Ask Slashdot: How To Protect Your Passwords From Amnesia?

Phopojijo writes "You can encrypt your password library using a client-side manager or encrypted file container. You could practice your password every day, keep no written record, and do everything else right. You then go in for a serious operation or get in a terrible accident and, when you wake up, suffer severe memory loss. Slashdot readers, what do you consider an acceptable trade-off between proper security and preventing a data-loss catastrophe? I will leave some details and assumptions up to interpretation (budget, whether you have friends or co-workers to rely on, whether your solution will defend against the Government, chance of success, and so forth). For instance, would you split your master password in pieces and pay an attorney to contact you with a piece of it in case of emergency? Would you get a safe deposit box? Some biometric device? Leave the password with your husband, wife, or significant other? What can Slashdot come up with?"

Secure safe.

Tell all your passwords to me, they'll be safe. Just don't forget who I am.

Just post it on Slashdot

[michelcolman]

And then, whenever you need your password, just "ask Slashdot"! Of course there will then be some jokers who post incorrect passwords, but they will be modded down rapidly since anyone can check whether the password is correct or not. Just go with the "+5 informative" one.

Nice try

[sc0rpi0n]

Nice try, NSA!

Use mooltipass

[mathieu.stephan]

At Hackaday we're actually developing a solution that could work in your case. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating and storing long and complex random passwords for the different websites you use daily. It is designed to be as small as possible so it can fit in your pocket. The Mooltipass is composed of one main device and a smartcard. On the device are stored your AES-256 encrypted passwords. The smartcard is a read protected EEPROM that needs a PIN code to unlock its contents (AES-256 key + a few websites credentials). As with your credit card, too many tries will permanently lock the smart card. Therefore, you'd only need to share your PIN code with your husband/wife (5 to 6 numbers) And the whole project is open source.... http://hackaday.com/tag/developed-on-hackaday/

Re:A piece of paper in a drawer

For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate...

Your boss does not have "every right" to know your password at work any more than any other employee has a "right" to know it. You are an IT Security person's worst nightmare with that bullshit argument, especially if you have even a fucking hint of how Windows security works, and know damn well that in any emergency, most any member of your IT staff can reset any password upon following proper HR and IT policy, which is your audit trail as well for CYA.

Work passwords pretty much for the most part do NOT need to be stored offline in any way for this very obvious reason, and by relying upon the security guards, you've basically destroyed any point in having any sort of strong password policy.

Like I said, you're an IT Security person's worst nightmare. Knock it off with that shit already, and use common sense.

Re:A piece of paper in a drawer

[aaribaud]

For work-related passwords, my boss has every right to know my passwords if I get sick

Hmm, no, he has every right to access your professional data for sure, but this does not necessarily require him to know your passwords. Back when I was doing IT for a 25-odd people company, I'd briefed people that their password was like their signature: personal, and if some manager asked them their password, they should redirect the manager to me (happened a few times, each time the request was baseless and rejected, and when there was an actual problem, it was solved without anyone having to let anyone else know their password). Heck, I'd briefed everybody never to tell me their password.

Re:A piece of paper in a drawer

[ifiwereasculptor]

do I have any physical place where someone finding out my passwords would be the least of my concerns? If you have a place like that, store your passwords there.

You just gave me the best idea ever: tattoo your passwords on your penis. The chance of losing it is small when compared to the chances of losing a notebook or piece of paper, it's a private location and chances are social engineering industrial espionage attempts will have to get pretty interesting. I can see only two minor problems with my plan: first, you might not be able to fit strong passwords in there. If you end up only being able to fit easy to brute force passwords, I suggest you use the old piece of paper method, and maybe a pump. Second, your work may be one of those that use five or six different systems, all with different passwords, and rotate them on a monthly basis. You can still stick with the idea, but oh, boy, you're going to be sore.

Use a PO Box

[Overzeetop]

Go get a small PO Box
Print a master list of passwords each week and mail it to yourself at that PO box
Every 3-6 months go clean out your box except for the most recent and shred them
Keep the key with you at all times.

Why use this over a safety deposit box?
  (1) It's a federal felony for someone else to remove or open the letters
  (2) You have a list no more than a week old (prior to your death or amnesia) available
  (3) If you should die or become incapacitated, your home/mailing address will get a reminder once a year that you HAVE a box, and where it is, by producing ID or appears certifying your death or incapacitation, your attorney or next of kin will get a notification that such a box exists and when they (or you) check to see what mail you've gotten they'll discover your passwords.