Slashdot Mirror
Ask Slashdot: How To Protect Your Passwords From Amnesia?
Phopojijo writes "You can encrypt your password library using a client-side manager or encrypted file container. You could practice your password every day, keep no written record, and do everything else right. You then go in for a serious operation or get in a terrible accident and, when you wake up, suffer severe memory loss. Slashdot readers, what do you consider an acceptable trade-off between proper security and preventing a data-loss catastrophe? I will leave some details and assumptions up to interpretation (budget, whether you have friends or co-workers to rely on, whether your solution will defend against the Government, chance of success, and so forth). For instance, would you split your master password in pieces and pay an attorney to contact you with a piece of it in case of emergency? Would you get a safe deposit box? Some biometric device? Leave the password with your husband, wife, or significant other? What can Slashdot come up with?"
Tell all your passwords to me, they'll be safe. Just don't forget who I am.
And then, whenever you need your password, just "ask Slashdot"! Of course there will then be some jokers who post incorrect passwords, but they will be modded down rapidly since anyone can check whether the password is correct or not. Just go with the "+5 informative" one.
Amnesia is most often associated with major brain damage, which means you have a lot more to worry about than your passwords. Now zombies, those are real, which is why I'm holed up here in the middle of Nebraska with enough ammo to put the entire state out. You hear that zombies, you'll never take me alive!
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate.
For my personal passwords, I rely on security through obscurity: I don't believe that anyone can find my passwords in the giant mess that I call my office. If I get sick, I can use the recovery time to clean up my office. It will take weeks, if not months.
Btw, I don't need a terrible accident to forget passwords. It happens a lot for those passwords that I don't need too often.
I have a master password which i then encode with a simple cypher of adding letters together. e.g. A + B = D.
I then get a sentence from a book/movie etc and essentially add these together:
myveryspecialpasswordisawesome
ALLYOURBASEAREBELONGTOUS
I then just stored the encoded version on a piece of paper around the house for example with a hint? ....?
adsfaudfjuasdfjadsufadsfjadsfdsaf, Air force
...suffer from amnesia. Passwords generally don't, so I would not worry about that particular problem.
And now excuse me, I need to water my keyboard.
Tattoo your safe deposit bank number (the bank of which required your biometric identity to get into the vault) on your arm. Maybe you should also tattoo the name of the bank (and address?) there, I seem to remember that he had problems remembering he had a safe deposit box there.
Nice try, NSA!
IIRC, Nemeth, Hein, Snyder, and Whaley suggest a sealed envelope in a safe (or locked away in a safe place). As soon as the seal's broken, you know that the person(s) who know(s) the combination/has the key indeed needed access to the password (in an emergency), so you may want to change the password in the future.
It's generally wiser to keep passwords inside the head rather than on a file - encrypted or otherwise. But if you can't do that, keep it on a piece of paper, and if you're worried about others seeing your paper, well, lock it up somewhere safe, and if you're truly paranoid, you could always write your password with a system that only you know...example: if your password would be 15821e2a you could write 26932f3b instead, and only YOU know that you only shifted the numbers and characters one number ahead, you could do this to each second character in your code, or according to your own system. Your brain is the limit!
What this world is coming to - is for you and me to decide.
At Hackaday we're actually developing a solution that could work in your case. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating and storing long and complex random passwords for the different websites you use daily. It is designed to be as small as possible so it can fit in your pocket. The Mooltipass is composed of one main device and a smartcard. On the device are stored your AES-256 encrypted passwords. The smartcard is a read protected EEPROM that needs a PIN code to unlock its contents (AES-256 key + a few websites credentials). As with your credit card, too many tries will permanently lock the smart card. Therefore, you'd only need to share your PIN code with your husband/wife (5 to 6 numbers) And the whole project is open source.... http://hackaday.com/tag/developed-on-hackaday/
Suppose you did indeed have an amnesia-proof password store. And then you get into a situation where you are scared to death (jackbooted thugs breaking into your house in the middle of the night, drag you off to some scary Cuban shore, ...) and you are so frightened by the ordeal that you forget your valuable passwords. So fine so good. But then there's you're amnesia-proof solution, which brings your memories back. oops.
It's very easy to create unique passwords that are hard to guess, and completely trivial to remember. My method is this:
- I have a 4 "stems" that are the first letters of 4 lines of poetry I remember from school. one stem is used for "very personal" things (ssh private key passwords for instance), another for login on "trusted" machines (my servers), and a third to use on various websites I trust moderately, and a fourth is a "junk" stem to use on shite websites (hotmail and the likes).
- To each stems, I append 2 digits (always the same)
- I prefix each stem with the first 3 letters of my username, and I append the 3 first letters of the machine's name, or website name I'm logging onto, after the digits.
- Finally, I append the number of letters in the machine name or website name (sans www. or .com).
The passwords that I create that way are reasonably secure, usually unique, and all I have to remember is a poem, my username for a particular machine/website (those I can store somewhere in plain text just in case) and the method to derive the corresponding password.
I have kajillions of passwords, and zero trouble remembering them. How hard can it be? I've never felt the need for a password storage solution of any kind.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I did something really clever with my password list .... I'm darned if I can remember what though.
Full disk encryption says hi.
My first program:
Hell Segmentation fault
I'd rather give my password to a russian hacker than to a lawyer. The former is probably more trustworthy...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Try not getting amnesia in the first place! Whore!
Always wear a helmet
Full disk encryption says hi.
Software deprecation says hi too: have you ever tried to read a cryptoloop-encrypted volume with a recent Linux kernel? Good luck with that.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Remember the only password and encode it to multiple unique passwords per website using PwdHash (browser addons are recommended).
Passwords are of no use if you have amnesia, because you don't have a clue what they are for.
But with any security question, there are always events where you say "if X happens, then you have lost and there is no point in trying to mitigate". For example, if people break into your house willing to beat you up for your passwords and kill you if you don't give them out, then you have lost.
Write your private passwords on paper, hide them somewhere in your house, if you want deposit a copy at your work place in case the house burns down (if you have a work place with your own desk that can hold private stuff), and lay off the paranoia.
I have a solution for this scenario, and equally for my sudden death.
Can't tell you what it is, obviously, as that would compromise it. Not much help, I know. But that's how security works.
In the case of my employer, I got lucky: the administrative passwords were placed in a signed and sealed envelope in case anything critical happened. It worked because they knew how to handle confidential data and acknowledged that I was the only one who should have access to those passwords (unless something critical happened).
In the case of important personal passwords (e.g. financial institutions), you could write it down and place it in a safe. You're letting the bank handle the security in that case, and it is physical security, so there is a lot less to worry about in that case.
For the most part though, my personal passwords are not a huge concern. Passwords for sites like Slashdot can be recorded non-securely, or not recorded and forgotten, without significant consequence. (My choice is to not record and risk forgetting. Other people may stick them in a notebook in their desk.)
I keep my pa55w0rd hidden in plain sight.
The real story:
You have a good password, that changes every 2 months. It is complex, and the previous password does not look like the current password.
Then you come back from a 2 week vacation and you have only 3 tries to remember your password.
happens way too often.
Everyone forgets passwords once in a while.
Personal Passwords? Most of them can be reset. That is, if that email address still exists. Otherwise it probably wasn't important enough anyway.
Job passwords? Can be reset
Government related passwords (like DigiD in the Netherlands)? Reset it online and they'll send you a reset code via ye olde mail
My girlfriend suffered from a cerebral hemorrhage a couple of years ago.
Trying to get a new bank pass (she also forgot her PIN) was way more difficult than online stuff recovery.
All my disks are encrypted by the cryptolocker virus. That way I can get them unencrypted for the low low price of 2 bitcoins without having to remember any passwords :)
A lot of people want to use electronic stores for passwords on their computers. I think that is more dangerous given how connected machines are these days than a piece of paper that can't be hacked in to electronically from a remote connection. Paper is the best way to keep them so long as the paper is out of sight and locked away when not in use.
~~ Behold the flying cow with a rail gun! ~~
Just ask NSA for your passwords, since they probably know them all.
Not sure if they will want to reveal them to you, though.
If you post as an AC, don't expect me to spend a mod point on you.
Write them down. In a notebook. Label what they are the password for.
Store book in safe place and update once a year.
That's how I do it for my employers (large fireproof safe, book sealed so you can't open it without me noticing, etc.) and for myself.
If you get to my safe, get into my safe, get into the book, then it's also game over for every PC in the house anyway, not to mention my Facebook password will be the least of my worries (banking token generators, etc.).
Seriously people, stop repeating the advice to "never write down passwords". Write them all down in one huge book and PUT IT SOMEWHERE VERY VERY VERY SAFE. Then if you die, if you're on holiday and someone needs to log in for whatever reason, if your other half is at home and desperately needs to do something important as you, then you can talk them through getting access or they will know.
If you don't trust them? Lock it in a cheap safe of your own. Worst that happens is that you have to get out the cutting discs to get back into the thing and get your passwords back if you have a case of total amnesia.
I have a master password which i then encode with a simple cypher of adding letters together. e.g. A + B = D.
I then get a sentence from a book/movie etc and essentially add these together:
myveryspecialpasswordisawesome
ALLYOURBASEAREBELONGTOUS
I then just stored the encoded version on a piece of paper around the house for example with a hint? ....?
adsfaudfjuasdfjadsufadsfjadsfdsaf, Air force
F.
The stated problem was: "Amnesia".
You appear to have answered a completely different problem.
No sig today...
3g Yellow Car - To you that means nothing
I thought it was Google moving into self-driving taxis.
I imagine some kind of safe with a time lock on it, set to automatically open if a button "Add One Day/Week/Month/Year" is not pressed for the time interval. Of course, it can also be opened by inputting the pass code at any time. If you forget the pass code, and need access to the contents, all you have to do is wait for it to automatically unlock when the time runs out.
If there is a chance you need the contents at short notice, you lower the time, if you can afford to wait a month, then do so.
Pick some nerdy site, say slashdot, and create an account. Use your password as the username, but it won't stand out in such sites. Cackling devilishly at the foolishness of the masses who do not realize that your password is hiding in plain sight is optional.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Go get a small PO Box
Print a master list of passwords each week and mail it to yourself at that PO box
Every 3-6 months go clean out your box except for the most recent and shred them
Keep the key with you at all times.
Why use this over a safety deposit box?
(1) It's a federal felony for someone else to remove or open the letters
(2) You have a list no more than a week old (prior to your death or amnesia) available
(3) If you should die or become incapacitated, your home/mailing address will get a reminder once a year that you HAVE a box, and where it is, by producing ID or appears certifying your death or incapacitation, your attorney or next of kin will get a notification that such a box exists and when they (or you) check to see what mail you've gotten they'll discover your passwords.
Is it just my observation, or are there way too many stupid people in the world?
I'd like to see Google, or Facebook or some other social media style site implement (what I'm calling) a 'Reverse Locker'
The idea is simple. It keeps stuff secret, but *only* if you log in periodically.
As well as solving the problem asked, the uses are more than you might think. For example I'd like to keep some documents safe until my death, at which point I'm happy for them to be made 'public' (such as a Last Will and Testament, or whatever)
Since your assumption is that you're forgetting things you must assume you'll forget everything, including the fact that you have something to access with a password or the means with which to recover the password. Therefore someone has to come to you with the information without any action from your side, judge that you're enough "yourself" to give you access to your own passwords, and then give the information.
If you do not trust a single person with this information the question becomes:
How can you give multiple people parts of the information such that the chance that they can reconstruct it is minimal?
How about this? http://kk.org/cooltools/archives/13786
Depends on the paper. Might have been intercepted by NSA under its TAO program. In that case, you might have network connected paper.
If your password is all that stands between the forces of chaos and evil and some military-grade secrets or billions of untraceable dollars then I'm sure there are well-documented, probably contractual or even statutory, procedures for ensuring continuity of access should the password-holder be stabbed by a Bulgarian umbrella.
Otherwise, just write the bloody thing down and keep it wherever you put other important documents - if the bad guys get physical access to your computer and paper records, especially without you knowing you're probably humped anyway.
Or if you want perfect security, learn to live with the consequential risk that you might lock yourself out rather than introducing deliberate backdoors or involving third parties. You can't create a way of accessing your account without knowing the password without, er, creating a way of accessing your account without knowing the password.
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
Just as with other important papers I keep a copy of my password manager password and a copy of urls user ids and pws in hard copy inside. Reasonably secure and easy to recover.
I'm a consultant - I convert gibberish into cash-flow.
I decided a while back to only access sites that employ biometrics-based access. Unless an event destroys my biometric signature, I'll be safe. Obviously, at Slashdot I use a standard strong password, namely "abc". Slashdot allows password resetting, so no issue there. Darn clever, I think.
Why not just buy a fingerprint reader and use that to secure your password vault?
Sure someone can hack off your hand and get your passwords, but if they're that valuable you shouldn't have a vault to begin with.
I would probably give a master password and a copy of my password safe to my lawyer, along with my will and other legal paperwork that she should have just in case something should happen to me.
I was in the midst of posting something similar. I hadn't thought of encryption, but that would be a good idea.
I have a sheet of paper hidden in my office on which I've printed a list of clues that reveal portions of my encryption keys. They can only be solved using information only known by close and trustworthy family and friends. It is not entitled and appears fairly obscure without context, but I know they're smart to figure that out.
Alternately, you could go with Cory Doctorow's solution of giving one half of each encryption key to your lawyer and the other half to your significant other. If anything were to happen that would give them power of attorney, they would need to collaborate to unlock your data. Having one of them as your lawyer makes this a very attractive option (assuming you're the one Slashdotter when a significant other ;)
the NSA.
My karma is not a Chameleon.
All my passwords are on a notepad, however I admit this may not work for everyone, it depends on your environment and the risk of the pad being stolen.
"If any question why we died, Tell them because our fathers lied."
So I keep all my credentials written down in a Rolodex file. And I lock the file in a safe. This strategy has saved me no end of grief already. The most-frequently used creds I can remember; the more infrequently-used ones I have to access by one level of indirection. I figure if I forget the combination to the safe, I can always hire a locksmith. This also solves the problem of how your estate handles things like your on-line assets: your executor might need to access your accounts and everything is already organized to do so.
I bought a used manageable switch with no password. I had to find the documentation, specs, build its proprietary serial cable, access the console, only then did I find the funky odd way to reset its passwords.
Quite a few passwords are not for windows, and require a lot of additional work to reset. All those simple routers on the market are very widely used. They don't reset the router access password, they reset the entire router. The SSID, WPA/wifi password, dhcp, all configurations, messing up the network.
The time required to reset all the passwords is precious time lost and creates additional problems. By now you are being called messy and irresponsible all over the place. The responsible thing is to find a good and secure way to store, document, and transmit the passwords when needed. Then reset them and re-document them. Which is a pain.
Build your own energy sources from scratch. http://otherpower.com/
Especially considering that the average lawyer uses Windows XP with no antivirus and a dozen toolbars installed...
My first program:
Hell Segmentation fault
I fail to see how it's relevant. My point is that FDE does not come with a "forgotten password? Nullo problemo, tell me your mother's maiden name" function.
My first program:
Hell Segmentation fault
You are assuming that you are going to remember that you have a system with data that you will want to access, but that you will forget how to access it. I would have suggested noting your user name and password in a special booklet or something, but then again I suppose you would forget about that as well. In that case you could opt to have your name and password tattooed somewhere on your body, preferably some place generally out of sight, but password changes would be inconvenient.
Write a script with a "dead man's switch." Store passwords in an encrypted file on a secure system. If you don't log on and issue some sort of "wait" command every 30 days or so, then passwords get emailed to an account whose password is stored on a phone. At the time the passwords are issued, it's bloody insecure, but it should work well enough to get into the systems and change the passwords to something else. Not a perfect system, of course. What happens with a 60 day coma? Passwords are accessible for at least 25 of them, but not to you, etc. Existence of the script and encrypted file on an email ready system means there's a vulnerable spot there, too. It's better than nothing, though, and doesn't involve lawyer fees.
- W. Blaine Dowler
http://www.bureau42.com
No one seems to have mentioned Shamir Secret Sharing yet.
You create a file with all your passwords, encrypt it with, say, pgp and use SSS to split the master password in several pieces. You then give a piece to each of your friends/family. When you need it back you ask for the pieces.
The beauty of this is that you can generate, say, 10 pieces, and set it up such as with any 5 or 6 pieces you can get the original back. Thus if some of your keepers lose their piece, you're still good to go.
For linux there's the ssss utility that takes care of this.
Cosplayers.net - The Cosplayers Network
Use one (or up to 5) YubiKeys with LastPass. If you aren't worried about the security of the key (losing one, having one stolen), you can use one slot in the key as a static password, the second slot can be used for YubiCo's one time passwords.
I wouldn't do it that way but do use a YubiKey for the OTP functionality.
Trolling is a art,
I forget passwords now. There are almost always ways to get them back. All websites have password recovery features. If you have a webmail account there are multiple ways of getting the password back/reset. Probably the only issue would be something you are 100% responsible for, such as an encrypted local drive. If it's unencrypted then it's trivial to get in if you have access to the hardware.
soylentnews.org
There's an awful lot of theoretically smart people here who can't seem to figure out that any scheme that requires you to know just about anything at all is not going to be appropriate for the posited memory loss scenario.
You won't forget a secure password that you've been using for 30 or 40 years. You might forget a password because the company makes you change it every 90 days even though it is a secure password and you have not shared it with anybody. Company security policy is its own worst enemy.
If you are not allowed to question your government then the government has answered your question.
You do have a lawyer, right?
Putting a small retainer and/or having a working relationship with a lawyer is invaluable at times, and it's easier to set up while you're healthy and there's no fecal matter impacting a air displacer.
Most law firms have arrangements for secure storage, or just let them know you have a PO box. If something happens they're equipped to deal with it, and they should be equipped to deal with all your estate matters.
If a state actor really wants your passwords, they'll just use the wrench anyway.
..don't panic
This is something that has been on my mind. I'm yet to do anything about it though.
A safe deposit envelope/satchel (as opposed to a full box) in a bank is pretty cheap - and I would additionally store the actual paper with the passwords in a "tamper proof" envelope so that I can tell if the passwords have been read since I last visited.
Amnesia is not a relevant risk. It is basically more likely that what can cause amnesia will instead kill you or leave you with a recovery effort high enough that the passwords do not matter. Also, recovering passwords turns out to be pretty easy in most cases, as users forget them without amnesia as well.
Special situations are of course different, for example if you are going into dementia or have some condition that is known to cause amnesia. For those, you probably have no choice but to trust somebody else with your user-name and password.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
write your passwords down on a piece of paper. then drive out to the desert with a gps, and bury them in a box in a random spot, noting the gps location. then come back home, go to a convenience store, and buy a lotto ticket with the numbers from the gps. leave it on your fridge with a magnet. you're done! p.s. this approach may result in you getting shot and killed by an automated machine gun of your own device. but on the plus side, your old frenemies will see to it that your kids are well taken care of.
My keys to the universe are printed on a piece of paper in the safe. Take the key to the safe open the safe grab the red envelope that has printed on it in big letters "PASSWORDS" and go from there. I update it monthly.
And it's not just for me, If I get splatted by some moron in a SUV texting his BFF my wife has access to everything without having to go through nasty messes that companys put in the way for a widow to gain access to her husbands accounts.
Do not look at laser with remaining good eye.
I had an amazing solution for just this problem. But, I had a small stroke and can no longer remember the solution. Sorry.
Arms are often exposed for anybody to see. If you need to keep a tattoed number secret, it is better to tattoo it on your butt. That way, if the NSA wants to know the number, they'll have to send a hot femme fatale to seduce you, which for a Slashdotter would be a good problem to have.
Maybe there exists some kind of fingerprint-protected usb stick?
I wouldn't have thought amnesia was such an issue that I actually have to worry about my passwords.
Given the fact you have amnesia do you really think you are likely to remember what sites you regularly visit?
I am Bennett Haselton! I am Bennett Haselton!
http://passguardian.com/
This uses Shamir's Secret Sharing algorithm to take your password, and split it into a configurable number of pieces, and requires a subset of those shares to reconstruct the original. Take your master password, split it into 10 shares, and require 5 shares to reconstruct. Then distribute the 10 shares to secure locations and trusted people.
Example:
Password: 12345
Share 1: 801650d0edcbd0c3c949f
Share 2: 802c91a40a532182e3570
Share 3: 803ad177a79bc1420a1de
Any 2 shares can reconstruct the password.
And the site runs entirely in Javascript. You can save it to a USB stick and run it from an offline PC, so you don't have to worry about your password being stolen.
Yes sir. We are currently analyzing intelligence to narrow down possible locations for "the middle of Nebraska". First waves of attack with fake dummy zombies to consume ammunition. Please do not hit your head too much as we plan to "analyze" it to extract passwords, one bite at a time, starting at the toes.
Sir, your password recovery procedure is running according to plan and on schedule, sir, any other instructions?
Build your own energy sources from scratch. http://otherpower.com/
But for proper security I change my name every 3 months. My last name was abner27#doub1eday.
Some drink at the fountain of knowledge. Others just gargle.
and have hard copy of the Password in a fireproof safe at home. This way if I'm hit by the bus, struck by Lighting or any other reason, so long as I'm able to function, I can recover all of my passwords.
Hell I've been using a password safe for a decade - started with a freebie from PC Mag called Passes (included the source code) but I've replaced it with Passkeeper due to cross platform support so I haven't written anything but a single PW down in a decade.
Mod me up/Mod me down: I wont frown as I've no crown
I have a deal with a friend who is geographically disparate from me: He knows the password to an encrypted flash drive that I have in mhy possession. In the event that amnesia (or god forbid something worse) should befall me, he knows to come and retrieve this drive. We generally chat on the phone once a week or so, so he would know pretty quickly if there were a problem that required this. On the drive is a list of passwords and associated data to reclaim most of my digital life, and to let others know what's going on.
Every year or so I pull the drive out and update it with changes and ensure that it's still functional. So far it feels like a pretty good plan. If I wanted to step it up a little more, I would put this in a safe deposit box in a bank. I still ponder doing that, but really I'm not so important for it to truly matter, haha.
There are three methods of authentication: Something you know, something you have, something you are. Passwords are the first category. In the case of amnesia, you lose all that. Any method of reclaiming passwords that also requires you to know something will also fail with amnesia, so a device with a PIN or another layer of passwords or those stupid "security questions" won't work. You can transform case 1 into case 2 easily by putting your passwords in some type of lock box. However, if you have amnesia, how do you remember where you put it, and how to open it? If you do get into your safety deposit box and find a piece of paper with 'myxlplix' on it, how do you know what that means, or what it's for, if you can't remember? The third category is basically biometrics, which might work, unless the same accident that gave you amnesia also cut off your right hand, or put out your eye, or lost whatever body part is needed to authenticate you. And of course, you have to remember that you have biometric authentication, how to use it, and what it's for.
And then there's this: any method for storing or reclaiming passwords that is outside your head weakens the security of your passwords. If you can get your passwords back without needing to know something only you know, then someone else can as well.
I have an encrypted file which has lots of important info. My wife has a piece of paper with the password for that file. Simple.
"Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana
I have several one time passwords printed on a protected paper that is stored in a place that is private, yet still something me or my family (in the case of my demise) would be guaranteed to come across when going through my estate (think safe deposit box). It says nothing about what it is, but I have a few key people that know about this paper and what it is. It's not going to be easy to access without my knowledge, and if I awake from a coma I would find it pretty quick (though granted I may not know what it is, that's what my friends are useful for), unless I was like BK and didn't even know where I lived or was from anymore. I hope someone would claim me, but in that situation nothing I could do would help and probably be of little concern anyway.
Another option would be to randomly mail yourself clues, since you never know when this may happen to you. Like a letter with an extra stamp which will get your attention due to the envelope having excess postage. In that stamp under a microscope there are subtle picture alterations with clues. Then it's just a game of connecting the dots!
My car keys......? Damn!
Have gnu, will travel.
So go ahead and store an ISO or physical disc of a distro that does. And the specs of the hardware that would have to be emulated to run it.
Whenever I type the wrong password, sites tell me what my password is. They prompt me that my password, is, "incorrect." Seriously though, bio-metric identification maybe the best solution.
Use Shamir's Secret Sharing . That way ordering doesn't matter. You just need the N secrets.
One approach that is not very secure but is cheap and fast (so if you're going in for emergency surgery and only have a couple minutes to prepare) is to send a letter to yourself just before the operation. Print out your passwords, stick them between two sheets of cardboard or other sheets of paper on which you've scribbled random lines (to prevent someone from holding the letter up to the light to read the message) and send it to yourself. Add a sticker (or a painted strip of nail polish of which you've taken a picture) across the flap as a little added intrusion detection.
This avoids the problem that some people have identified with other solutions, namely remembering what you did with the passwords. ["I got a letter, I guess I should open it since that's what you do with letters."] It also makes it a federal offense (mail tampering) for others to open your mail, and it is a little bit of "security through obscurity" because that letter will look like any other letter you receive. [Security through obscurity shouldn't be your ONLY means of security, but if you have to use that approach the obscurity is a bonus.] Sure, it's not going to safeguard your passwords from the government ... but if the government is really interested in your passwords, they have other approaches they can use (cue the XKCD about a $5 wrench.)
Seriously. A plain old Safe Deposit Box, at a bank. (Not "Safety Deposit", that's a misnomer.)
You will likely have plenty of paperwork to tell you what bank you have. Further, you should have old bills for the box rental.
Also, Safe Deposit keys tend to look rather distinctive, and they are stamped with the number.
My password is written down in a place where it's not obvious that it's a password. I figure if somebody wants my password bad enough to locate and identify it, they'd find it much easier to break into my house while I'm at work and install a hardware keylogger.
Literally, I leave a paper trail. My main password vault's on my computer, encrypted. There's backup copies stored several other places. And down in the garage there's a fireproof safe with my important papers in it. I put a sealed envelope in the safe with the master password to my password vault plus a printed listing of critical information like bank and utility accounts, emergency contact information for important people, and crucial passwords and regularly update a flash drive copy of my password vault that goes in the safe as well. Some good friends locally get an encrypted copy of the password vault, and the vault password plus the listing is held in escrow with a lawyer who my friends know to contact if anything happens. As a last-ditch measure my younger brother who's the executor of my estate, lives several states away and doesn't normally have physical access to the safe has a sealed envelope with the combination to the safe plus the printed listing.
In most cases where something happens to me, my friends (who've got a limited power of attorney for this purpose) or family (ditto) can get the safe combination (either from me, my brother or the lawyer), get into the safe, get access to my computer and password list and keep everything on-track. In dire emergency the executor of my estate (my brother, or the lawyer if my brother's not available) has access to the information. Potential for abuse is limited because of the way critical cleartext information is separated from the access needed to make use of it.
Finally a lot of bills are on automatic payment from a credit card. That gives a month to a month and a half buffer before regular bills will start going unpaid for people to sort things out. Critical things like the server bill are pre-paid for 6-month or 1-year periods so crucial backups and lines of contact via e-mail aren't easily lost.
No, I'm not paranoid here. I have been there. Bad case of the flu that just wouldn't go away, or so I thought. Over the course of an afternoon it went from just that to bad enough I called an ambulance to take me to the hospital. 3 hours later I was in ICU on a ventilator because I wasn't breathing on my own, and I spent the next 4 weeks in an induced coma. So my preparations aren't for something that might happen, they're for something that's already happened and may happen again.
There's no such thing as a secure password that's been in use for 30 or 40 years.
I'd give my right arm to be ambidextrous...
I am dealing with a passwrod issue right now. My parents are healthy, in great shape and mentally fit. They are also getting old; my dad is 75 and my mom is almost 70.
They have investment accounts, email accounts and all that; pretty much all their data is online.
For us, the solution is 1Password and Dropbox.
They will run 1Password on their computers, tablets and phones, and use Dropbox to sync the password file. They are going to share the Dropbox folder with me, and give me the master password (or put it in their safe at home). I'm going to do the same thing.
I'm sure this won't work for everybody, but we have a huge amount of trust with each other.
We've been dealing with a death in the family, and we are shoveling cash at a house that was owned by the deceased, just so we don't lose it. It will take 18 months of probate before we own it. It's been a huge wakeup call to make sure that everything is in a trust, and passwords are accessible.
This is what I did as part of my will, so that my family can recover my online life after I die. It would work the same for memory loss, coma etc.
Firstly, keep all of your logins, passwords and private details in a password manager with a master password (I use 1Password).
Second, encrypt your master password using this technique, which splits your secret into X parts: http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing
You then give one part of the key to each of your trusted friends or family members. The best part is that this technique doesn't require all X parts to be recombined to get the key back; you can specify how many parts are needed. For example, I split my key into 11 parts, but only 8 are required to recover my master password.
Your friends don't have to do anything except keep their part of the key tucked away in their email archive.
There are plenty of implementations of this algorithm, I used this one: http://www.christophedavid.org/w/c/w.php/Calculators/ShamirSecretSharing
and if you use only reversible letters (A,T,O,I ...) then no one will know that they can only be read in the mirror during a full moon!
There's no such thing as a secure password that's been in use for 30 or 40 years.
Why, do passwords decay as the get older? If you haven't told it to anybody, then how can it have gotten any less secure? If someone is trying hashing attacks against your server, a 30 year old password has the same chance of being found as a 1 day old one. A keylogger works just as well on one day old passwords. A password saved encrypted instead of hashed is just as vulnerable at 1 day old as a 30 year old one.
If you are not allowed to question your government then the government has answered your question.
This is how I will do it. I will split the key into multiple pieces. I will give the pieces to different persons. These persons must not know each other. The will also not know that they only hold a portion of the key (they will think that they have the entire key). I will also instruct them that in the event that I lose my memory, they should remind me of the key. Since I will get multiple key pieces, I will have a clue that the keys need to be combined. One variation of this is to have a safe, inside a safe, inside a safe. I then have multiple keys to these safes. I will hand copies of the keys to different persons. Again, these persons must not know each other. They must not have physical access to the safes. I will tell them to hand me back the keys in the event that I lose my memory. They should remind me that it is for a particular safe in my house. It is important that the persons that I hand the keys to must not know each other. That way, if anyone tries to break in to my house to gain physical access to the safe, they will not be able to get to the passwords without the other keys.
Sharpie scribble or tattoo hints on your body parts and take lots of Polaroid pictures. You'll either find your password eventually, or stumble across the person who killed your wife...
As others have mentioned, password security should be commensurate with the risks you face.
But in the unfortunate event of your untimely death, your progeny, spouse, other relatives, or (god forbid) state-appointed lawyer may be tasked with the job of closing down your online presence. Access to your Email account, Farcebook, G+/-, WoW, Eve, etc. etc., may be critical for those you leave behind so that they can: close the accounts gracefully, make the announcement of your passing, track down *your* friends to tell them the news, or pick up your armed & high-level characters and continue their quests.
Consider a method whereby access to those passwords will be granted to those managing your estate, what of it that there is.
Just put them in the.....uh....um...
Table-ized A.I.
A lot of the ideas presented (writing it down, getting a lock box, etc) won't work if you have ALSO forgotten where you hid them.
The only way to be completely safe is to let another person hold the passwords for you, either directly (by giving it to them) or indirectly (letting them know which bank the lockbox is at), and then give instructions for this person to contact you on a regular basis to remind you that they have your passwords (in case you also forget who you gave the passwords to)
cognitive disfunction is a thing that's existed for centuries. Amnesia counts. So who's going to care for your children in the event that you don't remember how to make breakfast?
Oh right, you have a will. It can be executed in whole or in part.
Stop pretending that new problems need new solutions. We have old solutions that work damn fine.
... under this circumstance, remembering passwords is likely to be the least of my problems.
You can't plan for everything. This one is pretty low on my list.
This (the parent comment) bears repeating and expounding-upon.
Use Shamir's Secret Sharing you can arbitrarily choose the number pieces into which your secret will be broken (N) as well as the minimum number required to reconstitute the secret (M). It is referred to as "M of N."
For example, you could perform the 3 of 5 operation on your master password, distribute 1 piece to your best friend, 1 piece to your lawyer, 1 piece to your sibling, and keep two pieces for yourself in your home safe. Or distribute those two to other trusted persons. Whatever. Any combination of THREE of the five pieces will reconstitute your master password.
You can build in any level of redundancy you wish.
Back in the 60s,there was a tale amongst scavengers (redevelopment was big in Chicago then) of one who bought rights to take the furniture of an old couple who both went into a care facility. He found $30,000 under a fridge. They forgot almost everything! If you don't have anyone you can trust then you are surely an island or a mole terrified to retune to your burrow. (password donnekafka).
It seems like it ought to be simple enough to devise some sort of password safe. The purpose of this safe would be to contain your "master password". To determine the password to the safe, you would have to combine information many of your friends know. For instance, you might leave instructions for finding the password that say something like "what was the name of John's first pet", or "what was Mary's 3rd grade teacher's name". They would be questions for which only that person or people close to them would know the answer, and something that isn't available by Googling.
Assuming you spread your questions out over a large enough group of people (so there isn't overlap, i.e. not everyone the questions are targeted at know each other) you should be able to come up with a relatively secure password mechanism. The problem is that you'd either need to tell everyone the question's you're using and instruct them not to answer those questions for someone other than you, or you'd have to deal with the possibility of a 3rd party finding your instructions and going on a scavenger hunt to find the answers to unlock the password.
But in general, I think this idea is fairly solid. One down side is you'd have to keep your instructions up to date, if one of your friends dies and they're the only person that could answer a given question then you might end up locked out.
My passwords are stored in my keylock safe in my home. 2 plain white sealed envelopes. One is the actual passwords the other is some random stuff I put together. If someone breaks in I highly doubt they are going to go to the trouble of trying to find my safe, Too many electronics and a coin collection that looks valuable but isn't. The valuable coins rest with my passwords.
"If stupid things work...then they are not stupid."
Do not rely on your memory alone to access your bitcoins! If you use the open source program Bitcoin Armory, you can create a fragmented paper backup of your wallet. With a fragmented backup, if you lose your password you can recover your bitcoins with M of N fragments where you chose M between 2 and 8, and N between 2 and 12 at the time of creating the backup. For example, you can create a 2 of 3 fragmented backup. Keep 1 fragment in a safety deposit box, 1 in your home, and give 1 to your mom. If you forget your password for your Armory wallet, you can use any two fragments to get your bitcoins back. If your house catches fire, and you lose everything in it, you can recover your bitcoins with the 1 fragment in your safety deposit box, and 1 that your mom has. And, in case your mom is a dirty thief, she won't be able to steal your bitcoins.
No, really. It's important. Place everything in the hands of a venerable old law firm. Sleep better knowing.
I coded and put to market early this week Sim2Com, which stands for Simple-to-Complex Password Converter. Old timers like me would call it a password cruncher (rather than a password manager.) From coder's point-of-view, it is simply a seeded hashing engine that hashes a masterkey and simple text, and converts the hash to random alphanumeric (cum symbols). It's repeatable and the complex passwords can be quickly copy, pasted (Ctrl+C) into the apps password box. It's done on the fly so no temp files or database, network or Internet involved. There is a free trial download available; I'm await verdict from peers such as my fellow Slashdot folks. The downside is it runs in Windows, but it also runs in Windows VM in Linux or Mac. Designed mostly for IT infrastructure professionals who babysit corporate sytems, pcs and users. Probably overkill for consumers. ( www.sim2com.com/sim2com_english_brochure.htm ) Thank you.
Correction: While Sim2Com does not officially support Macs and Linux, some have reported they are using it in those systems. Sim2Com apparently works in Mac Windows Bootcamp, but not properly in Windows 8.1 VM where Sim2Com's graphics do not show properly. So it would be wrong to say Sim2Com works in Linux or Mac under the circumstances; it works in Windows primarily.