Slashdot Mirror
Writing Down Passwords?
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
Ive actually done that... should I be shot? Not plain text of course, simply use a word shift encryption which can be easily deciphered by hand. I posted all my current passwords like that and it has come in handy quite a bit. (I also have posted same list on slashdot comments)
See Jon Udell's
Simple single sign-on article from May 2005:
It points out a few simple solutions that will solve many people's problems.
Simpy
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password
I Am My Own Worst Enemy
Just as long as they're being appropriately hidden. One of the few times that I ever snapped at a user without being provoked was when I saw, in the HR department, the name of the bank, dial-up number, account number, and password for the payroll account on a Post-It on the user's bulletin board, with the following words in big letters:
PAYROLL ACCOUNT MASTER LOGIN
I ripped it down and handed it to her, telling her somewhat angrily that she needed to lock it in a secure location, or I would escalate it to the head of HR and the head of IT. I came back everyday for a week, and periodically for a few months afterward, at times when the user was not there to ensure that it had not been placed in any semi-obvious location, and that all of the cabinet drawers were locked. I still ended up telling the mentioned managers, but in a more general way that they needed to do more to focus on security of accounts, among other things. They implemented training a couple of weeks later, fortunately.
You can never go home again... but I guess you can shop there.
Several years ago I came to realize that one can either work with human nature and win; or work against it and lose. In the arena of passwords anyone who recommends NOT WRITING passwords down is declaring themselves against human nature. I tell users, "By all means write your password(s) down. However, treat that piece of paper like it were a $1000 bill. You wouldn't put a $1000 bill in your desk or under your keyboard. Don't do it with a password." It isn't the written password that is the problem. It's the casual treatment of something valuable.
Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.