Ask Slashdot: How To Protect Your Passwords From Amnesia?
Phopojijo writes "You can encrypt your password library using a client-side manager or encrypted file container. You could practice your password every day, keep no written record, and do everything else right. You then go in for a serious operation or get in a terrible accident and, when you wake up, suffer severe memory loss. Slashdot readers, what do you consider an acceptable trade-off between proper security and preventing a data-loss catastrophe? I will leave some details and assumptions up to interpretation (budget, whether you have friends or co-workers to rely on, whether your solution will defend against the Government, chance of success, and so forth). For instance, would you split your master password in pieces and pay an attorney to contact you with a piece of it in case of emergency? Would you get a safe deposit box? Some biometric device? Leave the password with your husband, wife, or significant other? What can Slashdot come up with?"
Tell all your passwords to me, they'll be safe. Just don't forget who I am.
And then, whenever you need your password, just "ask Slashdot"! Of course there will then be some jokers who post incorrect passwords, but they will be modded down rapidly since anyone can check whether the password is correct or not. Just go with the "+5 informative" one.
Amnesia is most often associated with major brain damage, which means you have a lot more to worry about than your passwords. Now zombies, those are real, which is why I'm holed up here in the middle of Nebraska with enough ammo to put the entire state out. You hear that zombies, you'll never take me alive!
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security of my passwords then relies on the security guards at the gate.
For my personal passwords, I rely on security through obscurity: I don't believe that anyone can find my passwords in the giant mess that I call my office. If I get sick, I can use the recovery time to clean up my office. It will take weeks, if not months.
Btw, I don't need a terrible accident to forget passwords. It happens a lot for those passwords that I don't need too often.
Figure out how you can recover your password for every service and system you use, at the time when you first set up the account
1) You have every chance of just plain forgetting the password in the first place.
2) It's your way to recover your account if it's compromised.
3) It's a potential vulnerability in the first place.
4) It's almost impossible to figure out how you have things set up if you didn't sit down and lay things out properly in the beginning
If all your accounts send their password recovery emails to the same Gmail account, and that account doesn't have TFA, or it has TFA and you've never bothered to print off the master codes, you're saving yourself very little effort in exchange for the distinct possibility of completely screwing yourself over at a later date.
No kidding!!! What do you say at this point?
I have a master password which I then encode with a simple cypher of adding letters together. e.g. A + B = D.
I then get a sentence from a book/movie etc and essentially add these together:
myveryspecialpasswordisawesome
ALLYOURBASEAREBELONGTOUS
I then just stored the encoded version on a piece of paper around the house for example with a hint? ....?
adsfaudfjuasdfjadsufadsfjadsfdsaf, Air force
...suffer from amnesia. Passwords generally don't, so I would not worry about that particular problem.
And now excuse me, I need to water my keyboard.
Tattoo your safe deposit bank number (the bank of which required your biometric identity to get into the vault) on your arm. Maybe you should also tattoo the name of the bank (and address?) there, I seem to remember that he had problems remembering he had a safe deposit box there.
Nice try, NSA!
Store your passwords that are that important with a lawyer. That's what they're there for.
IIRC, Nemeth, Hein, Snyder, and Whaley suggest a sealed envelope in a safe (or locked away in a safe place). As soon as the seal's broken, you know that the person(s) who know(s) the combination/has the key indeed needed access to the password (in an emergency), so you may want to change the password in the future.
My password list is encrypted with a master password.
My wife knows the master password
In case that she has amnesia too, the master password is tied to an event in my life. When I (or somebody else) can remember that event, I can regenerate the master password.
It's generally wiser to keep passwords inside the head rather than on a file - encrypted or otherwise. But if you can't do that, keep it on a piece of paper, and if you're worried about others seeing your paper, well, lock it up somewhere safe, and if you're truly paranoid, you could always write your password with a system that only you know...example: if your password would be 15821e2a you could write 26932f3b instead, and only YOU know that you only shifted the numbers and characters one number ahead, you could do this to each second character in your code, or according to your own system. Your brain is the limit!
What this world is coming to - is for you and me to decide.
At Hackaday we're actually developing a solution that could work in your case. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating and storing long and complex random passwords for the different websites you use daily. It is designed to be as small as possible so it can fit in your pocket. The Mooltipass is composed of one main device and a smartcard. On the device are stored your AES-256 encrypted passwords. The smartcard is a read protected EEPROM that needs a PIN code to unlock its contents (AES-256 key + a few websites credentials). As with your credit card, too many tries will permanently lock the smart card. Therefore, you'd only need to share your PIN code with your husband/wife (5 to 6 numbers) And the whole project is open source.... http://hackaday.com/tag/developed-on-hackaday/
Write them all on post it notes and stick them to the edge of your monitor. Seems to work for all of the managers where I work.
Suppose you did indeed have an amnesia-proof password store. And then you get into a situation where you are scared to death (jackbooted thugs breaking into your house in the middle of the night, drag you off to some scary Cuban shore, ...) and you are so frightened by the ordeal that you forget your valuable passwords. So fine so good. But then there's your amnesia-proof solution, which brings your memories back. oops.
Write down some of the letters/numbers, enough to trigger your memory of the whole password but not enough for anyone to know what it could possibly be.
It's very easy to create unique passwords that are hard to guess, and completely trivial to remember. My method is this:
- I have 4 "stems" that are the first letters of 4 lines of poetry I remember from school. One stem is used for "very personal" things (ssh private key passwords for instance), another for login on "trusted" machines (my servers), and a third to use on various websites I trust moderately, and a fourth is a "junk" stem to use on shite websites (hotmail and the likes).
- To each stem, I append 2 digits (always the same)
- I prefix each stem with the first 3 letters of my username, and I append the 3 first letters of the machine's name, or website name I'm logging onto, after the digits.
- Finally, I append the number of letters in the machine name or website name (sans www. or .com).
The passwords that I create that way are reasonably secure, usually unique, and all I have to remember is a poem, my username for a particular machine/website (those I can store somewhere in plain text just in case) and the method to derive the corresponding password.
I have kajillions of passwords, and zero trouble remembering them. How hard can it be? I've never felt the need for a password storage solution of any kind.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I write down all my personal passwords. I know people say not to do this, but if they have physical access to your home then you are already screwed.
I did something really clever with my password list .... I'm darned if I can remember what though.
Try not getting amnesia in the first place! Whore!
Always wear a helmet
Remember the only password and encode it to multiple unique passwords per website using PwdHash (browser addons are recommended).
Passwords are of no use if you have amnesia, because you don't have a clue what they are for.
But with any security question, there are always events where you say "if X happens, then you have lost and there is no point in trying to mitigate". For example, if people break into your house willing to beat you up for your passwords and kill you if you don't give them out, then you have lost.
Write your private passwords on paper, hide them somewhere in your house, if you want deposit a copy at your work place in case the house burns down (if you have a work place with your own desk that can hold private stuff), and lay off the paranoia.
I have a solution for this scenario, and equally for my sudden death.
Can't tell you what it is, obviously, as that would compromise it. Not much help, I know. But that's how security works.
In the case of my employer, I got lucky: the administrative passwords were placed in a signed and sealed envelope in case anything critical happened. It worked because they knew how to handle confidential data and acknowledged that I was the only one who should have access to those passwords (unless something critical happened).
In the case of important personal passwords (e.g. financial institutions), you could write it down and place it in a safe. You're letting the bank handle the security in that case, and it is physical security, so there is a lot less to worry about in that case.
For the most part though, my personal passwords are not a huge concern. Passwords for sites like Slashdot can be recorded non-securely, or not recorded and forgotten, without significant consequence. (My choice is to not record and risk forgetting. Other people may stick them in a notebook in their desk.)
I keep my pa55w0rd hidden in plain sight.
The real story:
You have a good password, that changes every 2 months. It is complex, and the previous password does not look like the current password.
Then you come back from a 2 week vacation and you have only 3 tries to remember your password.
happens way too often.
Really,
Write it down and keep it in your home.
Chances of someone breaking into your home and stealing your password are very, very slim...
Create an encrypted master password file with a key that only I could possibly know and would be unlikely to forget. Something like what I remember from my first plane trip (DC6Flt405SFOtoLAX) when I was eight years old. In real life if I was so badly hurt that I couldn't remember the master password, anything protected with a password would most likely be of little use to me anyway.
Hints are nice, but also problematic: If they are too obvious, others can easily figure out the password. If they are too cryptic, you may later not be able to make sense of them yourself (happened to me, actually).
I don't want me touching my stuff.
Have a laptop with a fingerprint scanner, set it up with all your passwords (lenovo thinkpads do very well for this), no more worries.
Now if you lose both of your arms, well, we can't help you.
Hauser is the guy with amnesia. I had a plan to protect my passwords, but Kuato talked me out of it.
You want to know something weird?
I have passwords that my hands can type but my brain doesn't actually know.
If you asked me to write them down I wouldn't be able, but if you asked me to type them I could do it in seconds without even thinking.
Tattoo it on your wang.
Everyone forgets passwords once in a while.
Personal Passwords? Most of them can be reset. That is, if that email address still exists. Otherwise it probably wasn't important enough anyway.
Job passwords? Can be reset
Government related passwords (like DigiD in the Netherlands)? Reset it online and they'll send you a reset code via ye olde mail
My girlfriend suffered from a cerebral hemorrhage a couple of years ago.
Trying to get a new bank pass (she also forgot her PIN) was way more difficult than online stuff recovery.
I'd suggest a formula comprised of website name / or url and a number between 1 and 10 which allows for nice shifting around of letters. ;-)
Keep the formula safe somewhere on paper under your bed or in safe
It has allowed me to keep track of about 60 login sites I've been to. In the past 15 years. //. grmbl.
Not always do you get the option to decide your own password; these sites annoy the hell out of me. They are, however, becoming increasingly rare, but in workplaces you sometimes get handed down an account including a password which is not changeable.
All my disks are encrypted by the cryptolocker virus. That way I can get them unencrypted for the low low price of 2 bitcoins without having to remember any passwords :)
Life defining moments as the hints that you'll only get.
3g Yellow Car - To you that means nothing however to me it means "in third grade my evil bitch teacher took away my yellow crayon car which made me cry" I do that with a master file just in case because it's just one of those things you're probably never gonna forget. I have to do it like that because my mind is burnt from years of hardcore drug abuse and new memories fade fast.
Suffering temporary amnesia is a golden opportunity to start fresh.
Just ask NSA for your passwords, since they probably know them all.
Not sure if they will want to reveal them to you, though.
If you post as an AC, don't expect me to spend a mod point on you.
Paper, a pen, somewhere to store it, and someone to locate it.
And I figure my dementia won't hold up against my hardwired "geo-organize" tick. ;)
Some think it's just a mess, but there IS a system, they just don't get it.
Write them down. In a notebook. Label what they are the password for.
Store book in safe place and update once a year.
That's how I do it for my employers (large fireproof safe, book sealed so you can't open it without me noticing, etc.) and for myself.
If you get to my safe, get into my safe, get into the book, then it's also game over for every PC in the house anyway, not to mention my Facebook password will be the least of my worries (banking token generators, etc.).
Seriously people, stop repeating the advice to "never write down passwords". Write them all down in one huge book and PUT IT SOMEWHERE VERY VERY VERY SAFE. Then if you die, if you're on holiday and someone needs to log in for whatever reason, if your other half is at home and desperately needs to do something important as you, then you can talk them through getting access or they will know.
If you don't trust them? Lock it in a cheap safe of your own. Worst that happens is that you have to get out the cutting discs to get back into the thing and get your passwords back if you have a case of total amnesia.
I have a master password which I then encode with a simple cypher of adding letters together. e.g. A + B = D.
I then get a sentence from a book/movie etc and essentially add these together:
myveryspecialpasswordisawesome
ALLYOURBASEAREBELONGTOUS
I then just stored the encoded version on a piece of paper around the house for example with a hint? ....?
adsfaudfjuasdfjadsufadsfjadsfdsaf, Air force
F.
The stated problem was: "Amnesia".
You appear to have answered a completely different problem.
No sig today...
I imagine some kind of safe with a time lock on it, set to automatically open if a button "Add One Day/Week/Month/Year" is not pressed for the time interval. Of course, it can also be opened by inputting the pass code at any time. If you forget the pass code, and need access to the contents, all you have to do is wait for it to automatically unlock when the time runs out.
If there is a chance you need the contents at short notice, you lower the time, if you can afford to wait a month, then do so.
Print out your passwords in a basic text file. Take a screenshot (Print Screen) of the file and paste it into MS Paint. Save the file wherever you want, but just don't put password or porn keywords in the name. Delete the original text file.
Or just write out the passwords using the brush tool. Add whatever Captcha patterns you want if you're extra paranoid.
Pick some nerdy site, say slashdot, and create an account. Use your password as the username, but it won't stand out in such sites. Cackling devilishly at the foolishness of the masses who do not realize that your password is hiding in plain sight is optional.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Go get a small PO Box
Print a master list of passwords each week and mail it to yourself at that PO box
Every 3-6 months go clean out your box except for the most recent and shred them
Keep the key with you at all times.
Why use this over a safety deposit box?
(1) It's a federal felony for someone else to remove or open the letters
(2) You have a list no more than a week old (prior to your death or amnesia) available
(3) If you should die or become incapacitated, your home/mailing address will get a reminder once a year that you HAVE a box, and where it is, by producing ID or papers certifying your death or incapacitation, your attorney or next of kin will get a notification that such a box exists and when they (or you) check to see what mail you've gotten they'll discover your passwords.
Is it just my observation, or are there way too many stupid people in the world?
Pen and paper. Duh.
I'd like to see Google, or Facebook or some other social media style site implement (what I'm calling) a 'Reverse Locker'
The idea is simple. It keeps stuff secret, but *only* if you log in periodically.
As well as solving the problem asked, the uses are more than you might think. For example I'd like to keep some documents safe until my death, at which point I'm happy for them to be made 'public' (such as a Last Will and Testament, or whatever)
Since your assumption is that you're forgetting things you must assume you'll forget everything, including the fact that you have something to access with a password or the means with which to recover the password. Therefore someone has to come to you with the information without any action from your side, judge that you're enough "yourself" to give you access to your own passwords, and then give the information.
If you do not trust a single person with this information the question becomes:
How can you give multiple people parts of the information such that the chance that they can reconstruct it is minimal?
How about this? http://kk.org/cooltools/archives/13786
If your password is all that stands between the forces of chaos and evil and some military-grade secrets or billions of untraceable dollars then I'm sure there are well-documented, probably contractual or even statutory, procedures for ensuring continuity of access should the password-holder be stabbed by a Bulgarian umbrella.
Otherwise, just write the bloody thing down and keep it wherever you put other important documents - if the bad guys get physical access to your computer and paper records, especially without you knowing you're probably humped anyway.
Or if you want perfect security, learn to live with the consequential risk that you might lock yourself out rather than introducing deliberate backdoors or involving third parties. You can't create a way of accessing your account without knowing the password without, er, creating a way of accessing your account without knowing the password.
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
Just as with other important papers I keep a copy of my password manager password and a copy of urls user ids and pws in hard copy inside. Reasonably secure and easy to recover.
I'm a consultant - I convert gibberish into cash-flow.
If you have amnesia, your passwords are the least of your worries.
In fact you wouldn't even know if you have a computer to use them with, let alone a family, a boss, or a job.
It doesn't matter anymore, your forgotten memories are someone else's problem.
I decided a while back to only access sites that employ biometrics-based access. Unless an event destroys my biometric signature, I'll be safe. Obviously, at Slashdot I use a standard strong password, namely "abc". Slashdot allows password resetting, so no issue there. Darn clever, I think.
Why not just buy a fingerprint reader and use that to secure your password vault?
Sure someone can hack off your hand and get your passwords, but if they're that valuable you shouldn't have a vault to begin with.
I would probably give a master password and a copy of my password safe to my lawyer, along with my will and other legal paperwork that she should have just in case something should happen to me.
I was in the midst of posting something similar. I hadn't thought of encryption, but that would be a good idea.
1 - Keep encrypted passwords in cold storage (USB, hard drive...), place it somewhere only you have access to
2 - Set up Google Inactive Account
3 - Set it up to send a message (containing the password) to a trusted person's email
or just tattoo it under your eyelids
I have a sheet of paper hidden in my office on which I've printed a list of clues that reveal portions of my encryption keys. They can only be solved using information only known by close and trustworthy family and friends. It is not entitled and appears fairly obscure without context, but I know they're smart to figure that out.
Alternately, you could go with Cory Doctorow's solution of giving one half of each encryption key to your lawyer and the other half to your significant other. If anything were to happen that would give them power of attorney, they would need to collaborate to unlock your data. Having one of them as your lawyer makes this a very attractive option (assuming you're the one Slashdotter with a significant other ;)
And the forgotten password isn't the one for your email account. ;-)
the NSA.
My karma is not a Chameleon.
Most sites now support SMS verification, and hence amnesia-proof.
As a member of the military in a combat arms MOS, I have two "dead-letters" both contain similar information on accounts and access but the circumstances for which is delivered is significantly different (these are "old fashioned" paper and ink letters and not electronic documents). The literal dead-letter is a part of my living will and gives access to everything to my wife upon my death (something which I am comfortable, but many people may not be). The 2nd is more of a "TBI/coma" insurance for myself, to be sent to my wife if I am alive, but have suffered a serious head injury (GCS of 13 or less), which contains access (logins, passwords/phrases/pictures) to all my non-monetary accounts as well as my various loan accounts. This way my various financial obligations can be taken care of without having to resort to the power of attorney papers which have, in my experience so far, not been timely for things such as monthly payments. This places a lot of trust into my wife. For those who do not have someone whom they can trust on this level, a deposit box with your bank, or if you can afford it, a retained attorney can take the place just as well. You can determine who has access to the document when you deposit it so that someone who is out to "rubber-hose hack" your digital accounts doesn't have easy access to the papers. You are still relying on the memory of where/with whom you stored this document in the case of amnesia, but that information is relatively benign, and can be trusted with friends/family whom you wouldn't trust directly with your various account information.
All my passwords are on a notepad, however I admit this may not work for everyone, it depends on your environment and the risk of the pad being stolen.
"If any question why we died, Tell them because our fathers lied."
So I keep all my credentials written down in a Rolodex file. And I lock the file in a safe. This strategy has saved me no end of grief already. The most-frequently used creds I can remember; the more infrequently-used ones I have to access by one level of indirection. I figure if I forget the combination to the safe, I can always hire a locksmith. This also solves the problem of how your estate handles things like your on-line assets: your executor might need to access your accounts and everything is already organized to do so.
I bought a used manageable switch with no password. I had to find the documentation, specs, build its proprietary serial cable, access the console, only then did I find the funky odd way to reset its passwords.
Quite a few passwords are not for windows, and require a lot of additional work to reset. All those simple routers on the market are very widely used. They don't reset the router access password, they reset the entire router. The SSID, WPA/wifi password, dhcp, all configurations, messing up the network.
The time required to reset all the passwords is precious time lost and creates additional problems. By now you are being called messy and irresponsible all over the place. The responsible thing is to find a good and secure way to store, document, and transmit the passwords when needed. Then reset them and re-document them. Which is a pain.
Build your own energy sources from scratch. http://otherpower.com/
Have a tiny laser projector inserted under the skin of your abdomen.
Make your password a semi-nonsensical sentence, write it on a beat up Post-It note, and leave it in an inconspicuous place. If anyone sees it, they won't know it's a password, just the ravings of a lunatic, so you're safe!
...but I encrypt all my passwords in plaintext.
You are assuming that you are going to remember that you have a system with data that you will want to access, but that you will forget how to access it. I would have suggested noting your user name and password in a special booklet or something, but then again I suppose you would forget about that as well. In that case you could opt to have your name and password tattooed somewhere on your body, preferably some place generally out of sight, but password changes would be inconvenient.
Myself, I would store them in a file on an sd card or thumb drive that is locked away securely and have a trusted party, or parties, to either have the key/combination, or know where it is so I can access the data. They would be instructed that if a situation like what you describe happens to me, they will contact me when I am once again functional and either provide me with the access information, or will retrieve and bring me the drive.
All that said, I think that there are encrypted thumb drives, or external hard drives, that have a fingerprint scanner. That would be another option, since your "password" is your fingertip. :-) If you use such a device, then you only need to have a third party who knows where you keep it and can either tell you, or bring it to you.
Write a script with a "dead man's switch." Store passwords in an encrypted file on a secure system. If you don't log on and issue some sort of "wait" command every 30 days or so, then passwords get emailed to an account whose password is stored on a phone. At the time the passwords are issued, it's bloody insecure, but it should work well enough to get into the systems and change the passwords to something else. Not a perfect system, of course. What happens with a 60 day coma? Passwords are accessible for at least 25 of them, but not to you, etc. Existence of the script and encrypted file on an email ready system means there's a vulnerable spot there, too. It's better than nothing, though, and doesn't involve lawyer fees.
- W. Blaine Dowler
http://www.bureau42.com
I use a different scheme. I use a password hint that helps me remember things that help me remember my password. For example:
- password hint: farm equipment
- I have a tractor.
- I bought my tractor from my cousin's wife.
- My cousin died in a thresher accident.
- The thresher was harvesting wheat.
- Wheat tortillas aren't as good as corn tortillas.
- They use corn to make ethanol.
- They put ethanol in gas.
- My tractor is out of gas.
- My password: farm equipment
See. Easy and amnesia proof.
I keep a system with autologin. All others have BIOS passwords + user passwords. That system has a master password in plain view (it's the name of an object). Only my oldest daughter knows what it is but doesn't understand the use of it yet. NOBODY else knows that that's the password. Been there for 3-4 years now.
My TrueCrypt container is copied to many places, even on my key-chain, updated when needed
No one seems to have mentioned Shamir Secret Sharing yet.
You create a file with all your passwords, encrypt it with, say, pgp and use SSS to split the master password in several pieces. You then give a piece to each of your friends/family. When you need it back you ask for the pieces.
The beauty of this is that you can generate, say, 10 pieces, and set it up such as with any 5 or 6 pieces you can get the original back. Thus if some of your keepers lose their piece, you're still good to go.
For Linux there's the ssss utility that takes care of this.
Cosplayers.net - The Cosplayers Network
Use one (or up to 5) YubiKeys with LastPass. If you aren't worried about the security of the key (losing one, having one stolen), you can use one slot in the key as a static password, the second slot can be used for YubiCo's one time passwords.
I wouldn't do it that way but do use a YubiKey for the OTP functionality.
Trolling is a art,
The reason I say this is that they are deductible on your taxes (at least they are here in Canada) and offer exceptional security for you to leave a ledger with your password written in it. If you are concerned that this is not secure enough get two at separate banks. One has a coded sheet the other has a decoder sheet.
I forget passwords now. There are almost always ways to get them back. All websites have password recovery features. If you have a webmail account there are multiple ways of getting the password back/reset. Probably the only issue would be something you are 100% responsible for, such as an encrypted local drive. If it's unencrypted then it's trivial to get in if you have access to the hardware.
soylentnews.org
There's an awful lot of theoretically smart people here who can't seem to figure out that any scheme that requires you to know just about anything at all is not going to be appropriate for the posited memory loss scenario.
You won't forget a secure password that you've been using for 30 or 40 years. You might forget a password because the company makes you change it every 90 days even though it is a secure password and you have not shared it with anybody. Company security policy is its own worst enemy.
If you are not allowed to question your government then the government has answered your question.
You do have a lawyer, right?
Putting a small retainer and/or having a working relationship with a lawyer is invaluable at times, and it's easier to set up while you're healthy and there's no fecal matter impacting an air displacer.
Most law firms have arrangements for secure storage, or just let them know you have a PO box. If something happens they're equipped to deal with it, and they should be equipped to deal with all your estate matters.
If a state actor really wants your passwords, they'll just use the wrench anyway.
..don't panic
This is something that has been on my mind. I'm yet to do anything about it though.
A safe deposit envelope/satchel (as opposed to a full box) in a bank is pretty cheap - and I would additionally store the actual paper with the passwords in a "tamper proof" envelope so that I can tell if the passwords have been read since I last visited.
Amnesia is not a relevant risk. It is basically more likely that what can cause amnesia will instead kill you or leave you with a recovery effort high enough that the passwords do not matter. Also, recovering passwords turns out to be pretty easy in most cases, as users forget them without amnesia as well.
Special situations are of course different, for example if you are going into dementia or have some condition that is known to cause amnesia. For those, you probably have no choice but to trust somebody else with your user-name and password.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
With my job I have more than 20 different username/password combinations, most of which change every three months. So, this is what I would do: Make an Excel (or equivalent) spreadsheet with site/program/files username and password combinations. Use 7zip to put it into a 'file.7z' with AES-256 encryption with a good strong password. Then store it on the cloud of your choice (I use ownCloud). Since you can always do a password reset on your cloud account, now you just have to remember your 7z password (if you can't remember one password, amnesia is more than just an issue; you need professional help). This will store as many passwords as you need.
I just tell my robot friend, Calculon. The chances of us both ever having amnesia at the same time, are vanishingly small.
write your passwords down on a piece of paper. then drive out to the desert with a gps, and bury them in a box in a random spot, noting the gps location. then come back home, go to a convenience store, and buy a lotto ticket with the numbers from the gps. leave it on your fridge with a magnet. you're done! p.s. this approach may result in you getting shot and killed by an automated machine gun of your own device. but on the plus side, your old frenemies will see to it that your kids are well taken care of.
My keys to the universe are printed on a piece of paper in the safe. Take the key to the safe, open the safe, grab the red envelope that has printed on it in big letters "PASSWORDS" and go from there. I update it monthly.
And it's not just for me. If I get splatted by some moron in an SUV texting his BFF, my wife has access to everything without having to go through the nasty messes that companies put in the way for a widow to gain access to her husband's accounts.
Do not look at laser with remaining good eye.
I had an amazing solution for just this problem. But, I had a small stroke and can no longer remember the solution. Sorry.
Arms are often exposed for anybody to see. If you need to keep a tattooed number secret, it is better to tattoo it on your butt. That way, if the NSA wants to know the number, they'll have to send a hot femme fatale to seduce you, which for a Slashdotter would be a good problem to have.
don't mind me..
KiiLZmbO933#bugGleskuMp
#forgotpassword
Maybe there exists some kind of fingerprint-protected usb stick?
I wouldn't have thought amnesia was such an issue that I actually have to worry about my passwords.
Given the fact you have amnesia do you really think you are likely to remember what sites you regularly visit?
I am Bennett Haselton! I am Bennett Haselton!
Use lastpass: http://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html
and when you get amnesia, don't forget to remember the single key, or how you preserved it. The key word written on a piece of paper in your wallet might be safe and enough of a reminder. Who knows, maybe such a reminder may help you recover your amnesia.
If you have heirs, be sure to utter the key among your last words when you die.
http://passguardian.com/
This uses Shamir's Secret Sharing algorithm to take your password, and split it into a configurable number of pieces, and requires a subset of those shares to reconstruct the original. Take your master password, split it into 10 shares, and require 5 shares to reconstruct. Then distribute the 10 shares to secure locations and trusted people.
Example:
Password: 12345
Share 1: 801650d0edcbd0c3c949f
Share 2: 802c91a40a532182e3570
Share 3: 803ad177a79bc1420a1de
Any 2 shares can reconstruct the password.
And the site runs entirely in JavaScript. You can save it to a USB stick and run it from an offline PC, so you don't have to worry about your password being stolen.
At least for a lot of websites I do not even know my actual password.
I use the PwdHash-plugin installed to my firefox and so I only need to remember a few words that combined with the webaddress are calculated into secure hash values as password.
So you can have one keyword to remember and still different passwords.
Yes sir. We are currently analyzing intelligence to narrow down possible locations for "the middle of Nebraska". First waves of attack with fake dummy zombies to consume ammunition. Please do not hit your head too much as we plan to "analyze" it to extract passwords, one bite at a time, starting at the toes.
Sir, your password recovery procedure is running according to plan and on schedule, sir, any other instructions?
Build your own energy sources from scratch. http://otherpower.com/
But for proper security I change my name every 3 months. My last name was abner27#doub1eday.
Some drink at the fountain of knowledge. Others just gargle.
"How To Protect Your Passwords From Amnesia?"
I want to bang my face repeatedly against a very dense object every time I see someone try to construct a question like this.
and have hard copy of the Password in a fireproof safe at home. This way if I'm hit by the bus, struck by lightning or any other reason, so long as I'm able to function, I can recover all of my passwords.
Hell I've been using a password safe for a decade - started with a freebie from PC Mag called Passes (included the source code) but I've replaced it with Passkeeper due to cross platform support so I haven't written anything but a single PW down in a decade.
Mod me up/Mod me down: I won't frown as I've no crown
I have a deal with a friend who is geographically disparate from me: He knows the password to an encrypted flash drive that I have in my possession. In the event that amnesia (or god forbid something worse) should befall me, he knows to come and retrieve this drive. We generally chat on the phone once a week or so, so he would know pretty quickly if there were a problem that required this. On the drive is a list of passwords and associated data to reclaim most of my digital life, and to let others know what's going on.
Every year or so I pull the drive out and update it with changes and ensure that it's still functional. So far it feels like a pretty good plan. If I wanted to step it up a little more, I would put this in a safe deposit box in a bank. I still ponder doing that, but really I'm not so important for it to truly matter, haha.
There are three methods of authentication: Something you know, something you have, something you are. Passwords are the first category. In the case of amnesia, you lose all that. Any method of reclaiming passwords that also requires you to know something will also fail with amnesia, so a device with a PIN or another layer of passwords or those stupid "security questions" won't work. You can transform case 1 into case 2 easily by putting your passwords in some type of lock box. However, if you have amnesia, how do you remember where you put it, and how to open it? If you do get into your safety deposit box and find a piece of paper with 'myxlplix' on it, how do you know what that means, or what it's for, if you can't remember? The third category is basically biometrics, which might work, unless the same accident that gave you amnesia also cut off your right hand, or put out your eye, or lost whatever body part is needed to authenticate you. And of course, you have to remember that you have biometric authentication, how to use it, and what it's for.
And then there's this: any method for storing or reclaiming passwords that is outside your head weakens the security of your passwords. If you can get your passwords back without needing to know something only you know, then someone else can as well.
I have an encrypted file which has lots of important info. My wife has a piece of paper with the password for that file. Simple.
"Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana
I have several one time passwords printed on a protected paper that is stored in a place that is private, yet still something me or my family (in the case of my demise) would be guaranteed to come across when going through my estate (think safe deposit box). It says nothing about what it is, but I have a few key people that know about this paper and what it is. It's not going to be easy to access without my knowledge, and if I awake from a coma I would find it pretty quick (though granted I may not know what it is, that's what my friends are useful for), unless I was like BK and didn't even know where I lived or was from anymore. I hope someone would claim me, but in that situation nothing I could do would help and probably be of little concern anyway.
Another option would be to randomly mail yourself clues, since you never know when this may happen to you. Like a letter with an extra stamp which will get your attention due to the envelope having excess postage. In that stamp under a microscope there are subtle picture alterations with clues. Then it's just a game of connecting the dots!
My car keys......? Damn!
Have gnu, will travel.
Whenever I type the wrong password, sites tell me what my password is. They prompt me that my password is "incorrect." Seriously though, biometric identification may be the best solution.
Use Shamir's Secret Sharing. That way ordering doesn't matter. You just need the N secrets.
Encrypt your passwords.txt to your own public key and that of your significant other, friend, dog, cat, whatever ... You don't necessarily give the encrypted file to that person, or tell them what you've done.
Then when you forget your private key passphrase, you only need ask them to decrypt the file for you.
If you've forgotten who that person is, or that the file exists, I doubt passwords are anywhere near the top of your concerns.
One approach that is not very secure but is cheap and fast (so if you're going in for emergency surgery and only have a couple minutes to prepare) is to send a letter to yourself just before the operation. Print out your passwords, stick them between two sheets of cardboard or other sheets of paper on which you've scribbled random lines (to prevent someone from holding the letter up to the light to read the message) and send it to yourself. Add a sticker (or a painted strip of nail polish of which you've taken a picture) across the flap as a little added intrusion detection.
This avoids the problem that some people have identified with other solutions, namely remembering what you did with the passwords. ["I got a letter, I guess I should open it since that's what you do with letters."] It also makes it a federal offense (mail tampering) for others to open your mail, and it is a little bit of "security through obscurity" because that letter will look like any other letter you receive. [Security through obscurity shouldn't be your ONLY means of security, but if you have to use that approach the obscurity is a bonus.] Sure, it's not going to safeguard your passwords from the government ... but if the government is really interested in your passwords, they have other approaches they can use (cue the XKCD about a $5 wrench.)
Mod parent up. Smarter people have figured this out long ago: https://en.wikipedia.org/wiki/Secret_sharing
So what you do is find a user friendly utility that does this, and then you get a number of your trusted friends/relatives to share your secret. Then it takes T out of N of them to work together to recreate your secret.
Shamir is the "S" in RSA.
http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
sudo apt-get install ssss
Please note that having all the "shares" in one place is essentially the same as writing down your password, so you need to put physical security in place to protect them. Starting with separating them.
Seriously. A plain old Safe Deposit Box, at a bank. (Not "Safety Deposit", that's a misnomer.)
You will likely have plenty of paperwork to tell you what bank you have. Further, you should have old bills for the box rental.
Also, Safe Deposit keys tend to look rather distinctive, and they are stamped with the number.
I write mine on the BACK of a post-it then stick it on my monitor.
No one ever looks there.
My password is written down in a place where it's not obvious that it's a password. I figure if somebody wants my password bad enough to locate and identify it, they'd find it much easier to break into my house while I'm at work and install a hardware keylogger.
Literally, I leave a paper trail. My main password vault's on my computer, encrypted. There's backup copies stored several other places. And down in the garage there's a fireproof safe with my important papers in it. I put a sealed envelope in the safe with the master password to my password vault plus a printed listing of critical information like bank and utility accounts, emergency contact information for important people, and crucial passwords and regularly update a flash drive copy of my password vault that goes in the safe as well. Some good friends locally get an encrypted copy of the password vault, and the vault password plus the listing is held in escrow with a lawyer who my friends know to contact if anything happens. As a last-ditch measure my younger brother who's the executor of my estate, lives several states away and doesn't normally have physical access to the safe has a sealed envelope with the combination to the safe plus the printed listing.
In most cases where something happens to me, my friends (who've got a limited power of attorney for this purpose) or family (ditto) can get the safe combination (either from me, my brother or the lawyer), get into the safe, get access to my computer and password list and keep everything on-track. In dire emergency the executor of my estate (my brother, or the lawyer if my brother's not available) has access to the information. Potential for abuse is limited because of the way critical cleartext information is separated from the access needed to make use of it.
Finally a lot of bills are on automatic payment from a credit card. That gives a month to a month and a half buffer before regular bills will start going unpaid for people to sort things out. Critical things like the server bill are pre-paid for 6-month or 1-year periods so crucial backups and lines of contact via e-mail aren't easily lost.
No, I'm not paranoid here. I have been there. Bad case of the flu that just wouldn't go away, or so I thought. Over the course of an afternoon it went from just that to bad enough I called an ambulance to take me to the hospital. 3 hours later I was in ICU on a ventilator because I wasn't breathing on my own, and I spent the next 4 weeks in an induced coma. So my preparations aren't for something that might happen, they're for something that's already happened and may happen again.
There's no such thing as a secure password that's been in use for 30 or 40 years.
I'd give my right arm to be ambidextrous...
I am dealing with a password issue right now. My parents are healthy, in great shape and mentally fit. They are also getting old; my dad is 75 and my mom is almost 70.
They have investment accounts, email accounts and all that; pretty much all their data is online.
For us, the solution is 1Password and Dropbox.
They will run 1Password on their computers, tablets and phones, and use Dropbox to sync the password file. They are going to share the Dropbox folder with me, and give me the master password (or put it in their safe at home). I'm going to do the same thing.
I'm sure this won't work for everybody, but we have a huge amount of trust with each other.
We've been dealing with a death in the family, and we are shoveling cash at a house that was owned by the deceased, just so we don't lose it. It will take 18 months of probate before we own it. It's been a huge wakeup call to make sure that everything is in a trust, and passwords are accessible.
This is what I did as part of my will, so that my family can recover my online life after I die. It would work the same for memory loss, coma etc.
Firstly, keep all of your logins, passwords and private details in a password manager with a master password (I use 1Password).
Second, encrypt your master password using this technique, which splits your secret into X parts: http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing
You then give one part of the key to each of your trusted friends or family members. The best part is that this technique doesn't require all X parts to be recombined to get the key back; you can specify how many parts are needed. For example, I split my key into 11 parts, but only 8 are required to recover my master password.
Your friends don't have to do anything except keep their part of the key tucked away in their email archive.
There are plenty of implementations of this algorithm, I used this one: http://www.christophedavid.org/w/c/w.php/Calculators/ShamirSecretSharing
It just split it in seven pieces and tie to artifacts of meaning. And call them "horcruxes."
You can encrypt a blob containing your passwords with a strong, symmetric cipher (e.g., Blowfish, AES-256, etc.), then split the secret using Shamir's secret sharing scheme. Software to do this is in the FreeBSD ports collection, so it's likely available for other platforms, too. Anyway, once split, you hand shares of the secret to people, who have to collude to recreate the secret. The threshold for number of shares needed to reconstitute the secret is adjustable, as is the number of shares. The instructions to recover the blob can be written out and stored in a low- to no-security place. I've used this for root passwords at work, where I'm required by policy to be the only person with them. In case of a beer truck, my coworkers with password shares, the instructions, and the encrypted blob can recover the passwords.
This may not cover full amnesia, but it will make your passwords very secure and much easier to remember. I'm sure some of you are familiar with this approach but it works well, particularly with older individuals. When I used to be a traveling admin, there was always that one person (or a few) who knew how to hammer stuff into Excel but not much else, and you would always have to unlock their account due to password failures. This puts a stop to that mess.
Use a password generator, crank out an 8 to 24 character password, then write the whole thing down on a sticky note _minus one character_. Now, all you need to do is remember that character and where it belongs in the sequence. When it comes time to change your password, generate a new one, do the same trick. This avoids dictionary attacks and gives brute force methods a lot to chew on in the case of a compromise.
Your password (if at your office or home) will make you look like an idiot because it's right there, taped to your monitor or desk, but only you will know the key to make it work. This is much simpler than using the same password (or variations thereof) for everything as older people tend to do.
A solution to the problem at hand is a biometric data device that requires a thumbprint or your face to unlock, with all your passwords in an excel doc and heavily encrypted on the device. Use the same password trick to unlock the encryption or supply the 3 character sequence (to insert) to a trusted individual (3 characters because you need to know the preceding and trailing characters where your "remembered" character is inserted).
and if you use only reversible letters (A,T,O,I ...) then no one will know that they can only be read in the mirror during a full moon!
There's no such thing as a secure password that's been in use for 30 or 40 years.
Why, do passwords decay as they get older? If you haven't told it to anybody, then how can it have gotten any less secure? If someone is trying hashing attacks against your server, a 30 year old password has the same chance of being found as a 1 day old one. A keylogger works just as well on one day old passwords. A password saved encrypted instead of hashed is just as vulnerable at 1 day old as a 30 year old one.
If you are not allowed to question your government then the government has answered your question.
This is how I will do it. I will split the key into multiple pieces. I will give the pieces to different persons. These persons must not know each other. They will also not know that they only hold a portion of the key (they will think that they have the entire key). I will also instruct them that in the event that I lose my memory, they should remind me of the key. Since I will get multiple key pieces, I will have a clue that the keys need to be combined. One variation of this is to have a safe, inside a safe, inside a safe. I then have multiple keys to these safes. I will hand copies of the keys to different persons. Again, these persons must not know each other. They must not have physical access to the safes. I will tell them to hand me back the keys in the event that I lose my memory. They should remind me that it is for a particular safe in my house. It is important that the persons that I hand the keys to must not know each other. That way, if anyone tries to break in to my house to gain physical access to the safe, they will not be able to get to the passwords without the other keys.
Sharpie scribble or tattoo hints on your body parts and take lots of Polaroid pictures. You'll either find your password eventually, or stumble across the person who killed your wife...
As others have mentioned, password security should be commensurate with the risks you face.
But in the unfortunate event of your untimely death, your progeny, spouse, other relatives, or (god forbid) state-appointed lawyer may be tasked with the job of closing down your online presence. Access to your Email account, Farcebook, G+/-, WoW, Eve, etc. etc., may be critical for those you leave behind so that they can: close the accounts gracefully, make the announcement of your passing, track down *your* friends to tell them the news, or pick up your armed & high-level characters and continue their quests.
Consider a method whereby access to those passwords will be granted to those managing your estate, what of it that there is.
I've been using song lyrics for passwords for years. Swap out letters for some numbers or whatever and you're set. Now just hope you hear that song to trigger the memory when you have amnesia.
Just put them in the.....uh....um...
Table-ized A.I.
A lot of the ideas presented (writing it down, getting a lock box, etc) won't work if you have ALSO forgotten where you hid them.
The only way to be completely safe is to let another person hold the passwords for you, either directly (by giving it to them) or indirectly (letting them know which bank the lockbox is at), and then give instructions for this person to contact you on a regular basis to remind you that they have your passwords (in case you also forget who you gave the passwords to)
Cognitive dysfunction is a thing that's existed for centuries. Amnesia counts. So who's going to care for your children in the event that you don't remember how to make breakfast?
Oh right, you have a will. It can be executed in whole or in part.
Stop pretending that new problems need new solutions. We have old solutions that work damn fine.
... under this circumstance, remembering passwords is likely to be the least of my problems.
You can't plan for everything. This one is pretty low on my list.
As long as you remember where you put your YubiKey you should be good. Chain it around your neck??
So, here's something JUST FOR YOU http://tech.slashdot.org/comments.pl?sid=4631643&cid=45892383
* :)
(I *think* you'll like it - a lot (since we have 'common-ground' in that area & it makes as perfect as possible what YOU felt is, imperfect... since, based on what I've seen in rebuttal/responses from off-topic illogical trolls to MY points on hosts, they're a LOT MORE "PERFECT" as-is, than the competition in various browser addons can manage - & my program makes the result in a custom hosts file a HELL OF A LOT BETTER/more "perfect" still... bigtime!))
APK
P.S.=> Stay cool, & enjoy... apk
This (the parent comment) bears repeating and expounding-upon.
Using Shamir's Secret Sharing, you can arbitrarily choose the number of pieces into which your secret will be broken (N) as well as the minimum number required to reconstitute the secret (M). It is referred to as "M of N."
For example, you could perform the 3 of 5 operation on your master password, distribute 1 piece to your best friend, 1 piece to your lawyer, 1 piece to your sibling, and keep two pieces for yourself in your home safe. Or distribute those two to other trusted persons. Whatever. Any combination of THREE of the five pieces will reconstitute your master password.
You can build in any level of redundancy you wish.
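Shamir's scheme as the comments above describe it (3 of 5 here), as an added example that is not part of the thread and is not the code of ssss, PassGuardian or any other tool named in it. The field prime, the 0x01 marker byte and the function names are assumptions of this example, and its share format is not compatible with those tools.

```python
"""Shamir's Secret Sharing over a prime field (added illustration)."""
import itertools
import secrets

# Assumption of this example: 2**521 - 1 (a Mersenne prime) as the field
# modulus, which leaves room for secrets of up to 64 bytes.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (constant term first) at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split(secret: bytes, threshold: int, num_shares: int):
    """Return num_shares points (x, y); any `threshold` of them recover secret."""
    if not 2 <= threshold <= num_shares:
        raise ValueError("need 2 <= threshold <= num_shares")
    if not 0 < len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("secret must be 1..64 bytes")
    # A 0x01 marker byte in front keeps leading zero bytes of the secret.
    s = int.from_bytes(b"\x01" + secret, "big")
    # The secret is the constant term; the other coefficients are uniformly
    # random, so fewer than `threshold` points say nothing about f(0).
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def interpolate_at_zero(shares):
    """Lagrange-interpolate the shares and return f(0) as a field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    if any(not 0 < x < PRIME or not 0 <= y < PRIME for x, y in shares):
        raise ValueError("share out of range")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME          # (0 - xj)
                den = (den * (xi - xj)) % PRIME    # (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def combine(shares) -> bytes:
    """Recover the secret bytes; share order does not matter."""
    value = interpolate_at_zero(shares)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    # Format check only: too few shares usually fail here, but a result that
    # passes is not thereby proven correct.
    if not 2 <= len(raw) <= MAX_SECRET_BYTES + 1 or raw[0] != 1:
        raise ValueError("shares do not decode to a secret (too few or corrupted)")
    return raw[1:]


if __name__ == "__main__":
    master = b"constructed-master-password"  # constructed sample value
    shares = split(master, threshold=3, num_shares=5)
    ok = all(combine(list(s)) == master
             for s in itertools.combinations(shares, 3))
    print("every 3-of-5 subset recovers the secret:", ok)
    try:
        print("2 shares decoded to:", combine(shares[:2]))
    except ValueError as exc:
        print("2 shares rejected:", exc)
```

Two shares of a 3-of-5 split interpolate to an unrelated field element, which is why each share on its own can be stored with less protection than the secret itself.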
Hauser: Howdy, Quaid. If you're watching this, that means that Kuato is dead, and you led us to him. I knew that you wouldn't let me down. Sorry for all of the shit I've put you through, but hey, what are friends for? All I want to do is wish you happiness and good living, old buddy, but unfortunately, that's not gonna happen. You see, that's "my" body you have there, and I want it back. Sorry for being an Indian giver, but I was here first. So, adios, amigo!
What I've done in the past is to have a piece of paper with little doodles on it that remind me of the passwords for various sites, accounts, databases, ATM, whatever I need. The doodles are just odd associative hints which mean that if someone other than me sees it, there is no way THEY can get my password out of it.
But of course, the problem is with carrying this piece of paper everywhere and keeping it updated.
Just yesterday I launched a demo of a free online service meant to help people remember their passwords in this exact way, by letting you upload an image hint that a browser extension will display automatically when you need to log on to a specific site.
While I'm not yet ready to reveal the product to the world, it is technically functional; feel free to ask me on sirmagis@gmail.com if you want to join the demo and see if this type of solution works for you.
Make it very very tiny and then embed it somewhere.
Then all you have to do remember that it is 'very very tiny' and the cleverly named object in which it is embedded.
Back in the 60s, there was a tale amongst scavengers (redevelopment was big in Chicago then) of one who bought rights to take the furniture of an old couple who both went into a care facility. He found $30,000 under a fridge. They forgot almost everything! If you don't have anyone you can trust then you are surely an island or a mole terrified to return to your burrow. (password donnekafka).
Practice your password until typing it in is just one motion associated with wanting to access your data. Hopefully the amnesia will not have affected you so severely you won't be able to automatically type in the password w/o having a clue what it actually is.
It seems like it ought to be simple enough to devise some sort of password safe. The purpose of this safe would be to contain your "master password". To determine the password to the safe, you would have to combine information many of your friends know. For instance, you might leave instructions for finding the password that say something like "what was the name of John's first pet", or "what was Mary's 3rd grade teacher's name". They would be questions for which only that person or people close to them would know the answer, and something that isn't available by Googling.
Assuming you spread your questions out over a large enough group of people (so there isn't overlap, i.e. not everyone the questions are targeted at know each other) you should be able to come up with a relatively secure password mechanism. The problem is that you'd either need to tell everyone the questions you're using and instruct them not to answer those questions for someone other than you, or you'd have to deal with the possibility of a 3rd party finding your instructions and going on a scavenger hunt to find the answers to unlock the password.
But in general, I think this idea is fairly solid. One down side is you'd have to keep your instructions up to date, if one of your friends dies and they're the only person that could answer a given question then you might end up locked out.
My passwords are stored in my keylock safe in my home. 2 plain white sealed envelopes. One is the actual passwords, the other is some random stuff I put together. If someone breaks in I highly doubt they are going to go to the trouble of trying to find my safe. Too many electronics and a coin collection that looks valuable but isn't. The valuable coins rest with my passwords.
"If stupid things work...then they are not stupid."
Do not rely on your memory alone to access your bitcoins! If you use the open source program Bitcoin Armory, you can create a fragmented paper backup of your wallet. With a fragmented backup, if you lose your password you can recover your bitcoins with M of N fragments where you chose M between 2 and 8, and N between 2 and 12 at the time of creating the backup. For example, you can create a 2 of 3 fragmented backup. Keep 1 fragment in a safety deposit box, 1 in your home, and give 1 to your mom. If you forget your password for your Armory wallet, you can use any two fragments to get your bitcoins back. If your house catches fire, and you lose everything in it, you can recover your bitcoins with the 1 fragment in your safety deposit box, and 1 that your mom has. And, in case your mom is a dirty thief, she won't be able to steal your bitcoins.
No, really. It's important. Place everything in the hands of a venerable old law firm. Sleep better knowing.
I coded and put to market early this week Sim2Com, which stands for Simple-to-Complex Password Converter. Old timers like me would call it a password cruncher (rather than a password manager.) From a coder's point of view, it is simply a seeded hashing engine that hashes a masterkey and simple text, and converts the hash to random alphanumeric (cum symbols). It's repeatable and the complex passwords can be quickly copied and pasted (Ctrl+C) into the app's password box. It's done on the fly so no temp files or database, network or Internet involved. There is a free trial download available; I'm awaiting the verdict from peers such as my fellow Slashdot folks. The downside is it runs in Windows, but it also runs in Windows VM in Linux or Mac. Designed mostly for IT infrastructure professionals who babysit corporate systems, PCs and users. Probably overkill for consumers. ( www.sim2com.com/sim2com_english_brochure.htm ) Thank you.
Correction: While Sim2Com does not officially support Macs and Linux, some have reported they are using it in those systems. Sim2Com apparently works in Mac Windows Bootcamp, but not properly in Windows 8.1 VM where Sim2Com's graphics do not show properly. So it would be wrong to say Sim2Com works in Linux or Mac under the circumstances; it works in Windows primarily.
Puts penis envy in a new light...