How do you Remember Your Passwords?
Aaron asks: "Like most people reading this, I have more than a few computer accounts. Password maintenance (e.g., changing them regularly, thinking of ones that are hard to crack but possible to recall, remembering what this week's password is on account foo) is nontrivial. What strategies for managing passwords do you have?"
Mnemonics and password schemes are tricks a few people use, but I'm sure some of you out there have better ways. Would any of you care to share?
Keep all mine in scribble.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
- Secret! - which is basically a password protected set of memo pages, but it also can do TAN and single use passwords.
- SecureMemo - Similar to Secret! but each memo is encrypted separately. I was already using Secret! when some of these types of things came out.
- Strip - My current favorite. This is a password protected application that is designed for managing password info. It is a database of records with Username, Password, and Description fields. It can generate a random password of a requested length, and you can use it to send an account to another user (great for a sysadmin when creating people's accounts). The only big negative I've seen is that the password field has a length limit, so storing ssh and pgp passphrases may not fit.
All three of these store their data encrypted both on the pilot and on the backups. You could do something similar with a PGP or otherwise encrypted file on your computer, but I prefer the redundancy of having the data in two places: PalmPilot and backup machine (plus backups of the backup machine).
But there is more you can do than using them a lot. Make passwords that make sense. This doesn't necessarily make them insecure, but easier to remember. For example: no one would guess w3/.org is the password for Rob's server. But it's darn easy to remember.
All my passwords have some sort of connection to my life, servers, what's running on them, etc etc. But be careful not to make them too easy. My password is most definitely not my girlfriend's name.
Also, use your old passwords (that you are familiar with) for all those stupid Web-accounts. Who cares! Of course make exceptions when you start ordering stuff, especially with one-click-buying.
I use my wife's first name for all my accounts. For those sites that do not accept "Amanda" as a password, I use the names of my kids ("Allan" and "Ann"), and also write the password down on a yellow label stuck to my monitor (together with the site/account name of course), as well as in a file named PASSWORDS in my home directory. Just in case the label falls off.
This has worked well until now; I have never had to ask the admins to remind me what my password is.
Nothing says that easy to memorize has to mean easy to guess.
Take a common household phrase..
ash nazg gimbatul
..apply 31337 to it..
@Sh N@5g G!Mb@tU1
..now table it...
@ShN
@5gG
!Mb@
tU1
..and unwind that.
@@!tS5MUhgb1NG@
...that's something that can be memorized in source form as long as the 31337 rules are consistent and the table is near-orthogonal. It can be regenerated on a scrap of paper or, with a smudged-off-afterward marker, on a countertop.
I type some number-enriched ascii jumbled text from something I have lying on the desk that can be remembered and type it in qwerty on a dvorak keyboard. I can type my password out, but if you ask me what it is, I wouldn't know unless I actually typed it. It's like a secret decoder ring...
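The three steps in the post above (31337 substitution, tabling, unwinding by columns), as an added Python example that is not part of the original thread. The leet map is my own single consistent one, since the post's substitutions vary in case, so derive() gives a different string than the post's; the unwind step is checked against the post's own table, and rewind() is added to show the "regenerate on a scrap of paper" inverse.

```python
import math

# Constructed for this example: one consistent 31337 substitution. The post's own
# substitutions vary in case (both "g" and "G"), so its exact string is not
# reproduced here, but the table/unwind steps below match the post's data exactly.
LEET = {"a": "@", "e": "3", "i": "!", "l": "1", "o": "0", "s": "5", "t": "7", "z": "2"}


def leetify(text: str) -> str:
    """Apply the substitution map and drop whitespace."""
    return "".join(LEET.get(c, c) for c in text.lower() if not c.isspace())


def table(s: str, width: int) -> list[str]:
    """Write the string into rows of `width` characters (the last row may be short)."""
    return [s[i:i + width] for i in range(0, len(s), width)]


def unwind(rows: list[str]) -> str:
    """Read the table column by column (a columnar transposition)."""
    width = max((len(r) for r in rows), default=0)
    return "".join(r[c] for c in range(width) for r in rows if c < len(r))


def rewind(unwound: str, width: int) -> str:
    """Inverse of table+unwind: rebuild the row-major string from the column read."""
    n = len(unwound)
    if n == 0:
        return ""
    nrows = math.ceil(n / width)
    last_len = n - (nrows - 1) * width        # length of the (possibly short) last row
    col_lens = [nrows if c < last_len else nrows - 1 for c in range(width)]
    cols, pos = [], 0
    for length in col_lens:
        cols.append(unwound[pos:pos + length])
        pos += length
    return "".join(cols[c][i] for i in range(nrows) for c in range(width) if i < len(cols[c]))


def derive(phrase: str, width: int = 4) -> str:
    """Full pipeline: 31337 -> table -> unwind."""
    return unwind(table(leetify(phrase), width))


if __name__ == "__main__":
    # The post's own tabled rows, unwound: prints "@@!tS5MUhgb1NG@"
    print(unwind(["@ShN", "@5gG", "!Mb@", "tU1"]))
    print(derive("ash nazg gimbatul"))
```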
As one of the system administrators for a medium-sized ISP, we are faced with the problem of regularly rotating certain account passwords (I think you can guess which ones ;-) ). After several years it became hard to achieve unique ones that everybody involved could easily remember. Hence our switch to visual methods.
One of the things I have noticed is that humans as a whole tend to remember pictures and symbols far more easily than alphanumeric information. (Simple fact - we have evolved that way.)
Simple Example:-
Imagine a large smiley face situated on your keyboard (as in certain keys were colored differently to make up the face)
Nasty ASCII Art Bit:-
1234567890-=
qwertyuiop[]
asdfghjkl;'#
zxcvbnm,./
Normal Keyboard layout
1234*6*890-=
qwertyuiop[]
as*f*h*kl;'
\zxc**nm,./
Stars show keys used to draw smiley face
Ok, so I have made a pretty lame job of that, but notice that I have used 5 & 7 to make up the eyes, g for the nose and dvbj for the mouth. That gives us a password of 57gdvbj. Once we have that, we can add features to make it more secure, a Capital G for the nose for example, or using punctuation % and & to give the face "eyebrows".
Personally I find this method a useful way of coming up with passwords that are only susceptible to brute force attacks, whilst maintaining a visual link so that our primate brains can have a stab at remembering them. Other pictures that can be used are symbols, flags, large letters, the list is pretty long.
Good Idea/Bad Idea?
Dave.
i've found that my memory is just more tuned to remembering numbers, mathematical formulas, and strings of characters in general than other things like events, people, and conversations. it seems like once i've used a password (or ip address, account number, etc) a few times, i will continue to remember it, as long as i recall it every so often.
i used to be a network admin at an isp. we had one master sheet of paper with all the passwords for servers and NAS's (totalling around 25) that we would keep locked in a safe. i would only have to pull it out when i wanted to get on a box that i hadn't used more than once or twice. i guess my memory is just better at storing arbitrary strings up to around 10 characters.
what's annoying is that usually i can remember whether i've heard a person's name before but i have a very hard time associating their face with the name. i also have a difficult time remembering all the things i'm supposed to do during my day. my fiancée on the other hand can remember conversations from years ago word for word but has to check with me when someone asks for our zip code. i wonder if there's some sort of male/female thing going on...
anyway, one way to make passwords easier is to take a random 4-6 letter word and to convert it to "l33t-speak", and then optionally tack on a random number or non-alphanumeric or two. for example, take the word "fault", change it to "F@u|t", and add a 0 to get "0F@u|t". granted it may not be perfect, but it may be easier to remember than random characters and a bit more secure than just dictionary words. another trick we used at the isp was to make them loosely based on vulgarities--after a while it was almost a contest to see who could think of the best (or worst depending on your perspective).
still another alternative can be found on freshmeat. there is at least one program out there that will keep a list of passwords for you. i think they're stored encrypted, and you only have to remember the one password to open the list.
"gpasman" and "kpasman" are two examples...
--Siva
Keyboard not found.
Keyboard not found.
Press F1 to continue.
For admin level passwords I first create a "random" alphanumeric password and then create a mnemonic phrase using method I got from one of those "How to improve your memory" books I read long ago. To remember numbers you can use sounds.
1 T or D sound.
2 N
3 M
4 R
5 L
6 Soft G or ch
7 Hard G or K
8 F
9 P or B
10 S
It took a while to get comfortable with it but it was long ago and the pain is forgotten. The mnemonic for my (now closed) bank account from 15 years ago is "mouse cheese malls" which translates to 3060350. Double letters which make a single sound count as a single number. For letters, I use words. There doesn't seem to be a problem remembering which words are for numbers and which are for letters.
When I have to assign medium level passwords to others, I give them a phrase and they use the first letter of each word sometimes followed by a number. i.e. Why did the chicken cross the road...wdtcctr22.
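The sound-to-digit table from the post above, as an added Python decoder that is not part of the original thread. It checks that a mnemonic phrase really encodes the number it is meant to recall, reading the post's "10 S" line as 0 = S (which is what the "mouse cheese malls" -> 3060350 decode uses); the digraphs other than "ch" are my assumed extensions.

```python
# Constructed for this example: the sound-to-digit table from the post (the "10 S"
# line is read as 0 = S, which is what the post's own 3060350 decode uses).
SINGLE = {
    "t": "1", "d": "1",
    "n": "2",
    "m": "3",
    "r": "4",
    "l": "5",
    "j": "6",
    "k": "7", "q": "7",
    "f": "8", "v": "8",
    "p": "9", "b": "9",
    "s": "0", "z": "0",
}
# Two letters that make one sound. "ch" is from the post; the others are assumed
# extensions in the same spirit (one sound, one digit).
DIGRAPHS = {"ch": "6", "sh": "6", "ck": "7", "ph": "8", "th": "1"}
SILENT = set("aeiouhwy ")   # vowels, h, w, y and spaces carry no digit


def phrase_to_digits(phrase: str) -> str:
    """Decode a mnemonic phrase to the digits its consonant sounds encode."""
    text = "".join(c for c in phrase.lower() if c.isalpha() or c == " ")
    digits = []
    i = 0
    while i < len(text):
        pair, ch = text[i:i + 2], text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if pair in DIGRAPHS:
            digits.append(DIGRAPHS[pair])
            i += 2
            continue
        if ch in SILENT:
            i += 1
            continue
        if i > 0 and text[i - 1] == ch:        # doubled letter = single sound = one digit
            i += 1
            continue
        if ch == "c":                          # soft c sounds like s (0), hard c like k (7)
            digit = "0" if nxt and nxt in "eiy" else "7"
        elif ch == "g":                        # soft g (6) before e/i/y, else hard g (7)
            digit = "6" if nxt and nxt in "eiy" else "7"
        elif ch in SINGLE:
            digit = SINGLE[ch]
        else:                                  # letters with no assigned sound (e.g. x)
            i += 1
            continue
        digits.append(digit)
        i += 1
    return "".join(digits)


def mnemonic_matches(phrase: str, number: str) -> bool:
    """True if the phrase encodes exactly the digits of `number` (non-digits ignored)."""
    return phrase_to_digits(phrase) == "".join(c for c in number if c.isdigit())


if __name__ == "__main__":
    print(phrase_to_digits("mouse cheese malls"))   # the post's example: 3060350
```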
For admin accounts (except for some reason, I've never subjected a root account to this), and some websites, I often base passwords on lines of songs I like. For instance, the first letters of each word; if there aren't enough letters, punctuation, and/or the artist's initials help. And often, instead of using the real line, I substitute one or more words. ;-)
Sybase SA accounts are a lot easier. Sybase gives you up to 30 characters, so no 8 character limit. My favourite tactic there is plays on names related to the town I was born in; given the fact that all Sybase servers I've worked with were behind firewalls in environments where no one else came from the same country I was born in, that was pretty safe.
Root passwords are a different matter. Except for personal boxes, root passwords are often shared between people, so deciding on them is a different matter; you can't just use your favourite strategy.
And sometimes, you don't really care. For instance, slashdot mails your password, and your password goes in plain text to slashdot when you log in. Not that I could really care if someone used my password - slashdot is pretty close to the end when it comes to important things. For such passwords, I just keep them in a file, and cut-and-paste, although my current slashdot password has a certain rhythm that makes it easy to remember.
Oh, one word of advice. Don't suggest in a (root) password things that aren't true. In a previous workplace, we had 2 Sun E3000s next to each other, sharing a console using a switchbox. One weekend, I came in to change the tape drive of one of the machines. The root password of the machine suggested it was the machine to the left. I logged in and halted the system. Then I turned the key of the left machine, and wondered why the screen didn't go blank. When my pager went off 30s later to notify me which machine was down I realized what I had done.....
-- Abigail
Pick a phrase you remember by heart. For example:
"Yippy-ky-yay MuthaF**er" from Die Hard[1|2|3]
(I've deliberately chosen to use a weak example)
Now, use the first letter of each word. YKYMF.
You want to make it harder, scramble the capitalization: YkyMF
Maybe add punctuation: YkyMF!
Pick a theme with several such phrases, and there you go: easy to remember, hard to guess passwords.
www.eFax.com are spammers
Hmm. I keep mine on a Scramdisk (a free virtual disk encryptor available from Here). I also encrypt the data with PGP every so often and email it home, so I have a backup if I lose the scramdisk or forget its password.
--
-=DaveHowe=-
But you have to be physically there
:)
.... You're in, but your initial config might be all skiwompus!
Reboot the box then
LILO: linux -s
# passwd whatever
# shutdown -r now
Now you have root back and change whatever the hell you want
Or in the Case of RAS equipment
do a NINDY by plugging the jumpers on the mobo
Upload a new TAOS/COMOS using a serial connection with 1K/XModem transfer
halfway through upload yank the jumpers
Reboot twice
OK OK all kidding aside. personally I do PGP encrypted files of router/RAS configs as well as passwd files stored offsite in 2 vaults. One at home, one in another office.
Hey it was either that or tattoo the passwds on my cat, and let the fur grow back!!
*JUST KIDDING PETA PEOPLES*
-- Life: Hate the Game... Love the cereal
Until some time ago, I used the same password as the username. Not kidding. I got a few visits that way, people mailing me from my own account saying "Cool! Hey, your foo script didn't work like it should, I fixed it for you", and the like. People who want to do bad things seem to be lame enough never to just knock on the door and try the handle.
I'd like to still have the same scheme on some systems, but people in general are paranoid enough that I choose strong passwords so that they will still be friends with me. I must say though that I find it much easier to restore a backup every once in a long while, than to use all the paranoid security that people force upon me. I even secured my own computer and removed the guest/guest, system/manager and login/password accounts, which had been there for, well, forever really.
So either way; how do I remember the passwords these days? Well, it's not only passwords, it's bank account codes and other codes too that go with all the plastic cards you get. I'm sorry to say that there really isn't any great trick to it. The mind can easily store at least 20-30 more secure passwords (and probably even more), even if you change them regularly. To memorize a new password, I write it down on a piece of paper and try to attach images of the characters to the paper in my mind. If you attach graphical images, sometimes even smell perhaps, you will most probably remember it far longer than you need to.
Password and remembering them have been very easy for me ..
:)
Well the process that I have used is as follows :
If I have a standing GF when I change the password, I would keep my password as "iluvxyz", and if I have just broken up with a GF i would have my password as "fuckuxyz"..
Isn't that cool. Maybe it will be cooler if I also add that I have never had a GF !
Manifest
... "follow me" the wise man said, but he walked behind
Contrary to my previous, humorous post, I store my passwords in a plain text file, zipped with a password on the zipfile, then PGP-encrypted and stored on a CD.
The passphrase is something I'm almost unlikely to forget. But just in case, I keep a copy of the passphrase and the zip password in a locked strongbox in my room.
For additional physical security, I also own a set of swords.....
Chas - The one, the only.
THANK GOD!!!
I just thought of this whilst reading all the posts.. :)
For keyboardists, try the opening few measures of the theme of a composition (hmm, Bach's Preludes would be a little too repetitive though..), imagining the computer keyboard as a musical keyboard. Yeah yeah, I know, the keys are entirely wrong, BUT, if you know the piece, your fingers should remember at LEAST the theme, and hit the same area every time..
I started testing this theory with not only keyboard themes, but also guitar licks... BTW, chords don't work :), violin solos, bass lines.
Trombonists, flautists, and other brass and woodwinds would tend to have problems. Especially trombonists, because of the registers requiring multiple fingerings....
I dunno, maybe I just need more coffee
and more testing.... please let me know what you think
-- Life: Hate the Game... Love the cereal
My way of creating and remembering passwords is to take a word I know, or phrase, or whatever, and transpose it on my keyboard -- move all the letters one or two letters left, right, up or down. Usually I shift one or two characters and one control character. Usually, after the second or third time I type it, I don't have to look at the keyboard, either. =)
The net result of this is uniformly line-noise-type passwords.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
When I'm putting a password on something I'm not going to use every day, or at least not often enough that I'll remember it, I generally use CD catalog numbers.
You know, the string of numbers and letters on the label. This has saved my butt many, many times.
I may forget the exact string of letters, numbers, and non-alpha-numerics. But I always, always remember which CD.
If I'm home, I can pull it off the shelf. That's easy enough. But here's the cool part.
If you're away from home, any record store can look it up for you. This has saved me from having to hack into my own systems many times. And when you call a record store at 11:00 in the morning and say "I have a strange request", the lone person managing an empty store in off business hours is generally eager to help, too.
I don't care if they know the password - they don't know who I am or what I'm unlocking.
Sure, you could come to my house and take down a list of my entire CD collection, but it would take you a while. I have a lot of music, and I also mix upper and lower case on the letters.
Of course, if you have a small music collection, or predictable tastes, maybe it's not such a good idea. Personally, 70% of my CDs were special-order.
This is just like television, only you can see much further.
In the previous password poll on slashdot I revealed that I 'leet my passwords (password -> p4ssw0rd). This is hard to crack and easy to remember. The only thing left now, is to associate all the many passwords with the accounts they belong to. Unfortunately I do this by simply making passwords from services they are associated with (e.g., randomportal.com -> r4nd0mp0rt4l). I guess that's a weak link in my scheme...although the only way to break it would be to actually know my scheme...which I guess I've just given to every slashdotter :\
It's 10 PM. Do you know if you're un-American?
This is the best one I've found so far..
:o)
When creating a password, I take the first word(s) that pops into my head, and then spoonerize it..
(for those of you who have forgotten third-grade English, a spoonerism is a play on words, where syllables are swapped.. for example "start the car" would become "cart the star." "slashdot" could become "dlatsosh", "datslosh")
Then, all I have to do is remember what I was thinking of when I created the account (pretty simple - if it's non-critical, I just use the name of the site.)
Oh, for those of you who think I just told you my slashdot password, this is the place I didn't do this
--
- Secret!
- Strip
I'm pretty sure that the SecureMemo is by CertiCom.
I have this 14-letter (yes, it was originally for NT) password which is entirely random, including the amount of punctuation stuffed into it.
Now, this isn't the case anymore, but when I finally burned the piece of paper it was written on, I had the exact keystrokes tucked away somewhere in my head, but the actual password itself wasn't there. I could think "type the password" and quickly spin it off but I could not remember the password.
I've had to tell a few other people, and I always had to type it out into Notepad just to remember it, but I have it completely memorized now (along with 6 or 7 other 8-letter passwords).
Personally, I don't see the need to change them very often. I don't let people see them while I'm typing them (touch-typing has many advantages :) and I usually ssh to other systems. The only ones I don't ssh to are the ones I don't care about anyway (such as slashdot and the various MUCKs I'm on), and for those I just use a common word.
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
first: take a phrase, say:
"I love Meg"
This is one that I can fondly remember.
second: misspell things:
"ey lav Meg"
third: truncate, abbreviate and shorten: "eylavm"
fourth: mess with the caps and characters: "eyLaVM"
There, you have a rather strong password, and all you need to remember is that you love Meg (which I do, I stopped using the password because I had to tell her what I'd done... ;).
Anyway, it is a pretty simple hash, and you can use phrases as long as you like, anywhere from 2 words on up. All it needs to be is something you can remember.
For those stupid numbers (social security, bank accounts, etc), I have a little business card in my wallet which I write them on. Now, the first nine characters of every number is formatted to look like an ssn, and then when I have shorter numbers to remember, I tack them onto the end, so they don't really follow any format a person could recognize. I can pick out which numbers are what, but that's because I know where I wrote them.
I hope that helps, but I also know that I have a pretty impressive long term memory, so what seems simple to me...
Jeff
I change my major account passwds weekly; one week I needed to know the seven wonders of the world, so for the first week I used
gwcgptoz3wow
(Great Wall of China, Great Pyramid, Temple Of Zeus, 3 Wonders Of the World)
then I had to know a torsion formula for engineering:
theta_PLoverAE (theta = PL/AE)
onward to a new friend I met and whose birthday I needed to remember:
erica16june79
That way, after logging into my account for a week, I know my password and a useful fact. When I realize that I no longer recite the mnemonic to myself each time I login, I know it's time to change over.
--Jurph
Basically, I choose a phrase or common theme (like a musical group I like, etc) and then take the first letter or two of each word, then 37337-1z3 it. This can generate nice long passwords if you need them, for instance, my PGP key is encrypted with an 18 character long phrase based on a musical group, using such obscure things that it would be rather hard for someone to guess.
Also, using pseudo-Perl code generates instant line noise passwords, and as long as you're up on your Perl, everything is easy to remember. For instance (this one is easy, but you get the idea):
my=~s/$p4ss/@w0rd/g;
It doesn't make sense, but that's ok.
Firstly, keep the number to a minimum - for a minimum password length of 8 characters, 8 passwords is about the maximum users can cope with using this system. Users are required to think of a quotation, poem, a passage from a play, etc. which they ALREADY remember. Security administrators produce a card for each 'work-group', one per user. The card has the letters of the alphabet printed in any order, even random, in one column or line and a random selection of keyboard characters in a parallel line or column. Cards are replaced at 6 month intervals with a new combination of characters. The user simply spells out the remembered 'key' to themselves, one letter at a time, with the card to hand, looks at the alphabetic column/line and selects the corresponding code character for entry. When the card is kept 'private' this method of remembering passwords is far more resistant to cryptographic techniques than the machine on which it is being used. The habit of some users sticking the card on their VDU/terminal - "in case I lose it" should be discouraged - this makes the system vulnerable to cryptographic techniques. Losing a card is no big deal anyway, as co-workers in the same 'group' have an identical card which may be borrowed to log in. Lost cards should of course initiate the replacement of all cards for the 'work-group'.
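The card scheme in the post above (a per-work-group card mapping each letter to a keyboard character, and the user spelling a remembered key through it), as an added Python example that is not part of the original thread. make_card() issues a card from the OS CSPRNG, card_lines() renders the two parallel lines the post describes, and encode() spells a key through a card; KEYBOARD_POOL and EXAMPLE_CARD are constructed values of my own.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase
# Constructed pool of keyboard characters a card may map letters to.
KEYBOARD_POOL = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>/?"


def make_card(pool: str = KEYBOARD_POOL) -> dict[str, str]:
    """Issue one card for a work-group: a fresh random one-to-one map letter -> keyboard character.

    secrets.SystemRandom draws from the OS CSPRNG; the card is the secret material the
    post relies on, so it is generated here and never derived from anything guessable.
    """
    rng = secrets.SystemRandom()
    return dict(zip(ALPHABET, rng.sample(list(pool), len(ALPHABET))))


def card_lines(card: dict[str, str]) -> tuple[str, str]:
    """Render a card as the post's two parallel lines: letters in random order, codes beneath."""
    order = list(ALPHABET)
    secrets.SystemRandom().shuffle(order)
    return "".join(order), "".join(card[c] for c in order)


def encode(key_phrase: str, card: dict[str, str]) -> str:
    """Spell the remembered key through the card one letter at a time; non-letters are skipped."""
    return "".join(card[c] for c in key_phrase.lower() if c in card)


# Fixed card, constructed so the example is reproducible; a real card comes from make_card().
EXAMPLE_CARD = dict(zip(ALPHABET, "qazwsxedcrfvtgbyhnujmikolp"))


if __name__ == "__main__":
    letters, codes = card_lines(EXAMPLE_CARD)
    print(letters)
    print(codes)
    print(encode("to be or not to be", EXAMPLE_CARD))
```

Replacing the card at the six-month interval the post describes is just calling make_card() again; every user in the group then re-derives their password from the same remembered key.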
I do pretty much the same thing, I use a random character generator to kick out a few passwords, pick the hardest one for stuff that matters.. Boxes only I have root on, etc. Then I use the next hardest one for boxes someone may need root on at some point, then I use the next for personal accounts I care about, then I use the name of the week with a number or two thrown in for sites I could care less about. Once every couple of months I kick out some new passwords and change them all and voilà. I have also figured out with the random garbage my passwords are, if someone needs root and I give it to them, they don't remember it the next day and have to ask again.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
Of course, it defeats the entire purpose of the system for you to tell us this, because now anyone who finds one of your passwords can figure out the rest, making changing your password pointless.
YES!!! Good point. Let The Cracking Begin!!! This /. neanderthal will pay for his security breach! The foolish mortal was smart enough to hide his email from his /. preferences, but I did a lookup for "Coward,Anonymous" on a few email search engines, and LOOK WHAT I FOUND!!
E-mail Results 1 - 3 of 3
1) coward, anonymous
My E-mail Address is PRIVATE
2) coward, anonymous
My E-mail Address is PRIVATE
3) Coward, Anonymous
guest@Radio.CZ
We have found him!! He will pay for leaving himself so wide open. Let this be a lesson to all that would follow.
not unless the cracker coded it that way...I'm sure you could come up with a crack ruleset for keys that are near each other, but it would be a pain.
Mmmmm. Dvorak.
Security through obscurity.
If you can touch type, make some variations. I used to use asdfasf. REALLY easy to remember, and friends who think they're cute can try to break your password by watching, but no one counts the *******.
Also, if I ever lose an arm I'm locked out of all my accounts...
/.
I usually use the front of my cranium to bash passwords into the keyboard. I figure, if I lose the front of my brain, I can do without being able to login to
CryptInfo may be a great bit of software, but what use is that if you can't trust it since the code isn't open?
This isn't to impugn its author in any way: the software could have been compromised without his knowledge, or else his family might be held under risk of murder unless he distributes a non-obvious backdoor.
Cryptographic software has to be open-sourced, full stop. No exception.
Strip is GPL'd, so even if it were god-awful (which it isn't), at least one can trust it.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
does anyone know of a UNIX command line filter that can convert plaintext to 3l337 text? There are some cool things one could do with that.
Actually, what I would really like is a proxy server that "Eleetizes" all communication going through it, while keeping links and such intact. That could be fun.
I could easily write the former myself if it does not exist, but I don't know how to write a proxy server...
--
grappler
Vidi, Vici, Veni
if the system allows an unlimited number of authentication requests to be made without imposing a delay between requests, or if you have the hashed/encrypted string to match against, then yes.
--Siva
Keyboard not found.
Keyboard not found.
Press F1 to continue.
Just make it a cgi script that takes a URL as a parameter, as in:
http://yourbox.com/cgi-bin/make-leet.pl?target=http://slashdot.org
or something similar. Just have the script grab the page in question, leet'ize it, and print it back out. Not too hard. A while back I wrote something like that to remove relocate URLs from places like excite.
This sig is false.