strongest computer skills, but has a completely different job description, and is likely to lose track of a notebook or whatever else. Contrary to the environments a lot of slashdotters work in or have worked in, most people work in companies with no dedicated technical staff, so it's quite helpful to set them up with something like this, especially if you're the contractor/friend/relative who they'd call when they need to change something and can't. Anyone who's done enough support has probably had the realization that every request to change/reset a password is an inherent security risk.

    The physical access warning is key though. Left to their own devices, they won't think twice about putting the server in plain view in the reception room.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
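
The setup in the post above (one unique, high-entropy password per locked-away machine, taped to the box) as an added shell example; it is not code from the post. It draws each password from the kernel CSPRNG (/dev/urandom) rather than a seeded PRNG, reports the entropy of the chosen length so the "high-entropy" claim can be checked, and prints one label line per host so no two machines share a secret. The hostnames, the 62-symbol alphabet and the default length are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Alphabet and hostnames are constructed.
ALPHABET='A-Za-z0-9'   # 62 symbols: unambiguous to type from a paper label
ALPHABET_SIZE=62

# Print one random password of $1 characters over ALPHABET, sourced from
# /dev/urandom. LC_ALL=C keeps tr working on raw bytes.
gen_machine_password() {
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$1"
    echo
}

# Entropy in bits of a length-$1 password over an alphabet of $2 symbols,
# i.e. length * log2(alphabet size), rounded to the nearest bit.
password_entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.0f\n", n * log(k) / log(2) }'
}

# Emit "hostname<TAB>password" lines, one per host named in the arguments,
# each with a freshly generated password. Each line goes on that machine's
# label and nowhere else; a compromise of one reveals nothing about the rest.
label_sheet() {
    len=$1
    shift
    for host in "$@"; do
        printf '%s\t%s\n' "$host" "$(gen_machine_password "$len")"
    done
}

# Example run (constructed hostnames):
#   password_entropy_bits 20 "$ALPHABET_SIZE"   # 20 chars over 62 symbols
#   label_sheet 20 fileserver printserver backupbox
```

Twenty characters over this alphabet is roughly 119 bits, which is what makes the per-machine password safe to tape to the chassis: the only way to get it is to be in the locked room, and at that point the attacker has the hardware anyway.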